Court Says Fifth Amendment Covers Smartphone Passcodes, But It's Hardly A Victory For Constitutional Rights
from the blueprint-for-fifth-amendment-evasion-currently-in-progress dept
A recent opinion issued in a prosecution by the Securities and Exchange Commission seems to indicate the government can’t force members of the public to hand over passwords without violating the Fifth Amendment. But the details suggest something else: that this is limited to a very specific set of circumstances and is not in any way precedential, at least not at this point.
The courts have previously weighed in on the legality of forcing people to basically provide incriminating evidence against themselves through the compelled relinquishment of passwords. Back in 2013, a magistrate judge rejected an order compelling a defendant to decrypt a seized hard drive by providing the government with his password. A year later, the Massachusetts Supreme Court came to the opposite conclusion: that the compelled production of passwords did not have Fifth Amendment implications.
The DOJ has argued that it does have the right to demand passwords to unlock seized items and actually found a judge that agreed with it. In that case, the court found that unlocking a device was no different than producing documents at the government’s request — distancing it from the “compelled speech” against a person’s own interests that the Fifth Amendment is supposed to guard against.
This case falls along those same lines, but the legal conclusions are a bit different.
The Securities and Exchange Commission (SEC) is investigating Bonan and Nan Huang for insider trading. The two worked at the credit card company Capital One as data analysts. According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.
Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.
But here’s the problem: The SEC can’t get in. Neither can Capital One. Only the defendants know the passcodes. And the defendants have refused to disclose them. As much as Capital One may want to aid the SEC in prosecuting its former employees, it can’t.
The SEC sought an order to compel the production of the passcodes. The suspects refused on Fifth Amendment grounds. This brings us to the tricky details of this case, which suggest it won’t become an across-the-board Fifth Amendment-protected “right” to deny the government access to password-protected devices and storage.
The government argued for the compelled production of passwords using the “foregone conclusion” doctrine.
The doctrine, introduced in Fisher v. United States, says that the Fifth Amendment doesn’t block complying with a court order when the testimonial part of complying with a court order is a foregone conclusion. In other words, if the government already knows the testimonial part of complying with the order, and they’re not seeking to prove it from the order, then you can’t use the Fifth Amendment to avoid compliance with the order.
In the government’s creative interpretation of the doctrine, the production of passcodes would be no more than the defendants acknowledging they used the phones Capital One supplied them with — something the government already knows and which has been confirmed by Capital One. Therefore, there are no Fifth Amendment implications. The judge disagreed, correctly pointing out that the government was seeking access to documents possibly contained on the phones, rather than simply seeking to confirm what it already suspected: that the phones were used by the defendants.
By using one thing to achieve another, the government was stretching its “foregone conclusion” to cover any evidence discovered on the unlocked phones. If the defendants have reason to believe incriminating documents resided on those phones, they are well within their Fifth Amendment rights to refuse the government’s request. Or so you would think.
Should the SEC ultimately succeed with this interpretation of the “foregone conclusion” doctrine, it will have compelled incriminating testimony. It claims that it’s merely seeking to confirm ownership by seeing if the passcodes unlock the phones. But once they’re unlocked, it can compel the production of documents. Should these prove to be incriminating, it already has the defendants’ admissions that these are their cell phones.
So, this case is less about securing Fifth Amendment rights than the government exploring options on how to obtain permission to compel defendants to hand over access to possibly incriminating information. If the court holds firm in its view of the government’s true aims, it will be a small win for constitutional rights but one unlikely to be applied broadly.
As Orin Kerr points out in a second post on the case, some unanswered questions point towards the government being able to successfully argue that simply providing a password to a locked device isn’t self-incriminating testimony.
If this analysis is right, then the password is incriminating because it provides a link to the evidence. The government could grant the defendants immunity, but it would need to be use and derivative use immunity — that is, immunity not just from the actual testimony but from what the testimony would reveal.See Counselman v. Hitchcock, 142 U.S. 547, 585 (1892). The defendants should win. That’s where Jonathan comes out, and it might be correct.
But I’m not sure. Here’s my question: Does the “link in the chain” test include a merely causal link — that is, a link in the chain to the evidence? Or does “link in the chain” mean that the testimony was part of the evidence of guilt but not enough to prove the entire offense — that is, a link within the body of evidence? If testimony is solely of value for its causal connection to evidence, and it has no evidentiary value itself, is the testimony incriminating?
If the government can argue that compelled production of passwords that leads to the discovery of incriminating material is merely causal (rather than the password itself being evidence of guilt), it may be able to skirt the Fifth Amendment entirely. This has obvious implications in the ongoing law enforcement war on encryption. With no firmly established legal footing for the argument that demanding passwords violates the Fifth Amendment, password-protected encryption will be ultimately no more safe than leaving everything unlocked and in plaintext.
So, while the court has — for the moment — denied the government’s request to compel the production of passwords, the underlying legal entanglements don’t exactly bode well for the future of the Fifth Amendment.
Filed Under: fifth amendment, passcodes, phone, self-incrimination
Comments on “Court Says Fifth Amendment Covers Smartphone Passcodes, But It's Hardly A Victory For Constitutional Rights”
Distinction without meaning
If the prosecution isn’t allowed to force someone to answer question like “Tell us where/what the murder weapon is” then they absolutely shouldn’t be able to force someone to provide a password.
In both cases the fact that the one forced to talk was able to provide the answer creates a solid and damning link between the suspect and the evidence. If they knew were the weapon was, then it’s very easy to argue that that’s because they were the ones who placed it there. Likewise if someone is able to provide a password to an encrypted device/drive, it proves that they have access to it.
In both cases while the compelled information may not be a notable piece of evidence on it’s own, what it reveals, and what it leads to, can absolutely be incriminating, meaning in both cases compelling the information should be barred by the fifth.
Re: Distinction without meaning
If the prosecution isn’t allowed to force someone to answer question like “Tell us where/what the murder weapon is” then they absolutely shouldn’t be able to force someone to provide a password.
I don’t think that’s the same question. Asking for a password would be more like demanding the key to a locked door or safe. You’d need a search warrant or court order to do it, but I don’t see the difference between compelling someone to turn over a key and compelling them to disclose a password.
Re: Re: Distinction without meaning
The catch on BOTH scenarios: you have the right to remain silent and not incriminate yourself after you have been arrested! Before arrest it’s anything goes. Yes, the authorities should make their case airtight by obtaining a warrant to compel the disclosure. It is no different than a court order to show cause or provide documents.
Re: Re: Distinction without meaning
Demanding someone turn over a key would be a better comparison, yes, but even then I’d still argue that the Fifth should apply.
The fact that you can produce the key/’key’ links you to the locked/encrypted container, which is a solid piece of potentially incriminating evidence. A safe or HD filled with incriminating evidence is useless if you can’t link it to someone after all.
If the safe/HD does indeed contain incriminating evidence, able to be used against the owner, then providing the ability to unlock it, and establishing a link of ownership/control should be considered no different than someone being forced to provide the incriminating evidence directly.
If you can’t be forced to directly provide self-incriminating evidence, it shouldn’t be allowed for someone to force you to do so indirectly.
Re: Re: Re: Distinction without meaning
I would agree with you, if the ownership of the safe/HD was unknown. In that case, a person being compelled to produce the key would be self-incriminating, as it would demonstrate access/ownership to the evidence locked inside.
However, if the ownership/control of the safe/HD is already known, then a person’s ability to open/decrypt it is not self-incriminating. The police already know it’s theirs, and the warrant/order is just allowing them to see what’s inside.
In this case, the SEC and Capital One know who used the phones, so it would seem to me that the second case applies.
Re: Re: Re: Distinction without meaning
Re: Re: Re:2 Distinction without meaning
I’m going to go with ‘working as intended’ for that. The government and/or police don’t get to bypass constitutional protections just because it’s ‘too hard’ to comply with them.
If they’re not allowed to force you to hand over self-incriminating evidence when they can bypass you entirely to get it, they shouldn’t be able to force you to do so simply because they have to go through you to get it.
Invoke Regan
I can’t remember.
I can’t remember.
I can’t remember.
…
Re: Invoke Reagan
That might not go over well with the Department of Justice.
Or maybe it would:
Wouldn't it be easier...
.. to just claim you forgot the passcode? I mean, we’ve had sitting presidents use that excuse before and it worked.
Re: Three words:
Contempt of court.
You can claim that you don’t remember, but if they don’t believe you they just toss you in a cell until you ‘remember’, and the real fun bit regarding contempt of court is that it has no maximum sentence, meaning they could conceivably keep you locked up until you either handed over the password or died of old age.
(And for added fun, if you do ‘remember’ at some point, and they really feel like twisting the knife, they can hit you with perjury charges or charges for lying during an investigation, in addition to any other charges you might face thanks to the decrypted info you handed them via the password.)
Re: Re: Three words:
Re: Re: Re: Three words:
Not true,
http://abcnews.go.com/2020/story?id=8101209
14 Years for Contempt, based on the Judge’s estimate that he had money and simply did not want to pay it. Despite a 2nd Judge looking into his transactions and not finding anything.
He was only let out because the Judge felt that putting him in jail would no longer get him to comply with the order.
http://www.nytimes.com/2007/02/16/business/16jail.html?pagewanted=all&_r=0
8 Years of contempt for a case that had a max stay of 8 years.
Contempt charges can and have been abused.
Re: Re: Re:2 Three words:
Re: Re: Re:2 Three words:
Besides, if you’re really paranoid about this sort of thing, just don’t memorize the key at all. Put it in a file on a different machine somewhere and set it to delete if a “reset button” isn’t clicked every 24 hours or something.
Then, if you’re ever arrested, by the time they get around to questioning you, charging you, arraigning you, serving you with a warrant, then scheduling a contempt hearing before the judge when you refuse to comply, the file will have auto-deleted and you can honestly say that not only don’t you know the password, but that you never di know it, and you have no way of ever knowing it.
Re: Re: Three words:
Re: Re: Three words:
You can claim that you don’t remember, but if they don’t believe you they just toss you in a cell until you ‘remember’
Don’t they need a better reason than “I don’t believe you”, like some actual evidence that you’re lying?
Re: Re: Re: Three words:
While I would like to think so, given the fact that several courts haven’t seen any problem compelling people to hand over passwords, asserting that the Fifth doesn’t apply, I don’t hold much hope that sanity would prevail if a judge got annoyed enough.
From another view
The phones were the property of Capital One.
When they were fired they returned the phones to Capital One.
If they did not delete the ‘personal’ information from the phone does that information now belong to Capital One?
Can the government compel them to turn over the passwords to inspect Capital Ones property. How would this be different that if they knew the only password to a data server?
How is this insider trading? It is outsider trading.
Re: Re:
because we said so and the only people allowed to use the system to cheat are the actual rich people behind it all.
Distinction without meaning
The government is not interested in the password for its own sake but wants it in order to authenticate potentially incriminating evidence on the phone.
Giving the government the password is testimonial because it authenticcates the person as the owner of the information.
And the court has long held that if you are compelled to offer testimony leading to physical or derivative evidence, both the testimonial act and the derived evidence must be excluded at trial.
Even Professor Kerr recognizes that the act of entering or disclosing the password might be testimonial and incriminating if it authenticates something.
Same huh?
“the court found that unlocking a device was no different than producing documents at the government’s request”
A judge that was able to critically think would have came up with a better analogy:
“Not unlocking a device is like producting documents locked in a safe. The government is free to hire an expert capable of unlocking the safe to obtain its contents”
I would think that all they would need to show is that the passcode could be inevitably obtained via brute force methods, and that would end the discussion. Now if the content of the phone was encoded with, say, aes256 or similar, the inevitability of the discovery would be much lower.
For just a passcode to access the phone, there isn’t much here.
Re: Re:
Given there’s no such thing as perfect encryption, every password could be eventually cracked, so it would come down to a matter of time. Can you force someone to hand over the password if it would theoretically take a week? A month? A year? 5 years?
If they can crack the code, they should be required to prove it by doing so, the other person shouldn’t be compelled to hand over the key to potentially incriminating evidence just to save time.
Re: Re: Re:
I think there are two different issues at hand. A lock code, which generally is of limited number of characters, gestures, or similar is pretty much a no-brainer. You can easily calculate how long it would take to inevitably unlock the phone, and work from there.
If that amount of time is less than the statute of limitations, it should be a slam dunk.
When it comes to deeper encryption, you not only hit the question of how long is “too long” but also the question of intent. A simple phone lock may exist only to stop your phone from butt dialing someone. Encryption, especially strong flavors, suggests more intention to make something private.
There is the other question, which is given unlimited computer resources, how long would it take to break even the most severe of encryption schemes by brute force. Think about the amount of computing power current chasing diminishing bitcoins. Can you imagine if they were put to work instead knocking down encryption with a $1000 bounty for each one done? Would that fall into a reasonable time frame or inevitable discovery by the courts?
One thing is for certain: If you have a cell phone in your possession or in your home when you are arrested or a warrant is executed, it’s reasonable to think that it may belong to you. No passcode is required to show that while not a given, it’s very likely. The 5th amendment issue seems very narrow in application here (ie, not sure that any further incrimination occurs…). With lock codes easy enough to brute force, there is little in the game here.
Re: Re: Re: Re:
Modern encryption, with long keys and correct usage, will survive attack using every computer on earth for longer any record of why the crack is being attempted are likely to survive.
Re: Re: Re:2 Re:
You just tossed in a whole lot of ifs and maybes, which don’t add up to much.
What percentage of people are going to use very long key encryption to start with? How many can do it without writing the key down somewhere because they will forget it?
let’s consider the math too on a 1024 bit:
The most efficient method known to factor large integers, and the method used in the factorization record listed above, is via the number field sieve (NFS) – which is much faster than a brute force attack (where every combination is tried), so a brute force attack would have taken much longer than even this. The Lenstra group estimated that factoring a 1024-bit RSA modulus would be about 1,000 times harder than their record effort with the 768-bit modulus, or in other words, on the same hardware, with the same conditions, it would take about 1,000 times as long. They also estimated that their record achievement would have taken 1,500 years if they normalized processing power to that of the standard desktop machine at the time – this assumption is based on a 2.2 Ghz AMD Opteron processor with 2GB RAM.
So 1500 years for a single computer, or put 1500 solder desktops on the job and get it in a year. Oh oops, it’s not that hard, is it?
2048? just up that by 1000 times the machines. Certainly not “all the computers in the world”, but perhaps a couple of Google Datacenters worth. Still in the range of the possible – and that is to do it in a year.
Now if you have a crime with 25 year statute of limitations, you can divide either of those down by a factor of 25. In the first case, 75 desktops would certainly get it within that time, and is certainly believable. In the second case, 75,000 desktops would be enough.
Now, the real question would be at what point would the courts accept a theoretical achievement instead of an actual one?
Re: Re: Re:3 Re:
I think you factor is out by several orders of magnitude, as there is a much larger increase in difficulty when going form 1024 to 2048 compared with 768 to 1024. Polynomial problems go up in difficulty by a power of the size, therefore the increase in difficulty between n^768 to n^1024 is very much smaller than that between n^1024 to n^2048. Modern key lengths are now often 4096, and some are 8192 bits long. These are way beyond what a single computer centre can reasonably deal with, where reasonably is within a human lifetime.
Which of the thousands of disk encryption keys that the authorities want cracked, do they tackle with any amount of computing power that they can assemble. It would not be worth attempting to decrypt messages encrypted with such weak keys, as the messages would be piling up faster than they can be decrypted,
The difference in my view
There is a point here that, in my opinion, makes all the difference in the world in this case:
These phones are the property of Capital One, not the people who set the passcodes. On this basis alone, it seems that it should be possible to compel the users to reveal the passcodes to Capital One.
Re: The difference in my view
To reference another topic we discuss here frequently; if you can’t open it, you don’t own it.
Re: The difference in my view
These phones are the property of Capital One, not the people who set the passcodes. On this basis alone, it seems that it should be possible to compel the users to reveal the passcodes to Capital One.
That would be contract issue, wouldn’t it?
Re: Re: The difference in my view
“That would be contract issue, wouldn’t it?”
I don’t think so. Cops go to Capital One and ask permission to unlock the phones. Capital One says “sure” and attempts to get the unlock codes from the employees.
The employees failing to turn over the codes isn’t a contract issue, it’s the property owners being denied the use of their own property. A bit like if you loaned your house key to someone, but they refused to turn the key over to someone else when you ask.
Re: Re: Re: The difference in my view
The property at issue would have to be the encrypted information, since Capital One has complete freedom to use the phones themselves. If they don’t need the information, they can factory reset them and use them as normal. So it seems to me they would need to demonstrate (I don’t know to what standard of proof) that the information belongs to Capital One in order to compel the ex-employees to reveal it. Something of a catch-22.
Re: Re: Re:2 The difference in my view
“The property at issue would have to be the encrypted information, since Capital One has complete freedom to use the phones themselves. If they don’t need the information,”
True enough. That changes nothing of substance, though. Capital One owns every byte on those phones.
BRILLIANT, make a distinction of what IS, covered by the 5th, so that everything else is NOT, covered by the 5th
Twisting the constitution for those that know no better
Nothing new here
“In the government’s creative interpretation of the doctrine”
is at the beginning to most criminal prosecutions and warrant-less spying and wiretapping.
What this is about
This is about proving ownership of the content of the phone.
If you give the password, you prove that you had access to the phone and anything on the phone. As long as you cant be compelled to prove ownership, they can’t draw as strong of a link between the contents and you as a person.
This is the same as claiming ownership of set of plans to burn down a building. If the government has the plans but no link, you can’t be forced to create the link via your own testimony.
Capital One had power over their employee up to the point he was fired. At that point they are in possession of the cell phone and can freely wipe it and return it to service. They even have it in the handbook to NEVER give your password to anyone for any reason and that IT will never ask for your password.
Re: What this is about
Two points:
1) Capital One should have had the serial number of the phone linked to the employee who had the phone, so the employee putting in the passcode to prove it was their phone doesn’t matter. If Capital One didn’t have that linked already, that’s not the fault of the employee.
2) If it was a locked door/safe, the authorities would be allowed to just crack open the item in question, so that means they should be allowed to crack whatever encryption there is protecting the data on the phone. It’s not like their friends at the NSA can’t already do it trivially.
Papers, please
I think we can come up with a reasonable analog to this problem in the physical world.
To me, it seems the answer is no, because revealing the location of the papers inevitably leads to the defendant’s incrimination. Therefore, to compel the defendant to reveal the location is to compel him to inevitably incriminate himself: a violation of Fifth Amendment Right.
Likewise, as mentioned in the article, the password seems to lead inevitably to incrimination and should be subject to Fifth Amendment protection.
Inherent Right?
Court Says Fifth Amendment Covers Smartphone Passcodes, But It’s Hardly A Victory For Constitutional Rights
A citizens rights only apply when the government, through it’s biased/byzantine judicial system, say they do.
Property
These phones are the property of Capital One, not the people who set the passcodes. On this basis alone, it seems that it should be possible to compel the
users to reveal the passcodes to Capital One.
No that would not work, the FIfth Amendment is applicable even in a civil proceeding between two private parties.
The government can’t bby proxy compel a render of property to produce a murder weapon or dead body, just because it is suspected it’s somewhere on property rented by a corporation.
One thing is for certain: If you have a cell phone in your possession or in your home when you are arrested or a warrant is executed, it’s reasonable to
think that it may belong to you. No passcode is required to show that while not a given, it’s very likely. The 5th amendment issue seems very narrow in
application here (ie, not sure that any further incrimination occurs…).
Yes, it’s possible, but under the foregone conclusion exception to the FIfth Amendment the government must actually have prior proof that the individual being compelled is also the actual owner.
So mere conjecture ore reasonable suspicion or even probable cause is not enough to overcome the Fifth Amendment.
Actual knowledge which must rise to reasonable particularity is required in order to satisfy the foregone conclusion test.
In the 11th circuit case, the government hasd probable cause that the suspect had en crypted something, but it lacked actual knowledge.
And the takeaway is that you can’t compensate for the lack of knowledhge by compelling the suspect to fill the evenditary gap.
Three words:
No, this case was different.
He did not plead the Fifth but simply refused to sign forms obligating the banks to disclose possible asetts belonging to him.
Forgetting the passcode is not enough
I think if you are in that situation you should reset the passcode to a random passcode in front of a witness. Your eyes should be closed/covered so that nobody knows the passcode. That way you can state before a judge that you don’t know the passcode. Why did you do it? To protect your 5th amendment rights.
The comments on those two WP posts explain it somewhat better.
The kicker is that the court drew an analogy to where an accused person has a locked safe or lockbox that may contain evidence. Existing precedents say that prosecutors may demand you turn over the key — but they may not demand you turn over the combination if it’s a combination lock.
And the password on your phone is more like that combination.
Re: Re:
I was actually wondering if the key vs. combination distinction was still recognized. I’m waiting for the government to go linguistically literal, and claim an ‘encryption key’ is equivalent to a physical key because people call it a key.
So the government cannot access all of our phones? The encryption is too tough, they lack the computing power? All the manufacturers aren’t working with the government to provide access? Smart phones are secure and private?
Great explanation, Tim! Can’t Judges jail a defendant indefinitely for failing to comply with a court order? Such as a order to produce a password that unlocks a device.
The logic behind this indefinite detention is that the defendant can end their indefinite detention at any time by complying with the court order to produce the password.
But what if the defendant claims to have forgotten the password? How can the defendant end their indefinite detention if it’s impossible for them to comply with the court’s orders?
Sorry, I forgot my password.