Can the state compel a suspect to provide access to encrypted files on the suspect’s computer? For example, if the police suspect that I’m running a Ponzi scheme, but I’ve got all my business records encrypted, can the state require me to produce an unencrypted version of the records? It’s an important question because more and more computer users are using encryption software — and there’s encryption software that is available for free on the internet, yet is so robust that the federal government’s best codebreakers and hackers can’t beat it.
A federal district judge in Vermont recently addressed this issue in In re Grand Jury Supoena to Boucher, 2009 WL 424718 (D. Vt., Feb. 19, 2009). In December 2006, Sebastien Boucher crossed from Canada into the United States. Officers at the border decided to search Boucher’s car. (The documents that I’ve seen don’t say why, but officers generally don’t need any level of suspicion to conduct searches at the border.) A laptop was in the car, and the officers searched the laptop, finding files suggesting that Boucher might be interested in child pornography. Boucher said he was unsure whether his computer contained child pornography. The officers read Boucher his Miranda rights, which he waived, and Boucher said that he downloaded pornography, that the downloads sometimes included child pornography, and that he deleted the child pornography as soon as he recognized it. Boucher showed the officers the Z drive on his computer, which was where the pornography was stored, and the officers found some files that contained child pornography. They arrested Boucher, seized the laptop, and shut it down.
Boucher was charged with transporting child pornography. The government obtained a search warrant authorizing a search of the computer, but upon opening the laptop, the government’s computer forensic expert found that the Z drive was encrypted using a program that neither he, nor any of the government’s other experts, could break. The government’s next move was to issue a grand jury subpoena to Boucher, demanding that he produce the password to the Z drive. Boucher moved to quash the subpoena, arguing that it violated his Fifth Amendment right against self-incrimination.
The government responded by narrowing its request to a demand that Boucher enter the password before the grand jury without providing the password to anyone, and later, to a demand that Boucher simply produce an unencrypted copy of the Z drive, presumably by entering the password outside the presence of the grand jury. Boucher maintained that even the last request would still violate his Fifth Amendment rights, under the act of production doctrine established in Fisher v. United States, 425 U.S. 391 (1976), and United States v. Doe, 465 U.S. 605 (1984). In essence, that doctrine holds that in certain circumstances, producing documents or other evidence in response to a subpoena is a testimonial act, because it constitutes an admission that the requested documents or evidence exist, are within the subject’s possession, and are authentic. For example, if a prosecutor subpoenas a suspected drug dealer’s list of heroin customers, producing a list would be an admission that the suspected dealer maintained a list, that the list contained names of heroin customers, and that the list was authentic — all damaging admissions.
Although Boucher persuaded a magistrate judge to grant his motion to quash the subpoena, the government appealed to a district judge, who reversed. He found that, because the government already knew that the Z drive existed and was located in the laptop, it fell within the foregone conclusion exception discussed in Fisher: when the prosecution already knows that a specific document or other item exists, knows where it is located, and can establish its authenticity, a subject’s production doesn’t tell the prosecution anything it doesn’t already know, and so, the theory goes, it is not really testimonial, and does not fall within the Fifth Amendment’s privilege.
That analysis is fine as far as it goes, but it doesn’t reach an additional concern. If Boucher produces an unencrypted version of the Z drive, he’s not just admitting that the Z drives exists, etc. He’s also admitting that he has the password. i.e., that he has access to the drive. Perhaps that’s a foregone conclusion, too, since he had access to the drive during the original border search, or perhaps that’s a non-issue in this particular case because of the government’s promise that it would not use the act of production against Boucher. But it may require a caveat to the foregone conclusion doctrine in certain circumstances. Imagine that officers determine that a computer located in a college dorm room is sharing child pornography over the internet. They search the room when no one is present, and seize the computer, which is on and which contains child pornography. Just as in Boucher, the officers shut the computer down, and later find that its hard drive is encrypted. They issue a grand jury subpoena to roommate A, asking him to produce an unencrypted copy of the drive. Arguably, the foregone conclusion doctrine still applies: the officers know of the existence and location of the drive. But if roommate A produces an unencrypted copy of the drive, he’s implicitly admitting that he has the password, which shows that he, rather than (or in addition to) roommate B, controlled the computer. That’s information that the prosecution didn’t already have, and a different result seems appropriate in that case.