
Passcodes are protected by Fifth Amendment, says court

There was an underage driver at the wheel, driving on a Florida highway. Police say he was speeding.

When he crashed, one of the passengers in his car died. At the hospital, a blood test showed that the minor had a .086 blood-alcohol content: slightly over the legal limit of .08% for non-commercial drivers.

According to court documents, police found two iPhones in the car: one that belonged to a surviving passenger and one that allegedly belonged to the driver. The passenger told police that the friends had been drinking vodka earlier in the day and that she’d been talking with the driver on her iPhone.

The police wanted the driver’s phone, so they got a warrant to search it for data, photos, text messages, and more. They also sought an order compelling the minor to hand over the passcode for the iPhone and for an iTunes account associated with it.

And this is where we get into the evolving world of the Fifth Amendment and compelled passcode disclosure. Last Wednesday, 24 October, the Florida Court of Appeal quashed a juvenile court’s order for the defendant – identified only by his initials, G.A.Q.L., since he’s a minor – to disclose his passcodes.

A trial court had agreed to compel the disclosure, given that “the act of producing the passcodes is not testimonial because the existence, custody, and authenticity of the passcodes are a foregone conclusion.”

No, the Appeal Court said last week, we disagree. As other, but certainly not all, courts have decided, compelled password disclosure amounts to forcing the defendant to disclose the contents of his own mind – a violation of Fifth Amendment rights against self-incrimination.

The “foregone conclusion” standard keeps cropping up in these cases. It allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.

The latest decision from the Florida Court of Appeals puts a twist on that. In the past, the government has only had to show that the defendant knows their password. In this case, the court says that the government needs to show that it knows that specific evidence needed to prosecute the case is on the device, not just that there’s a reasonable certainty the device can be unlocked by the person targeted by the order.

If prosecutors already knew what was on the phone, and that it was the evidence needed to prosecute the case, they didn’t prove it, the court said last week. From the order to quash the password:

Because the state did not show, with any particularity, knowledge of the evidence within the phone, the trial court could not find that the contents of the phone were already known to the state and thus within the “foregone conclusion” exception.

Regardless of the “foregone conclusion” standard, producing a passcode is testimonial and has the potential to harm the defendant, just like any other Fifth Amendment violation would, the Florida court said. It’s not as if the passcode itself does anything for the government. What it’s really after is what lies beyond that passcode: information it can use as evidence against the defendant who’s being compelled to produce it:

Here, the state seeks the phone passcode not because it wants the passcode itself, but because it wants to know what communications lie beyond the passcode wall. If the minor were to reveal this passcode, he would be engaging in a testimonial act utilizing the “contents of his mind” and demonstrating as a factual matter that he knows how to access the phone. As such, the compelled production of the phone passcode or the iTunes password here would be testimonial and covered by the Fifth Amendment.

We know that a phone owner very likely knows their passcode. Focusing on the passcode misses the mark, the court said.

Below and on appeal, the state’s argument has incorrectly focused on the passcode as the target of the foregone conclusion exception rather than the data shielded by the passcode, arguing that “because the State has established the existence of the passcode and iTunes password, evidence on the Petitioner’s cell phone, and that he can access the content of his phone,” the compelled search was acceptable. Similarly, the trial court specifically held that the “existence, custody, and authenticity of the passcodes are a foregone conclusion” in the order appealed. This holding, which focuses on the passcodes rather than the data behind the wall, misses the mark.

The government is really after any and all documents it can get at once it knows the passcode. In other words, these grabs for passcodes amount to fishing expeditions:

It is not enough to know that a passcode wall exists, but rather, the state must demonstrate with reasonable particularity that what it is looking for is in fact located behind that wall. Contrary to the Stahl court’s conclusion, which the trial court adopted, the “evidence sought” in a password production case such as this is not the password itself; rather, it is the actual files or evidence on the locked phone. Without reasonable particularity as to the documents sought behind the passcode wall, the facts of this case “plainly fall outside” of the foregone conclusion exception and amount to a mere fishing expedition.

It’s not enough for the government to infer that there’s evidence on the phone, the court said. Just because it belonged to the driver doesn’t mean anything – after all, pretty much everybody owns a phone, and that doesn’t necessarily point to those devices holding evidence of crimes.

Here, the state’s subpoena fails to identify any specific file locations or even name particular files that it seeks from the encrypted, passcode-protected phone. Instead, it generally seeks essentially all communications, data, and images on the locked iPhone. The only possible indication that the state might be seeking anything more specific was the prosecutor’s statement at the hearing that the surviving passenger had been communicating with the minor via Snapchat and text message on the day of the accident and after the accident, a fact that the trial court briefly mentioned in its order but did not appear to rely on in reaching its conclusion.

Of course, there are always the tactics of having defendants write down their passcodes or having them unlock their own phones. But those are basically just a way to get around the Fifth Amendment, this case suggests.

State court decisions don’t have the power to change the way passcode-disclosure/Fifth Amendment cases are decided throughout the country. But it is one more decision that defendants will be able to refer to when fighting forced disclosure.

That won’t necessarily keep defendants from being left to rot in jail indefinitely until they produce passcodes, but, well, it’s not nothing, either.

Source: Naked Security
