Sabrina I. Pacifici of bespacific calls attention to a newly released CRS report by Richard M. Thompson II, Legislative Attorney, and Chris Jaikaran, Analyst in Cybersecurity Policy: Encryption: Selected Legal Issues
In 2014, three of the biggest technology companies in the United States—Apple, Google, and Facebook—began encrypting their devices and communication platforms by default. These security practices renewed fears among government officials that technology is thwarting law enforcement access to vital data, a phenomenon the government refers to as “going dark.” The government, speaking largely through Federal Bureau of Investigations (FBI) Director James Comey, has suggested that it does not want to ban encryption technology, but instead wants Silicon Valley companies to provide a technological way to obtain the content stored on a device for which it has legal authority to access. However, many in the technology community, including technology giants Apple, Google, and Facebook, and leading cryptologists have argued that it is not technologically feasible to permit the government access while continuing to secure user data from cyber threats. This problem is exacerbated by the fact that some suspects may refuse to unlock their device for law enforcement.
The current debate over encryption raises a wide range of important political, economic, and legal questions. This report, however, explores two discrete and narrow legal questions that arise from the various ways the government has attempted to access data stored on a smartphone. One method has been to attempt to compel a user to either provide his password or decrypt the data contained in a device pursuant to valid legal process. This prompts the first question: whether the Fifth Amendment right against self-incrimination would bar such a request. Generally, documents created independent of a government request (e.g., a photo stored on a camera) are not entitled to Fifth Amendment protection because their creation was not “compelled” by the government as required under the text of the Amendment. However, the act of unlocking the device may have testimonial content of its own (e.g., it may demonstrate that a suspect had access to the device), which may trigger Fifth Amendment protection. While there are a handful of lower court rulings and a growing body of academic literature on this issue, there is only one appellate case applying the Fifth Amendment to compelled decryption and, as of the date of this report, no Supreme Court case law.
The other method is going to the company and requesting its assistance in unlocking a device, which prompts the second question: whether the All Writs Act—a federal statute that provides federal courts with residual authority to enforce its orders—can be interpreted broadly enough to cover compelled assistance on the part of the device and software manufacturer. This question is the subject of ongoing litigation—including government requests to access the iPhone used by the San Bernardino shooter—in various federal district courts and is likely to engender similar litigation in the future. This inquiry will largely hinge on whether the request would impose an unreasonable burden on the company and whether it would be consistent with the intent of Congress.
This report first provides background to the ongoing encryption debate, including a primer on encryption basics and an overview of Apple, Google, and Facebook’s new encryption policies. Next, it will provide an overview of the Fifth Amendment right to be free from self-incrimination; survey the limited case law concerning the compelled disclosure of encrypted data; and apply this case law to help determine if and when the government may require such disclosures. The next section of the report will provide background on the All Writs Act; explore both Supreme Court and lower court case law, including a discussion of United States v. New York Tel. Co.; and apply this case law to the San Bernardino case and potential future requests by the government to access a locked device.