Reviewing how third parties could potentially enforce decryption of encrypted data, like that held in personal digital devices


The viewpoint is particularly in relation to North America's Fifth Amendment right to avoid self-incrimination and that no person shall “be deprived of life, liberty, or property, without the due process of law”. Written by Aloni Cohen and Park Sunoo, the following article was also published in the Harvard Journal of Law and Technology [204] A handful of the more compelling highlights include;


Encrypted data alone may be an insufficient basis for a government or agency to gain either a warrant or approval for continued investigation. In other words, data being encrypted can prohibit the ability to prove a necessity for conducting further investigations


The seizing of a device can be differentiated from enforcing the device's owner to comply with say the physical act of completing biometric unlocking [or various forms of equivalent password entry]. As with the ordering of finger-print scanning for retrieving newly readable encrypted data, the act results in "compelled decryption"


Presence of additional [random] data may or may not indicate that there is indeed noteworthy or worthwhile encrypted content. Without the password data appears randomized when encrypted and as such, it could actually just be random data. This ambiguity or uncertainty does not allow presence of seemingly random data to represent a ‘forgone conclusion' which would thereby mandate compelled decryption. In fact and quite obviously, decryption of random data is impossible - be it compelled or otherwise


Headline cases and controversies of the FBI compelling Apple to decrypt user's data somewhat misses the point. Both external third party's operational stipulations are essentially concurrently mandated. With end-to-end or personal encryption capacities, only the user(s) and not say a corporation would hold the ability for said data's decryption. In such comparisons, to have either external third party [i.e. anyone other than users themselves], holding data decryption capacities would be, for those users, to trust a corporation in a manner directly akin to trusting a government or agency itself


GPS and other personal digital device capacities, such as voice-search, may allow new and increasingly complex methods for agencies and corporations to, partially or fully, independently automate largely comparable forms or types of compelled decryption, whilst possibly doing so without the owner's knowledge


In light of the Fifth Amendment, the very act of compelled data decryption must be predicated on the authentic existence of pertinent, underlying [encrypted] data. To quote the article, “Neither the courts nor the academic literature on compelled decryption have clearly distinguished between physical and conceptual existence”


Thoroughly researched and reasonably well detailed, the article touches on a range of interesting considerations and cases

While ongoing refinement of legislation will undoubtedly clarify formal procedures yet, your capacity for making and keeping choice personal is one to never forget

news +


law &