Compelling Password Disclosure and the United States’ Role in Cyberspace Justice

The Supreme Court now acknowledges an important privacy concern in computer passwords, finding that password disclosure is not a physical act akin to handing over a key, but rather a mental process protected by the 5th Amendment.

“Can the U.S. government compel me to provide my password?”

No.

“Awesome!”

But the answer wasn’t always so clear. Contrary to media depictions, until recently court-mandated password disclosure was not limited to accused pedophiles or other criminal offenders. Anyone who protected personal data with a password was at risk that the government might, in connection with criminal prosecution, compel a suspect to disclose their password.

Up until United States v. Kirschner, decided only last year, when trying to compel a password the government would argue either “foregone conclusion” or that a password is equivalent to a key.1 Under foregone conclusion, if the government had previously seen your files—say, because they saw your computer before you restarted it—they would argue that you were not providing any new evidence against yourself and therefore could not invoke your Fifth Amendment right against self-incrimination.2 If that argument did not work, the government would argue that they were not interested in the password itself, just the documents hidden by it. Therefore password disclosure was equivalent to turning over a key.3

Justice Stevens believes a password to be more like a safe combination
Fortunately, Justice Stevens’ dissent in Doe v. United States sparked the Court’s understanding that a password is not equivalent to a physical key.4  Justice Stevens explained that he believed a password to be more like a safe combination, which he believed a court could not compel you to provide.5  Though Justice Stevens’ opinion was the dissent in that case, his reasoning proved critical in the Kirschner decision where the Court found that the government was, in fact, “requiring [Kirschner] to divulge through his mental processes his password.”6

The “mental processes” issue is critical because you cannot invoke your Fifth Amendment right against self-incrimination unless you are being asked to testify.  For instance, if you have a notebook at home where you write down who you dislike and why, the government only needs a subpoena in order to compel you to turn over the notebook. But if you keep your ramblings in your head and the government puts you on the stand, the government cannot compel you to disclose who you dislike and why. The Fifth Amendment prohibits the government from compelling you to reveal your thoughts.

The Fifth Amendment protects against all testimony which calls on you to divulge your mental processes, whether it’s remembering your password or remembering what you ate for dinner last night.

So long as you rely on your memory in order to remember your password, the Fifth Amendment will protect you. By remembering your password, the government will be forced to trigger your Fifth Amendment right when it pursues testimony which demands that you divulge your mental processes. The Fifth Amendment protects against all testimony which calls on you to divulge your mental processes, whether it’s remembering your password or remembering what you ate for dinner last night.

Yet other countries are taking a different stance, seeing refusal to turn over passwords as a mere stall tactic. Because those countries permit their governments to compel the suspect or a third party to either turn over the password or provide unencrypted copies of the data, refusing to turn over a password simply buys time for a suspect’s attorney while the government obtains a court order to compel the data. In England, the government can compel those served with a “Section 49” notice to provide either their passwords or unencrypted copies of the data the government seeks.7  France takes the same approach.8

Australia throws privacy concerns out the window by making it a crime to refuse to aid the government in decrypting a suspect’s data.9 Australia’s stance is based on the Council of Europe’s Convention on Cybercrime Treaty, a treaty that aims to “civilize the Internet” but “fail[s] to specify proper level[s] of privacy protection necessary to limit the over-broad surveillance powers it grants law enforcement agencies.”10  Thirty-seven countries in the world have ratified the Convention on Cybercrime Treaty.11

Though there is a valid argument that suspects should be required to disclose their passwords, as the public does not want to allow criminals to hide harmful evidence behind encryption, we should be encouraging foreign nations to value the rights of each individual citizen.  Since not all countries have rights against self-incrimination, it is the United States’ responsibility to promote our legal policy regarding compulsory password disclosure, a policy which does just that.

If a court compelled you to share your password, what secrets would you be forced to expose?

 


  1. United States v. Kirschner, 823 F.Supp.2d 665 (E.D. Mich. 2010).
  2. United States v. Doe (In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011), 670 F.3d 1335, 1345-1346 (11th Cir. 2012).
  3. Id. at 1345.
  4. Doe v. United States, 487 U.S. 201 (1988).
  5. Id. at 219 (1988).
  6. United States v. Kirschner, 823 F.Supp.2d 665, 669 (E.D. Mich. 2010).
  7. Jeremy Kirk, Contested UK encryption disclosure law takes effect, The Washington Post, Oct. 1, 2007, available at http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html.
  8. Business Software Analysis, Country Report: France, available at http://portal.bsa.org/cloudscorecard2012/assets/pdfs/country_reports/Country_Report_France.pdf.
  9. Rebecca Bowe, The Battle for Privacy Intensifies in Australia (Aug. 31, 2012), https://www.eff.org/deeplinks/2012/08/battle-privacy-intensifies-australia.
  10. Katitza Rodriguez, Dangerous Cybercrime Treaty Pushes Surveillance and Secrecy Worldwide (Aug. 25, 2011) https://www.eff.org/deeplinks/2011/08/cybercrime-treaty-pushes-surveillance-secrecy-worldwide.
  11. Council of Europe, Convention on Cybercrime, Nov. 23, 2011, CETS No.: 185, available at http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG.