Advancing Knowledge

Improving Skills

 

Passcode Disclosure Redux - Foregone Conclusion

Computer locked

 

I heard from a number of readers about the last Factum Probans, many expressing frustration with password protected phones and encrypted digital data that may hold evidence in criminal cases. First of all, thanks to everyone who

wrote; keep those cards and letters (well, emails, really) coming. Second, there’s a widely-shared frustration about striking the appropriate balance between our right to privacy and the need to lawfully gather digital evidence. After reading the many emails I started questioning whether or not I was being overly pessimistic about law enforcement’s ability to reach that evidence.  So, I’ve taken another look, hopefully to give us an idea of how to strike that balance in a way to protect privacy while still lawfully gathering important evidence of wrong doing.

PASSCODES = TESTIMONY, EXCEPT WHEN THEY DON’T

It remains true that most courts considering the issue have found that compelling one to reveal a passcode to unlock a smartphone (an oxymoron if ever there was one) or open an encrypted hard drive implicates the 5th Amendment’s protection against self-incrimination. That is, it’s a testimonial act forcing one to reveal facts relating to an offense or “sharing his thoughts and beliefs with the government.” United States v. Kirschner, 823 F.Supp.2d 665 (E.D.Mich. 2010). But it’s also true that there are circumstances that may tip the scales in favor of disclosure, circumstances that essentially establish that the disclosure of the passcode amounts to “telling the government what it already knows.” Commonwealth v. Gelfgatt, 468 Mass. 512, 11 N.E.3d 605 (2104).

Passcode Disclosure Redux - Foregone Conclusion

Computer locked

I heard from a number of readers about the last Factum Probans, many expressing frustration with password protected phones and encrypted digital data that may hold evidence in criminal cases. First of all, thanks to everyone who

wrote; keep those cards and letters (well, emails, really) coming. Second, there’s a widely-shared frustration about striking the appropriate balance between our right to privacy and the need to lawfully gather digital evidence. After reading the many emails I started questioning whether or not I was being overly pessimistic about law enforcement’s ability to reach that evidence.  So, I’ve taken another look, hopefully to give us an idea of how to strike that balance in a way to protect privacy while still lawfully gathering important evidence of wrong doing.

PASSCODES = TESTIMONY, EXCEPT WHEN THEY DON’T

It remains true that most courts considering the issue have found that compelling one to reveal a passcode to unlock a smartphone (an oxymoron if ever there was one) or open an encrypted hard drive implicates the 5th Amendment’s protection against self-incrimination. That is, it’s a testimonial act forcing one to reveal facts relating to an offense or “sharing his thoughts and beliefs with the government.” United States v. Kirschner, 823 F.Supp.2d 665 (E.D.Mich. 2010). But it’s also true that there are circumstances that may tip the scales in favor of disclosure, circumstances that essentially establish that the disclosure of the passcode amounts to “telling the government what it already knows.” Commonwealthv.Gelfgatt, 468 Mass. 512, 11 N.E.3d 605 (2104).

The reasoning applied by courts to justify compelling disclosure of a passcode is not especially easy to follow. After all, how can an act be testimonial in one situation but not another. The reasoning focuses on what the government knows about what’s on the encrypted device, rather than what it suspects or hopes might be found on the device.

A FOREGONE CONCLUSION

What is communicated by the act of punching in the passcode to a phone? For one, simply knowing the password confirms that that the data exists, encrypted or protected from prying eyes. For another, knowing the password 

tells the world that one owns or, at a minimum, has some control over what’s on the device. Knowing the passcode means one can store data on the device, retrieve that data when wanted, and – importantly in some cases – can send that data on to others. Lastly, producing the passcode tacitly admits that the data on the phone is the data the government wants to get. In other words, providing the passcode concedes the existence, custody, and authenticity of the data requested; compelling production of the passcode, or unencrypted copies of encrypted hard drives, is compelling testimony.

GETTING TO THE FOREGONE CONCLUSION

Consider a case where investigators know there is evidence on the encrypted device, perhaps because the suspect showed investigators some of it before turning off the device. In that case, the government arguably already knows the incriminating facts communicated by the act of typing in the passcode; the government already knows the suspect has control over the device, has some knowledge about what’s on the device, knows the device is encrypted, and knows the password. The act is still incriminating, but what makes it incriminating is already known by the investigators. This is what happened in In re Grand Jury Subpoena to Boucher, 2009 WL 424718 at *2 (D.Vt. Feb. 19, 2009) (Boucher II), that I wrote about in my last post.

So, the key to compelling production of the password is already knowing the incriminating testimony compelled by the act of producing the password.

No fishing Expeditions

Problem: The defendant knows the files/evidence exists on the device. One of the primary facts communicated by the act of providing the password is that defendant acknowledges that the files actually exist. While it may take a few intermediate logical steps to reach that conclusion, the reality is that the act of producing the thing demanded can only be accomplished by one who has the thing demanded.

Solution: The government knows of the existence and location of the files. If the government already knows that the files exist on the device, producing the passcode adds nothing to the government’s knowledge. In this case, the incriminating fact is already known. It’s important to keep in mind that investigators do not have to know the exact contents of the files; rather, just that they exist on the password-protected device. Boucher II, 2009 WL 424718 at *3 (citing In re Grand Jury Subpoena Duces Tecum Dated Oct. 29, 1992) (United States v. Doe), 1 F.3d 87, 93 (2nd Cir.1993), cert. denied, 510 U.S. 1091, 114 S.Ct. 920, 127 L.Ed.2d 214 (1994). This makes perfect sense. It simply means that law enforcement will not be allowed a fishing expedition into a digital device.

How much investigators need to know about the contents of the device is an open question. At least one court has raised, without answering, the question whether the inquiry should be limited to whether the suspect knows the password or not. United States v. Apple Mac Pro Computer, 851 F.3d 238, note 7 (3rd Cir. 2017). The court seems to have answered its own question in the negative in the body of its decision by acknowledging that “the Government must be able to ‘describe with reasonable particularity’ the documents or evidence it seeks to compel” for the foregone conclusion to apply. 851 F.3d at 247.

Problem: Producing the password establishes that defendant owns, possesses, or controls the data. This is one aspect of authentication. It is, in fact, the most incriminating testimony inherent in the act of producing the password; by doing so one is admitting control over the device and, by extension, the files on it.

Solution: The government has evidence establishing possession and control. Establishing possession and control is something investigators do every day. Sometimes the suspect will admit to possession and control. Other evidence of possession and control could include witnesses who can testify to seeing the suspect unlock the device in question, as happened in U.S. v. Apple Mac Pro when the defendant’s sister testified that she saw the defendant type in the password to show her child pornography stored on it. Of course, at some point the suspect could raise the SODDI defense (some-other-dude-did-it); essentially admitting that he has access but raising the possibility that other people – family or household member – also had access. That certainly goes to the ultimate issue of possession, but by admitting access at this stage eliminates the 5th Amendment issue surrounding production of the passcode.

HOW COMMON IS THIS PROBLEM?

Since we lead digital lives, privacy issues like this are going to come up. We see it already in disputes between law enforcement and the makers of smartphones that automatically encrypt data stored on our phones, and in headlines like “Murdered woman’s Fitbit data inconsistent with husband’s story, police say.” The Supreme Court of the United States will hear argument in the coming term and decide whether the 4th Amendment protects cellphone location data held by the cellphone service providers because the data is not voluntarily stored with the provider in the same way that, say, banking records are turned over and held by your bank. (The case is Carpenter v. United States, and I’ll be keeping a close eye on it and the arguments and decision will be in future blog posts.) What to do about password protected data is only one issue in myriad to be sorted out by appellate courts.

Little is certain, but there are things that law enforcement and prosecutors can do to uphold the Constitutional rights of suspects while maximizing the results of thorough investigations. First, know the outer limits and steer well-clear of them. Digital devices are ponds we can’t fish in. That is, unless we have permission. Many of the foregone conclusion cases rely on the fact that the defendant told investigators the passcode, or admitted knowing it, or even entered it once for the investigators.

It is pretty well settled that investigators need a search warrant to seize digital devices and a warrant to search the contents of digital devices. Build the case for the search warrant with an eye toward the fact that the device to be search is encrypted and password protected. What facts can be developed to establish existence, custody, and authenticity? Those facts are often the same used to establish probable cause to issue a warrant to search the contents of digital devices. When it comes to device passwords, there are no shortcuts.

Now I have a question for you, dear readers: what if the defendant refuses to comply with the court’s order to provide the password? Several of the cases about compelling passwords arise from contempt proceedings. I am researching what happens in the face of continued refusal. If you have any examples, please email me. I wonder if a defendant can throw a wrench in the gears by taking the punishment for contempt. Thinking as former defense lawyer, that might be the best advice. Any thoughts?

Print Email

What People are Saying about Herb's Trainings 

"Again, thank you for your time, knowledge, and efforts to share your experiences.  It was a great 2-days and I wish to learn much more."
Program Specialist assisting in Title IX investigations

"I just wanted to say thank you for such an excellent lecture. It was extremely insightful and definitely had me thinking about how I would begin to form how I would conduct interviews on such a difficult topic. It was nice for me (someone who's never interviewed a victim like that) to go in with no knowledge or bias and be able to completely absorb what you were teaching."
Law enforcement intern and future Law Enforcement Office
 

"Thank you so much for the really excellent presentation on Tuesday! Our entire team thought it was spot-on content-wise, and you offered it to the participants in a way that was easy for them to understand."
Program director, national TA provider