In July 2017, Katelin Eunjoo Seo called police in Hamilton County, Indiana, claiming that she’d been raped.
As part of the investigation, she allowed Detective Bill Inglis to view her Apple iPhone 7 Plus. With Seo’s consent, Inglis also did a forensic download of its contents, after which he handed it back to her.
After investigating the phone, the tables turned. Inglis decided not to pursue charges against the alleged rapist. Rather, he began to investigate Seo herself for what looked like stalking and harassing of the alleged rapist – identified as “D.S.” in court documents.
When Inglis questioned D.S., he explained that he was getting up to 30 phone calls and text messages from Seo’s phone, and that at some point, whoever was sending the messages switched their phone number on a daily basis – likely by using a third-party app, Inglis suspected.
On 19 Jul, 2017, Seo was charged with felony stalking, intimidation, theft, and harassment for allegedly trying to harass D.S. into either marrying or impregnating her. When police arrested her at her workplace that day, they seized what looked like the same iPhone they’d seen in her possession before.
The state got a warrant to search that phone on 8 August, 2017. This time, however, Seo didn’t willingly unlock it for them. This time, she refused to unlock the phone, citing her right against self-incrimination under the Fifth Amendment to the Constitution of the United States.
Initially, a trial court agreed with the state, holding Seo in contempt. But last week, in a split decision, the Indiana Court of Appeals overturned the contempt charge, saying that it agrees with Seo.
From the majority opinion of the lengthy decision in Katelin Eunjoo Seo v. State of Indiana, written by Judge Paul Mathias:
A modern smartphone, with its central purpose of connecting its owner to the Internet and its ability to store and share incredible amounts of information in ‘the Cloud’ of online storage, is truly as close as modern technology allows us to come to a device that contains all of its owner’s conscious thoughts, and many of his or her unconscious thoughts, as well. So, when the State seeks to compel a person to unlock a smartphone so that it may search the phone without limitations, the privacy implications are enormous and, arguably, unique.
During oral arguments on 1 May, Seo’s counsel argued that requiring her to disclose her password was the same as requiring her to disclose the “contents of her mind,” a violation of her Fifth Amendment rights against self-incrimination.
That, in fact, has been a refrain heard in other court cases that have distinguished between compelled fingerprint unlocking of phones v. production of passcodes: a fingerprint is something that we “are” (and which is captured when police book a suspect), whereas a password is something that we “know,” and hence can be considered testimony that can self-incriminate.
The state pushed back, maintaining that it was a “foregone conclusion” that Seo knew her passcode and that there were text messages to D.S. on the device, making the Fifth Amendment argument inapplicable. She had, after all, already given them her passcode once before.
The Court of Appeals – which included judges Mathias, Melissa May and Patricia Riley – grappled with the fact that existing Fifth Amendment caselaw focuses on self-incrimination in the context of physical documents, not electronic data. Mathias, for one, noted that data stored on iPhone 7 models is encrypted, meaning that it’s unintelligible to outsiders – a far cry from paper documents that previous caselaw pertained to.
That difference played an important role in reversing the trial court’s decision to compel a passcode from the unwilling Seo. From Mathias’s decision:
We consider Seo’s act of unlocking, and therefore decrypting the contents of her phone, to be testimonial not simply because the passcode is akin to the combination to a wall safe as discussed in Doe [a reference to Doe v. United States, 487 U.S. 201 (1988)]. We also consider it testimonial because her act of unlocking, and thereby decrypting, her phone effectively recreates the files sought by the State.
Besides which, the state doesn’t just want Seo’s passcode: it wants to use the passcode to get into her iPhone for its entire contents:
Thus, for the foregone conclusion doctrine to apply, the State must be able to describe with reasonable particularity the discrete contents on Seo’s phone – e.g., all texts to D.S. created on Seo’s iPhone – that it is compelling her to not only produce, but to re-create by entering her passcode and decrypting the contents of the phone. This is a burden the State has not met.
The majority also held that the search warrant failed to describe with reasonable particularity the digital information it covered.
There are considerable differences between paper and electronic records, and those differences make it tough to apply existing Fifth Amendment caselaw to Seo’s and similar cases, Mathias concluded. To that end, he created a structure “for resolving decryption requests from law enforcement authorities” and asked reviewing courts of last resort to consider following it.
The Indiana Lawyer summed up the structure’s tenets:
- Requiring the decryption of data should be recognized as data recreation and, thus, strictly limited.
- Law enforcement will have legitimate need of encrypted data in some instances.
- Law enforcement requests that are identified as bona fide emergencies should be supported by “a warrant that describes the other imminent crime(s) suspected and the relevant information sought through a warrant.”
- Law enforcement should be required to seek digital data through third parties in non-emergency situations.
- Fourth Amendment exceptions and state analogues should be inapplicable or strictly limited in “the search and seizure of digital data stored on devices owned or controlled by that defendant, or from ‘Cloud’ subscriptions that defendant owns or uses.”
Despite last Tuesday’s decision, the case against Seo can continue, the majority wrote in a footnote.
Source : Naked Security