Government May Compel Disclosure of Encryption Passwords in Pennsylvania

The Pennsylvania Superior Court issued another troubling, computer-related opinion in late November 2017. Commonwealth v. Davis holds that the Pennsylvania government can compel an individual to disclose a computer password for an encrypted computer. Commonwealth v. Davis, 2017 PA Super 376 (Nov. 30, 2017).

The Superior Court stated that constitutional protections against no-compelled-testimony and no-self-incrimination, under the federal Fifth Amendment and Pennsylvania Article 1, Section 9, do not apply to encrypted computers on the facts in Davis.

To reach the conclusion, the Superior Court looked to problematic opinions in other jurisdictions—which may be outdated or that may improperly analogize to otherwise incompatible technologies.

A Troubling Application of the Foregone-Conclusion Exception to the Fifth Amendment

The Superior Court held that the foregone-conclusion “exception” to the Fifth Amendment applies to the password itself. Compare Davis, 2017 PA Super at 10-13, (the password) with Davis, 2017 PA Super at 14-15 (underlying documents) and, e.g., Fisher v. US, 425 US 391, 409-410 (1976).  That is, the foregone-conclusion analysis no longer applies to the foregone-conclusion of access to the materials sought (here allegedly criminal images) but to the password itself that allegedly gives access to those materials. See Davis, 2017 PA Super at 10-14.

As the Court suggests, to compel, the government need only prove:

(1) the existence of the evidence demanded;
(2) the possession or control of that evidence by the
defendant; and
(3) the authenticity of the evidence. Id. at 11.

Those elements assume application to the documentary evidence. See Fisher v. US, 425 US 391, 409-410 (1976)

Yet, according to the Superior Court, that becomes, :

(1) the existence of a password;
(2) the [apparent] possession or control of the password by the defendant; and
(3) the authenticity of the password is assumed and does not need to be proven (because if the password opens the device, it must be authentic). Id. at 12-14.

Thus, the Superior Court holds that the government can now compel the password to an encrypted hard drive by using the “foregone-conclusion exception” applied to the password itself—not to the underlying, alleged, evidence.

Applying the foregone-conclusion “exception,” which previously applied to the underlying documents, see Fisher v. US, 425 US 391, 409-410 (1976), appears a breathtaking conflation of Constitutional issues. Unfortunately, a case like this might be used to support more generalized demands for access to encrypted information.

Troubling Bootstrapping By Assuming that Technology Self-Authenticates

A party admitting evidence must demonstrate that the proposed evidence is authentic. Pa. R.E. 901 et seq. Authentication means “the item is what the proponent claims it is.”  Pa. R.E. 901. Notably, technology does not appear on the list of self-authenticating evidence. See Pa.R.E. 902.

Nevertheless, the Pennsylvania Superior Court in Davis claims:

“technology is self-authenticating.” … Namely, if appellant’s encrypted computer is accessible once its password has been entered, it is clearly authentic.

Davis, 2017 PA Super at 14 (internal citation removed, quotes in original).

The Court assumes, without any technical support, that entering a password self-authenticates the password merely because the password makes the computer accessible.

The Court’s recitation of the facts in Davis show why making this assumption is not accurate. The Court mentions the use of TrueCrypt to encrypt the hard drive at issue. Id. at 2. However, prior to the alleged acts at issue in Davis, the developers of TrueCrypt shut down that project due to alleged problems with the encryption technology.

TrueCrypt was an open source, community-developed software package that could be used to encrypt hard drives or file containers. TrueCrypt was legitimate software similar to widely-used Microsoft’s Bitlocker, Apple’s FileVault, or Linux’s encrypted file systems.

In early 2014, the developers of TrueCrypt suddenly and immediately shutdown the project. The shutdown was highly controversial in the technology community and was surrounded in mystery in the post-Snowden era. The developers simply stated: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” TrueCrypt Website (former). The terse comment raised even more speculation about national security implications and vulnerabilities.

The technical history may become material in a case like Davis. At minimum, the Superior Court’s assumption that “technology is self-authenticating” requires serious revision. TrueCrypt could have been shutdown due to cryptographic hash collisions, errors in the encryption algorithm, side-channel attacks, or any number of other technical deficiencies. The point is: having a password does not necessarily mean authentication because, for example, the algorithm (or algorithms) themselves may be defective or manipulated.

Bootstrapping for Compelled Disclosure of Encryption Passwords

And this goes back to the Davis bootstrapping problem. The electronic materials (files) are at issue in Davis. The government sought access to the alleged criminal materials (files). The encryption allegedly limited such access. Therefore, the Court held that the Court can compel the disclosure of the encryption password to provide access to the allegedly criminal materials by bootstrapping the foregone-conclusion “exception” as applied to the password to affect the access to the allegedly, criminal materials. Perhaps on the very narrow facts in Davis, such a conclusion makes sense. But, the bootstrapping is deeply troubling for future cases.

 


Original: 1/9/2018

This is not legal advice.


F1 Discussion of the inherent problems with Fisher v. US, 425 US 391 (1976), which developed the so-called “exception” to a fundamental constitutional right, and inconsistencies with applying this “exception” more broadly goes beyond this article.