encryption password not testimonial under the Fifth Amendment

Back in 2007 (here) and 2009 (here) I discussed the case of In re Boucher, where a U.S. judge for the District of Vermont ruled that requiring a criminal defendant to produce an unencrypted version of his laptop's hard-drive, which was believed to contain child pornography,did not constitute compelled testimonial communication.  Professor Orin Kerr posted a detailed discussion of the matter here.

The circuit court appeal in Boucher was dropped, but a new case has surfaced in the U.S. Court for the District of Colorado, United States v. Fricosu.  There, a bank fraud defendant's home was searched pursuant to a warrant, and a computer seized which held encrypted files. Further, Defendant provided evidence indicating her ownership computer, that she knew it was encrypted, and that it contained inculpatory evidence. The government subpoenaed defendant to produce an unencrypted version of the content of the computer, offering immunity against authenticating for doing so.  Defendant  moved to quash, arguing that the subpoena violated her Fifth Amendment privilege against self-incrimination by requiring a testimonial act of production by compelling her to acknowledge her control over the computer and its contents.  Borrowing substantively from Judge Sessions' decision in Boucher, Judge Robert E. Blackburn  ordered defendant to reveal the decryption password to the contents of the hard-drive.

In Boucher, Judge Sessions observed that, although the Fifth Amendment privilege ordinarily applies to verbal or written communications, an act that implicitly communicates a statement of fact may be within the purview of the privilege as well.  (citing United States v. Hubbell, 530 U.S. 27, 36 (2000); Doe v. United States, 487 U.S. 201, 209 (1988)), and that, although the contents of a document may not be privileged, the act of producing the document may be.”   United States v. Doe, 465 U.S. 605, 612 (1984).  Production itself acknowledges that the document exists, that it is in the possession or control of the producer, and that it is authentic. Hubbell, 120 S.Ct. at 2043.  In summation, an act is testimonial when the act entails implicit statements of fact, such as admitting that evidence exists, is authentic, or is within a suspect's control. 487 U.S. at 209.

In Fricosu, Judge Blackburn has ruled that, where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion, insofar as they add little or nothing to the sum total of the Government’s information. Likewise, defendant's production wasn't necessary to authenticate the computer drives where she had already admitted possession of the computers. See United States v. Gavegnano, 2009 WL 106370 at *1 (4th  Cir. Jan. 16, 2009) (where government independently proved that defendant was sole user and possessor of computer, defendant’s revelation of password not subject to suppression). Specifically, Judge Blackburd ruled that, "There is little question here but that the government knows of the existence and location of the computer’s files.  The fact that it does not know the specific content of any specific documents is not a barrier to production."

Law Technology News quoted my colleague, Craig Ball, what disturbs him most about Judge Blackburn's ruling is "that Judge Blackburn points to Boucher and simply equates the two scenarios without noting that the government's knowledge of the contents of the kiddy porn laptop was substantial, specific, and no way speculative." He added that this case differs from Boucher in the sense that the government at least saw the questionable files on Boucher's computer already, "the LEOS saw the contraband with their own eyes and recognized its criminal character." But, in the District of Colorado case, officials likely don't know what is on the computer, because "the cops never got past the log in screen, due to the computer's encryption."  Likewise, Professor Kerr characterizes Judge Blackburn's ruling as "not a model of clarity."

I see Craig's point, and I recognize that he doesn't want law enforcement to have carte blanche to peer into one's encrypted volume based solely on reasonable suspicion (or  --alternatively-- to suffer an adverse jury instruction (State v. Levie, 695 N.W.2d 619 (Minn.App. 2005)).  But, I wonder whether a helpful analogy (one I can't claim credit for) is the locked safe, within which the police have probable cause to believe a stolen painting has been stored. They don't want to blast the safe open, because the priceless painting may be destroyed.  Assume the safe is in defendant's home, and the police have a search warrant, and, therefore, assume the safe belongs to defendant and he is aware of its presence. Can defendant be compelled to turn over the key to the safe?  The answer, I believe, is yes. See Schmerber v. Cal., 384 U.S. 757 (U.S. 1966) (Where blood test evidence, although it may be an incriminating product of compulsion, is neither testimony nor evidence relating to some communicative act or writing by a defendant, it is not inadmissible on privilege grounds).  Now, let's assume that it's not a key the cops need, but a combination code to the safe.  Defendant has this code memorized.  Can the defendant now not be compelled to give up the code?  Why not?  Because it's a memory?  But the Fifth Amendment doesn't afford an unqualified privilege for memories; it affords a privilege to statements that are testimonial in nature.  How could defendant's very knowledge of the code to a safe in his own home be either incriminating or testimonial, regardless of whether the cops actually saw the painting deposited therein or not?

Increasing Entrustment of Client Data to Third Parties Resulting in Modified Lawyer Obligations

In the last few years, an number of ethics opinions concerning information technology are aimed at the increasing entrustment of client data to third partis (viz. so-called "cloud computing"), and are trending along with proposed or enacted data privacy litigation across the country. For example, California’s proposed Formal Opinion 08–0002 requires a lawyer to evaluate information security and finds that “attorneys are faced with an ongoing responsibility of evaluating the level of security of technology that has increasingly become an indispensable tool in the practice of law.” State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. Interim No. 08-0002 (2010)   Alabama’s Ethics Committee Opinion 2010–02 requires attorneys to exercise reasonable care against unauthorized access, which includes becoming knowledgeable about a cloud provider’s storage and security. Arizona’s Ethics Opinion 09–04 provides, in pertinent part, that:

[W]hether a particular system provides reasonable protective measures must be informed by the technology reasonably available at the time to secure data against unintentional disclosure. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.

It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult experts in the field.

State Bar of Ariz., Ethics Op. 09-04, Confidentiality: Maintaining Client Files; Electronic Storage; Internet (12/2009) (citations and quotations omitted) (citing N.J. Ethics Op. 701).

Likewise, Opinion 842 of the New York State Bar Association requires lawyers to “stay abreast of technological advances,” (New York State Bar, Ass’n Comm. on Prof’l Ethics, Op. 842 (2010) (quoting N.Y. State 782 (2004))), and Minnesota's Rule 1.6 requires that “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.” Minn. R. Prof'l. Conduct 1.6 cmt. 15 (emphasis added). See also Minn. Lawyers Prof’l Responsibility Bd., Op. No. 22, A Lawyer’s Ethical Obligations Regarding Metadata (2010).

And, earlier this year, the ABA Commission on Ethics 20/20 released it’s a proposal for comment regarding “lawyers’ growing use of technology, especially technology that stores or transmits confidential information.”  The commission recommended amendments to Model Rules 1.6 and 5.3, adding a paragraph to the former requiring attorneys to “make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, confidential information, including information in electronic form.” The Commission also is concerned with the inadvertent transmission of information and recommend that lawyers have a duty to notify the sender of both physical and electronic information under certain circumstances.

Juror's social networking activities results in new trial for convict

The Arkansas Supreme Court reversed and remanded a death row inmate’s murder conviction, ordering a new trial because one juror slept and another used the Twitter service during court proceedings.

Significantly, the trial court instructed the jurors prior to opening arguments, as follows:

When you’re back in the jury room, it’s fine with me to use your cell phone if you need to call home or call business. Just remember, never discuss this case over your cell phone. And don’t Twitter anybody about this case. That did happen down in Washington County and almost had a, a $15 million law verdict overthrown. So don’t Twitter. Don’t use your cell phone to talk to anybody about this case other than perhaps the length of the case or something like that.

In one message, the Juror 2 wrote: “Choices to be made. Hearts to be broken...We each define the great line.” Less than an hour before the jury announced its verdict, he tweeted: “It’s over.”  Others including references to the trial, such as, “the coffee sucks here” and “Court. Day 5. Here we go again.”

The supreme court observed:

Because of the very nature of Twitter as an ... online social media site, Juror 2’s tweets about the trial were very much public discussions. Even if such discussions were one-sided, it is in no way appropriate for a juror to state musings, thoughts, or other information about a case in such a public fashion . . . More troubling is the fact that after being questioned about whether he had tweeted during the trial, Juror 2 continued to tweet during the trial.

11/08/2011 CTLS meeting legislative & caselaw update/summary

Legislative Committee Report

The following are the highlights of the caselaw and legislative updates provided by the Legislative Committee:

•    Patterson v. Turner Constr. Co, 2011 NY Slip Op. 07572 (Oct. 27, 2011, Appellate Div., Supreme Court of New York, 1st Dep't) (discovering party peruse Facebook activities (including those set to private or restricted outsider access) insofar as they are relevant, in that the information contradicts or conflicts with a plaintiff's alleged restrictions, disabilities, losses and other claims.)

•    California enacted the Reader Privacy Act, updating reader privacy law to cover new technologies like electronic books and online book services as well as local bookstores.

•    Vulnerability uncovered:  If one's iPhone falls into the wrong hands, Siri will obligingly disclose the owner's texts or e-mails - or send text and e-mails that appear to come from owner. This is true EVEN if the phone is locked with a PIN.  This recently discovered security flaw can be corrected, but the owner must take the affirmative step of disabling Siri when the phone is locked.

•    On September 27th, Chief Judge Randall Rader of the U.S. Court of Appeals for the Federal Circuit unveiled a model order that would limit e-discovery in patent cases. He wrote that the Federal Circuit Advisory Council had unanimously voted to adopt the order.  The model order contains the following provisions:

    * Metadata is excluded from e-discovery production requests without "a showing of good cause."
    * E-mail production requests must be for specific issues "not general discovery of a product or business."
    * E-mail production requests should be delayed until after disclosures about the patents, the accused uses of the invention, relevant financial information and the prior art — published information about the subject matter of the claimed invention, including issued patents.
    * E-mail requests are limited to five so-called custodians per producing party and five search terms per custodian.
    * Courts may consider up to five additional custodians per producing party and five additional search terms per custodian. Litigants who submit e-discovery requests to adversaries that exceed court orders and the parties' agreement must pay for the extra production.
    * Receiving parties are barred from using e-discovery that the producing party asserts is attorney-client privileged or work product protected.
    * The production of electronic information in a mass production, or the inadvertent release of privileged or work product protected electronic data, is not a waiver or permission to use it.

•    FCC's Net Neutrality Rules ("Preserving the Open Internet") were published Sept. 23, 2011 in the Federal Register Volum 76, No. 185.

•    Oct 3, 2011 - The Ninth Circuit  unequivocally extended the protections of the Electronic Communications Privacy Act (“ECPA”) to foreign citizens yesterday.  In Suzlon Energy Ltd. v. Microsoft Corp., the court held that the ECPA protects the emails of non-citizens that are stored in the United States from disclosure.

•    The Supreme Court will today (Nov. 8th) consider in U.S. v. Jones whether police need a warrant before secretly attaching a GPS tracking device to a suspect's car.