Skip to content
Naked Security Naked Security

Passcodes are protected by Fifth Amendment, says court

The government isn't really after the password, after all; it's after any potential evidence it protects. In other words: fishing expedition.

There was an underage driver at the wheel, driving on a Florida highway. Police say he was speeding.
When he crashed, one of the passengers in his car died. At the hospital, a blood test showed that the minor had a .086 blood-alcohol content: slightly over the legal limit of .08% for non-commercial drivers.
According to court documents, police found two iPhones in the car: one that belonged to a surviving passenger and one that allegedly belonged to the driver. The passenger told police that the friends had been drinking vodka earlier in the day and that she’d been talking with the driver on her iPhone.
The police wanted the driver’s phone, so they got a warrant to search it for data, photos, text messages, and more. They also sought an order compelling the minor to hand over the passcode for the iPhone and for an iTunes account associated with it.
And this is where we get into the evolving world of the Fifth Amendment and compelled passcode disclosure. Last Wednesday, 24 October, the Florida Court of Appeal quashed a juvenile court’s order for the defendant – identified only by his initials, G.A.Q.L., since he’s a minor – to disclose his passcodes.
A trial court had agreed to compel the disclosure, given that “the act of producing the passcodes is not testimonial because the existence, custody, and authenticity of the passcodes are a foregone conclusion.”
No, the Appeal Court said last week, we disagree. As other, but certainly not all, courts have decided, compelled password disclosure amounts to forcing the defendant to disclose the contents of his own mind – a violation of Fifth Amendment rights against self-incrimination.
The “foregone conclusion” standard keeps cropping up in these cases. It allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.


The latest from the Florida Court of Appeals put a twist on that: whereas the government in the past has only had to show that the defendant knows their password, in this case, the court says that the government needs to show that it knows that specific evidence needed to prosecute the case is on the device, not just that there’s a reasonable certainty the device can be unlocked by the person targeted by the order.
If prosecutors already knew what was on the phone, and that it was the evidence needed to prosecute the case, they didn’t prove it, the court said last week. From the order to quash the password:

Because the state did not show, with any particularity, knowledge of the evidence within the phone, the trial court could not find that the contents of the phone were already known to the state and thus within the “foregone conclusion” exception.

Regardless of the “foregone conclusion” standard, producing a passcode is testimonial and has the potential to harm the defendant, just like any other Fifth Amendment violation would, the Florida court said. It’s not as if the passcode itself does anything for the government. What it’s really after is what lies beyond that passcode: information it can use as evidence against the defendant who’s being compelled to produce it:

Here, the state seeks the phone passcode not because it wants the passcode itself, but because it wants to know what communications lie beyond the passcode wall. If the minor were to reveal this passcode, he would be engaging in a testimonial act utilizing the “contents of his mind” and demonstrating as a factual matter that he knows how to access the phone. As such, the compelled production of the phone passcode or the iTunes password here would be testimonial and covered by the Fifth Amendment.

We know that a phone owner very likely knows their passcode. Focusing on the passcode misses the mark, the court said.

Below and on appeal, the state’s argument has incorrectly focused on the passcode as the target of the foregone conclusion exception rather than the data shielded by the passcode, arguing that “because the State has established the existence of the passcode and iTunes password, evidence on the Petitioner’s cell phone, and that he can access the content of his phone,” the compelled search was acceptable. Similarly, the trial court specifically held that the “existence, custody, and authenticity of the passcodes are a foregone conclusion” in the order appealed. This holding, which focuses on the passcodes rather than the data behind the wall, misses the mark.

The government is really after any and all documents it can get at once it knows the passcode. In other words, these grabs for passcodes amount to fishing expeditions:

It is not enough to know that a passcode wall exists, but rather, the state must demonstrate with reasonable particularity that what it is looking for is in fact located behind that wall. Contrary to the Stahl court’s conclusion, which the trial court adopted, the “evidence sought” in a password production case such as this is not the password itself; rather, it is the actual files or evidence on the locked phone. Without reasonable particularity as to the documents sought behind the passcode wall, the facts of this case “plainly fall outside” of the foregone conclusion exception and amount to a mere fishing expedition.

It’s not enough for the government to infer that there’s evidence on the phone, the court said. Just because it belonged to the driver doesn’t mean anything – after all, pretty much everybody owns a phone, and that doesn’t necessarily point to those devices holding evidence of crimes.

Here, the state’s subpoena fails to identify any specific file locations or even name particular files that it seeks from the encrypted, passcode-protected phone. Instead, it generally seeks essentially all communications, data, and images on the locked iPhone. The only possible indication that the state might be seeking anything more specific was the prosecutor’s statement at the hearing that the surviving passenger had been communicating with the minor via Snapchat and text message on the day of the accident and after the accident, a fact that the trial court briefly mentioned in its order but did not appear to rely on in reaching its conclusion.

Of course, there are always the tactics of having defendants write down their passcodes or having them unlock their own phones. But those are basically just a way to get around the Fifth Amendment, this case suggests.
State court decisions don’t have the power to change the way passcode-disclosure/Fifth Amendment cases are decided throughout the country. But it is one more decision that defendants will be able to refer to when fighting forced disclosure.
That won’t necessarily keep defendants from being left to rot in jail indefinitely until they produce passcodes, but, well, it’s not nothing, either.


7 Comments

I know this will be shocking, but the Appeals court misunderstands the primary case it cites. I’m not making an opinion either way on this case, but it’s vastly different from In re Grand Jury Subpoena, 670 F.3d.
The cited case was a child porn case where the government was alleging John Doe had terabytes of child porn in a seganographically enclosed partition on a drive where they had decrypted other parts. They alleged that they knew based on testimony that John Doe had porn, therefore it must be on this drive and he must know the password. They had not established that there was an actual encrypted partition as opposed to just random data, that if the partition existed John Doe knew the password, or that if both of those were true it contained porn.
That’s totally different from this case. In this case Joe Minor had a DUI and there are claims he has stored conversations about that DUI. The court wants access to his stored communications. It’s well established that he has communications on the phone and has access to them, the thing at issue is the content of those communications. I think the jury is out on whether that’s a Fifth Amendment issue, but the particularity concerns in In re Grand Jury Supoena are irrelevant to this case.

There is a further point here, they can’t compel you to unlock your phone when they are able to get the information from another source (such as a phone provider). If they really wanted the communications they could just ask the phone provider or snapchat for the conversations, but they aren’t doing that because the court here is right, it’s a fishing expedition.

It’s a tough one. For security/privacy I want the best. So where possible, I keep passwords in my head (there are no back doors there – yet!). But then criminals can and do take the same approach – so I see this much like the ‘encryption back door’ argument and feel less surprised that some of the big tech giants are encouraging password-less authentication….

Since there are no solutions, only trade offs, It’s far more important to protect the criminal along with all of us. Government entities have no power over people except for criminals. So they keep making more things a crime. When you become a criminal for doing what’s right, or refusing to do wrong, you understand

Two comments:
1) Do not rely on the Supreme Court ruling as they have in the past. The next case to go to the justices will encounter a different political perspective.
2) If there is no passcode, one can not be compelled to provide it.
Using a string of letters, numbers and symbols is only a single avenue of “What You Know” authentication. There are others which are superior. Moreover, either “What You Have” and/or “What You Are” as additional factor(s) could well render any narrow judicial decision irrelevant.
We’ve a choice whether to take security seriously. If maintaining privacy is paramount, relying on a single string is silly.

I heartily agree with Point #1. I would like to comment regarding Point #2:
“There are others which are superior. Moreover, either “What You Have” and/or “What You Are” as additional factor(s) could well render any narrow judicial decision irrelevant.
We’ve a choice whether to take security seriously. If maintaining privacy is paramount, relying on a single string is silly.”
Multi-factor authentication is much better than single-factor for keeping your device(s) safe from thieves, snoops, children, etc. However, here is an article from this very site, two years ago and four years ago, respectively:
https://nakedsecurity.sophos.com/2016/05/02/la-judge-forces-woman-to-unlock-iphone-with-fingerprint/
https://nakedsecurity.sophos.com/2014/11/03/police-can-demand-fingerprints-but-not-passcodes-to-unlock-phones-rules-judge/
The gist of the articles indicate that biometrics (Something You Are) are not shielded by the Fifth Amendment the way known information, like passcodes, are.
Further, something in your possession, like a Smart Card or key fob (Something You Have) can simply be confiscated or obtained by use of a warrant.
Therefore, while multi-factor authentication is superior as general security, in a case like this or one similar, the passcode (Something You Know) is the only thing which will protect you.

all of this begs the question as to what about locking mechanisms based on retinal scan or fingerprint scan? The service provider cannot provide any content, but time and date stamps of communications [calls and texts] should be available for a specific phone number. Not sure what privacy rights are maintained by Snapchat — but it doesn’t appear to be an “expedition” if the request is narrowed down to a limited, unique time frame….

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?