Naked Security Naked Security

Court says suspect can’t be forced to reveal 64-character password

We have to protect the constitutional rights of the innocent, and that can mean shielding guilty-as-hell child abusers, the court said.

The dry facts: A US court has come down in favor of Fifth Amendment protections against forced disclosure of a 64-character passcode in a child abuse imagery case = an important interpretation of whether forced password disclosure is the modern equivalent of an unconstitutionally coerced confession.

The gut punch: The defendant is a man previously convicted over distribution and possession of child abuse imagery who, on the ride over to his arraignment, openly chatted with cops about how much he likes watching sexual videos featuring 10- to 13-year-old victims.

The ruling, handed down last Wednesday, quoted appellant Joseph J. Davis’s response when asked for his passcode:

It’s 64 characters and why would I give that to you? We both know what’s on there. It’s only going to hurt me. No f*cking way I’m going to give it to you.

Agents from the Office of the Attorney General (OAG) were investigating a child abuse imagery ring that led them to Davis’s apartment twice: once in 2014, and again in 2015. They said that his computer had repeatedly used a peer-to-peer file-sharing network, eMule, to share the imagery, which OAG agents received and confirmed to be illegal.

Davis was charged with two counts relating to disseminating child abuse imagery and one relating to criminal use of a communication facility. In 2015, prosecutors filed a pre-trial motion to compel Davis to give up that 64-character key to his encrypted computer. Davis responded by invoking his Fifth Amendment right against self-incrimination.

A lower court focused on whether the encryption was testimonial in nature, and, thus, protected by the Fifth Amendment – as in, would handing over his password be the same as revealing the contents of his mind?

As part of its analysis, the lower court had looked to the foregone conclusion exception to the Fifth Amendment. That standard keeps cropping up in these compelled-unlocking cases: it allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.

In order to apply the foregone conclusion standard, the government has to show that it knows that the evidence it wants is authentic and that it actually exists, and that a defendant has or controls it.

Well, in Davis’s case, they knew it all, the lower court found: they knew his computer had hard-wired internet access only; Davis admitted it was encrypted with TrueCrypt, said that he was the only user and the only one who knew the password, and that he’d “die in prison” before giving up that password; and that the state was pretty sure there was child abuse images on there.

In other words, we’re not going to learn anything that we don’t already know, the lower court ruled, so cough up that password: the foregone conclusion standard has been met.

The case went to appeal, and thus was an important question about password disclosure vis-a-vis the Fifth Amendment and the foregone conclusion standard decided last week.

In a 4-3 decision in Commonwealth v. Davis, the Pennsylvania Supreme Court ruled against the lower court on Wednesday, finding that disclosing a password is, in fact, testimony that’s protected by the Fifth Amendment’s privilege against self-incrimination.

The court decided that unlocking and decrypting a mobile phone or computer is, in fact, what the Electronic Frontier Foundation (EFF) calls “ the modern equivalent” of coercing a confession or forcing a suspect to lead police to incriminating evidence.

The EFF had filed a friend of the court brief in the case, arguing that the foregone conclusion exception applies only when an individual is forced to comply with a subpoena for business records, and only when complying doesn’t reveal the contents of their mind.

”Sometimes a shelter to the guilty”

The Pennsylvania Supreme Court agreed. It noted in its ruling that sometimes when protecting the rights of the innocent, you also wind up shielding those who are guilty scumbags:

Requiring the Commonwealth to do the heavy lifting, indeed, to shoulder the entire load, in building and bringing a criminal case without a defendant’s assistance may be inconvenient and even difficult; yet, to apply the foregone conclusion rationale in these circumstances would allow the exception to swallow the constitutional privilege. Nevertheless, this constitutional right is firmly grounded in the ‘realization that the privilege, while sometimes a shelter to the guilty, is often a protection to the innocent.’

The decision is considered a big win for privacy-rights advocates. The EFF:

This ruling is vital because courts must account for how constitutional rights are affected by changes in technology. We store a wealth of deeply personal information on our electronic devices. The government simply should not put individuals in the no-win situation of choosing between disclosing a password = and turning over everything on these devices – or instead defying a court order to do so.

Recent, related cases

This isn’t the first such decision. Some, but certainly not all, courts have similarly decided that compelled password disclosure amounts to a violation of Fifth Amendment rights against self-incrimination.

One example is the decision that came out of the Florida Court of Appeal in November 2018: it’s one of at least two such cases that have involved an intoxicated person who crashed their car, leading to the injury or death of passengers, then refused to unlock their iPhone for police.

In Florida, the court refused a request from police that they be allowed to compel an underage driver to provide the passcode for his iPhone because of the “contents of his mind” argument about the Fifth Amendment.

But the Florida court also went beyond that, saying that whereas the government in the past has only had to show that the defendant knows their passcode, with the evolution of encryption, the government needed to show that it knew that specific evidence needed to prosecute the case was on the device – not just that there was a reasonable certainty the device could be unlocked by the person targeted by the order.

If prosecutors already knew what was on the phone, and that it was the evidence needed to prosecute the case, they didn’t prove it, the Florida court said at the time.

Regardless of the “foregone conclusion” standard, producing a passcode is testimonial and has the potential to harm the defendant, just like any other Fifth Amendment violation would, the Florida court said. It’s not as if the passcode itself does anything for the government. What it’s really after is what lies beyond that passcode: information it can use as evidence against the defendant who’s being compelled to produce it.

And yet, just last month, a court ordered a woman who was high on meth when she crashed into a tree, seriously injuring one adult and five children passengers, to type in her iPhone password so police could search the device.

Supreme Courts in both Indiana and New Jersey are currently considering similar cases.