One of the most important issues that I raise in all my lectures at the Mandatory Continuing Legal Education organized by different providers in the Philippines and talks in other fora concerning cyber privacy, data security, and cybercrimes deal with the matter of encrypted content in a person’s or suspect’s electronic devices which are the subjects of searches and seizures, warrantless or not, by the police.
This matter has become an intriguing topic in human rights circles because of the differences in treatment by the law, legal enforcement officers and judicial authorities in different jurisdictions.
In the United Kingdom, the Regulation of Investigatory Powers Act (RIPA) criminalizes the willful non-disclosure of access codes, computer passwords and decryption keys or “keys to protected information” that custodians have in their possession if these keys are relevant in a national security case or child indecency case. The custodian can be imprisoned for five years. In other cases where these codes or keys are not disclosed, the custodians can be jailed for two years.
The Office of the Solicitor General in Australia pushed for an amendment to the Australian Telecommunication Interception Act that would have made it a crime for possessors of pass codes and decryption keys, upon being asked by law enforcement agents, not to reveal such keys, When the said law was finally passed in 2015, it required that “(w)here a service provider encrypts retained data, the service provider must retain the technical capability to decrypt and disclose relevant retained data in a useable form in accordance with a lawful request or requirement under the TIA Act or Telecommunications Act.”
Dr. Atty. Ramiscal lecturing for the MCLE Seminars for the IBP Lanao del Norte
In the Philippines, the Cybercrime Prevention Act authorizes the police, in the search, seizure and examination of computer data to “order any person who has knowledge about the functioning of the computer system and the measures to protect and preserve the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the search, seizure and examination” (Sec. 15). The I.R.R. of the law does not actually add anything to what was said in the law. The 2015 Draft Manual on Cybercrime Investigation by the Department of Justice makes the existence of full disk encryption as a “consideration” in the acquisition of computer data and advises the use of “trusted tools” when volatile data is suspected to have been encrypted. It did not specifically task the law enforcement agents investigating the suspect of asking the latter for decryption keys to decode the encrypted content.
Dr. Atty. Ramiscal in one of his MCLE lectures for the IBP Leyte
Encrypted content is difficult or computationally infeasible to decrypt in cases where the cryptographic software or product used, employed cipher keys that are sufficient in strength, and which there is no efficient algorithm or known attack that can break it. Even if the police manage to make a mirror copy or forensic copy of the hard disk drive of the computer, the encrypted content that resides on this drive may not be decoded or extracted by the police.
Dr. Atty. Noel G. Ramiscal with IBP CALMANA Pres. Atty. John Ibe
As people become more aware of the need to protect their privacy, they will resort to using encryption software which can make investigation of cybercrimes definitely more challenging for the police, who may be tempted to resort to shortcuts. It is in this instance where the police might be tempted to ask, threaten, coerce or cajole a suspect to give up the decryption key or access codes. So the question posed by this article becomes utterly relevant. Unfortunately, there is no Philippine jurisprudence or rule employed by the police on this matter. 
In all my MCLE lectures this year on cybercrimes, or electronic evidence, including those for the Integrated Bar of the Philippines Chapters of CALMANA (February 6, 2016), Laguna (February 13, 2016), Makati (March 12, 2016), Leyte (April 29, 2016), Negros Oriental (May 17, 2016) and the latest being Lanao del Norte (July 12, 2016), I apprise the lawyers/attendees of several US cases where the courts have decided that the police have no right to request the disclosure of access codes or decryption keys, as violative of the person’s right against self-incrimination.
Dr. Atty. Ramiscal with some of the gorgeous lawyers and the fabulous Judge Dottie of IBP Lanao del Norte
In 2010, the U.S. District Court for the Eastern District of Michigan in United States v. Kirschner addressed whether a defendant’s Fifth Amendment privilege against self-incrimination extended to the defendant’s computer password. The court analogized a computer password to a wall safe combination that only resides in someone’s mind, in fact it is a product of the mind. This information is testimonial, without which the government cannot pursue its case, and being so, it is therefore protected by the right against self-incrimination.
In a 2012 case, the Eleventh Circuit applied the same principle to decryption keys concerning Doe, a YouTube user who was investigated by the government for sharing child pornography. Since the electronic devices that Doe utilized were all encrypted, the prosecutor ordered him to decrypt the devices. Doe challenged this as a violation of his right against self-incrimination which the Eleventh Circuit upheld. It held that the “decryption and production of the hard drives’ contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government’s use of the drives’ contents.” The court stated that, “[t]he touchstone of whether an act of production is testimonial is whether the government compels the individual to use the ‘contents of his own mind’ to explicitly or implicitly communicate some statement of fact” that could be incriminatory, and without which the government would not be able to prove its case.
Dr. Atty. Ramiscal with IBP Lanao del Norte Pres. Atty. Gandamra and host Atty. Canizares Mindalano
So defense counsels can look up these cases if their clients accused of any form of cybercrime were placed in a similar situation. However, as I have stressed in my lectures, there is one U.S. case that is an exception to the ruling in these two cases. This case involved Sebastian Boucher who was investigated by the U.S. government for online child pornography. When he was apprehended, his laptop was accessed by a forensic expert who was able to view thousands of child pornography images. But when his laptop was shut down, upon rebooting the police were not able to open the files again because the encryption mechanism kicked in. Boucher refused the police’s order to hand over his decryption key. This time around the court supported the police because, it is already a “foregone conclusion” that his e-devices contained child pornographic images which were already seen by the forensic expert, and thereby solidifying the existence of probable cause against him. So Philippine government prosecutors can utilize the principle found in this case to argue for the government’s right to be presented the access codes or decryption keys to encrypted hard drives or e-devices the incriminating contents of which were already partially viewed by law enforcement agents.
Dr. Atty. Ramiscal receiving an appreciation plaque from IBP Leyte Pres. Atty. Patick Santo and Atty. Nick Esmale reading the citation
I would like to thank all the IBP Chapters officers and staff who had welcomed me and enjoyed their time with me: the fabulous Makati lawyers who gifted me with lemon oil and raspberry vinegar which proved unforgettable; the amiable CALMANA lawyers who were truly hospitable; the convivial Laguna lawyers who were quite appreciative of my insights; kudos to the Negros Oriental/Dumaguete lawyers (IBP Pres. Atty. Riconalla, Attys. Rocky, Elton and Nabi) and staff (Maricar Habanilla, et al) who went all out in making sure that my mother and me were satisfied with our food and accommodation, thank you to the crispy chicharon that lasted for about a week and a half!; heartfelt thank yous are in order to the IBP Iligan lawyers, in particular, their Chapter President, Atty. Khanini Gandamra, Atty. Diosdado Español and Atty. Edgardo Prospero who treated us at Tomyum, the lovely host, Atty. Annabelle Canazares Mindalano, Atty. Angel Lim (who so graciously and generously ferried my mom and me to our destinations and who shared with us his love of music), the very helpful student Ms. Aleah Rakhim, the accommodating IBP staff, Ms. Carandang and Ms. Arguson, and to everyone who made us feel so welcome in Iligan despite the very short stay we had there [the Cheding and dodol are very much appreciated!]; and finally, especial, especial, especial thank yous to all the Leyte lawyers, Attys. Hasmin, Chap, Matriano, Nick Esmale, and of course my UP schoolmate, bar topnotcher and a top notch human being, Atty. Patrick Santo for the grand Tacloban experience! My mom and I are still gushing about the food at Ocho-ocho and we trust we can go back there someday! It was truly an honor and privilege to have met and shared my advocacies with you all! God Bless Us! Insha Allah!
Philippine Law Bytes: TheCyberLawyer Issues by Dr. Attorney Noel Guivani Ramiscal 