EFF: forced disclosure of encryption password violates 5th Amendment (eff.org)
216 points by there on July 9, 2011 | hide | past | favorite | 75 comments



The only way the password itself can be self-incrimination is if it's something along the lines of "fraudrealestateisfun". The government said, "Fine, don't tell us the content of the password: enter the password so that we can access the contents of what's behind it."

People's arguments that you have an expectation of privacy are irrelevant: you have a genuine expectation of privacy in your home. If the state shows there's a compelling interest to enter your home (i.e. obtains a warrant), you can't stop them. Similarly, you can't stop them from decrypting your data. Well, you can, but you're going to suffer as a result.

Similarly, you don't have to show your hiding places. Suppose you had an encrypted folder structure and one of the folders was hidden to someone who doesn't understand how to see hidden folders. You don't have to say "there's a hidden folder", just like you don't have to say, "There's a false floor." Encryption isn't a 'hiding place': they've found the data.

Encryption is a locked door. The state wants to know what's behind it. Opening your front door to the police holding a warrant isn't self-incrimination (i.e. it in no way points to your guilt or innocence). Similarly, entering the password to your encrypted drive isn't self-incrimination if the state has proved you're the sole possessor of the device.

Although the only way the password content can be incriminating is via the language of the password, the fact that a password works on a particular machine may be incriminating. This is the only line of argument that could work, for what it's worth, and none of these 'privacy' lines of argument. "Your honor, the state has no compelling basis for thinking my client had possession or knowledge of the drive in question. Compelling my client to enter a password on the chance it could unlock the files would prove that they did have possession or knowledge of the drive." &c. But once the state can show it's your encrypted data, it's game over. Fortunately, it's this "foregone conclusion" line of argument that the EFF actually pursues, and not the 'Privacy' line that seems to be popular in these replies.


If you read http://caselaw.lp.findlaw.com/data/constitution/amendment05/... you'll find that there are more compelling lines of reasoning than the one you give.

In particular note the precedent from Hoffman v. United States, which you can find in context at http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=case&..., which says: "The privilege afforded not only extends to answers that would in themselves support a conviction under a federal criminal statute but likewise embraces those which would furnish a link in the chain of evidence needed to prosecute the claimant for a federal crime."

Providing the password obviously could furnish a link in the chain of evidence needed to prosecute the claimant for a federal crime. Therefore it is protected.


Decryption is not about finding data which is inside something, it is about making sense of data you already have. Forcing someone to decrypt something is asking them to provide a plausible explanation of what the data means.

Do not get confused by real-world analogies. When you have a safe, you can map the space within the safe and be sure you aren't missing something. When you have data, you have no way to make sure that a given explanation is the right one.


If I have something illegal and incriminating on my encrypted hard drive, am I not helping incriminate myself by giving the password? That is the basis of the law, and if indeed you are incriminating yourself by providing a passphrase for an encrypted container, you don't have to provide it; in a nutshell you are dead wrong.

Your metaphors about a password being a locked door and this and that are nonsense; a password is not a locked door. A locked door is a locked door. An encrypted file that is password protected is an encrypted file that is password protected. I don't have to let anyone look at anything if I don't want to, regardless if they have a warrant; they will just bust in anyway.

When police have a warrant, lots of times they don't even knock on the door, but just barge their way in. They can attempt to do the same with the encrypted file, they can brute their way in, but you are not required by law to help them accomplish this.

"Although the only way the password content can be incriminating is via the language of the password,". This is you guessing and making things up. This is you spouting your opinion 100%. If I have something extremely illegal on an encrypted container, then giving the password is most certainly incriminating my own self. This fantasy you have that the only self-incriminating that can occur is if the password itself is a sentence stating guilt is the biggest load of bullshit I've read on ycombinator in a long time, wherever did you come up with this nonsense I'll never know.

Your attitude towards bending over and letting any government official rape you is unsettling at the least, and a terrible sign of where our society is at the most. I pray there are as few people sharing your opinion out there as possible, else I weep for the future of society.

Also, please tell me what they could possibly do if one claims to have forgotten the passphrase? Presidents for years have gotten away with everything by stating, "I can't recall" on tough questions; who's to say with all the fuss and scary guns pointed at you during the raid, you totally forgot your passphrase? How could anyone ever prove you actually forgot it or not? Charged with obstruction of justice you say? Imagine if the contents on the encrypted container itself would get me into 10,000 times more trouble than an obstruction of justice charge, then obviously I've done the smart thing.


There is common sense, there is common decency, and there is the Law. As you must know, the law sometimes is neither sensible nor decent.

I think everyone here agrees about the humane thing to do here: never ever force someone to either (i) incriminate herself, (ii) lie under oath, or (iii) risk contempt of court. Similarly, probably everyone here agrees about the sensible attitude towards passwords: never force anyone to give hers.

But the letter of the Law isn't the same. And I think Boredguy8 was talking about the Law.


Detailed. But wrong. Although courts and DAs have tried to argue that a password is like a physical key, or tried to give you immunity for speaking the key, higher courts (e.g. the 5th circuit of appeals) regard giving the password as testimony - and therefore protected by the 5th.

Although passwords are new, combination locks are not. There is a lot of case law on this.

http://www.google.com/search?q=5th+amendment+combination+pas...

"In distinguishing testimonial from non-testimonial acts, the Supreme Court has compared revealing the combination to a wall safe to surrendering the key to a strongbox. The combination conveys the contents of one's mind; the key does not and is therefore not testimonial. A password, like a combination, is in the suspect's mind, and is therefore testimonial and beyond the reach of the grand jury subpoena. "

Edit: Why it matters in this case: FTA "the government seized an encrypted laptop from the home she shares with her family"

The government cannot prove that the laptop is hers. If she provides a password, and it works, she has proven that the laptop is hers, and further that the contents are under her control. Therefore the act of providing the password would be testimony.


This is interesting. In all discussions on this subject, the comparison to physical keys comes up and the trivial conclusion is that passwords are not protected under the 5th amendment. If combinations to wall safes are protected by the 5th, I'd say the situation is clear cut: a password is exactly like the combination to a safe. You'd have to give up physical tokens required to login/boot a device, but not the subsequent password.

This interpretation is strengthened vastly by the fact that the EFF is arguing this case. They are not known for attempting to argue futile points.


> a password is exactly like the combination to a safe

I disagree. A safe is a physical object that contains other physical objects. It can be forcefully opened.

OK, maybe there are some very sophisticated safes that would act exactly like a password, not allowing to extract the objects inside without damaging them beyond recognition.

But I'd say it's the exception. Possibly helped by the safe manufacturers, the police will eventually access the contents of most safes.

This situation creates a different set of incentives. You can open your safe as soon as the judge requests it, or you can wait to be punished for refusing and the safe be opened forcefully later... that will uncover what you were hiding anyway.

Edit: I'd like to add that the punishment for not telling the password is a very, very, very bad idea. It's impossible to produce a password that you don't know. It's impossible to demonstrate that you don't know a password. It's impossible to demonstrate that a file is just a pile of random garbage instead of an encrypted one. Setting a punishment for things that are impossible to objectively know doesn't seem a good idea.


> A safe is a physical object that contains other physical objects. It can be forcefully open.

A computer is a physical object. A hard drive contains data, physically, much like papers in a safe contain data, physically.

And it can be forcefully opened, too - it's merely a matter of magnitude of effort. Cracking a safe could take hours or days, cracking a password could take millennia. It should not be my problem that the government has locksmiths with drills on staff, but not supercomputers capable of breaking encryption.


I suppose it depends on what it takes for the police to be allowed to forcefully open a safe. If the police obtain a warrant to search your premises, are they already allowed to forcefully open safes? I don't expect so, since they have only established 'probable cause' and are looking for evidence, contraband or what-have-you in general, but are not looking for anything specific of which they can reasonably suspect it is hidden in the safe.

I wouldn't expect the case law to be predicated on the fact that most safes can in fact be opened even if the combination is not supplied, specifically because, as you point out, there are safes that would destroy the evidence in such a case. The justification "meh, who cares if he gives the combination, we'll just open it forcefully and obtain the evidence anyway" doesn't hold for, probably the more important, cases.


The solution is to solve a technological problem with an analog solution -- don't know the password, and store it behind a suitable physical barrier.

An example of this is a retail drop safe -- it can only be opened by specific people at a specific time.

At the end of the day, you need to weigh the options. If you are an attorney performing your ethical duty, you have an obligation to rot in jail while the illegal warrant is litigated.


"Detailed. But wrong...The government cannot prove that the laptop is hers."

I wrote, "the fact that a password works on a particular machine may be incriminating. This is the only line of argument that could work...it could...prove that they did have possession or knowledge of the drive." Seems like we're saying the same thing.

At issue here is likely the status of what constitutes a "Foregone Conclusion". In Fisher, the courts established that, "The existence and location of the papers are a foregone conclusion and the taxpayer adds little or nothing to the sum total of the Government's information by conceding that he in fact has the papers. Under these circumstances by enforcement of the summons 'no constitutional rights are touched. The question is not of testimony but of surrender.'"

In Boucher there's clearly not a foregone conclusion, and the motion to quash the grand jury subpoena was upheld because the password's production was "purely testimonial." Here, it might not be "purely testimonial."

Also, for what it's worth: having a password is certainly better than locking a system via biometrics. At least with a password, the law is (currently) indeterminate. Biometric locks: you're screwed.


So why can't everyone just claim they forgot their password? Additionally, what stops you from setting up some kind of hard drive degausser inside your case that is set to go off if the case is moved? Would you be responsible if the police officer removing your computer from your home inadvertently set off the degausser?


Wouldn't discovery of a degausser setup be equivalent to premeditated destruction of evidence?


Not if you had it set up prior to any sort of court order to degauss the drive regardless of who tampers with your system or why. For example, Coca-cola might do that on a manufacturing system that controls the quantities and timing of the raw ingredients to produce the formula and is evidence only that they want to protect it. However, once the court has ordered you to turn over your system as evidence, you can't simply point and say "Sure, it's over there... take it" knowing full well that it will get wiped as soon as it's moved. That would be destruction of evidence.


It would be the definition of destruction of evidence.


I am not a lawyer. This type of device can have legitimate use as well though. Think about if you are the guy that knows the coca-cola recipe. The destruction of the recipe by hd degaussing is good when a competitor comes to your office and steals your computer. Though, you would need a pretty large degaussing device to erase the hd beyond forensic analysis.


Absolutely not. As another poster pointed out, if it predated the court order, it would be 100% legit. Say I wanted to make sure my data was safe in the event of theft? Wiping the data on movement would be a clear way to do that.


I thought about that, but wouldn't it only be destruction of evidence if YOU were the one that destroyed the evidence? Just because it was set off when the cop/FBI/whomever moved your computer doesn't mean you wanted it to happen, right?


Encryption is not just something computers can do. You can encrypt your handwritten notes. If you do so, can the government compel you to tell them what you have written? If they cannot, how is this different from having a machine act as your agent in the encryption?


Great point. I am reminded of organized crime outfits who keep two ledgers, the real one being encrypted. There has to be some case law on that somewhere.


I agree that this is the best analog. I posed the same question in a similar discussion a couple of weeks ago. Can the government compel a defendant to decode a handwritten note or provide the key to the cipher? If so, this is the applicable precedent, much more than safes or doors. As a sibling comment states, there has to be case law on this. I'd be interested in the comments from any HN users in the know.


I am not a lawyer, but note that the original article (describing an amicus brief filed by the EFF, which is essentially an argument submitted by a party not involved directly in the case) is talking about 5th amendment rights, not 4th amendment.

The 4th amendment covers search and seizure (the case of a locked file cabinet inside a home for which a proper search warrant has been obtained), while the brief is focused on the 5th amendment question--is providing a password testimonial? The key question is not whether the information on the laptop must be disclosed to the government (we assume the subpoena is proper and if the laptop were unencrypted, the government would have the right to use it at trial), but whether the act of providing the password demonstrates a key element of the crime: that the defendant had control over the laptop and can therefore be assumed to have been aware of/responsible for the creation of its contents.

In other words, is providing the password a neutral fact--as in Hiibel vs. 6th Judicial District of Nevada, where the Supreme Court found a law requiring individuals to provide a name when stopped legally by law enforcement--or is it self-incriminatory?

The Supreme Court has ruled on similar questions in several instances. See http://volokh.com/posts/1197763604.shtml for a discussion from a law professor who specializes in 4th/5th amendment issues.


I am not a lawyer either but I see the courts going the "neutral" route.


Actually...there is a post above about "link to evidence", so I can see how that would work out now. Ignore the above post.


Encryption is not like a safe. In a safe, you close the door, lock it, and the contents remain unaffected. Cutting through the back of the safe would yield the same contents. In this way, safes are more like BIOS passwords. The password is written to the hard drive and the BIOS acts as a gatekeeper. However, there's no reason you couldn't use a BIOS designed to ignore the presence of a password.

If we were to design a physical analog to encryption, it would be more like a matter scrambler. You place your diamonds, jewels, insurance papers, etc. (or, in this case, incriminating evidence) onto a platform and enter a password. The contents of the platform are TRANSFORMED into a pile of pebbles, dirt, and dust which you sweep into a bag. The bag's contents are indistinguishable from anything else in your yard (Remember, GOOD encryption is indistinguishable from randomness as both encrypted data and random numbers do not compress well). The proper password will cause the matter scrambler to reproduce the valuables but otherwise will just yield more dirt, dust, and pebbles.

It is therefore an ACTIVE process to reproduce incriminating evidence in a case by decrypting data. One is not providing access to already existing evidence, one is PRODUCING it from pure garbage.

Ordo ad chao ac ordo ab chao.


And TrueCrypt's plausible deniability lets you provide a password that reconstitutes the scrambled matter back into a McDonald's Happy Meal.


In a whirlwind of broken analogies and broken precedent, one question seems to be largely missing: what grants the federal government the power to compel someone to assist in their own prosecution?

The 4th Amendment, via the warrant provision, grants the power to search places and seize persons or things. It does not grant the power to compel individuals to open their doors or put on their manacles.

The 5th states in part: "nor shall [any person] be compelled in any criminal case to be a witness against himself". Many act as if the existence of a specific prohibition is a grant of power in every other area.

Alexander Hamilton's objections in Federalist No. 84 seem quite prescient:

> I go further, and affirm that bills of rights, in the sense and to the extent in which they are contended for, are not only unnecessary in the proposed Constitution, but would even be dangerous. They would contain various exceptions to powers not granted; and, on this very account, would afford a colorable pretext to claim more than were granted. For why declare that things shall not be done which there is no power to do? Why, for instance, should it be said that the liberty of the press shall not be restrained, when no power is given by which restrictions may be imposed? I will not contend that such a provision would confer a regulating power; but it is evident that it would furnish, to men disposed to usurp, a plausible pretense for claiming that power.

The great unintended consequence of modern constitutional arguments has been to change the perception of the federal government from one defined by a closed set of powers, into one defined by a closed set of prohibitions.


I am somewhat on the fence with this one. If the police come to your house with a warrant, they have the right to search your house. You cannot actively stop them, but do you have to help them search your place? I.e. do you have to open the door or hand over the keys to the house? Or - maybe more to the point - show them where your hiding places are?

IANAL, but my gut reaction would be that on ethical grounds you do not have to help in the collection of evidence against you. If the police cannot decrypt your drive that is their problem, not yours.


I was under the impression that previous rulings with regards to safes and keys did not carry over to combinations, i.e. one could be compelled to surrender a key but not the combination to a safe. Whatever the case, I think it's foolish to argue by analog.

Do you think the government ought to have the right to invade a person's mind and analyze its contents? I find that idea repugnant - under no circumstance should the mind be available to third party scrutiny. Personally, I consider my laptop as an extension of my mind. Much in the same way I don't go around sharing every errant thought I have with the world, I have password protected my laptop and encrypted its contents.

I concede that my personal feelings do not make for a convincing argument, so instead consider this: In the future, probably in the very near future, computers will directly interface with the brain and will provide all sorts of computational assistance - information search, number crunching, memory storage and lookup, communication we can hardly dream of... Cybernetic implants would indeed be an extension of one's mind, and I think most of you here would argue for its protection. The users of these devices would be living in a dystopia if they had to censor their thoughts and usage of their cybernetic brains!

And well, frankly, I don't see much of a difference between a neural interface and a digital (fingers) interface.


> Do you think the government ought to have the right to invade a person's mind and analyze its contents? I find that idea repugnant - under no circumstance should the mind be available to third party scrutiny.

Governments are already doing that. There are already numerous precedents for compulsory polygraph tests[1], which would provide a precedent to use a more effective mind interface.

[1] eg: http://en.wikipedia.org/wiki/Polygraph#Use_with_sex_offender...


Suppose you've been charged with a crime and the police have obtained a warrant to seize the contents of a safe you keep in your house. American courts have ruled that the 5th Amendment does not protect you from being compelled to open the safe.

That precedent doesn't bode well for this case. I don't see a qualitative difference between the contents of a safe and those of an encrypted drive.

One workaround: fail-deadly. Automatically wipe the encrypted data if the password isn't entered every n days. With a small enough n, the courts can't move fast enough to get the data before it's gone. (Whether this scheme constitutes obstruction of justice, I have no idea.)


The difference is that any safe can be opened anyway in a few hours. A judge faced with a defendant unwilling to reveal the combination to a safe would figure he was just making things difficult, order a locksmith and find him in contempt. Requiring people to reveal safe combinations doesn't change their legal rights, it just saves time and mess.

A properly encrypted disk is undecryptable by anyone, and owners have a genuine expectation of privacy for things on it. So revealing the key materially affects the evidence. It is clearly something the 5th amendment was meant to protect against.


Which raises the question, what if you had a safe that was practically impossible to open without the key? Let's say it's made of 100ft thick carbon nanotubes or it has a really good self-destruct mechanism. Do you get 5th amendment protection just because you have a really good safe? Doesn't seem quite right.


Not true. A properly encrypted disk can be opened in a few thousand or million years. The judge can just order a decryption specialist and find the defendant in contempt.

Unless you're saying it's about "how inconvenient" it is? Because there is no encryption on the planet that is 100% impossible to decrypt.

I am perhaps being a bit snarky, but I think it's a valid question. You pose it like disk encryption is impenetrable, which it is not.

Edit: normally I don't care about downvotes, but I would really like to know this time; why do you believe it not valid? I am interested in what you have to say.


OTPs are 100% impossible to decrypt in absence of the key material. Mathematically guaranteed.

Of course nobody uses OTPs with hard drives, but people most certainly do use/have used OTPs manually.

Furthermore, citing the difference between "few thousand or million years" and "undecryptable by anyone" is unnecessarily pedantic, not to mention wrong. There have been no documented cases of people living more than a few years over one tenth of a thousand years, so such a drive would be undecryptable to anyone.


I haven't downvoted you, but I think OP made a valid point highlighting how encryption differs from a safe, while you are, in my opinion, nitpicking on details.

For the practical purposes of a trial, I believe a well encrypted drive is 100% impossible to decrypt, while a safe is relatively easy to open. Again, the point here is to assume good faith and think about a real situation, not if it's hypothetically possible to decrypt it.


> ... you are, in my opinion, nitpicking on details.

Isn't that more-or-less the practical definition of what lawyers do? Isn't this more-or-less what the courts are for?


You are right (I upvoted you :). Given current technology it is not reasonably possible to decrypt strongly encrypted data, however - there is strong evidence that using quantum computers this task is a matter of seconds. This technology is well defined theoretically already, just not reasonably implementable so far, which might be just a matter of some decade of time. In this respect, an encryption is the virtual equivalent of a safe, yes.

There is a complete other point I want to bring to your attention - our computers not only contain evidence, they also (might) contain lot of private and sensitive data, things you don't want anybody to know and where constitutional protection might fit since it's unrelated (I'm not knowledgeable in the respective laws though, that's why I say 'might'), like a mental cache, and also hyper-links to other unrelated storages and networks (you can store much more virtual things on a computer than in a physical safe) - this makes a computer and its disk somewhat different from a safe. It can potentially contain anything and the government would get access to a chain of homes like wandering through worm-holes because they were given one important entry code. This might affect the privacy of several other people, and they might not agree with that procedure. What is the law saying here? Are we going to be forced to use separate computers for each task? rofl.


Quantum algorithms such as Shor's Algorithm give us a complexity improvement, as in "make it easier to solve". They don't say a thing about how long it will actually take as the clock ticks. That's dependent entirely on hardware that 1) doesn't properly exist yet, and 2) will likely be incredibly slow for many years and will take quite a while to even become large enough to load the problem.


Given ldar15's assertion that you are not required to give up the combination to a safe, I wouldn't expect a court to be allowed to order the destruction of your property, unless they have strong evidence that something useful may be in the safe. But they usually don't: they want to open it because it may contain evidence. Not because they strongly expect it does.


> Whether this scheme constitutes obstruction of justice, I have no idea.

Not a lawyer but...

Courts seem to treat programs as proxies for their owners so if it's a program actively doing some kind of destruction then it probably would be. If you could ensure passively, that the data would become unusable after a certain time period it wouldn't.

A physical example would be a briefcase rigged with small explosives. Opening it without the code or waiting too long to enter the code would trigger it to destroy the contents. I imagine this would be considered willful destruction of the contents. On the other hand, if the materials inside could decay into ash in a short time period, then it's not willful destruction.


That would probably be the best defense. If the destruction was carried out as part of a regularly scheduled program instead of as a specific response to law enforcement's demand for the data, you might be alright.

Lots of companies automatically delete all email older than six months for this exact reason, actually.


According to a post I read a while back on the Cybercrime Blog, you cannot prevent authorities from opening the safe or refuse to hand over a physical key (with a lawful warrant, at least), but you are under no obligation to provide a combination. I'm pretty sure the combination thing was SCOTUS precedent, but I'm not 100% certain.


But you've handed them the data. You gave them (or let them take) the hard drive. You've opened the safe. Now they're expecting you to explain its contents and how they incriminate you.

I am required to open my safe for you. I am not required to decode the encryption I perform by hand (or with my graphing calculator).


i think they could argue obstruction/destruction of evidence with the dead-man's switch thing. although a legit counter argument is the wipe is a general security measure to protect the data. if we saw phones as if they were our credit/debit cards that would be a perfectly reasonable security measure to prevent against theft.


On the contrary. If the safe requires a combination, the higher courts have held that the 5th protects you from giving it up.


This is from the 5th Circuit Court of Appeals in Texas, and makes for interesting reading:

http://ftp.resource.org/courts.gov/c/F3/272/272.F3d.748.00-5...


Most of the comments and articles about this issue focus on encryption, but I'd argue that authentication is a far more important part of this discussion.

When using stream ciphers you have two pieces of data of exactly the same length, which you merge (XOR) together to get a third piece of data.

(Stream ciphers are essentially just a way to extend your short piece of random data into the longer piece of data -- keystream -- of the message length).

Thinking this way, "key" is not at all like door key, not a combination lock, and not instructions for constructing data -- it's just another piece of data, which you possess, maybe in your mind only. It's called "key" only for convenience.

Now, after encryption, you own two pieces of information -- keystream and encrypted text. There is no right way to produce the original data unless you know what the original data is: any way of combining encrypted texts with any other data will produce correct results, but not always the original data. The meaning of the result depends only on interpretation; and the only way to learn with 100% certainty that the decrypted data is really the original data is to ask you (provided that you don't lie). For example, it is theoretically possible that "I love US" encrypted with one keystream and decrypted with a different keystream will produce "I'm a spy", but only you can certify that this interpretation is wrong, because you know what the original said. And the only way to learn this, is to ask you to testify against yourself.

The way to have an interpretation that the decrypted data is the original data with less than 100% certainty, but without having to ask you, is to use authentication. You have authenticated data, for example, by applying some authentication function, and providing the result of the authentication function along with the encrypted text. What do authentication functions do? They tell, with some limited but high probability, that you used this keystream and/or that plaintext to produce encrypted text. Let's say, you used HMAC for authentication. By applying HMAC with your "key" (it can be derived from the encryption key or just a new piece of data), for example, to encrypted text, you certified that this "key" was used to encrypt original data. Is it an act of testifying against yourself to provide the piece of information (authentication key) that will tell with high probability that the original data is the decrypted data (or the keystream is the one used for encryption)?

(PS I know that courts don't deal with 100% certainties, but forget about it for a moment :)
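The keystream ambiguity and the HMAC check described in the comment above, as an added example that is not part of the original thread. The function names and the "mac-key" derivation label are assumptions of this sketch; the comment only says the authentication key may be derived from the encryption key.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (keystream encryption/decryption)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def alternative_keystream(ciphertext: bytes, wanted_plaintext: bytes) -> bytes:
    """Keystream under which the same ciphertext 'decrypts' to any chosen text."""
    return xor(ciphertext, wanted_plaintext)


def derive_mac_key(keystream: bytes) -> bytes:
    """Assumed derivation: the MAC key is HMAC-SHA256(keystream, label)."""
    return hmac.new(keystream, b"mac-key", hashlib.sha256).digest()


def make_tag(keystream: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag stored next to the ciphertext."""
    return hmac.new(derive_mac_key(keystream), ciphertext, hashlib.sha256).digest()


def claim_is_consistent(claimed_keystream: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """True only if the claimed keystream reproduces the stored tag."""
    return hmac.compare_digest(make_tag(claimed_keystream, ciphertext), tag)


def demo(keystream: bytes = b"") -> dict:
    original = b"I love US"   # constructed sample plaintext from the comment
    decoy = b"I'm a spy"      # same length, so a matching keystream exists
    keystream = keystream or secrets.token_bytes(len(original))
    ciphertext = xor(keystream, original)
    tag = make_tag(keystream, ciphertext)
    other = alternative_keystream(ciphertext, decoy)
    return {
        "real_decrypt": xor(ciphertext, keystream),
        "other_decrypt": xor(ciphertext, other),
        # Without the tag both keystreams are equally plausible;
        # with it, only the keystream that made the tag verifies.
        "real_claim_ok": claim_is_consistent(keystream, ciphertext, tag),
        "other_claim_ok": claim_is_consistent(other, ciphertext, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without the stored tag, nothing distinguishes the two keystreams; with it, a verifier can tell which one was used, with probability bounded by HMAC's forgery resistance rather than certainty.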


I am not an American, but I can't imagine that this will ever hold up.

In a world where filing cabinets and office safes are vanishing, the courts would be cutting off access to a major source of evidence they need for successful prosecutions. Financial crimes would become much harder to prosecute, and many "digital" crimes could become impossible.

I just can't imagine your government allowing that. The only alternative I can imagine is them making unbreakable encryption illegal for civilian use.


Illegal strong encryption was, in fact, the law for many years. It was changed only when it was realized that the lack of robust security was harming the emerging "e-commerce" markets. Certainly it wasn't due to a concern about 4th and 5th amendment rights.


Certainly the export of strong encryption technology was illegal, but the domestic use was not as far as I'm aware. Which law made strong encryption illegal?


Strong encryption was never illegal, but there was speculation that the Clipper chip[1] was the first step towards making it so.

[1] http://en.wikipedia.org/wiki/Clipper_chip


Would it be totally ridiculous to argue that the encryption key is more like instructions for constructing data?

"Take these raw materials, and run the machine according to these instructions:" seems functionally equivalent to "take this chunk of useless data, and run the machine according to this decryption key:". An incorrect decryption key produces data, it just produces garbage data, yes? This would be the same as providing poor instructions to the machine.

In this way, the court isn't asking you to reveal evidence, they're asking you to construct it for them.

Once it's been encrypted, it's been destroyed. "Decrypting" is analogous to "rebuilding".


The decryption key doesn't construct data any more than the combination to a safe constructs the papers inside it. The data exist independently of anyone's ability to read them.


I disagree. It is entirely possible to have a set of bits that can be 'decrypted' with different keys producing different results. One key might produce a set of cartoon pictures, another might produce financial records. The simple safe analogy seems to break down around this. Only one key unlocks a safe. Every key can be used to decrypt something that is encrypted, but unlike a safe, it's not guaranteed that what goes in comes out. I would argue that the data only exists if it can be read and that providing a mechanism for reading the data is establishing the existence of the data.


What does that mean for XORing your data with an equal-sized chunk of truly random data (pulled from, say, http://www.random.org/ )? From an information standpoint, the data is gone because the result is also truly random, and doesn't exist any more except in the combination of the output and the key.


The purpose of encryption is to obscure and prevent access to data, not store it.


Under that definition encryption equals /dev/null. It's a way to store data while limiting access to said data.


That's all a matter of perception though, no? Encryption is capable of storing data, therefore it can be used legitimately to do that. Just like most people use fans to cool people down during the summer, but people also use fans on large semi-rectangular pieces of metal to create hovercars.


I support the EFF in this case because the government is trying to compel this woman to assist in her own prosecution and I feel that is just plain wrong.


This seems obvious to me. Why is it up for debate?


The counter argument is that the encrypted hard drive is like a locked filing cabinet in your house, which can be searched if a proper warrant is obtained.


One could also say an encrypted hard drive is like the GPS location of a coffin containing a dead body. Can the authorities compel you to reveal the GPS coordinates of the body? If you deny any knowledge or reveal that you "forgot" the coordinates, could you be compelled to provide access to the evidence? What about GPS coordinates to a stash of drugs? At what point does revealing incriminating information become protected by the 5th amendment?


Do you need to provide a key for a locked filing cabinet to the authorities though? They are free to break the lock with a proper warrant.


You don't need to provide the key, just access to the contents. Or they can break the lock. But an encrypted drive is like an unbreakable lock.


If you had an uncrackable safe could they compel you to open it though?


Yes. They can't compel you to give them the means to open it (e.g. tell them the combination), but you can be forced to open it for them.


Then if you are guilty say of murder, the best strategy is to refuse. In that case, you'd be only liable for contempt of court.


That depends on whether they can hold you indefinitely for contempt of court. It has been my understanding that in some jurisdictions, they can.


Until there is a law on the books or a judicial precedent it's debatable.

The state/prosecution understands this process and will move forward until the above debate is settled.

I understand it as providing your passphrase/word is providing what you 'know', one of the three tiers of authentication. This in itself is testimony.


"Enter Passphrase for /Devices/DOOMSDAY/:"


IANAL, but the 5th circuit appeals court has ruled that the 5th amendment means that a person cannot be forced to give up the combination to a lock. It is informational, and it is testimony.

Any discussion of a physical key is without merit. A physical key is not the same as an "encryption key". For the purpose of law, an "encryption key" is the same as a combination to a safe.

There's actually a ton of precedents on this. Google 5th amendment and combination lock.

The reason it is testimony is because if you provide a password and it works then you've just proven that the contents are yours: you have incriminated yourself. If the prosecution can prove that the contents are yours without the password, then at that point you can be forced to give up the password.

Takeaway: your encrypted drive had better have a different password than your login, and you'd better be able to deny that it is yours.

EFF will win.


Knowing the password to encrypted data does NOT prove that the data is yours. People often know other people's passwords.


If the data is incriminating then you may be just as liable under the law.



