FBI Director James Comey spoke Thursday at Brookings about the FBI’s concerns with how encryption can frustrate search warrants in lawful investigations. The scope of Comey’s remarks goes beyond Apple’s new iOS8 operating system design, but much of it focused on the question of device encryption raised by Apple’s new policy. I wanted to focus on one aspect of Comey’s remarks, the question of whether the government can get access to the contents of encrypted devices directly from a suspect in a criminal case. Here’s Comey:

Finally, a reasonable person might also ask, “Can’t you just compel the owner of the phone to produce the password?” Likely, no. And even if we could compel them as a legal matter, if we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for refusing to comply with a court order to produce his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?

I think Comey is wrong that the Fifth Amendment is a “likely” barrier in the cell phone context, because in most of the typical cases, when the government knows who is the owner of the phone, the Fifth Amendment shouldn’t be a problem. But let me put that issue aside for now and focus instead on the rest of Comey’s comment, and specifically his concern that the punishment for refusing to comply with a court order to produce a password would be so low that the bad guys will just make a rational decision to take the lesser contempt punishment.

One answer to this problem might be to have a different punishment for refusal to comply with a decryption order. Under current law, a refusal to decrypt could be met with civil or criminal contempt sanctions. In theory, criminal contempt sanctions can be very severe. The statute does not impose a maximum punishment. But my understanding is that criminal contempt punishments are largely up to the trial judge, within the confines of 18 U.S.C. 3553, so punishments are not predictable.

AD
AD

Consider a thought experiment. What if Congress enacted a new statute that directly links punishment for the refusal to the punishment for the crime under investigation, so that the punishment for refusal to comply would be set as the punishment for the underlying offense? To be clear, I’m not endorsing this idea. I think it’s worth considering, and it seems better than some other legislative options, but I’m offering it as a thought experiment rather than as my “final answer.” (Sorry if that seems academic and professorial. Not having to pretend you know all the answers is one of the great things about being a professor.)

Let me hum a few bars and see if you like the tune. Imagine a new criminal offense:

18 U.S.C. ____ Willful Refusal to Comply With A Decryption Order
(a) Whoever willfully refuses to comply with a decryption order issued by a court of competent jurisdiction in an ongoing investigation into an offense against the United States is punishable as one who has committed the offense against the United States.
(b) Definitions
(1) “Decryption order” means any lawful writ, process, order, rule, decree, warrant, or command requiring the subject of the order to enter in a password, passcode, or key so as to decrypt or otherwise make readily available encrypted data;
(2) “Willfully refuses” means an intentional and continuing refusal not based on (i) a good-faith assertion of the Fifth Amendment privilege prior to a final judicial ruling on whether the individual has such a privilege, (ii) a valid assertion of the Fifth Amendment privilege as determined by a final judicial ruling on whether the individual has such a privilege, or (iii) a good-faith inability to comply;
(3) “Court of competent jurisdiction” means any district court of the United States (including a magistrate judge of such a court) that has jurisdiction over the offense being investigated.

Under this proposed statute, if the subject of a court order in a federal investigation refuses to decrypt his data in a context when there is no valid privilege, the government could bring a prosecution for the refusal that would carry the same punishment as the offense under investigation. Consider Comey’s example of the child predator. Under the new statute, the punishment for refusal to decrypt would be the same 30-year sentence as the suspect would face for the production and distribution of child pornography.

AD
AD

This presumably changes the calculus from a target’s perspective. True, if a suspect was being investigated for a minor offense and actually had evidence of a major offense on his cell phone, he could rationally refuse and get the punishment for the minor offense. But if the suspect was being investigated for the same offense or a greater offense than he committed, the rational step would be to provide the password.

If Congress were actually to consider this proposal, there would be some hard issues that would have to be addressed. Consider two in particular. First, there’s the timing question. For example, what happens if a suspect refuses to comply for a week before finally changing his mind and complying? Does that count as a refusal? What if he waits until the morning of trial and then caves and enters in the password? What is the time window of the refusal to violate the statute?

Second, there’s the question of what limits there should be on this proposed offense in light of the potential for severe punishment. For example, perhaps the statute should only apply when the decryption order is a probable cause search warrant, or an order related to a probable cause warrant, rather than just any order. Or perhaps there should be a required showing of suspicion that the individual is himself guilty of the offense. Or perhaps the punishment should be the same as the underlying offense up to a certain point, but not including some particularly severe offenses. Or perhaps all three of these limits should be imposed. All of these are possible ways that the new authority could be cabined.

AD
AD

Some of these concerns could be addressed by having a new federal court order, a decryption order, that would have several limits on when it could be issued. You could then have a requirement that any order to decrypt must satisfy the requirements of the decryption order statute. The willful refusal offense could be a provision that is a part of that statute rather than a freestanding criminal offense, thus incorporating the limitations of the broader statute.

A benefit of the proposed willful refusal statute is that it would facilitate enforcing the law in the setting of federal criminal investigations while also allowing Apple and Google and other companies to have the most secure devices they can design. There would be no government-mandated backdoors or debates over expansion of CALEA on the front end. Instead, the government’s concerns could be met by a statute threatening a clear punishment, equal to the crime under investigation, on the back end — after a court has ruled that there is no Fifth Amendment privilege.

Anyway, that’s the idea. Feedback is very welcome in the comment threads.

[UPDATE: I have fiddled with the last paragraph a bit to improve clarity.]

AD
AD