[1136] in cryptography@c2.net mail archive
Supreme Court dicta on safe combinations
daemon@ATHENA.MIT.EDU (Phil Karn)
Tue Jul 1 16:08:38 1997
Date: Mon, 30 Jun 1997 22:39:35 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: cryptography@c2.net
Cc: karn@ka9q.ampr.org
After reading the opinions in ACLU v. Reno, I started browsing around
the various legal servers on the net. They are much more complete and
useful now than just a year ago.
I finally found the case that others have occasionally cited here as
relating to the issue of whether the Fifth Amendment protects the
compelled disclosure of cryptographic keys in a criminal context.
The case is Doe v. United States, 487 U.S. 201 (1988). You can get the
full opinion either by going to <http://www.findlaw.com/> and entering
the citation, or you can enter the following lengthy URL:
<http://www.findlaw.com/cgi-bin/getcase.pl?court=US&vol=487&invol=201>
The case had to do with whether a grand jury could constitutionally
compel the target of an investigation to sign a consent form
authorizing a foreign bank to disclose its records. The Court held
that signing the consent form was not "testimonial", so the Fifth Amendment
did not apply.
The relevant quote is in Justice Stevens' dissent. (The opinion was 8-1).
A defendant can be compelled to produce material evidence that is
incriminating. Fingerprints, blood samples, voice exemplars,
handwriting specimens, or other items of physical evidence may be
extracted from a defendant against his will. But can he be compelled
to use his mind to assist the prosecution in convicting him of a
crime? I think not. He may in some cases be forced to surrender a key
to a strongbox containing incriminating documents, but I do not
believe he can be compelled to reveal the combination to his wall safe
- by word or deed.
The majority directly answered this dissent in footnote 9:
[Footnote 9] We do not disagree with the dissent that "[t]he
expression of the contents of an individual's mind" is testimonial
communication for purposes of the Fifth Amendment. Post, at 220,
n. 1. We simply disagree with the dissent's conclusion that the
execution of the consent directive at issue here forced petitioner to
express the contents of his mind. In our view, such compulsion is more
like "be[ing] forced to surrender a key to a strongbox containing
incriminating documents" than it is like "be[ing] compelled to reveal
the combination to [petitioner's] wall safe." Post, at 219.
In other words, the majority held that signing a consent form did
*not* explicitly admit knowledge of the foreign accounts. It merely
granted consent to the banks to reveal any accounts in his name if in
fact they existed. For that reason signing the form was "non
testimonial" and therefore not protected by the fifth amendment.
While the language in Footnote 9 is encouraging, it seems to this
legal layman that the issue of whether a court could compel the
disclosure of a cryptographic key in a criminal investigation is still
far from settled. I'm now beginning to understand Mike Godwin when he
said that much may depend on whether the government already knows that
you know the key, or whether you'd be implicitly admitting that you
know it by divulging it.
Consider a) the passphrase for a PGP key that has your name on it and
b) the passphrase to a conventionally encrypted file. In the first
case, the government could argue that because your name is on the
public key used to encrypt some file, you must certainly know its
passphrase. So revealing it would not be testimonial; it would be like
giving up the key to a safe deposit box already known to be in your
name. Of course, you could simply have forgotten your PGP passphrase,
as seems to happen all too often, just as you could claim to have lost
the safe deposit box key -- though safe deposit boxes are much more
easily drilled open than strong ciphers.
The second case is more problematical for the government, though it
might claim that you'd have no reason to waste disk space on an
encrypted file for which you don't know the passphrase.
Two countermeasures seem appropriate: storing encrypted backups for
others for which you don't have the key, and using conventional
encryption, not public key encryption, for personal file storage.
Comments?
Phil
