CFP96 Plenary Session

Before the Court: Brief for the Appellant

This CFP session will be an appeal of the following (fictional) Appeals Court decision:
Argued February 29, 1995 Decided December 25, 1995

No. 953213

UNITED STATES OF AMERICA,
APPELLEE
v.
CHARLES F. WOODBURY,
APPELLANT


Brief for the Appellant

INTRODUCTION

This is a case about applying traditional Constitutional restraints on the Government's access to private information to the new Electronic Age. As individuals expand their everyday lives onto electronic frontiers through media such as the Internet and electronic mail, they seek, as in everyday life, to establish privacy for those intimate matters conducted in the electronic world. And with the dawn of cyberspace, the security of information has become far more important than it ever was before, for information is the medium, the currency, the lifeblood of electronic communication and commerce. Nevertheless, with the Cryptography Control Act of 1995, the Government seeks to treat the privacy of individuals as necessarily subordinate to the State's own interests. But as has been shown before, and will again be demonstrated below, the genius of the United States Constitution is that it is not a static set of rules intended to preserve the status quo, but a living document which adapts to protect the rights of individuals as our society grows and develops -- even into cyberspace.

STATEMENT OF THE CASE

In March of 1995, an unidentified informant implicated the defendant, Mr. Woodbury, (falsely, as it turns out) in a scheme to distribute narcotics via connections made on the Internet. In the process of investigating Mr. Woodbury, law enforcement officials established wiretaps on the two telephone lines leading into his home. The first line was used for voice communication; the second was used as a data line for the transmission of facsimiles and computer communications.

A number of the messages transmitted on the second line were encrypted with "Cypherpunks Labs Automated Messenger 3.01" (CLAM), a computerized encryption program using a 128-bit key to encode electronic documents. Use of such a powerful encryption scheme or possession of files encrypted by such a scheme is criminalized under the Cryptography Control Act of 1995 ("CCA" or "Act"), unless a copy of the decoding key is filed with a Government escrow agency. CCA 10(a),(b). The key used to encrypt the messages sent over the second line was not on file with Government key escrow agencies when they attempted to decrypt those messages, and subsequent attempts to crack the cipher without the key failed.

Using the manifestly weak evidence of narcotics trafficking gathered from line one, and the presence of encrypted documents without a filed key on line two, the DEA obtained a warrant to search Woodbury's home. The police were not able as a result of the search to link Woodbury to drug-related crimes, and he was cleared of those charges by the jury at trial. However, the Government's seizure of Woodbury's personal computer turned up a number of files encrypted with CLAM. No evidence has been presented as to the dates of the files' origin and encryption. Nevertheless, Woodbury was convicted by the trial court of violations of the CCA for using strong encryption without having a key on file with the Government. The United States Court of Appeals for the Thirteenth Circuit affirmed that conviction, and Woodbury appeals to this Court.

ARGUMENT

I. THE CCA VIOLATES THE FIRST AMENDMENT IN ITS OVERBREADTH, COMPULSION OF SPEECH, CHILLING EFFECT ON ASSOCIATION RIGHTS, AND ABRIDGMENT OF THE RIGHT TO ANONYMOUS SPEECH.

While much of the discussion of key escrow provisions has rightly focused on the Fourth Amendment and general privacy interests, see Section II, infra; see also, Christopher E. Torkelson, The Clipper Chip: How Key Escrow Threatens to Undermine the Fourth Amendment, 25 Seton Hall L. Rev. 1142 (1995); Charlene L. Lu, Note: Seeking Privacy in Wireless Communications: Balancing the Right of Individual Privacy with the Need for Effective Law Enforcement, 17 Hastings Comm/Ent L.J. 529 (1995), there are also insurmountable hurdles posed by the First Amendment to the mandatory key escrow scheme established by the CCA. A challenge to the CCA as substantially overbroad is in order, as it regulates speech on the basis of its content, has a significant effect on associational rights, and regulates the manner of speech. With the establishment of a facial overbreadth challenge, Mr. Woodbury may assert his own rights and those of others who will be brought within the truly sweeping character of this statute. See, e.g., Board of Airport Commissioners v. Jews for Jesus, Inc., 482 U.S. 569 (1987). The CCA has a constitutionally unacceptable chilling effect on the speech of all users of cryptography for whom there is not even probable cause to suspect any illegal activity. The constitutional interests we assert here are of course to be balanced against state interests. But this Court requires that Government action burdening speech on the basis of its content meet strict scrutiny -- serving compelling state interests, and being narrowly tailored to serve those interests. If speech mixed with conduct is involved, a slightly different test (set forth particularly in Section I.A.2., infra) is imposed, but the protection of the underlying speech still requires that the least restrictive alternative be followed to accomplish the Government's objective. United States v. O'Brien, 391 U.S. 367, 376 (1968). 
Although the interest asserted by the United States in preventing crime is undoubtedly compelling, the means used under the CCA are not tailored in any sense. By reaching all uses of cryptography, the CCA treads all over the First Amendment.

A. The CCA is Substantially Overbroad.

When a statute reaches both constitutionally protected speech and speech alleged to be without such protection, it is overbroad and subject to facial invalidation. Board of Airport Commissioners, 482 U.S. at 474. While the standing doctrine generally holds that a party before a court may only invoke her own rights, not those of another, overbreadth is an exception to that requirement designed to protect First Amendment interests. See Brockett v. Spokane Arcades, Inc., 472 U.S. 491, 502 (1985) (citing United States v. Raines, 362 U.S. 17, 21 (1960)); see generally Allen v. Wright, 468 U.S. 737 (1984). Decisions of this Court have indicated that the overbreadth must be "substantial," but where pure speech, associational rights, or time, place and manner restrictions on expressive conduct are involved, that requirement is met. Broadrick v. Oklahoma, 413 U.S. 601, 612 (1973). Because the CCA is not in any way subject to a narrowing construction limiting it to a constitutional scope, see id. at 613, an overbreadth challenge is appropriate here. Thus, even were this Court to find that the CCA is constitutionally applicable to Mr. Woodbury, it must consider the rights of other parties reached by the sweeping character of the statute. Overbreadth analyses of a statute consider both the asserted rights of the party before the court and those of other parties who may be fairly swept within the reach of the statute "because of judicial prediction or assumption that the statute's very existence may cause others not before the court to refrain from constitutionally protected speech or expression." Id. at 612.

Sections 1 and 2 below illustrate that the overbreadth doctrine under the Broadrick test applies here because the CCA's restrictions on speech are content-based, demanding strict scrutiny of its provisions. Section 3 shows that even if this Court finds that the CCA restricts only conduct associated with speech, the Broadrick test still requires the overbreadth analysis. Section 4 presents three paradigmatic cases to illustrate the CCA's clearly unconstitutional burden on speech interests besides Mr. Woodbury's.

The CCA requirement that a key be filed with the Government for possible use in the future is only applicable to a person when encryption is in fact used. CCA, 10. This may seem to be an attempt to avoid overreaching in the regulation of encryption, but in fact has the insidious effect of making the act of filing a key a statement that the person has documents important enough to use strong cryptography. See also Section II.C, infra (arguing that the escrow requirement interferes with the development of an expectation of privacy); Section III.A, infra (arguing that it requires individuals to reveal that they have something they wish hidden); cf. Fed. R. Evid. 801(a) (defining "statement" as an oral or written assertion, or nonverbal conduct if intended by a person as an assertion). Even more significantly than if such a statement were required to be made to a private party, this required disclosure must be made to the Government. There is no question that regulatory burdens such as reporting requirements may be placed on business information in this context, see e.g., Schaumburg v. Citizens for a Better Environment, 444 U.S. 620 (1980); Secretary of State of Maryland v. Joseph H. Munson Co., 467 U.S. 947 (1984), but in the case of private individuals, such demands are patently unconstitutional unless narrowly tailored to serve a compelling state interest. "Mandating speech that a speaker would not otherwise make necessarily alters the content of the speech...[and is] a content-based regulation of speech." Riley v. National Federation of the Blind, 487 U.S. 781, 795 (1988).

2. CCA Fails to Pass Constitutional Muster Under the Strict Scrutiny Standard, Particularly in Its Utter Absence of Any Tailoring to the Asserted Government Interest.

Content-based restrictions on speech are "subject to exacting First Amendment scrutiny." Id. at 798. This requires both a compelling state interest, and narrow tailoring of the means used to further that interest. See, e.g., Simon & Schuster v. New York State Crime Victims Board, 502 U.S. 105 (1991). In its case against Mr. Woodbury, the Government asserts its incontestably compelling interest in preventing crime. But it makes no showing whatsoever as to how this Act is tailored to protect speech interests, let alone narrowly so. Indeed, the CCA is not tailored at all -- it applies to every person in the country who chooses to use cryptography, regardless of whether the Government even has reason to suspect that person is using cryptography to commit a crime. Because the CCA chooses to chill speech through a content-based regulation, without even attempting to limit its scope so mandatory key escrow carefully furthers the asserted goal of crime prevention, it must be struck down.

3. Even if the Key Escrow Provisions Do Not Reach Pure Speech, Overbreadth Review is Still Appropriate.

It is settled constitutional doctrine that the applicability of overbreadth analysis does not completely depend upon the reaching of "pure speech." Broadrick, 413 U.S. at 615. The "speech-conduct" mix is enough, but requires that "the overbreadth of a statute must not only be real, but substantial as well, judged in relation to the statute's plainly legitimate sweep." Id. We concede that the Act may be tailored so as to be constitutional -- it may certainly be applied against those who have in some sense forfeited many rights, such as convicted felons, see infra Section I.B.2. -- but the language of the statute and intent of the Congress is so far beyond that narrow category that the overbreadth here is plainly substantial.

The key and the document encrypted are constitutionally protected as pure speech, but if this Court finds that they are separable, it should apply the test adopted in O'Brien to determine whether the regulation that affects speech but claims to do so on grounds other than regulating the content of the speech should nonetheless be struck down. In O'Brien, this Court required that the action taken be within the constitutional power of the Government, that it further an important Government interest unrelated to the freedom of expression, and that it be "no greater than is essential to the furtherance of that interest." O'Brien, 391 U.S. at 376. In sweeping every citizen who wishes to use strong cryptography for whatever reason under its tentacles, the CCA fails the narrow tailoring prong of the O'Brien test.

4. The CCA Is Overbroad Because It Chills Unquestionably Protected, and Even Privileged Speech, as Shown By Three Paradigmatic Cases

Three examples, before this Court because of the substantial overbreadth of the statute, best illustrate the constitutional unacceptability of the Government's strategy here. First are the run-of-the-mill users of cryptography who wish to connect their computers to the Internet while keeping personal papers private from potential intruders -- intruders who would have access to exactly the type of computing power that could break weaker cryptography. See generally James Fallows, An Outlaw in Cyberspace, N.Y. Times, Feb. 4, 1996, sec. 7, p. 14 (reviewing three recent books on the extensive hacking activities of Kevin Mitnick). Second is a group subject to harassment that wants to keep its membership list and internal memos secret, asserting the associational and anonymity rights of its members, fearing reprisal from the Government or from private parties. See NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958). Third are lawyers and clients who wish to ensure the confidentiality of their communications. See Trammel v. United States, 445 U.S. 40, 51 (1980) ("The attorney-client privilege rests on the need for the advocate and counselor to know all that relates to the client's reasons for seeking representation if the professional mission is to be carried out."). Each of these groups has a desire to encrypt files that is entirely unrelated to any criminal purpose, and has the need for strong encryption because of the interest of both Government entities and private parties in accessing the data they wish to keep private. The CCA forbids the use of strong encryption to all of them, unless they accept the Government's attempt to compel the statement that they have data important enough for strong encryption's use. This would have a plainly unconstitutional chilling effect on speech in each of the three cases, thus violating the First Amendment. Cf. Fisher v. United States, 425 U.S. 391, 420 (1976) (Brennan, J., concurring) (analogizing chilling effect of requiring exposure of private papers to that of exposure of private thoughts).

Particular instances of violation of speech rights will be covered in subsequent sections, but it is important to reiterate here the truly extensive character of the CCA. It contains no exceptions for encryption of any type of communication otherwise privileged, and specifically bars the use of technological means to attempt to protect that privileged communication absent the provision of the means to decrypt the communication to the Government. CCA, 10(a). This implicates general privacy rights protected in part under the First Amendment, see Stanley v. Georgia, 394 U.S. 557 (1969), though more generally under the Fourth, see Section II, infra, and also reaches core First Amendment speech interests in the cases set forth here. By reaching these matters while allowing no means for exception from the licensing requirements of the Act, the CCA is facially overbroad and a violation of the First Amendment.

Although the general analysis under overbreadth provides a proper background for the Court in making its decision, it will also be helpful to consider the particular elements of the claim as separate constitutional doctrines, each recognized by this Court in past cases, and to address the legally flawed claims of the Thirteenth Circuit.

B. The CCA Compels the Speech of All Users of Cryptography.

1. Consideration of a Compelled Speech Claim is Appropriate.

The Thirteenth Circuit erroneously concluded that Mr. Woodbury's compelled speech claim was not justiciable because he had not complied with the escrow requirements of the statute. Slip op. at ____. Because of the substantial overbreadth of the CCA, his claims are not limited by his lack of compliance. Broadrick, supra; Slip op. at ____ (Axsmith, J., dissenting). This Court must thus consider the claim as if raised by a party who complied with all the provisions of the statute. See Section I.A, supra.

2. The CCA Compels the Speech of Mr. Woodbury and All Subject to the Act.

As explained above, the escrowing of a key makes a statement to the Government that the person filing possesses a document that they wish to keep secret through strong encryption. Thus, filing a key under the CCA is communicative action: it declares that the registrant possesses an encrypted document, has used encryption techniques, or is about to do so. In compelling this speech, the Government forces the individual to alter the contents of the document that would otherwise have been protected to account for the possibility of interception. Interception and decryption would of course be most likely by the Government, but by requiring that a key be transmitted to the Government, the CCA also increases the risk that the key itself could be intercepted by a private party and used to decrypt documents.

The Thirteenth Circuit attempts to avoid the conclusion that speech is compelled in this case by analogizing this claim to the requirement that drivers carry a license identifying them. But driving is not a constitutional right, and necessarily directly implicates the rights and lives of others. The encryption of private speech does not in any way have the broad import that the requirement that a driver's license be carried does. A proper analogy using the driver's license would be presented if the license required to be carried contained a transmitter that at all times broadcast the position of the driver and the possessions in the car. Such a requirement would be patently unconstitutional.

Another, more appropriate use of the Thirteenth Circuit's driver's license analogy would be to point out that the CCA is, in effect, a licensing scheme requiring those who wish to truly ensure the privacy of their communications and personal thoughts to allow the possibility of Government decryption at a time unknown to them. Government licensing schemes have been a deep concern of this Court and of the development of free speech in Anglo-American law. See, e.g., City of Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750 (1988). Such schemes were adopted in England for the particular object of chilling speech critical of the Government and any dissent from the established mores of the time. See Vincent Blasi, John Milton's Areopagitica and the Modern First Amendment, Communications Lawyer, vol. 14, no. 4 (Winter 1996), at 1. It is Pollyannaish at best to assume that this overly broad scheme could not be used in the same way. See generally Anthony Summers, Official and Confidential: The Secret Life of J. Edgar Hoover.

3. The CCA's Actions Are Not Narrowly Tailored to the Articulated Government Objectives.

The analogy to a motorist's claim that speed limits violate her right to travel in the Thirteenth Circuit's opinion is particularly inapposite. Speed limits are certainly restrictions on the right to travel, but they are narrowly tailored actions that serve compelling Government interests. Anti-cryptography legislation may be able to constitutionally reach those whose actions the Government has an almost irrebuttable criminal suspicion about, just as convicted felons may be denied the right to vote, or the right to bear arms. See, e.g., Baker v. Cuomo, 58 F.3d 814 (2nd Cir. 1995) (right to vote); United States v. Bartelho, 71 F.3d 436 (1st Cir. 1995) (right to bear arms). A provision denying the use of encryption to convicted felons, then, would clearly be narrowly tailored to serve a compelling Government interest. But it certainly may not reach everyone, and may not reach Mr. Woodbury through the State's (at best) weak wiretap warrant in this case. Even if it could reach Mr. Woodbury, the extensive character of the CCA and its lack of exception for other specifically protected speech renders it constitutionally unacceptable.

"A statute is narrowly tailored if it targets and eliminates no more than the exact source of the 'evil' it seeks to remedy." Frisby v. Schultz, 487 U.S. 474, at 485 (1988) (citation omitted). "A complete ban can be narrowly tailored, but only if each activity within the proscription's scope is an appropriately targeted evil." Id. The evil targeted here is crime, and the CCA only incidentally reaches those instances where cryptography is used as one of its elements. The compelled speech of revealing keys and the existence of encoded documents is too high a constitutional price to pay for deterrence and prosecution of the rare occasions that cryptography is used to further a crime.

C. The CCA Unconstitutionally Burdens Associational Rights

1. The Associational Rights of Members of Socially Disfavored Groups Are Violated by the CCA.

"Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs." NAACP v. Alabama, 357 U.S. at 462 (emphasis added). In NAACP, the Alabama branch of the civil rights organization had been served with a judicial order commanding them to produce their membership list as part of an action brought to harass their organizing activities in the state. With the existence of a key in the hands of the Government, the type of privacy claimed by the NAACP in their membership lists would be ephemeral at best. Without even the notice of a warrant being served, documents lawfully or unlawfully in the hands of authorities could become instantly useful for any Government purpose, legitimate or illegitimate. Knowledge of this fact among the membership and others would have exactly the result that this Court worried about in NAACP: "induc[ing] members to withdraw from the Association and dissuad[ing] others from joining it because of fear of exposure of their beliefs shown through their associations and of the consequences of this exposure." Id. at 463.

Instead of focusing on the real chilling effect on First Amendment activity that results from the CCA, the Government chooses to worry only about the alleged "unacceptable risk to the domestic tranquility and to the national security of the United States," CCA, 1(c), and the Thirteenth Circuit follows along without question, slip op. at ____. Such a docile approach to review of asserted Government purposes against speech rights is inconsistent with the jurisprudence of this Court. To offer another example, a group's dissident beliefs and vague assertions about taking power do not allow the Government to assume that their goal is in any sense violent action -- the burden is on the Government to distinguish even the advocacy of violence from incitement to imminent lawless action. Brandenburg v. Ohio, 395 U.S. 444, 447 (1969). Strong necessity must be shown before the Government may burden association rights through legislation like the CCA. No such necessity is presented by the Act itself or by the Thirteenth Circuit.

2. The CCA's Provisions Are Not Narrowly Tailored To the Asserted Government Interest in Preventing Crime.

The Government is certainly free to use its market power to restrict the broad dissemination of unbreakable encryption technology. See A. Michael Froomkin, The Metaphor Is the Key: Cryptography, the Clipper Chip, and The Constitution, 143 U.Pa. L. Rev. 709, 793-95 (1995). It is not, however, constitutionally permitted to bar its use altogether, or to unconstitutionally burden individual association rights to restrict its use, unless the state action taken were narrowly tailored to serve compelling Government objectives.

Again, the asserted Government interest in mandating escrow of encryption keys is the prevention of crime. The CCA is not narrowly tailored to serve this interest because its conditional ban on cryptography does not "eliminate[] no more than the exact source of the 'evil' it seeks to remedy." Frisby, 487 U.S. at 485. It clearly reaches the associational rights of dissident groups who would protect their privacy, but who have not committed any crime.

D. The CCA Unconstitutionally Burdens the Right to Anonymous Speech.

1. Mr. Woodbury's Rights to Anonymous Speech Are Clearly Before This Court, Even If The Facial Overbreadth Claims Are Ultimately Rejected.

It is first important to point out that Woodbury's right to anonymous speech is clearly before this Court even if the overbreadth analysis under which we have examined other applications of the statute is ultimately rejected. He has not somehow lost the right to claim this "since his identity has been known to the police throughout the investigation." Slip op. at ___. The right of anonymity under the First Amendment is not only anonymity against the Government, but the right to communicate ideas anonymously. "[A]n author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment." McIntyre v. Ohio Elections Commission, 115 S.Ct. 1511, 1516 (1995). In both of this Court's major cases dealing with anonymous speech, the identity of the person seeking their right vindicated was known to the Government. See McIntyre; Talley v. California, 362 U.S. 60 (1960). Nor is it true that "there is no suggestion that [Mr. Woodbury] sought to communicate anonymously," Slip op. at ____. The encrypted nature of data sent out over Mr. Woodbury's data telephone line suggests exactly the opposite. Slip op. at ____. Only a user possessing Mr. Woodbury's key could decrypt the message sent over line two; he was thus anonymous to everyone who did not possess his key.

2. The Anonymous Speech Rights of Others are Unconstitutionally Burdened By the CCA.

In any case, because of the overbreadth claim, we are not wholly reliant on Woodbury's right to assert that the CCA unconstitutionally burdens the right to anonymous speech. For the purposes of this argument, we may in fact assume that Woodbury, or the lawyers or clients we posited in our third hypothetical above, was actually communicating anonymously.

The right to anonymous speech has been recognized in both the literary and political contexts by this Court, most recently in invalidating an Ohio requirement that flyers intending to influence an election contain the name and address of the person or organization distributing them. McIntyre, supra. The CCA clearly reaches not only Mr. Woodbury, but also the anonymous pamphleteer who distributes her work over the Internet, or the recent author of the novel Primary Colors. The Government may not ban anonymity, or excessively burden it. Id. Because there is little reason not to extend this right to the professional realm, it may even cover the lawyer who encrypts her client memos so that only the client can read them. None of these people have committed any crime. There is no reason their speech should be burdened absent strong suspicion.

3. The CCA is Not Narrowly Tailored to the Asserted Government Interest in Preventing Crime.

For the same reasons articulated in Sections I.A.2 and I.B.2 supra, the CCA is not narrowly tailored to the Government's asserted interest in placing speech-dependent limits on cryptography to protect against potential crimes.

II. THE CRYPTOGRAPHY CONTROL ACT IS UNCONSTITUTIONAL UNDER THE FOURTH AMENDMENT BECAUSE IT CREATES A SCHEME OF SEARCHES AND SEIZURES WITHOUT PROBABLE CAUSE OR INDIVIDUAL SUSPICION.

In its efforts to maintain its access to the private lives of individuals through the medium of the Cryptography Control Act, the Government has violated Mr. Woodbury's Fourth Amendment rights by establishing a regime where it may begin searches of private computer files without probable cause or individual suspicion. Mandatory key escrow is a fundamental part of the scheme of searching for these digital documents, and as such must be considered the starting point of a given search (strangely undertaken by the object of the search himself). Thus the requirement of filing keys is unconstitutional absent reason to suspect a particular user. The Government claims that it may dispense with the probable cause and individual suspicion requirements under the doctrine governing regulatory searches; however, as will be shown, this doctrine is wholly inappropriate for the analysis of the key escrow scheme.

A. Mandatory Key Escrow Constitutes a Search Under the Guidelines Established By This Court.

This Court has clearly established that a search begins when the Government first interferes with an individual's legitimate expectation of privacy. Maryland v. Macon, 472 U.S. 463, 469 (1985); United States v. Jacobsen, 466 U.S. 109, 113 (1984). Those who possess encrypted files clearly have such an expectation; indeed, the right to security in private papers under the Fourth Amendment is paradigmatic, and users of strong cryptography have openly and effectively expressed their desire to exercise that right.

Requiring users of encryption to file their keys with the Government infringes this expectation of privacy in two ways. First, mandatory key escrow requires that an individual disclose to the Government that she has something to hide. Under the CCA, the filing of keys is required only when an individual desires to use cryptography to secure the contents of his personal files. CCA, 10. Therefore, under the statutory scheme enacted, keys will be filed only when there are documents encrypted. Thus the filing of a key serves to inform the Government that the user has documents she wants kept private or secure against a search. This infringes the user's expectation of privacy by directing the Government toward a source of evidence whose existence the user has a right to keep unknown to the Government. The discovery of sources of evidence is the classic purpose of a search; the scheme embodied by the Act falls well within that category.

Furthermore, the CCA does not adequately describe the safeguards which escrow agencies must use to prevent the unauthorized disclosure of keys. Private citizens do, admittedly, have an expectation of privacy in personal information held by the Government. Whalen v. Roe, 429 U.S. 589 (1977) (medical records); Sheets v. Salt Lake County, 45 F.3d 1383 (10th Cir. 1995) (citing Whalen). However, the Court has held that this privacy may be infringed if the Government does not sufficiently protect the information it has in its custody. Whalen at 605; Sheets at 1387. While the procedural safeguards established by the CCA may be sufficient for a regular search (although not for a regulatory search, as discussed below), the statute remains unconstitutionally vague as to the physical safeguards for the critically sensitive information held by escrow agencies. This Court focused explicitly on physical safeguards in Whalen, looking even at the wire fence and alarm system surrounding the computers holding private medical files. Id. at 593-594. Without such safeguards clearly established, individuals cannot expect their keys to be adequately protected. Thus the Government violates their expectation of privacy, and consequently begins a search.

For these reasons, mandatory key escrow qualifies as a Fourth Amendment search, and therefore is unconstitutional because of its lack of cause and suspicion. Note that the purpose of the search initiated with the process of key escrow is not relevant for finding violations of the Fourth Amendment; a search need not be intended to produce evidence for criminal prosecutions. Even so, as will be demonstrated below, this is the hidden purpose of the CCA.

B. The Seizure of Encryption Keys As Required By the CCA Cannot Be Justified Under the Regulatory Search Exception to the Fourth Amendment.

The Government and the Thirteenth Circuit have attempted to justify the warrantless seizure of encryption keys without probable cause or particularized suspicion by appealing to the narrow regulatory search exception to the Fourth Amendment developed by this Court in Skinner v. Railway Labor Executives' Association, 489 U.S. 602 (1989) and National Treasury Employees Union v. Von Raab, 489 U.S. 656 (1989). However, the regulatory search doctrine as developed in these cases and their progeny is wholly inappropriate to the use of encryption, applying only to those who work in particularly hazardous positions or heavily regulated businesses, or who have consciously waived a certain level of privacy. Furthermore, while the Thirteenth Circuit states that the CCA is not intended as a law enforcement device, it is unquestionable that it will be used for law enforcement purposes against those persons possessing files encrypted with 64-bit keys before the passage of the Act. Moreover, the warrant requirement in the CCA does not in fact provide sufficient protection against the use of materials seized in a regulatory search in a later criminal proceeding.

1. The Regulatory Search Doctrine Does Not Apply to CCA's Search Regime.

a. The Regulatory Search Exception Is Inapplicable to Individuals Using Encryption Because the CCA Lacks the Appropriate Justification To Dispense With Individualized Suspicion and Probable Cause.

The Thirteenth Circuit attempts to apply the regulatory search exception to users of cryptography by claiming that the Government has "special Governmental needs, beyond the normal need for law enforcement." Von Raab at 665-66. Judge Mitchell then goes on to explain how a regulatory seizure of encryption keys is necessary to combat the efforts of "enemy agents, drug dealers, pornographers, pedophiles, and organized crime generally." Slip op. at __. As a preliminary comment, while Judge Mitchell has comprehensively listed those bogeymen which haunt law enforcement officials, he seems to have misread Von Raab to read "beyond the normal need of law enforcement" -- for these outlaws are the standard targets of law enforcement, not an external concern. As can be seen in the cases that follow and interpret Skinner and Von Raab, the "special Governmental needs" discussed in those cases have been uniformly limited to situations 1) where public safety is immediately and directly at risk, or 2) where the person searched has voluntarily given up some expectation of privacy by working in a heavily regulated industry or entering an area where privacy is commonly acknowledged as reduced. Neither of these descriptions applies to the defendant, Mr. Woodbury, or to those who use cryptography in general.

i. Public Safety Is Neither Immediately nor Directly At Risk Because of the Use of Encryption.

In the cases which have followed Von Raab and Skinner, regulatory searches have been permitted where those being searched could cause "great human loss" before a less-intrusive investigative technique could detect the crime. Skinner at 628. Throughout the federal circuits this condition has been taken quite literally, with the result that this justification for a regulatory search applied only where public safety was immediately and substantially threatened. See United States v. Ross, 32 F.3d 1411, 1415 (9th Cir. 1994)(passenger on plane whose luggage was thoroughly searched not in "dangerous or sensitive position"); Taylor v. O'Grady, 888 F.2d 1189, 1199 (7th Cir. 1989)(only correctional officers in regular contact with prisoners, in a position to smuggle drugs or having access to firearms subject to urine testing); Stanziale v. County of Monmouth, 884 F.Supp. 140, 147 (D.N.J. 1995)("The nexus between the [sanitary] inspector's misconduct and the potential injury is too attenuated to justify the removal of...the individualized suspicion requirement."); Craft v. Pace of South Holland, 803 F.Supp. 1349 (N.D.Ill. 1992)(drug testing among public transit officials overbroad because applied to employees not in "safety sensitive" positions); Watson v. Sexton, 755 F.Supp. 583, 589 (S.D.N.Y. 1991)(Gov't officials driving cars: "When driving is only incidental to other duties that engage no safety concern, the employee's position is not safety sensitive."); Beattie v. St. Petersburg Beach, 733 F.Supp. 1455, 1459 n.1 (M.D.Fla. 1990)(although firefighters deal with public safety, they do not use firearms or use deadly force); cf. Rushton v. Nebraska Pub. Power Dist., 844 F.2d 562, 567 (8th Cir. 1988)(nuclear powerplant engineers subject to testing); Dykes v. SEPTA, 68 F.3d 1564, 1567 (3rd Cir. 1995)(bus driver subject to testing).

The Thirteenth Circuit argues that the use of cryptography presents a threat to public safety and national security because criminals may use the privacy thus granted to further their plans. But an encrypted document is unlikely to be the direct cause of harm, unlike drug or alcohol abuse; any harmful effects would be too remote temporally and causally to justify dispensing with the particularized suspicion requirement. Furthermore, even if cryptography could directly cause harm, it is hard to conceive how most users, including Mr. Woodbury, could be seen to be in a safety-sensitive position. Thus, the abstract threat which the use of cryptography in a criminal enterprise poses cannot justify a system of regulatory searches.

ii. Users of Cryptography Have Not Voluntarily Reduced Their Expectations of Privacy By Taking Jobs In a Heavily Regulated Industry or By Acting In a Sphere Where Privacy Is Reduced.

Courts following Von Raab and Skinner have also held those decisions to mean that persons choosing to work in a heavily regulated industry may have a "lessened privacy expectation against the Government's intrusion." Carelli v. Ginsburg, 956 F.2d 598, 604 (6th Cir. 1992) (horse racing industry heavily regulated and athletes thus subject to drug testing). However, cases using the heavily regulated industry justification have required either a showing of pervasive Government control, see, e.g., Skinner at 627, Lesser v. Espy, 34 F.3d 1301 (7th Cir. 1994)(rabbit farm for animal testing labs), or some reason to expect widespread problems requiring regulation, see Von Raab at 672 (agents having access to illegal drugs and dealing with drug-related crimes); Carelli at 605 (evidence that drug abuse common in racing industry); Beattie, 733 F.Supp. at 1459 (firefighting heavily regulated, but testing inappropriate because record did not show drug abuse problem).

Similarly, courts have held that individuals may be subject to regulatory searches when they participate in an activity where privacy is commonly acknowledged as reduced. In Vernonia School District 47J v. Acton, 115 S.Ct. 2386 (1995), the Supreme Court held that student athletes could be subject to drug testing because participation in school sports indicated a willingness to accept reduced privacy in locker rooms and with regard to standards of conduct. The Court drew a parallel to adult participation in heavily regulated industry. Id. at 2393. This justification was also applied recently to regulatory checks of welfare recipients, S.L., P.W., B.S. v. Whitburn, 67 F.3d 1299 (7th Cir. 1995), as well as the classic examples of entering a courthouse or passing through an airport metal detector. In all these cases, individuals took part in public activity where they knew they were subject to systematic searches.

Neither of the situations described above applies to a user of cryptography such as the defendant. Woodbury is obviously not an employee of a heavily regulated industry, at least not with respect to his private files, and he cannot be said to have participated in an activity where he knew he was subject to a warrantless search. Furthermore, the use of telephone lines to transfer encrypted files cannot be used to bootstrap him into one of these categories. If that were the case, wiretaps could be used randomly on any telephone line without a warrant or suspicion, as they clearly cannot. See Katz v. United States, 389 U.S. 347 (1967). For these reasons, as well as those stated above discussing the public safety justification, the regulatory search doctrine is inappropriately applied to a key escrow scheme.

b. Contrary To the Purpose of a Regulatory Search, the Terms of the CCA Are Aimed Toward the Gathering of Evidence For Criminal Prosecutions, Without Adequate Statutory Protection.

The Thirteenth Circuit claims that, according to the requirements of Von Raab, key escrow "seeks only to aid in the detection [of], and perhaps also deter, crimes that might otherwise be furthered by the use of encryption." Slip op. at ___; see Von Raab at 666. But while this claim is more than suspect with regard to users possessing files encrypted after the enactment of the CCA, it is plainly untrue with regard to those persons engaged in criminal activity and possessing files encrypted prior to the Act's passage. Furthermore, the Act cannot deter the use of cryptography for those who have already encrypted their files; the only reason to have such persons file their keys is so that the Government can have access to the private files they suspect (if not know) exist. It is unclear how detection of crime is not intended under the Act to result in criminal prosecution in any case; if such were not the intent, why would there be an explicit warrant requirement? Moreover, the system of enforcement of the Act indicates that it is intended to serve criminal prosecutions. The CCA contains no provisions for special enforcement of its criminal prohibitions. Thus, the only situation in which violations will be detected is in the course of a criminal investigation.[1]

But even if the hidden intent of the Act is ignored, the warrant requirement does not cure the inappropriate use of decrypted files in criminal prosecutions. According to Von Raab, evidence acquired pursuant to a regulatory search "may not be used in a criminal prosecution...without the [searched person's] consent." Von Raab at 666 (emphasis added). This Court specifically allowed an individual who is the possible target of prosecution additional protection to make up for the lack of particularized suspicion or probable cause; the CCA cannot replace that level of protection with a warrant issued after the fact.

Accordingly, the regulatory search exception cannot justify the specific provisions of the Act because they serve an improper purpose and offer insufficient protection to fall within that exception.

C. The CCA Creates Untenable Paradoxes In the Development of Legitimate Expectations of Privacy.

The CCA creates a unique constitutional curiosity by attempting to restrict the means by which a person may attempt to establish a legitimate expectation of privacy in computer files. Normally focusing on whether attempts at privacy were successful enough, courts and legislators have not previously faced the question of whether an attempt to keep papers private could be too successful. It is well-established that an expectation of privacy under the Fourth Amendment depends upon the steps taken to exclude others from the object being searched. Rakas v. Illinois, 439 U.S. 128, 149 (1978). Writing in his concurrence to Rakas, Justice Powell clarified the holding of the Court, stating, "In considering the reasonableness of asserted privacy expectations, the Court has recognized that no single factor invariably will be determinative. Thus, the Court has examined whether a person invoking the protection of the Fourth Amendment took normal precautions to maintain his privacy -- that is, precautions customarily taken by those seeking privacy." Id. at 152. In the case of computer files, the traditional method used by those seeking privacy is encryption.

In most cases of private individuals, it is likely that sub-64-bit key encryption would be sufficient to protect against likely hackers, be they outsiders or simply curious children in the household. In that circumstance, weak encryption resembles the phone booth door in Katz. But for some, those individuals working with extremely sensitive information, weak encryption begins to resemble the bathroom stall door in United States v. White, 890 F.2d 1012 (8th Cir. 1989), cert. denied, 497 U.S. 1010 (1990) -- the right step to express a desire for privacy, but not effective enough to develop a legitimate expectation. It is constantly becoming more cost effective for large corporations or foreign Governments to crack files encoded under weaker encryption standards. See Froomkin, supra, at 738 ff. For those who deal in information interesting to such parties, it is consequently becoming less reasonable to consider sub-CCA standard encryption as sufficient to provide everyday security.

This created a conundrum, because Congress realized that for the first time the steps that were necessary to insure Fourth Amendment protection could successfully prevent Government searches, unreasonable or otherwise. The situation came to resemble cases under the Fifth Amendment, where information was irretrievably locked within a witness' mind. The drafters of the Act resolved this situation by interfering with private individuals' development of Fourth Amendment privacy rights, restricting the use of effective cryptography. The drafting of the CCA thus created the legal curiosity of this case, because the only way to resolve their problem, as in Fifth Amendment cases, was to compel the user to aid in the decryption of the files to which they desired access. The legitimacy of this action under the Fourth Amendment has been discussed above. However, as will be seen below, the Fifth Amendment is designed to complement the Fourth in precisely these situations and offer relief for a case like Mr. Woodbury's -- where the Government wants him to assist his own prosecution.

III. THE KEY ESCROW REQUIREMENTS OF THE CCA VIOLATE THE FIFTH AMENDMENT PRIVILEGE AGAINST SELF-INCRIMINATION OF BOTH THE DEFENDANT, MR. WOODBURY, AND OTHERS USING EFFECTIVE ENCRYPTION TECHNIQUES.

The CCA attempts to solve the problem of unbreakable encryption by requiring that a person using cryptography hand over the translation keys, essentially forcing the user to share his sphere of privacy with the Government. But this step is unconstitutional under the Fifth Amendment, in that key escrow is a testimonial act that will incriminate individuals in the course of a criminal prosecution. First, the act of handing over translation keys is in all cases both testimonial and incriminating in and of itself, because it declares to the Government that the user has something to hide. This testimony is particularly harmful to persons like Mr. Woodbury, who are under suspicion for unrelated reasons. Second, mandatory key escrow is unconstitutional in a wider sense because it forces Mr. Woodbury and other users who have files suspected by the Government of being incriminating and which had been encrypted before the passage of the CCA to acknowledge the existence of, and assert control over, those files. Third, mandatory key escrow infringes Mr. Woodbury's right against self-incrimination because it requires not that he merely reveal, but that he repeat and restate the incriminating content of private documents.

A. The CCA Compels Users of Cryptography Like Mr. Woodbury To Admit That They Have Something To Hide Under Circumstances That Could Lead To a Substantial Risk of Prosecution.

As discussed above, the act of escrow informs the Government that an individual has something to hide, because the requirement of escrow is predicated upon actual encryption of files. Note that this is unlike the situation in Doe v. United States (Doe II), 487 U.S. 201 (1988), where the defendant was compelled to sign a consent directive authorizing foreign banks to release account information to the United States Government. This Court upheld the compelled signing against a Fifth Amendment challenge on the grounds that the directive, formulated at the instigation of the court and phrased hypothetically, did not reveal that there were in fact any such documents in existence: "Although the executed form allows the Government access to a potential source of evidence, the directive itself does not point the Government toward hidden accounts." Id. at 215. In the instant case, however, it is unreasonable to assume that individuals will go to the trouble of filing encryption keys if they do not possess encrypted files; thus the Government is informed by the act that the user has something to hide.

This information may place the user at substantial risk of criminal prosecution (as the Thirteenth Circuit would require, citing Marchetti v. United States, 390 U.S. 39 (1968)). In circumstances such as those of Mr. Woodbury, where the Government is suspicious of an individual for separate reasons unrelated to cryptography, the additional suspicion created by admitting to the Government that files are being concealed from outsiders could well be enough to cause law enforcement officials to institute a full-scale investigation or file an indictment.[2] Enabling the Government to detect crime in this fashion thus violates the Fifth Amendment by forcing suspected criminals to signal that they are due greater scrutiny if not immediate prosecution.

B. Mandatory Key Escrow Violates Mr. Woodbury's Fifth Amendment Rights By Forcing Him To Acknowledge That He Possesses Incriminating Files and Controls Those Files.

It is indisputable that many users of encryption, possibly including the defendant,[3] had been using strong encryption prior to the passage of the CCA. Mandatory key escrow thus presents a serious danger to those individuals who are the subject of criminal investigation, because the Government's demand for keys compels such users to testify that they are in control of and responsible for any encrypted files which the Government may already have in its possession. This compelled testimony is in clear violation of the Fifth Amendment. In Doe II, 487 U.S. at 209, this Court held that "the act of production could constitute protected testimonial communication because...by producing documents in compliance with a subpoena, the witness would admit that the papers existed, were in his possession or control, and were authentic." In essence, filing keys would force a criminal defendant to abandon the defense that the documents in question were not in fact his, or had been modified. Note that for these individuals with encrypted documents prior to the passage of the CCA, key escrow would not merely be potentially self-incriminating at an unspecified time in the future, but would actually be incriminating at the time of filing.

C. Forcing a Defendant To File Encryption Keys for Encoded Documents In The Possession of the Government Incriminates the User By Forcing Him To Restate and Repeat the Contents of Those Files.

It is unquestioned that "a person may not claim the [Fifth] Amendment's protections based upon...the contents...of the thing demanded." Baltimore City Dept. of Social Services v. Bouknight, 493 U.S. 549, 555 (1990). However, the Fifth Amendment does apply if a person is forced "to restate, repeat or affirm the truth of [its] contents." United States v. Doe (Doe I), 465 U.S. 605, 612 (1984). The compelled disclosure of encryption keys when the Government holds encrypted files requires that a user do just this, restate the contents of the documents in a form understandable to the Government. An encrypted document is not a locked strongbox. It does not in any sense contain or conceal another document understandable to law enforcement officials. It itself is the only document. When an escrowed key is used to decode such a document, it is not unlocking a container, but translating and restating the document for the Government as if from another language. Thus the disclosure of the key in effect requires the user to restate and explain the contents of an incriminating file, if in a condensed way. This is clearly forbidden by the Fifth Amendment.

CONCLUSION

To find for the Government in this case is to declare that the cherished personal liberties constitutionally protected under the prior decisions of this Court were conditioned upon the existence of State monitoring techniques sophisticated enough to defeat those personal rights. This Court must again affirm the protections of speech, association, privacy, and criminal procedure, assuring that only those who have forfeited their claim to these rights are forbidden from using strong cryptography. The CCA is unconstitutional and should thus be struck down. The judgment of the Thirteenth Circuit should be reversed.

Respectfully Submitted,

Jeffrey P. Hermes
Christopher M. Kelly
March 13, 1996


[1] Incidentally and highly suspiciously, this also enables police to penalize people such as Mr. Woodbury whom they believe guilty of other crimes even if they cannot find sufficient evidence to convict for those crimes, while ignoring those not suspected of other offenses.

[2] It has not been shown that Mr. Woodbury would have been required to escrow a key before the government had been suspicious of him for other reasons.

[3] Because there is no record, there is no evidence one way or the other with regard to the date of the encryption of the files at issue in this case. For educational purposes, the appellant assumes that the documents on his hard drive were encrypted prior to the passage of the Act (which is at least a possibility) in order to demonstrate a potential constitutional weakness in the scope of the Act.




Last updated March 23, 1996
cfp96@mit.edu