Cryptography and the Fifth Amendment

Mark Eckenwiler

Imagine the following scenario: You receive a federal grand jury subpoena. It seems several of your co-workers are implicated in a criminal conspiracy; moreover, federal agents have discovered a suspicious encrypted file on your employer's computer system, and believe you have the password. (They're right, but since the file contains notes on the conspiracy, you'd rather not tell.) The subpoena orders you to disclose the password. Does the Fifth Amendment protect you?

Maybe. Maybe not. Courts have never confronted this problem, largely because strong crypto only recently became widely available to the public. In the past, law enforcement never needed to compel disclosure, either because it had enough other evidence to convict or because it could crack defendants' crypto. In 1992, for example, the FBI seized an electronic address book from a Mafia suspect; although the addresses were encrypted, agents were able to decrypt them with the help of the manufacturer. With strong crypto like PGP, law enforcement won't have it so easy.

On its face, the Fifth Amendment privilege is straightforward: "No person . . . shall be compelled in any criminal case to be a witness against himself . . . ." As with most provisions of the Constitution, however, the Self-Incrimination Clause has been interpreted using an increasingly complex body of judicial rules. (This isn't invariably bad news. The phrase "in any criminal case" is read to refer to the possible later use of testimony in a criminal trial. Thus, a witness can invoke the Fifth not only at his criminal trial, but also in a civil trial, before a grand jury, or in a congressional hearing.)

To begin with, the Fifth protects only "testimonial" acts. If an act is "nontestimonial," your cooperation can be compelled even if it would produce evidence against you. According to the Supreme Court, there's no "testimony" involved in taking a breathalyzer test or in giving a sample of your hair or your handwriting. On the other hand, the Supreme Court has recognized that "the vast majority of verbal statements . . . will be testimonial" because most oral or written statements "convey information or assert facts." In addition, two other factors must be present: compulsion and potential incrimination. Compulsion may take a variety of forms, from a grand jury subpoena (with the implicit threat of contempt for noncompliance) to police beatings. But even with compulsion of a testimonial act, the privilege against self-incrimination isn't triggered unless the testimony has the potential to incriminate the speaker.

How does our hypothetical subpoena fare under this standard? If the password is in your head, the answer is easy: the Fifth Amendment protects you. As the Supreme Court made clear in Curcio v. United States (1957), the government cannot force someone "to disclose the contents of his own mind" if that information is incriminatory. While there are exceptions to this rule, they remain extremely limited. For instance, in 1990 the Supreme Court held that a drunk driver could be forced to disclose his name and date of birth to the arresting officer. In the same case, however, the Court ruled that coercing the answer to a simple "drunk test" -- asking the arrestee the date of his sixth birthday -- violates the Self-Incrimination Clause.

Unfortunately, the strength of crypto depends in many cases on the length and complexity of the password used. The longer and more complex the password or passphrase, the more likely it is someone will write it down as a memory aid, and once you write things down -- whether on paper or in a computer file -- the applicable legal analysis changes radically. A century ago, the Supreme Court believed that "private books and papers" were inherently protected by the Fifth Amendment, and that a person could never be compelled to turn over his diary or similar documents. (Don't get nostalgic, though. In those days, the Court also thought that the Fifth Amendment -- and, indeed, the rest of the Bill of Rights -- restricted only the federal government, leaving state law enforcement unfettered.) In Fisher v. United States (1976), however, the Supreme Court concluded that private papers are not protected by the Fifth Amendment, no matter how incriminating they are. In essence, the Court reasoned that a document is not Fifth-Amendment privileged when created voluntarily rather than under compulsion; in the same way, a confession can be used against a defendant if given freely and without coercion.

Every now and then, somebody suggests on Usenet that the way to gain a Fifth Amendment privilege for a PGP passphrase is to choose one like "I am guilty of a crime." Under the guiding principle of Fisher, doing so would be completely irrelevant: because you choose your passphrase in the absence of governmental compulsion, a written copy of it enjoys no inherent Fifth Amendment protection, no matter how incriminating the wording. Had the Fisher Court stopped short in its analysis, government subpoenas would be a virtually limitless tool of oppression. A grand jury could order you to produce "all documents written by you in furtherance of crime X," and your refusal to comply would result in a contempt-of-court finding (and probably incarceration).

Fortunately, the Supreme Court went further. At the same time it abandoned the "private papers" rule, the Court created the "act-of-production privilege." This new doctrine recognized that producing documents is itself often a testimonial act regardless of the contents of the documents. If, for instance, you produced the papers requested in the "crime X" subpoena above, you'd implicitly attest that the papers exist; that you possess (and wrote) them; and that you participated in the alleged crime. Since these concessions are powerful evidence of guilt, the subpoena would force you to give self-incriminating testimony -- exactly what the Fifth Amendment forbids.

Back to the original hypo, then: must you turn over your crypto key if it's written down? Clearly, producing it is incriminatory. Even if your name isn't in the encrypted file describing the conspiracy, the fact that you have restricted access to it is powerful evidence of your participation. The Supreme Court drew similar conclusions in United States v. Doe (1984), where the Court quashed a grand jury subpoena for Doe's business records. As in Fisher, the Court found that the very act of producing the documents -- entirely apart from their contents -- had Fifth Amendment ramifications.

Does this end the inquiry? Hardly. The complication -- and the great unresolved question -- is the government's ability to grant immunity. Title 18, section 6002 of the United States Code allows prosecutors to compel testimony in return for "use immunity": that is, by promising not to use immunized testimony or evidence derived from it. This statute allowed Congress to compel the testimony of Oliver North (and caused his conviction to be struck down when an appeals court concluded that his testimony had been used against him indirectly at trial). In Doe, the Supreme Court ruled that granting immunity was the only way to force Doe to hand over the documents. Under those circumstances, the government could never use the fact of Doe's compliance against him. (For example, prosecutors could not tell the jury that Doe had produced the documents.)

What the Court did not make clear, alas, is the effect immunity has on prosecutors' ability to use the contents of such documents at trial. The Doe Court did declare -- in a footnote not necessary to the decision, and therefore not binding as law -- that immunity would not always automatically prohibit any use of the documents themselves. But this leaves open the possibility that in some cases such documents would be treated as evidence derived from the testimonial act of production (and therefore inadmissible). The Supreme Court has not clarified this issue, and commentators (and lower courts) disagree on the answer.

More than one scholar has pointed out, for example, that if prosecutors know a document exists only because it was produced under a grant of immunity -- that is, if they had no previous independent knowledge of it from a third party -- then any use of the document at trial is arguably "derivative" and therefore improper. On the other hand, section 9-23.215 of the Department of Justice Manual asserts that documents produced after a grant of immunity "may, of course, be used for any purpose because they are not privileged." How this question will ultimately be resolved is anybody's guess. The current Supreme Court hasn't exactly bent over backwards to interpret the Self-Incrimination Clause broadly. On the other hand, in the North case (and others) federal appeals courts have taken an expansive view of the scope of federal immunity.

What is clear is that there are no guarantees. One day, some crypto user on the wrong end of a subpoena may have to choose between self-incrimination and contempt of court. That prospect should trouble all of us.

A version of this article originally appeared in NetGuide, November 1995. Copyright 1995, 1996 Mark Eckenwiler.