Indiana Supreme Court Says Compelled Decryption Of Smartphones Violates The Fifth Amendment

from the maybe-some-federal-legislation-will-make-this-all-irrelevant dept

Two years ago, the Indiana state Appeals Court ruled residents could not be compelled to unlock devices by law enforcement -- not at the drop of a warrant. To compel the production of a password, law enforcement needs to have a certain amount of information in hand before it can ask courts to hit uncooperative criminal suspects with contempt charges.

The Appeals Court decision raised an interesting point about device encryption. Without decryption, the alleged criminal evidence is nothing more than a scramble of bits and bytes of no use to anyone. With the correct password in place, the data is reintegrated into something usable -- which turns the production of a password into a testimonial act.

In a very real sense, the files do not exist on the phone in any meaningful way until the passcode is entered and the files sought are decrypted. Thus, compelling Seo to unlock her phone goes far beyond the mere production of paper documents at issue in Fisher, Doe, or Hubbell. Because compelling Seo to unlock her phone compels her to literally recreate the information the State is seeking, we consider this recreation of digital information to be more testimonial in nature than the mere production of paper documents.

The state appealed the decision but there's nothing positive waiting for it at Indiana's top court. (via EPIC)

The state Supreme Court says compelling production of passwords violates the Fifth Amendment. The state wanted to rely on the "foregone conclusion" exception, but the court says [PDF] it doesn't have enough information on hand to start bypassing Constitutional protections.

[A] suspect surrendering an unlocked smartphone implicitly communicates, at a minimum, three things: (1) the suspect knows the password; (2) the files on the device exist; and (3) the suspect possessed those files. And, unless the State can show it already knows this information, the communicative aspects of the production fall within the Fifth Amendment’s protection. Otherwise, the suspect’s compelled act will communicate to the State information it did not previously know— precisely what the privilege against self-incrimination is designed to prevent.

The state doesn't have this information. In fact, an investigator admitted during testimony he was hoping to find evidence on the seized phone -- which definitely isn't the same thing as knowing what's contained in the device.

Even if we assume the State has shown that [Katelin] Seo knows the password to her smartphone, the State has failed to demonstrate that any particular files on the device exist or that she possessed those files. Detective Inglis simply confirmed that he would be fishing for “incriminating evidence” from the device. He believed Seo—to carry out the alleged crimes—was using an application or internet program to disguise her phone number. Yet, the detective’s own testimony confirms that he didn’t know which applications or files he was searching for:

"There are numerous, and there’s probably some that I’m not even aware of, numerous entities out there like Google Voice and Pinger and Text Now and Text Me, and I don’t know, I don’t have an all-encompassing list of them, however if I had the phone I could see which ones she had accessed through Google."

Compelling production of passwords without these conclusions in place is pretty much the equivalent of beating a confession out of a suspect. It forces someone to produce testimonial evidence to be used against them in court -- evidence still unknown to investigators.

In sum, law enforcement sought to compel Seo to unlock her iPhone so that it could then scour the device for incriminating information. And Seo’s act of producing her unlocked smartphone would provide the State with information that it does not already know.

The court goes on to explain why compelling phone passwords is not comparable to more analog versions of evidence gathering, much of which revolves around limited sets of paper documents targeted with subpoenas. The quantity of information the average smartphone contains makes these Constitutional protections even more crucial.

Smartphones are everywhere and contain everything. They have become such “a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” Riley v. California, 573 U.S. 373, 385 (2014)...

Citing a prior compelled production case, the state court says this about the increasing irrelevance of analog comparisons.

Hubbell further illustrates the considerable difference between complying with a court order to produce an unlocked smartphone and complying with a documentary summons. Recall that, in Hubbell, the Government had not shown that it had any prior knowledge of either the existence or location of 13,120 pages of documents. Though not an insignificant amount of information, it pales in comparison to what can be stored on today’s smartphones. Indeed, the cheapest model of last year’s top-selling smartphone, with a capacity of 64 gigabytes of data, can hold over 4,000,000 pages of documents—more than 300 times the number of pages produced in Hubbell. It is no exaggeration to describe a smartphone’s passcode as “the proverbial ‘key to a man’s kingdom.’”

The court then goes further, suggesting the "foregone conclusion" doctrine may be completely unworkable when applied to smartphones.

Such unbridled access to potential evidence on her iPhone—or any smartphone—raises several complex questions. For example, if officers searching a suspect’s smartphone encounter an application or website protected by another password, will they need a separate motion to compel the suspect to unlock that application or website? And would the foregone conclusion exception apply to that act of production as well? Suppose law enforcement opens an application or website and the password populates automatically. Can officers legally access that information? Or what if a suspect has a cloud-storage service—like iCloud or Dropbox—installed on the device, which could contain hundreds of thousands of files. Can law enforcement look at those documents, even though this windfall would be equivalent to identifying the location of a locked storage facility that officers did not already know existed? Such complexity is neither necessary nor surprising: the foregone conclusion exception is, in this context, a low-tech peg in a cutting-edge hole.

The court says cops have other options -- options that don't bypass Constitutional protections.

At the same time, we emphasize that there are several ways law enforcement can procure evidence from smartphones without infringing on an individual’s Fifth Amendment rights. For example, officers could try to obtain information from third parties under the Stored Communications Act. Alternatively, two companies—Cellebrite and Grayshift—offer law enforcement agencies affordable products that provide access to a locked smartphone. Or officers could seek an order compelling the smartphone’s manufacturer to help bypass the lock screen. And if law enforcement wants to get into a smartphone for reasons other than prosecution, they can offer immunity to the device’s owner. But the State cannot fish for incriminating evidence by forcing Seo to give unfettered access to her iPhone when it has failed to show that any files on Seo’s smartphone exist or that she possessed those files.

This pretty much ends compelled encryption of smartphones in this state. The reasoning delivered here by the state's top court makes it almost impossible to satisfy the "foregone conclusion" standard needed to avoid violating the Fifth Amendment. Law enforcement agencies will have to seek other routes into locked devices. They'll no longer have the threat of indefinite jailing for contempt charges to hold over uncooperative suspects.

Filed Under: 5th amendment, compelled decryption, indiana, smartphones

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    mcinsand, 30 Jun 2020 @ 7:25am

    compelled encryption: a responsible government would require it

    Encryption is not just a luxury that only criminals can afford. We now have enough computing power to safely bank, order things, and pay bills online. Doing so without encryption is irresponsible, and an NSA that actually cared about national security, an FBI that actually cared about reducing crime, would push for the strongest possible backdoor-free encryption to protect the country's citizens.

    Vault 7 was a good demonstration of the stupidity required to believe that keeping vulnerabilities unpatched and 'secret' helps our national security. Vulnerabilities and backdoors make everyone less secure, and there are thousands more law-abiding citizens than there are criminals where the only evidence they leave is on their smartphones.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.