On October 9, in the case R v. S and A  EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention of Human Rights. The U.K. court’s ruling is at odds with Magistrate Judge Jerome J. Niedermeier’s ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29, 2007).
R v. S and A involved two defendants whose encrypted laptops were seized in the course of an anti-terrorism investigation. The authorities located several suspicious files that they could not open due to encryption. Pursuant to section 53 of the Regulation of Investigatory Powers Act of 2000, the defendants were served with a notice requiring them to reveal the encryption key. Defendants refused and applied to stay the notices.
As the United Kingdom lacks a written constitution, the privilege against self-incrimination is a common law principle. It is not absolute and is subject to numerous statutory exceptions. The court did not address this issue at length, however, because it found that requiring the defendants to reveal an encryption code did not trigger the privilege. The court found that the encryption key existed “independent of the will of the subject,” much like the key to a drawer. Even though the defendants created the key initially, “once created, the key to the data, remains independent of the appellant’s ‘will’ even when it is retained only in his memory, at any rate until it is changed.” The court noted that while evidence of the defendants’ knowledge of the encryption key could itself be incriminating, the trial judge could preclude such evidence and was a minimal intrusion into the right against self-incrimination as compared to national security.
In In re Boucher, Magistrate Judge Niedermeier considered Boucher’s motion to quash a subpoena requiring that he produce all documents reflecting any passwords used or associated with his computer. At hearing on the motion, prosecutors offered to allow Boucher to enter the code without any monitoring, rather than to reveal it outright, and further offered not to comment at trial upon his knowledge of the password. This was not protective enough for the Magistrate, as discussed below.
Unlike the British court, the Magistrate found that requiring Boucher to reveal or enter the encryption code he used to protect his alleged child pornography triggered his Fifth Amendment rights, which prevent compelled disclosure of incriminating information of a testimonial nature. See Fisher v. United States, 425 U.S. 391, 408 (1976). The Magistrate cited United States v. Doe, 465 U.S. 605, 612 (1984) and Doe v. United States, 487 U.S. 201, 209-212 (1988), for the premise that the mere act of producing a non-testimonial document or object can be testimonial where it reveals a defendant’s knowledge. The Magistrate drew upon the same key/locked drawer metaphor as the British court, but citing Doe v. United States at 218, held that unlike surrendering a key, disclosing a password reveals the contents of one’s mind and is therefore testimonial. In re Boucher, 2007 WL 4245473, at *4. Magistrate Judge Niedermeier’s ruling quashing the subpoena was appealed to District Judge William K Sessions III and, according to the PACER docket, has been pending since May.