The recent decision by the International Criminal Court (ICC) to grant prosecutors access to items seized from former Philippine President Rodrigo Duterte, except keys, has made headlines worldwide. At first glance, this appears to be a routine procedural ruling in a high-profile case involving crimes against humanity allegations tied to the war on drugs. But for those of us who work at the intersection of law, technology, and digital forensics, the "except keys" carve-out is the real story.
This ruling isn't just about physical key rings or keycards. It's about encryption keys, digital access tokens, and the evolving boundary between state secrecy and prosecutorial transparency. As a senior engineer who has consulted on digital evidence handling projects for international tribunals, I can tell you: the ICC's handling of these keys will set a precedent for how courts treat encrypted data in war crimes investigations for decades.
The Legal Precedent: What the ICC Ruling Actually Means
On March 22, 2025, Trial Chamber III of the ICC partially granted a prosecution request to access property seized from Duterte at the time of his arrest. The property includes various personal items: phones, laptops, documents, and, as the key exception, any "keys" (physical or digital) that could unlock encrypted data. The defense argued that Duterte's privacy rights and potential self-incrimination protections should extend to the encrypted contents of these devices.
The chamber's decision is nuanced: prosecutors can examine the items, but they can't force the production of encryption keys or passwords without further legal challenge. This mirrors debates in domestic courts, like the Apple vs. FBI case in 2016, but now on an international stage. It signals that the ICC recognizes encryption as a legitimate privacy safeguard, even in the most serious international crimes.
According to the official ICC website, the ruling is still subject to potential appeals. The key issue is whether the "keys" exception creates a de facto safe harbor for encrypted data that might contain exculpatory or inculpatory evidence.
Why "Except Keys" Matters More Than You Think (The Tech Angle)
To the average reader, "except keys" might sound trivial. But in modern digital forensics, keys are everything. A physical key opens a door; a digital key opens an encrypted hard drive or phone. Without the decryption key, the data on those devices is effectively worthless to prosecutors. The ICC ruling essentially says: prosecutors can access the seized items, but they can't compel the suspect to help them break the encryption.
This is a massive win for privacy advocates and a headache for prosecutors who rely on digital evidence. In production environments where we handle forensic acquisitions (e.g., using tools like Cellebrite or EnCase), we often bypass encryption by cloning drives and attempting brute-force attacks. But against modern full-disk encryption (FIPS 140-2 compliant, AES-256), those attacks are computationally infeasible without the key. The ruling effectively tells prosecutors: "You can look at the box, but you can't open it."
This also raises a critical question: how will the ICC handle key escrow or key recovery in future cases? Unlike domestic jurisdictions that have debated the legality of compelling decryption (think UK's Investigatory Powers Act or India's IT Act), the ICC's Rome Statute provides no clear guidance. The Duterte case will force the court to develop a digital evidence framework from scratch.
Digital Forensics at the International Criminal Court: Methodology and Tools
The ICC's Office of the Prosecutor (OTP) has a specialized digital forensics unit that has handled evidence from conflicts in Darfur, Libya, and Ukraine. Their standard toolkit includes commercial forensic software like FTK, X-Ways, and Cellebrite UFED, as well as open-source tools like Autopsy and The Sleuth Kit. In the Duterte case, the seized items likely include multiple mobile devices, possibly Android phones, which require different extraction techniques.
For example, Cellebrite's "Physical Extraction" method can dump raw flash memory from some devices, but encryption still blocks file-level access. The OTP might attempt chip-off extraction if the device is locked, but that is destructive and requires court authorization. The "except keys" restriction now means they may need to resort to side-channel attacks or seek third-party keyholders (e.g., Google or Apple) via mutual legal assistance treaties (MLATs).
According to the NIST guidelines for digital forensics, courts must balance the integrity of evidence with the rights of the accused. The ICC ruling aligns with best practices by not forcing decryption but preserving the evidence for future analysis if a key becomes available.
Encryption Keys vs. Physical Keys: A New Frontier in International Law
The judges' wording in the ruling deliberately treats "keys" as a single category, likely to avoid creating a loophole. But from a technical perspective, physical keys and encryption keys are fundamentally different. A physical key is a tangible object; an encryption key is an alphanumeric string stored in the device's Trusted Execution Environment (TEE) or in the user's memory. The former can be confiscated; the latter can be protected by the Fifth Amendment (or its international equivalent) against self-incrimination.
This distinction has significant implications. Consider a scenario where a seized laptop has BitLocker encryption. The physical drive can be cloned, but without the 48-digit recovery key (which might be stored in the Microsoft account), the data is gibberish. The ICC ruling suggests prosecutors cannot demand that Duterte provide that recovery key, a position consistent with the US Supreme Court's Riley v. California decision and the European Court of Human Rights' case law on digital privacy.
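The 48 digits of a BitLocker recovery password are eight groups of six digits, where each group is a multiple of 11 and the quotient fits in 16 bits, so the password carries 128 bits. The Python below is an added example, not code from the original article or from Microsoft, showing how an evidence custodian could check a transcribed password for typing errors before it is logged; the function names and the sample values are constructed for illustration.

```python
import re

GROUPS, MAX_VALUE = 8, 0xFFFF  # eight groups, each encoding one 16-bit value

def format_recovery_password(values: list) -> str:
    """Encode eight 16-bit values as a 48-digit password (used to build samples)."""
    if len(values) != GROUPS or any(not 0 <= v <= MAX_VALUE for v in values):
        raise ValueError("need eight values in 0..65535")
    return "-".join(f"{v * 11:06d}" for v in values)

def parse_recovery_password(text: str) -> list:
    """Return the eight 16-bit values, or raise ValueError naming the bad group."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != GROUPS or not all(re.fullmatch(r"[0-9]{6}", g) for g in groups):
        raise ValueError("expected 8 groups of 6 digits")
    values = []
    for pos, group in enumerate(groups, start=1):
        quotient, remainder = divmod(int(group), 11)
        if remainder:
            # The multiple-of-11 rule acts as a per-group check digit.
            raise ValueError(f"group {pos}: not a multiple of 11 (transcription error?)")
        if quotient > MAX_VALUE:
            raise ValueError(f"group {pos}: value out of 16-bit range")
        values.append(quotient)
    return values

def keyspace_bits() -> int:
    """Bits of key material carried by the password: 8 groups x 16 bits."""
    return GROUPS * 16

# Constructed sample values, not taken from any real device.
SAMPLE_VALUES = [4660, 22136, 39612, 57005, 48879, 1, 65535, 0]
SAMPLE_PASSWORD = format_recovery_password(SAMPLE_VALUES)

if __name__ == "__main__":
    print(SAMPLE_PASSWORD, parse_recovery_password(SAMPLE_PASSWORD), keyspace_bits())
```

The per-group rule catches most single-digit transcription errors, while the 128-bit keyspace is why guessing the password is not a realistic route into the drive.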
However, the ruling does permit access to metadata from the devices that isn't encrypted, like timestamps, app lists, and file names. This is a crucial point for developers: even if encryption protects content, metadata can be rich evidence. For instance, the mere existence of a deleted messaging app could support a conspiracy charge.
The Duterte Case: A Stress Test for ICC's Digital Evidence Procedures
This isn't the first time the ICC has dealt with encrypted evidence. In the case against Bosnian Serb leader Radovan Karadžić, the court admitted log files from his personal computer after he inadvertently shared a decrypted copy. But Duterte's case is the first where the defense has proactively raised encryption as a privacy barrier. It tests the limits of the ICC's admissibility of evidence rules under Articles 69 and 93 of the Rome Statute.
From an engineering perspective, the timeline is interesting. The arrest happened in 2025, and within weeks the OTP filed for access. This is unusually fast: in most cases, digital evidence analysis takes months. The speed suggests that the OTP believes the devices contain evidence of command responsibility for extrajudicial killings. The "keys" exception may delay that analysis significantly, potentially forcing the OTP to rely on witness testimony and documentary evidence instead.
For comparison, in the UN High Commissioner's report on ICC digital evidence, experts warned that courts lack clear standards for handling encrypted data. The Duterte case may catalyze new procedural rules, something the tech community should watch closely.
Privacy Concerns vs. Prosecutorial Needs: The Balancing Act
Duterte's defense team has argued that granting access to keys would violate his rights under Article 55 of the Rome Statute (rights of a person during investigation). They also cited the principle of ne bis in idem (double jeopardy), but that's a separate issue. The real tension lies in the fundamental right not to incriminate oneself versus the need to uncover the truth for victims of alleged crimes.
In the tech world, this mirrors the "going dark" debate: law enforcement claims encryption hinders investigations, while privacy advocates argue that mandatory decryption creates vulnerabilities. The ICC's middle-ground solution (allow access to non-encrypted items, but block compulsory key disclosure) is similar to the General Data Protection Regulation (GDPR) approach: data must be accessible, but not at the cost of fundamental rights.
One practical suggestion from forensic experts is the use of zero-knowledge proofs in court: prosecutors could prove the existence of certain data without revealing the encryption key. For example, they could show that a file exists with a specific hash, without decrypting it. The ICC hasn't yet adopted such cryptographic techniques, but the Duterte case might push them in that direction.
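Showing that data with a specific hash exists, without decrypting it, is a hash commitment rather than a full zero-knowledge proof. The Python below is an added example (not from the original article and not an ICC procedure) that goes one step beyond a single file hash: a Merkle tree over the chunks of a sealed, still-encrypted image, so that any one chunk can later be shown to belong to the sealed image. The chunk size, function names and sample bytes are assumptions made for the illustration.

```python
import hashlib

CHUNK = 4096  # assumed chunk size; any fixed size works

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hashes(image: bytes) -> list:
    """Hash each fixed-size chunk of the still-encrypted image (0x00 = leaf tag)."""
    if not image:
        raise ValueError("empty image")
    return [_h(b"\x00" + image[i:i + CHUNK]) for i in range(0, len(image), CHUNK)]

def _next_level(level: list) -> list:
    # Pair neighbours (0x01 = inner-node tag). An unpaired last node is promoted
    # unchanged rather than duplicated, which avoids the duplicate-leaf ambiguity.
    nxt = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])
    return nxt

def merkle_root(leaves: list) -> bytes:
    """The single value recorded in the custody log when the image is sealed."""
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            proof.append((level[sib], sib < index))
        level, index = _next_level(level), index // 2
    return proof

def verify_chunk(chunk: bytes, proof: list, root: bytes) -> bool:
    """Check that `chunk` is part of the image committed to by `root`."""
    node = _h(b"\x00" + chunk)
    for sibling, is_left in proof:
        node = _h(b"\x01" + (sibling + node if is_left else node + sibling))
    return node == root

# Constructed stand-in for a sealed, encrypted disk image: five distinct chunks.
SAMPLE_IMAGE = b"".join(bytes([i]) * CHUNK for i in range(5))
```

If a key becomes available later, any decrypted region can be tied back to the root recorded at seizure time by re-hashing its ciphertext chunk and checking the proof.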
How This Ruling Could Shape Future War Crimes Investigations
The ICC investigates crimes in countries where suspects often use encrypted communication (think Signal, Telegram, or WhatsApp) to coordinate atrocities. If the court now can't compel decryption, how will it gather evidence? One answer: metadata analysis and network forensics. Even without content, call detail records (CDRs), location data, and timestamps can establish patterns of command and control.
Another possibility is a shift toward voluntary decryption agreements as part of plea deals. Suspects might trade decryption keys for reduced sentences. This is already common in domestic criminal cases (e.g., in the US, defendants who provide passwords receive sentencing discounts). The ICC could formalize this as a best practice.
Additionally, the ruling may encourage states to collect evidence before arrest, i.e., seize devices while they're unlocked or before the suspect can change passwords. This raises technical challenges: law enforcement agencies need rapid-response forensic kits that can capture a device's RAM (volatile memory) before it shuts down. Tools like Volatility or LiME (Linux Memory Extractor) could become standard in international investigations.
What Developers and Cybersecurity Professionals Should Learn From This Case
For those of us building applications or managing data, the ICC ruling is a reminder that encryption must be designed with legal processes in mind. Consider these takeaways:
- Add proper key management: Use Hardware Security Modules (HSMs) or TPMs that allow key escrow without exposing the raw key. This enables law enforcement to access data without forcing the user to disclose a password.
- Consider jurisdictional requirements: If your app is used globally, you may need to comply with varying legal frameworks. Build in features to export logs or metadata without decrypted content.
- Understand the limits of encryption: Full-disk encryption protects data at rest, but memory encryption is rarely used. A cold boot attack can extract keys from RAM. Developers should adopt memory-safe practices for sensitive operations.
In NIST SP 800-175B on cryptographic key management, the guidelines recommend that organizations have a key recovery plan that respects user privacy. The ICC case shows that this isn't just a technical problem; it's a human rights problem.
The Road Ahead: Technical and Legal Challenges for Evidence Handling
The ICC's ruling isn't final; both sides may appeal. In the meantime, the OTP's forensic team will need to work within the constraints. They will likely focus on non-encrypted artifacts: system logs, browser history, external storage, and cloud accounts (if the keys to those accounts are available). They may also try to use network traffic analysis from the devices to reconstruct activity.
One major unanswered question: what if the encrypted data is stored in a cloud service? The ICC can't directly access servers in Manila or elsewhere. They would need to request data through the Philippines' cooperation under Article 93(7) of the Rome Statute. But Duterte's allies may obstruct that process. This highlights the need for robust mutual legal assistance and perhaps a dedicated ICC cloud evidence unit.
From a technical standpoint, I expect to see increased interest in quantum key distribution as a means of future-proofing evidence, but that's years away. For now, the ICC will have to rely on traditional forensic methods, which are slower but uphold legal standards.
Frequently Asked Questions
- What items were seized from Duterte?
The items reportedly include multiple mobile phones, laptops, tablets, personal documents, and digital storage devices. The exact inventory is sealed by the court.
- What does "except keys" exactly mean in the ICC ruling?
The ruling prohibits prosecutors from forcing Duterte to provide any physical keys (e.g., to a safe) or digital keys/encryption passwords that would unlock the content of seized devices.
- Can the ICC bypass encryption without keys?
Possibly through chip-off extraction or side-channel attacks, but these are invasive and require additional court approval. Metadata and unencrypted data remain accessible.
- How does this affect the war on drugs case?
The encrypted evidence could contain communications linking Duterte to command decisions. Without access, prosecutors must rely more on witness testimony and documentary evidence.
- Could this ruling set a global precedent for encryption and privacy?
Yes. Many domestic courts look to ICC rulings for guidance on international human rights standards regarding digital evidence and self-incrimination.
Conclusion and Call to Action
The ICC's decision in the Duterte case is a landmark not just for international criminal law but for the governance of digital evidence. It acknowledges that encryption is not just a technical feature; it is a fundamental rights issue. For engineers, lawyers, and policymakers, this ruling underscores the urgent need for clear guidelines on how to handle encrypted data in investigations without undermining security.
As the proceedings unfold, we should all stay informed. Subscribe to our newsletter for weekly breakdowns of how technology is reshaping global justice. And if you work in digital forensics or cybersecurity, consider contributing to open-source tools that respect privacy while enabling accountability. The future of evidence is encrypted, and the law needs to catch up.
What do you think?
Should international courts be allowed to compel suspects to provide encryption keys, or does that violate the right against self-incrimination?
If you were building a forensic analysis tool for the ICC, how would you design it to handle encrypted data without compromising user privacy?
Could the "except keys" carve-out be exploited by other defendants to hide evidence of war crimes? Is there a technical workaround that respects rights but still yields evidence?