Computers, Privacy & the Constitution

View   r3  >  r2  ...
WilliamCorsoFirstPaper 3 - 28 Apr 2012 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Encryption, Common Use Assumptions, & the 5th Amendment of the U.S. Constitution

Line: 8 to 8
 As one commentator has argued regarding the tension through contemporary application of the 5th Amendment, "In the pre-digital age, there was a distinct boundary between the information that resided only in our minds and the information that we committed to paper. The former was afforded strong constitutional protection; the latter, much less so." In light of this sentiment, should the law recognize the boundaries of information storage? Especially in the context that the frequency at which people's general utilization of digital media (whether e-mail, text message, chat) has increased to such an extent that it could be argued that keeping files on one's own computer has become so "second nature" the law should afford special protection beyond keeping paper documents in a wooden filing cabinet? Furthermore, are the common assumptions of computer use adequately taken into consideration in the course of the law?
Changed:
<
<
This author would contend that the trends to recognize greater protection for consumers in regard to lengthy "terms of service" that are generally accepted to be read by "no-one," should be used as an analogy to the possibility that the scope and depth of digital storage has become so intertwined with the way people think and behave that its contents should be afforded protection equal to that of the contents of any defendant's own mind. I must ask whether we are at a point in time where the assumptions about the use of technology should in fact govern the use of technology? Or will we continue to allow judicially created rules or contemporary statutes enforce rules of law that would today be both unexpected and have unexpected consequences?
>
>
But this is not the Fifth Amendment issue. As the author of the piece you cite explains, the question there is about the passphrase that is assumed to decrypt a file or a set of files. Everyone agrees that the Fifth Amendment never had any barring effect on the use of papers in a filing cabinet. And the digital files too are "mere evidence," from a Fifth Amendment point of view. But producing the passphrase, like producing a safe combination, is a testimonial act by the party giving it up. This, the distinction between testimony and evidence, is what the engineer authoring the Future Tense piece is adverting to, and which you are surprisingly eliding here.

"Common assumptions" may be relevant not only to the context in which you keep finding them, which is discussions of commercial privacy, but also—one is rather despairingly forced to assume—with respect to the "reasonable expectation of privacy" calculus too often used in Fourth Amendment analysis. But it doesn't have any relevance to Fifth Amendment discussion, which treats the distinction between testimony and evidence as a legal matter, historically informed by disputes over ex officio oaths in prerogative and ecclesiastical courts. I and some other historians wrote a book once about the history of prohibition on compulsory self-incrimination in Anglo-American law. I think it still has some value, and you might find it useful.

This author would contend that the trends to recognize greater protection for consumers in regard to lengthy "terms of service" that are generally accepted to be read by "no-one," should be used as an analogy to the possibility that the scope and depth of digital storage has become so intertwined with the way people think and behave that its contents should be afforded protection equal to that of the contents of any defendant's own mind.

But this is not a form of constitutional argument that had any background in history or current doctrine. This asserts that the evidence in digital files should be treated as though it were testimony, a position that would reverse hundreds of years of independent development of doctrine about searches and doctrine about compelled self-incrimination. Indeed, it would make the idea of "self-incrimination" pretty much irrelevant. The ground on which this proposal stands is that "common understanding" of the privacy of digital material treats our digital files as decisively more private than our papers. I see no evidence for this proposition, and no reason to believe that the constitutional provisions themselves license such a conclusion. The constitutional rule is that papers and other evidence may be searched for and seized on a showing of probable cause or other circumstances amounting to reasonable use of state force. Compulsory self-incrimination is forbidden. (The alternative for securing testimony is immunity, to which we return below.) Mixing those two regimes on a showing of "common understanding" is the same as suggesting in any other context that courts acting alone should change previously-settled legislative or constitutional provisions so they correspond to the preponderance of lay opinion. It's not a persuasive argument, to say the least.

I must ask whether we are at a point in time where the assumptions about the use of technology should in fact govern the use of technology? Or will we continue to allow judicially created rules or contemporary statutes enforce rules of law that would today be both unexpected and have unexpected consequences?

The usual answer to that question is that the common law changes more slowly than surrounding social conditions, but it changes.
 Section II The CFAA Making Everyday Computer Use Criminal?

The Computer Fraud and Abuse Act (CFAA)(18 U.S.C. § 1030(a)(2)(A)-(C))makes it a crime for any person to "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information." The critical question that generally becomes at issue in these circumstances is what constitutes "authorization." Here, the statute makes it a criminal offense to in effect even view a website without proper authorization. The possible result here is that any website can in fact write its own criminal law against those users who utilize a service or any other aspect of the website in a manner that violates the private contract between user and service (the Terms of Service). It can be argued that this is an absurd result that an ordinary person would never expect, even some U.S. Courts that noted (United States v. Drew, 259 F.R.D. 449, 457-462 (C.D. California 2009)) that such a result lacks adequate notice. However, the question that this author feels is most important, in the context of whether the 5th Amendment should protect the compelled disclosure of encrypted files, is in regards to what is the common assumption? Some would argue that it is common knowledge that no one reads terms of service agreements. Thus, can the same be said that it is common knowledge that someone would believe that his or her encrypted data is just as secure as the thoughts inside his or her mind?

Added:
>
>

But there's no real problem here. The issue of notice is sufficient to abate prosecutorial misbehavior, and the principle of lenity in the construction of criminal statutes renders it more than highly likely that courts will read the statute as requiring proof of defendants' knowledge that their access was unauthorized. No defendant will omit to seek such an instruction, or fail to appeal a resulting conviction after refusal, so the issue cannot be avoided in relevant cases. Why should we take this supposed difficulty seriously?

 Section III Should Application of the 5th Amendment Follow Contemporary Assumptions About Computer Use?
Changed:
<
<
In the opinion of this author the answer is yes, and one could argue that to some extent in some jurisdictions the law in some tentative ways reflects this position. In one case a Federal District Court in Florida held a defendant in contempt for not producing unencrypted contents of encrypted files. The 11th Circuit Court of Appeals later overturned this decision. As the 11th Circuit noted the prosecution told the defendant that they would not use the "act of production" against him, but would use the contents of the unencrypted files against him. The question must be asked whether such a statement comports at all with the spirit of the 5th Amendment? Regardless, the 11th Circuit found that the prosecution could not use evidence "derived from the immunized testimony." (immunized testimony being the "act of production"). Furthermore, action in the law that tracks the assumptions of computer users can be found in regards to where the European Union is questioning whether (in light of the recognition that few read Terms of Service Agreements) Facebook is giving its users sufficient notice regarding their privacy. Such a move by the EU could potentially reflect motion to recognize within the law what people actually assume as opposed to the law's varied interpretation.
>
>
In the opinion of this author the answer is yes, and one could argue that to some extent in some jurisdictions the law in some tentative ways reflects this position. In one case a Federal District Court in Florida held a defendant in contempt for not producing unencrypted contents of encrypted files. The 11th Circuit Court of Appeals later overturned this decision. As the 11th Circuit noted the prosecution told the defendant that they would not use the "act of production" against him, but would use the contents of the unencrypted files against him. The question must be asked whether such a statement comports at all with the spirit of the 5th Amendment?

Yes, narrowly. Immunity is the prosecutorial tool to secure testimony otherwise inaccessible because of the rule against compulsory self-incrimination. Conviction, too, makes compulsion possible, of course, because there is no jeopardy arising from incriminating testimony after conviction for the crime. Immunity is a prerogative of the executive, not subject for separation of powers reasons to judicial control, but the court is required as a matter of law to determine when applying compulsion to testify whether the immunity accorded by the prosecutor is as broad as necessary to prevent compelled self-incrimination.

In the case you briefly discuss, the Court of Appeals is correctly determining that "use immunity" for the testimonial production of the decrypted disk drives is too narrow, and that the party subpoenaed was entitled to immunity from prosecution on the basis of anything derived from the testimony, specifically the files contained on the drives. This question, of the relevant breadth of the necessary immunity grant, arises in this case precisely as it would in the case of a demand, for example, for the testimonial production of paper business records of a sole proprietorship, with respect to a future prosecution for personal income tax evasion on the basis of the business records produced.

Regardless, the 11th Circuit found that the prosecution could not use evidence "derived from the immunized testimony." (immunized testimony being the "act of production"). Furthermore, action in the law that tracks the assumptions of computer users can be found in regards to where the European Union is questioning whether (in light of the recognition that few read Terms of Service Agreements) Facebook is giving its users sufficient notice regarding their privacy. Such a move by the EU could potentially reflect motion to recognize within the law what people actually assume as opposed to the law's varied interpretation.

But this is a different legal context in a different legal system. Simply adjoining the two sentences doesn't make the second observation relevant to the first in any way.

What concerns me about this draft is the extent to which it rests on questionable interpretations of the relevant legal doctrine. The constitutional issues are expressed imprecisely, and the thesis of the draft depends to a large extent on the imprecision. The first step seems to me to turn the legal hull upright before seeing what can be salvaged of the cargo.

 \ No newline at end of file

Revision 3r3 - 28 Apr 2012 - 17:59:26 - EbenMoglen
Revision 2r2 - 13 Mar 2012 - 01:35:08 - WilliamCorso
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM