Recent advances in cryptographic technology and the widespread use of free, open-source cryptography have made encrypted information pervasive in our everyday lives. Apple and Google have both announced that their latest mobile operating systems will be encrypted and the manufacturers will be unable to decrypt the phones even if ordered to do so. Additionally, all Apple iPhones since the iPhone 3GS have used built-in encryption. This article provides a primer on encryption and on whether police officers can compel you to provide your password.
Officers can compel individuals to provide their fingerprint to unlock a phone. New Apple phones and tablets are all equipped with “TouchID.” Users of these devices are allowed to unlock their devices using only their fingerprints. The easiest way for users of these devices to avoid being compelled to provide their fingerprint to unlock their device is to restart the phone. Once the device is turned off, it will require a passcode on restart before TouchID will be active again.
Encryption is the process by which information is converted from a form that can be understood by anyone (“plaintext”) into a form (“ciphertext”) that can only be read by someone who has the “encryption key.” In modern times, where information is commonly stored electronically, the key takes the form of a complex algorithm that converts plaintext into ciphertext. The term cryptography, which is the science of encryption and decryption, comes from the Greek words “kryptos” and “graphos,” which together mean “hidden writing.”
Encryption, in its many forms, has played an important role in keeping communications secret since humans first started sending messages to each other. Encrypted messages have been sent by means of hieroglyphics and smoke signals. Early Americans relied on encryption to keep their communications secret during the time of the American Revolution. After the Revolution, prominent figures like Benjamin Franklin and the first Chief Justice of the United States Supreme Court continued to be known for their use of encrypted documents. Benjamin Franklin invented ciphers that were used by the Continental Congress. He even went as far as printing a book on the use of ciphers. John Jay, the first Chief Justice of the Supreme Court, used ciphers for all diplomatic correspondence made while he was outside of the country.
In recent years, the level of encryption available to the general public has far outpaced the government’s technological capabilities to decrypt the information. A brute force attack is an attempt to decrypt information by trying every possible key combination until the right key is found. The number of possible keys depends on the level of encryption, which is commonly measured in terms of bits. The most common level of encryption used today is 128-bit encryption. After years of studying encryption and the rate at which computers have improved, the European Network of Excellence in Technology reported last year that it would take at least thirty years before 128-bit encryption could be defeated in a timely manner. The report was the culmination of over four years of research into encryption, brute force attacks, and increases in computational power over time. Even taking into consideration significant future projected increases in computational power, such as the advent of quantum computing, the organization expects 256-bit encryption will remain a highly recommended level of encryption for the foreseeable future.
Despite the difficulty in decrypting even 128-bit encryption, commonly available software now allows users to encrypt their data using much stronger levels of encryption. As a result of the advances in encryption technology, law enforcement agents and the intelligence community looked to the courts to compel encryption keys through court orders and grand jury subpoenas.
The Fifth Amendment protects individuals from being compelled to be witnesses against themselves. For the Fifth Amendment protection to apply, a statement must be (i) compelled, (ii) testimonial, and (iii) incriminating.
In re Boucher, the first case in federal court to deal with the compulsion of cryptographic keys, was decided in 2007. Sebastian Boucher was crossing the Canadian border into the United States when his vehicle was stopped for a routine border inspection. Officers found a laptop on the backseat of the vehicle and proceeded to access the files on the computer. The investigating officer was able to inspect the contents of the laptop without being prompted to enter a password. The officer noticed a number of files with names suggesting the files might be child pornography. He then asked a special agent trained in recognizing child pornography to assist with the investigation. The special agent viewed the files and determined they were images and videos of child pornography. After placing Boucher under arrest, they seized his laptop computer and powered it down.
When law enforcement agents later tried to access the files on the laptop, they discovered the hard drive was encrypted and a password was required to access the hard drive when the computer was powered on. A special agent trained in computer forensics testified before a grand jury that there were no known backdoors to the encryption software Boucher had used by which law enforcement might defeat the encryption. The special agent also testified it would be virtually impossible to guess the password in any reasonable amount of time because it could take years for an automated program to try every possible encryption key combination. Based on the special agent’s testimony, the grand jury subpoenaed Boucher to divulge the encryption key. Boucher refused and moved to quash the subpoena. At trial, United States Magistrate Jerome Niedermeier held that compelling Boucher to reveal his key would violate the Fifth Amendment.
On appeal, the state changed its strategy and instead of requesting production of the cryptographic key itself, the state requested that Boucher enter his cryptographic key to unlock the hard drive, thereby granting investigators access to the drive without forcing Boucher to divulge the key. The United States District Court ordered Boucher to enter his cryptographic key as requested. The court held that Boucher had no act-of-production privilege that would protect him from providing the grand jury with an unencrypted version of the disk. The court, relying on Second Circuit precedent, ruled that although the entire contents of the hard drive were not known, it was a foregone conclusion that the disk contained evidence of child pornography since the government could show “with reasonable particularity that it kn[ew] of the existence and location of the subpoenaed documents.”
While Boucher was required to turn over his password, the court reached its decision because the state already knew what was on the hard drive. Essentially there is a “foregone conclusion” exception to the Fifth Amendment privilege against self-incrimination.
In 2012, the Eleventh Circuit determined that individuals cannot be compelled to decrypt hard drive contents when the defendant had not provided law enforcement information as to what is contained on the encrypted drive. United States v. Doe (In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011), 670 F.3d 1335 (11th Cir. 2012). The case arose after police seized computers and external hard drives, which they had tracked using internet protocol addresses and had reason to believe contained child pornography. The defendant was held in contempt after refusing to decrypt the laptops and hard drives for law enforcement. On appeal, the Eleventh Circuit held that decryption and production of the contents of the hard drive would be testimonial and did trigger Fifth Amendment protections.
Today, phones and tablets are commonly secured using fingerprints. Computers are regularly secured with fingerprints and are sometimes encrypted with iris scans. While biometric scans offer better security for the average user, there is a distinct downside for everyday users. Unlike a password, which requires something you know to access your data, a biometric scan only requires something you have. In other words, the Fifth Amendment is not implicated in providing a fingerprint or iris scan, whereas being required to provide a password would give rise to Fifth Amendment protections.
A Virginia Circuit Court judge ruled that officers can compel individuals to provide their fingerprint to unlock a phone. The defendant in that case, David Baust, was charged in an assault-strangulation case. The police had reason to believe the fight may have been recorded on Baust’s phone and sought to compel him to unlock his cell phone. Judge Steven Frucci ruled that providing a fingerprint does not implicate the Fifth Amendment because fingerprints are nontestimonial in nature. It is no different than being compelled to provide a DNA sample or a physical key: it is something you have, not something you know.
Many phones today are equipped with “TouchID.” Users of these devices are allowed to unlock their devices using only their fingerprints. The easiest way for users of these devices to avoid being compelled to provide their fingerprint to unlock their device is to restart the phone. Once the device is turned off, it will require a passcode on restart before TouchID will be active again.
As law enforcement agencies become more adept at leveraging technology to their advantage, the need for criminal defense attorneys who stay abreast of changes in the law and technology only grows.
Call us at (817) 203-2220 for a complimentary strategy session. Our team of former prosecutors and Board Certified Criminal Lawyers are here to help. During this call we will: