Massachusetts High Court Permits Compelled Decryption of Seized Digital Evidence

By Cynthia J. Larose

Written by Matthew D. Levitt

Today, in Commonwealth v. Gelfgatt, No. SJC-11358 (Mass. June 25, 2014), a divided Massachusetts Supreme Judicial Court held that under certain circumstances, a court may compel a criminal defendant to provide the password to encrypted digital evidence seized by the government without violating either the Fifth Amendment or Article Twelve of the Massachusetts Declaration of Rights.  This is an interesting development in an emerging issue in the law that has yet to percolate its way to the United States Supreme Court. Moreover, as critical case evidence continues its migration from the physical to the digital realm, it is an issue we can expect to encounter with growing frequency, and is all but certain to eventually require resolution by the Supreme Court.

The Massachusetts high court’s decision hinged on the so-called “foregone conclusion” exception to the Fifth Amendment privilege against self-incrimination, which provides that an “act of production” is not testimonial “where the facts conveyed already are known to the government, such that the individual ‘adds little or nothing to the sum total of the Government’s information.’” Because the defendant, during his post arrest interview, had admitted his ownership and control over the seized computers, his knowledge of their encrypted files, and his knowledge of the password, the Court concluded that compelling him to provide that password “is only telling the government what it already knows.” Providing the password under such circumstances therefore was held not to violate the defendant’s privilege against self-incrimination under either the federal or state constitutions.

In a forceful dissent, two Justices disagreed with the Court’s opinion, stating that the compelled decryption was tantamount to forced self-incrimination.  Describing the potential sweep of the Court’s decision, the dissent stated as follows: “The court holds today that the defendant … may be ordered to enter decryption keys sequentially on each and every electronic device seized from his home, his home office, and his automobile, in order to provide law enforcement officers with unencrypted access to those devices.”

The true scope of the Court’s holding, however, may not become clear until trial courts begin applying it under various factual scenarios, and those applications are tested in the appeals courts. For now, all that is clear is that under certain circumstances, even industrial-strength encryption may not place digital files beyond the government’s reach.

Subscribe To Viewpoints

Published

Viewpoint Topics

Professionals

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.