I previously linked to an article about a Federal Court case regarding a prosecutor’s ability to force you to give up the password needed to decrypt a hard disk. The defendant in the case, accused of bank fraud, argued that she has a Fifth Amendment right against self-incrimination.
Well, this week the judge ordered the defendant to give up the password so the laptop could be decrypted. The case wasn’t definitively settled – the order was only given because the prosecutor could already prove the laptop was hers, so the password itself wasn’t incriminating, even though the information on it might be. If the computer had multiple owners or if the disk had been found and only circumstantially connected to the defendant, it’s possible they would have ruled differently.
I previously asked “What’s to stop the defendant from saying they forgot the password?” At the Volokh Conpiracy, there’s a lengthy answer – basically, if you claim to have forgotten the password and it’s an obvious dodge, you’d be held in contempt.
There are probably some clever technological workarounds to this issue – I think that this method from Bruce Schneier could probably be adapted for the purpose of dodging forced decryption. The article is about taking a laptop across international borders – he advocates an additional layer of encryption with an impossible to remember key that’s forwarded or kept with a trusted friend. Of course you can’t do that every time you log on/off your computer – but there might be a “cloud” solution, where a 2nd key is stored offline, and is automatically deleted after a certain period of time if unused. That way, if you’re arrested, you only have to hold out for a little while (presumably by appealing the order to give up the password) – by the time you are no-kidding forced to give the password up, you can honestly say the disk can’t be decrypted.