One of the biggest tech stories of 2016 surrounded the case of the San Bernardino shooter, in which the FBI sought Apple’s help to unlock the attacker’s iPhone by creating a backdoor into the company’s mobile OS last spring. And while the furore over that incident has died down since, we still haven’t reached a resolution as to whether we have the right to keep our digital secrets under any circumstances.
The story that brings this debate back into focus concerns former Philadelphia police sergeant Francis Rawls, who was suspected of hoarding images of child sexual abuse on his computer in August 2015. When Rawls said he couldn’t remember the passwords to disable the FileVault feature that encrypts hard drives when you log out on your Mac, he was taken into custody for failure to comply with a federal court’s order.
As of today, Rawls has spent more than 16 months in a federal detention center without actually being charged with a crime.
Rawls was compelled by the court to decrypt the drives when local authorities cited the All Writs Act, a law enacted more than 227 years ago. It was previously used to coerce Apple to help bypass the security measures on the San Bernardino shooter’s iPhone. However, that case was dropped when the FBI found another way that cost them a million bucks – and revealed nothing of interest on the handset.
In examining whether Rawls should be released as he hasn’t yet been charged for possession of illegal pornography, the larger issue we should consider is whether people have a right to maintain their digital privacy.
We don’t yet have legislation to dictate how our data can be accessed by law enforcement agencies in criminal investigations, and what sort of assistance suspects must provide in these instances.
It might help to unpack Rawls’ case into two distinct issues: His alleged possession of images of child sexual abuse, and the act of keeping a secret.
With the former, if there is concrete evidence to prove that Rawls broke the law, I believe that he should be prosecuted to the fullest extent with a fair trial. But in keeping a secret by using encryptable hard drives, Rawls hasn’t done anything illegal.
I think that the choice and the right to keep something secret are sacrosanct – whether you do so by only storing it in your mind or by purchasing an encryptable device. As human beings, secrets, big and small, are fundamental to our complex lives. Choosing to keep digital secrets shouldn’t be grounds to raise suspicion about our actions and intentions.
In the US, the Fifth Amendment of the Constitution provides that no person shall be compelled in any criminal case to be a witness against himself, without due process of law. There are similar protections in the Indian Constitution and Canada’s Charter of Rights and Freedoms. That means that a person can’t be coerced to reveal something stored in their minds, like a decryption password.
If we consider a case like the one involving Rawls, we need to look at the evidence pointing to his wrongdoing and decide whether there’s even a need for Rawls to decrypt his data by recalling a password. Can the police prove unequivocally that he downloaded illegal content – which they can specifically identify – to those two hard drives that he owns, and that those files exist on those drives?
There’s most likely no way to prove exactly that, particularly the bit about those specific hard drives being used to store data. However, even in a case involving something as disturbing as child sexual abuse, we shouldn’t have to assist law enforcement in discovering evidence against ourselves.
The choice for a society to uphold the sanctity of our right to keep digital secrets doesn’t necessarily need to lessen the degree to which it investigates and prosecutes criminals. However, law enforcement will need to keep that right in mind when determining their approach towards investigating cases.
As if that isn’t tricky enough to come to terms with, things get especially complex when you think about how people might be compelled to divulge their digital secrets. If a hard drive is encrypted and the defendant says they don’t remember the password for it, as Rawls did, how do you get them to reveal what’s in their mind without throwing ethics out the window?
In October 2014, a Virginia court ruled that suspects can be asked to unlock their phones using their fingerprints; passwords and PINs stored in your memory were still safe. But last December, the Florida Court of Appeal’s Second District said that passcodes are not related to the contents of a locked or encrypted device, and as such, the law can demand that passwords be surrendered by suspects to help unlock data.
So where does that leave Rawls? Acting as a friend of the court, The Electronic Frontier Foundation (EFF) noted in a brief that (PDF) that “compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them. The Fifth Amendment provides an absolute privilege against such self-incriminating compelled decryption.”
As Ars Technica explains, the appeals court’s decision on whether to release Rawls or continue to detain him won’t end this debate, because circuit courts of appeal in the US aren’t obligated to follow the decisions of their sister circuits; it’ll take a call from the Supreme Court to determine how such instances are handled in the future.
But before that happens, we need to think about how important secrets are to us as a species and as a society. Should we unlock our private data just because a key exists?
Let me know what you think by writing in at [email protected], or share your thoughts in the comments.
Update (23 March 2017): As of today, The Guardian reports that Francis Rawls has been in prison for roughly 18 months without being charged with a crime, for refusing to unlock his encrypted hard drives. He may remain there indefinitely until he complies with the court’s request.