Welcome to another week of What's Next, your briefing on the intersection of technology and law. I'm Ben Hancock and this week I'm asking, when is decryption of data a “foregone conclusion,” and should your law firm be getting a piece of that cryptocurrency action? Also, mind what you store on the blockchain.

News tips? Events that should be on my radar? Email me at [email protected] or reach me on Twitter @benghancock. And tell your friends to subscribe.

|

Watch This Space: Inevitable Decryption

This is something sure to interest privacy policy wonks, encryption advocates, and criminal law practitioners. Last week, a federal magistrate judge in the Northern District of California ordered a defendant to decrypt secure folders on his iPhone and laptop, and an encrypted external hard drive, notwithstanding the Fifth Amendment. It's not the first time that's happened, but it is the first decision of its kind in the Ninth Circuit. And some say the judge's legal reasoning could mark an important shift in the law.

Here's the overview: The defendant, a California man, has been charged with possession and distribution of child pornography. There isn't any question whether he is the owner of the devices; he actually cooperated in unlocking the phone and the laptop. So the issue then becomes, can he be forced to give up the passwords for the encrypted folders and hard drive under what's called the “foregone conclusion” doctrine? Or would that be “testimonial,” and thus protected by Fifth Amendment privilege?

The foregone conclusion doctrine has something of a murky past. The Eleventh Circuit applied it in a 2012 decision, ruling that the government must show, with reasonable particularity, that it knows what it's looking for. Then Third Circuit last year ruled in a case with a similar fact pattern and reached a different result, but didn't resolve what the correct test is, as USC law professor Orin Kerr wrote for the Washington Post at the time.

Judge Jacqueline Scott Corley, in her order, takes a footnote from that Third Circuit ruling and really hammers it home: The correct test isn't whether the government knows what's on the device, but whether it has established that the defendant knows the password. “[T]he Court holds that if the respondent's knowledge of the relevant encryption passwords is a foregone conclusion, then the Court may compel decryption under the foregone conclusion doctrine,” she writes.

If that sounds subtle, it's not, says Dan Terzian, a lawyer at Duane Morris who has written extensively about the compelled decryption issue. With that as the standard, then “99 percent of the time, perhaps 99.9 percent of the time, [the government] is going to be able to get an order to decrypt,” Terzian told me. That's because most of the time in these types of cases, the government can provide evidence that the accused knows the password. It might be as simple as saying that a phone was in the defendant's pocket.

Kerr, who advocates for the password-focused application of the doctrine, agrees that the decision is significant and noted it could be a prelude to a circuit split on this issue. Comparing Corley's recent decision to the Eleventh Circuit approach, he told me: “One is a workable standard for law enforcement, one is not … so the stakes are quite high.”

>> Think Ahead: This may be the beginnings of another legal showdown over privacy. But it's not going to be Apple v. FBI. Most of these cases involve child pornography; it seems unlikely that the public would be able to abstract that away from the debate.

Trending: Facebook's Big Data Fallout

The landscape for Big Data isn't getting any easier – politically or legally. In the wake of revelations that Cambridge Analytica siphoned data from Facebook to fuel its voter influence campaign, the social media giant was hit with a lawsuit last Friday by Cook County alleging violations of Illinois fraud statutes, Ars Technica reports. It's not the first lawsuit to land on Facebook over the scandal, but it does appear to be the first filed by a government entity. The company is also being scrutinized by the Federal Trade Commission.

The county (which encompasses Chicago), is being repped by none other than Jay Edelson of Edelson PC. He's the guy behind the lawsuits against Facebook over biometric data. The general theory of the new case is that Facebook told consumers their personal data was being handled in accordance with user and software developer guidelines, when the opposite was true.

“Despite these material representations,” the complaint says, “Facebook permitted third parties, including Cambridge Analytica, to collect and harvest its users' personal data, including such sensitive information as their private messages, for purposes of profiling and targeting them with tailored messaging that would dependably influence and manipulate their behavior.” (Cambridge Analytica is also named as a defendant in the lawsuit)

It's not the only bad news for Facebook. A day earlier, Ars reported that the company — unbeknownst to users — had been gathering call log data from users of its Android app. (This apparently happened if users allowed the app to access their contacts in an earlier Android version.) I haven't spotted any lawsuits filed over this yet, at least not in federal court.

So with all this you might be wondering: Is the Big Data reckoning upon us?Will new restrictions be put in place? London-based Hogan Lovells privacy law partner Eduardo Ustaran argues in a post that regulators should be reaching for a different approach, and that companies should do a better job putting users in control of their data and sharing the benefits derived from it.

>> Takeaway: For Europe, Snowden was the inflection point that drove groundbreaking privacy litigation and law. This might be that moment for the U.S. But given the awkward politics and different approaches to privacy in the U.S., more incremental restrictions are probably in the offing.

In Futuro: Legaltech Startups to Know

Last week I wrote about a startup making a pitch at Y Combinator for a technology that can upload your brain, but only after it ….er, kills you. My colleague Gabrielle Orum Hernández write about some less lethal, legal-focused tech startups that also made an appearance at the event. Among them are Lawyaw, which aims to make processing legal documents smoother, and Callisto, sexual misconduct reporting software that says it can help figure out when more than one person has ID'd the same attacker. Check out more here.

Protocol: Law Firms (Crypto) Cashing In

If you're like me and haven't yet bought into the crypto bandwagon, you might have shared in that feeling of being left behind by the easy money train last fall when Bitcoin, Ethereum and a host of other “alt coins” were taking off. (I feel that less so now.) Well, law firms apparently weren't immune from that either. The Financial Times reports on how Magic Circle firms like Clifford Chance and Allen & Overy, as well as U.S. giants like Cooley and Latham & Watkins, are trying to get a piece of the initial coin offering action.

Despite the continuing regulatory uncertainty, the FT says, law firms are advising on small ICOs now “with a view to being first in line if they go mainstream.” Allen & Overy debt capital markets partners Phil Smith is quoted: “The minute that someone breaks cover and starts to use this on a wholesale basis, then there will be a rush [of demand].”

Your firm still standing on the sidelines? Walker Associates, a New York-based legal search firm, writes in a contributed piece for Legaltech Newsabout how firms can get in on the fintech wave. Quick tips: Avoid overspecialization in a sector, and get people who know how Washington works. “Regulation could alter the playing field overnight. The Office of the Comptroller of the Currency, in particular, is being closely watched to see if it will support the creation of a national banking charter for fintech firms.”

>> Think Ahead: Being ahead of the curve can be nice. But in a space that's pretty muddled, attempting to offer clarity seems challenging — if not downright risky. The SEC has been pretty consistent in reminding professionals (lawyers included) that they have to be cautious.

Dose of Dystopia

This is a whole new twist on “dirty money.” As most readers probably know, every “node” of the Bitcoin blockchain contains an entire copy of the ledger; that helps verify transactions made on the network. But researchers from two universities in Germany have found that people are putting some pretty questionable data on the blockchain – which means that your machine might have some legally dicey content on it too, The Register reports.

“[R]esearchers from RWTH Aachen University and Goethe University identified 1,600 files added to the Bitcoin blockchain, 59 of which include links to unlawful images of child exploitation, politically sensitive content, or privacy violations. The researchers suggest Bitcoin's blockchain can also be loaded with malware, something Interpol warned about three years ago but has not yet been documented in the wild.”

I heard about this over on one of my favorite nerdy podcasts, Linux Action News, (any other fans out there?) and the hosts explain that these links and other content are not stored in the open; they're “hashed,” although it's apparently not all that hard to view them. So is this just what governments anxious about cryptocurrency need to be able to start clamping down?The paper's authors write: “it could become illegal (or even already is today) to possess the blockchain, which is required to participate in Bitcoin. Hence, objectionable content can jeopardize the currently popular multi-billion dollar blockchain systems.”

That's it for this week. Keep plugged in with What's Next!