The issue of forced smartphone decryptions, as it pertains to Constitutionally protected rights, is gathering steam. According to various sites, Indiana’s Supreme Court will soon be listening to arguments on whether Fifth Amendment rights are being violated when the government forces suspects to unlock their encrypted smartphones (the Indiana Court of Appeals judged that it was a violation, in 2018).
Earlier in the year, a California judge ruled that forcibly unlocking encryption by biometric means was a violation of a person’s Fifth Amendment rights, the one that protects people from self-incrimination.
In the 2018 judgment, the Indiana judges said that forcing suspects to decrypt cryptographically secured contents is in of itself unconstitutional, regardless of how it’s done. A summary how this case came about to be can be found here and here.
The arguments involve the cast of usual suspects: the Fourth and Fifth Amendments, foregone conclusions, smartphones and the amount of personal data they store, encryption (obviously), and whether the act of producing something is “testimonial” or not. These have been covered many times over in this blog and elsewhere.
There is one surprising twist in the Indiana Court of Appeals decision, however: one of the judges argued that (my emphasis):
“(W)e consider Seo’s act of unlocking, and therefore, decrypting the contents of her phone, to be testimonial not simply because the passcode is akin to the combination to a wall safe as discussed in Doe,” he wrote. “We also consider it testimonial because her act of unlocking, and thereby decrypting, her phone effectively recreates the files sought by the state.” [theindianalawyer.com]
Could Lead to Bad Logic, Terrible Results
Analogies break down when you get into the nitty-gritty of things. And yet, analogies must be used when trying to bridge the digital to the analog, the virtual to the real.
The layman’s version of how computer encryption works is this: you provide an encryption key (generally, a very, very long string of numbers and characters) and the computer unscrambles data. Take away the key, usually by shutting down the computer or closing the app or file, and the computer scrambles the data. Due to the length of the key, which makes it humanly impossible to memorize, a person usually uses a password as a go-between: if the password matches the one on file, then the encryption key is made available; otherwise, nothing happens.
In non-digital encryption – usually in the form of written text on paper – the work of the computer is done by a human being: a person, in possession of the encrypted text and the encryption key, manually decodes the message. If he or she loses the decoded message, the process of unearthing the message from the encrypted text must be repeated.
In the latter case it is obvious that a file “sought by the state” has to be recreated if one is forced to surrender an encryption key, assuming a previously deciphered document is unavailable. Someone will take that key and the encrypted message and work to produce a plaintext document.
But in the digital version, is it still the case?
It is true that the computer (or smartphone) must do work to show you the decrypted data. It is also true that the natural state of the data is in its encrypted form. Arguably, the process of decrypting the information – which could also be seen as restoring or reassembling it, if you will – is the same as recreating it. But then, the argument must also hold that the process of encrypting data is tantamount to destroying the information. Otherwise, why would it be created and recreated each time you unlock a smartphone?
This last argument is troubling and terrifying. Its implication ought to give people pause. Technicalities such as this one is what gets people into trouble despite being law-abiding citizens.
Would it strain one’s gray cells to imagine a situation where a suspect is accused of “destroying” information because he had it encrypted? Or because the contents were automatically encrypted after a specified period of time, as it does with smartphones (which will happen when they’re put under custody of the state)?
For example, technically, when you stream audio and video, you are creating a copy of those files. Makes sense if you think about it: It’s not as if the video disappeared in the server and appeared on your screen. The video is still on the server, to be accessed by another person; but, it’s also on your screen…because a copy of it exists in one form or another on your computer or smartphone. Now imagine that this is not taken into account when drafting and passing copyright law. Less than reputable companies would go around suing people because they “copied” the video when they streamed it legally. If memory serves, this hypothetical actually happened under the original DMCA.
Of course, saner minds would ultimately prevail. Hopefully. But, the point is that you shouldn’t give people the legal green-light to go crazy before reining them in: the damage they cause in the meantime is real.
Related Articles and Sites: