On February 16, 2016, a federal magistrate judge in the U.S. District Court for the Central District of California issued an order requiring Apple, Inc. to assist the Federal Bureau of Investigation (FBI) in obtaining encrypted data off of an iPhone related to a 2015 shooting in San Bernardino, California. Apple resisted the order. This particular case was resolved when the FBI pursued a different method to access the data stored on the device. But the case, and the heated rhetoric exchanged by parties on all sides, reignited a decades-old debate about government access to encrypted data.
The law enforcement community often refers to their challenge in this context as “going dark.” In essence, “going dark” refers to advancements in technology that leave law enforcement and the national security community unable to obtain certain forms of evidence. In recent years, it has become synonymous with the growing use of strong default encryption available to consumers that makes it increasingly difficult for law enforcement agencies to access both real-time communications and stored information. The FBI has been a leading critic of this trend, arguing that law enforcement may no longer be able “to access the evidence we need to prosecute crime and prevent terrorism, even with lawful authority.” As a result, the law enforcement community has historically advocated for legislation to “ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided to keep America safe.”
Technology companies, civil society advocates, a number of federal agencies, and some members of the academic community argue that encryption protects hundreds of millions of people against theft, fraud, and other criminal acts. Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors. Further, requiring exceptional access to encrypted data would, by definition, prohibit some encryption design best practices, such as “forward secrecy,” from being implemented.
These two outlooks are not mutually exclusive. The widespread adoption of encryption poses a real challenge to the law enforcement community and strong encryption is essential to both individual privacy and national security. A narrative that sets government agencies against private industry, or security interests against individual privacy, does not accurately reflect the complexity of the issue.
Compelled Disclosure by Individuals
Although much of the debate has focused on requiring third party companies to decrypt information for the government, an alternative approach might involve compelling decryption by the individual consumers of these products. On a case-by-case basis, with proper court process, requiring an individual to provide a passcode or thumbprint to unlock a device could assist law enforcement in obtaining critical evidence without undermining the security or privacy of the broader population.
Given evolving technologies and the trend towards using biometrics—like a fingerprint or facial recognition software—to decrypt data, Congress might consider the following questions:
§ Can the government compel an individual to unlock his phone without violating the protection against self-incrimination guaranteed by the Fifth Amendment to the U.S. Constitution?
§ With respect to the Fifth Amendment, is there a substantive or legal difference between unlocking a device with a passcode and unlocking the device with a biometric identifier? Is entering a passcode a “testimonial act,” as some courts have held? Is a fingerprint different in any way?
§ What is the proper legal standard for compelling an individual to unlock a device?
§ Are there other circumstances that would enable the government to compel production of a passcode without undermining the Fifth Amendment?