Cat-and-mouse game: Customers demand cybersecurity, law enforcement wants easier access to evidence
Password, Please
As that debate simmers, judges around the U.S., confronted by encrypted data in criminal cases, are compelling defendants to decrypt their devices.
In one recent example, a warrant was issued to search Ryan Michael Spencer’s residence in Aptos, California, including computers and storage devices, for evidence of child pornography. Spencer refused to provide passwords to give law enforcement access to encrypted data on three of his 12 devices, invoking his Fifth Amendment privilege against self-incrimination.
In April, Judge Charles Breyer of the U.S. District Court for the Northern District of California disagreed and ordered Spencer to decrypt his devices. In the opinion, he held that the government had met its burden by showing that Spencer had the knowledge to decrypt the devices.
“A rule that the government can never compel decryption of a password-protected device would lead to absurd results,” wrote Breyer.
Spencer didn’t comply, and the judge found him in contempt of the order and imposed a $1,000-a-day fine until he complied. Spencer notified the court that he will appeal the contempt order to the U.S. Court of Appeals for the 9th Circuit at San Francisco. Plea negotiations to the underlying crimes are ongoing.
Other circuits have set the bar even higher for the government. In 2017, the 3rd Circuit at Philadelphia required the government show “reasonable particularity” that the defendant can decrypt a device. In 2012, the 11th Circuit at Atlanta ruled that to compel decryption, the government must show that the defendant knew the password and that particular, incriminating information was on the encrypted device.
Writing for the 11th Circuit panel, Judge Gerald Bard Tjoflat held that compelling “decryption and production would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files,” which would infringe his Fifth Amendment right.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Moot Point?
While the constitutional contours of this issue will continue to form, the reality is that compelling decryption may not be necessary. But the alternatives still pose a challenge.
Jennifer Daskal, associate professor at American University Washington College of Law, says that before law enforcement compels decryption there should be an obligation to try other means to access the evidence.
Take, for example, the case of Paul Manafort, President Donald Trump’s 2016 campaign chair. According to court filings from June, Manafort allegedly communicated with individuals over Telegram and WhatsApp—two end-to-end encrypted messaging apps—in an attempt to coordinate testimony. Neither app creates or keeps copies of messages sent.
While some of the communications were given to investigators willingly by other participants, documents filed in the U.S. District Court for the District of Columbia show that Manafort’s communications were collected from his Apple iCloud account, which kept backups of his messages. Investigators never needed to access the defendant’s phone.
In August, Manafort was convicted on eight counts of financial fraud in a trial stemming from the Russia investigation.
While opportunities like this exist for law enforcement to uncover otherwise encrypted data, it is easier said than done.
“The inability to effectively identify which service providers have access to relevant data was ranked as the No. 1 obstacle in being able to effectively use digital evidence in particular cases,” wrote Daskal in a 2018 report that surveyed law enforcement officials, technology company representatives and advocates for the Center for Strategic and International Studies, a think tank in Washington, D.C. “Difficulties in obtaining sought-after data from these providers was ranked as a close second.”
Rich Littlehale, technology and digital evidence committee chair for the Association of State Criminal Investigative Agencies, sees this reality in his work.
Littlehale says that if you look at law enforcement email discussion lists that deal with digital evidence “you will see a constant stream of frustrated emails about response times, specific phrasing requirements for legal demands and efforts to get someone on the phone to answer questions.”
requesting digital evidence
It is hard to know exactly how much of this frustration is justified. Transparency reports from Apple, Facebook and Google that summarize the second half of 2017 indicate a majority of law enforcement requests are being fulfilled—at least in part.
Apple received U.S. government legal process requests for 4,450 devices, including search warrants, wiretap orders, pen registers and subpoenas, among others. According to the report, data was provided for 80 percent of requests.
Facebook reported that it produced some data for 85 percent of requests. Similarly, Google reported 82 percent of requests lead to some data being produced.
“An 80 percent response rate sounds good on the surface, until you compare it to traditional warrants that we execute ourselves,” which near a 100 percent response rate, Littlehale says. He adds that companies’ decisions to reject these orders are rarely litigated.
Daskal and her co-author, William Carter, argue in the report that a new “national digital evidence policy” is needed to fill in the gaps between law enforcement and technology companies. They recommend working across local, state and federal law enforcement agencies to track challenges law enforcement face accessing digital evidence, increase education and funding and improve cooperation with service providers.
Littlehale, however, thinks law enforcement may need to go further.
If technology company compliance with court orders continues to lag, he believes that “it may be that we will have to start litigating these [rejections] more and more.”