A story is circulating around the blogosphere that using encryption is now considered evidence of criminal activity, at least according to a recent court decision. I think the misunderstanding started with this piece by Declan McCullagh, was then picked up by Bruce Schneier’s widely read blog, and spread from there to many other blogs (see, e.g., here, here, and here). Obviously, the idea that using encryption necessarily reflects criminal activity is rather silly; Internet users use encryption all the time for all sorts of legitimate reasons. As many critics of the new decision have noted, it makes no sense to see encryption as inherently linked to crime. But contrary to the blogospheric common wisdom, no court ever said it was.
Here is what happened in the case, State v. Levie, decided by the Minnesota Court of Appeals. (Warning: graphic, disturbing, and lengthy facts of the case ahead.) The defendant in the Levie case was charged with soliciting his young niece to take nude pictures of her for money. The niece testified that her uncle, the defendant, had asked to take nude pictures of her starting when she was 8 years old, and that when she was nine she agreed to let him do so on several occasions. The defendant took digital photographs of her and transferred them onto his computer. At one point, in late 2002, the defendant asked his niece to take a particularly vulgar photograph. The girl refused, and eventually the case was reported to the police. The defendant had been accused of child sex-related offenses before, and was known for hosting sleepover parties with 8-to-10 year-old girls.
The police seized the defendant’s computer pursuant to a search warrant and analyzed it using EnCase forensic software, a tool for analyzing hard drives that is commonly used by state and federal law enforcement. Presumably the goal was to recover the pictures of the victim that the defendant had taken before, as well as any other evidence that might verify the truth of her story. The EnCase software produces a report that explains the contents of the hard drive, and a detective created such a report in the case using the software.
Surprisingly, however, the report did not reveal the discovery of any nude photographs of the victim, or any other child pornography. The only evidence the report recovered was that someone had entered child-sex related search terms such as “lolita” into a web browser found on the hard drive, and that there was a folder in the computer labeled “research” that contained the text of the state statutes on child pornography. The report also found that the computer contained a copy of the encryption program PGP (Pretty Good Privacy). The trial judge ended up excluding part of the report at trial, but admitted the portion of the report that disclosed the use of child-sex related search terms and the existence of PGP.
The niece’s testimony was the key evidence at trial. The contents of the computer were an issue only to the extent they corroborated or disproved her story. Although the opinion is not clear on this, it’s not hard to imagine why the contents of the computer were relevant. The girl had testified that the defendant had put nude pictures of her on his computer, but no pictures were recovered. The defense presumably argued that the lack of pictures showed the niece was lying. The government pointed to the Internet search terms as corroboration, and argued that the lack of photos on the defendant’s computer only reflected the fact that he was savvy enough to get rid of the images, hide them, or encrypt them because he knew the police were coming. The evidence of the defendant’s careful effort to hide the files and evade law enforcement was the downloaded text of the state statute and the copy of PGP. Not slam-dunk evidence, obviously, but not entirely irrelevant.
And that’s all that the Minnesota Court of Appeals held. Here is the analysis:
Appellant first argues that he is entitled to a new trial because the district court erred in admitting irrelevant evidence of his internet usage and the existence of an encryption program on his computer. Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. State v. Swain, 269 N.W.2d 707, 714 (Minn. 1978). And rulings on relevancy will only be reversed when that discretion has been clearly abused. Johnson v. Washington County, 518 N.W.2d 594, 601 (Minn. 1994). “The party claiming error has the burden of showing both the error and the prejudice.” State v. Horning, 535 N.W.2d 296, 298 (Minn. 1995).
Appellant argues that his “internet use had nothing to do with the issues in this case;” “there was no evidence that there was anything encrypted on the computer;” and that he “was prejudiced because the court specifically used this evidence in its findings of fact and in reaching its verdict.” We are not persuaded by appellant’s arguments. The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him. See Minn. R. Evid. 401.
In sum, the court did not hold that encryption is a signal of criminal activity. All it did was say that in one case, where a crucial witness testified about the presence of a computer file on a computer, the presence of encryption software on the computer in early 2003 was “at least somewhat relevant” to the question of whether the defendant was a skilled computer user who had intentionally removed any traces of that file from the hard drive.
UPDATE: I have sanitized the facts a bit more in response to a reader’s request. My apologies if the earlier version was more graphic than it needed to be.