Court Says Fifth Amendment Covers Smartphone Passcodes, But It's Hardly A Victory For Constitutional Rights
from the blueprint-for-fifth-amendment-evasion-currently-in-progress dept
A recent opinion issued in a prosecution by the Securities and Exchange Commission seems to indicate the government can't force members of the public to hand over passwords without violating the Fifth Amendment. But the details suggest something else: that this is limited to a very specific set of circumstances and is not in any way precedential, at least not at this point.
The courts have previously weighed in on the legality of forcing people to basically provide incriminating evidence against themselves through the compelled relinquishment of passwords. Back in 2013, a magistrate judge rejected an order compelling a defendant to decrypt a seized hard drive by providing the government with his password. A year later, the Massachusetts Supreme Court came to the opposite conclusion: that the compelled production of passwords did not have Fifth Amendment implications.
The DOJ has argued that it does have the right to demand passwords to unlock seized items and actually found a judge that agreed with it. In that case, the court found that unlocking a device was no different than producing documents at the government's request -- distancing it from the "compelled speech" against a person's own interests that the Fifth Amendment is supposed to guard against.
This case falls along those same lines, but the legal conclusions are a bit different.
The Securities and Exchange Commission (SEC) is investigating Bonan and Nan Huang for insider trading. The two worked at the credit card company Capital One as data analysts. According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.But here’s the problem: The SEC can’t get in. Neither can Capital One. Only the defendants know the passcodes. And the defendants have refused to disclose them. As much as Capital One may want to aid the SEC in prosecuting its former employees, it can't.
Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.
The SEC sought an order to compel the production of the passcodes. The suspects refused on Fifth Amendment grounds. This brings us to the tricky details of this case, which suggest it won't become an across-the-board Fifth Amendment-protected "right" to deny the government access to password-protected devices and storage.
The government argued for the compelled production of passwords using the "foregone conclusion" doctrine.
The doctrine, introduced in Fisher v. United States, says that the Fifth Amendment doesn’t block complying with a court order when the testimonial part of complying with a court order is a foregone conclusion. In other words, if the government already knows the testimonial part of complying with the order, and they’re not seeking to prove it from the order, then you can’t use the Fifth Amendment to avoid compliance with the order.In the government's creative interpretation of the doctrine, the production of passcodes would be no more than the defendants acknowledging they used the phones Capital One supplied them with -- something the government already knows and which has been confirmed by Capital One. Therefore, there are no Fifth Amendment implications. The judge disagreed, correctly pointing out that the government was seeking access to documents possibly contained on the phones, rather than simply seeking to confirm what it already suspected: that the phones were used by the defendants.
By using one thing to achieve another, the government was stretching its "foregone conclusion" to cover any evidence discovered on the unlocked phones. If the defendants have reason to believe incriminating documents resided on those phones, they are well within their Fifth Amendment rights to refuse the government's request. Or so you would think.
Should the SEC ultimately succeed with this interpretation of the "foregone conclusion" doctrine, it will have compelled incriminating testimony. It claims that it's merely seeking to confirm ownership by seeing if the passcodes unlock the phones. But once they're unlocked, it can compel the production of documents. Should these prove to be incriminating, it already has the defendants' admissions that these are their cell phones.
So, this case is less about securing Fifth Amendment rights than the government exploring options on how to obtain permission to compel defendants to hand over access to possibly incriminating information. If the court holds firm in its view of the government's true aims, it will be a small win for constitutional rights but one unlikely to be applied broadly.
As Orin Kerr points out in a second post on the case, some unanswered questions point towards the government being able to successfully argue that simply providing a password to a locked device isn't self-incriminating testimony.
If this analysis is right, then the password is incriminating because it provides a link to the evidence. The government could grant the defendants immunity, but it would need to be use and derivative use immunity — that is, immunity not just from the actual testimony but from what the testimony would reveal.See Counselman v. Hitchcock, 142 U.S. 547, 585 (1892). The defendants should win. That’s where Jonathan comes out, and it might be correct.If the government can argue that compelled production of passwords that leads to the discovery of incriminating material is merely causal (rather than the password itself being evidence of guilt), it may be able to skirt the Fifth Amendment entirely. This has obvious implications in the ongoing law enforcement war on encryption. With no firmly established legal footing for the argument that demanding passwords violates the Fifth Amendment, password-protected encryption will be ultimately no more safe than leaving everything unlocked and in plaintext.
But I’m not sure. Here’s my question: Does the “link in the chain” test include a merely causal link — that is, a link in the chain to the evidence? Or does “link in the chain” mean that the testimony was part of the evidence of guilt but not enough to prove the entire offense — that is, a link within the body of evidence? If testimony is solely of value for its causal connection to evidence, and it has no evidentiary value itself, is the testimony incriminating?
So, while the court has -- for the moment -- denied the government's request to compel the production of passwords, the underlying legal entanglements don't exactly bode well for the future of the Fifth Amendment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: fifth amendment, passcodes, phone, self-incrimination
Reader Comments
Subscribe: RSS
View by: Time | Thread
Distinction without meaning
In both cases the fact that the one forced to talk was able to provide the answer creates a solid and damning link between the suspect and the evidence. If they knew were the weapon was, then it's very easy to argue that that's because they were the ones who placed it there. Likewise if someone is able to provide a password to an encrypted device/drive, it proves that they have access to it.
In both cases while the compelled information may not be a notable piece of evidence on it's own, what it reveals, and what it leads to, can absolutely be incriminating, meaning in both cases compelling the information should be barred by the fifth.
[ link to this | view in chronology ]
Re: Distinction without meaning
I don't think that's the same question. Asking for a password would be more like demanding the key to a locked door or safe. You'd need a search warrant or court order to do it, but I don't see the difference between compelling someone to turn over a key and compelling them to disclose a password.
[ link to this | view in chronology ]
Re: Re: Distinction without meaning
[ link to this | view in chronology ]
Re: Re: Distinction without meaning
The fact that you can produce the key/'key' links you to the locked/encrypted container, which is a solid piece of potentially incriminating evidence. A safe or HD filled with incriminating evidence is useless if you can't link it to someone after all.
If the safe/HD does indeed contain incriminating evidence, able to be used against the owner, then providing the ability to unlock it, and establishing a link of ownership/control should be considered no different than someone being forced to provide the incriminating evidence directly.
If you can't be forced to directly provide self-incriminating evidence, it shouldn't be allowed for someone to force you to do so indirectly.
[ link to this | view in chronology ]
Re: Re: Re: Distinction without meaning
However, if the ownership/control of the safe/HD is already known, then a person's ability to open/decrypt it is not self-incriminating. The police already know it's theirs, and the warrant/order is just allowing them to see what's inside.
In this case, the SEC and Capital One know who used the phones, so it would seem to me that the second case applies.
[ link to this | view in chronology ]
Re: Re: Re: Distinction without meaning
> links you to the locked/encrypted container,
> which is a solid piece of potentially incriminating
> evidence.
The difference is they wouldn't need you to produce the key to a safe, because if you refuse, they could just do it the hard way and drill it open.
With encryption, that option isn't available to the government. There is no "doing it the hard way" that doesn't involve tying up very expensive processing power for centuries.
Encryption really has opened up a whole set of legal issues that never needed to be addressed before, because in the past, the government could almost always work around a recalcitrant defendant. For the first time the government is faced with a tool that the ordinary citizen can use to completely thwart it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Distinction without meaning
If they're not allowed to force you to hand over self-incriminating evidence when they can bypass you entirely to get it, they shouldn't be able to force you to do so simply because they have to go through you to get it.
[ link to this | view in chronology ]
Invoke Regan
I can't remember.
I can't remember.
...
[ link to this | view in chronology ]
Re: Invoke Reagan
Or maybe it would:
[ link to this | view in chronology ]
Wouldn't it be easier...
[ link to this | view in chronology ]
Three words:
You can claim that you don't remember, but if they don't believe you they just toss you in a cell until you 'remember', and the real fun bit regarding contempt of court is that it has no maximum sentence, meaning they could conceivably keep you locked up until you either handed over the password or died of old age.
(And for added fun, if you do 'remember' at some point, and they really feel like twisting the knife, they can hit you with perjury charges or charges for lying during an investigation, in addition to any other charges you might face thanks to the decrypted info you handed them via the password.)
[ link to this | view in chronology ]
Re: Three words:
> they don't believe you they just toss you in a
> cell until you 'remember'
Well, if you know that by remembering, you're going to give them evidence of something serious, like a murder, then you have to weigh which is the lesser evil of your two options:
Sit in the county jail for a few months, or maybe a couple years on the outside, until the judge gets tired of it and vacates the contempt, or give them the code and send yourself to the state penitentiary for the rest of your life.
Me? I'd choose the former.
> and the real fun bit regarding contempt of court
> is that it has no maximum sentence, meaning they
> could conceivably keep you locked up until you either
> handed over the password or died of old age.
There's a big difference between theory and practice. In reality, no one has ever, nor would likely ever, be held in contempt for more than a few years, certainly not for multiple decades. Due process would prohibit it. And the longer they hold you, away from your belongings and files, the more realistic your claim that you can't remember the code, as memories fade over time, (especially for things like strings of random characters and numbers) and so their justification for the continuation of the contempt charge will in turn start to suffer.
There are solid judicial precedents which hold that contempt cannot be punitive, only coercive, and if the government cannot maintain reasonable proof that continued incarceration for contempt is likely to coerce cooperation, then the contempt charge must be vacated.
[ link to this | view in chronology ]
Re: Re: Three words:
http://abcnews.go.com/2020/story?id=8101209
14 Years for Contempt, based on the Judge's estimate that he had money and simply did not want to pay it. Despite a 2nd Judge looking into his transactions and not finding anything.
He was only let out because the Judge felt that putting him in jail would no longer get him to comply with the order.
http://www.nytimes.com/2007/02/16/business/16jail.html?pagewanted=all&_r=0
8 Years of contempt for a case that had a max stay of 8 years.
Contempt charges can and have been abused.
[ link to this | view in chronology ]
Re: Re: Re: Three words:
> that putting him in jail would no longer get
> him to comply with the order.
What do you mean, "not true"? Your story supports what I said. He was released after the judge determined there was no coercive effect of the contempt charge left.
[ link to this | view in chronology ]
Re: Re: Re: Three words:
Then, if you're ever arrested, by the time they get around to questioning you, charging you, arraigning you, serving you with a warrant, then scheduling a contempt hearing before the judge when you refuse to comply, the file will have auto-deleted and you can honestly say that not only don't you know the password, but that you never di know it, and you have no way of ever knowing it.
[ link to this | view in chronology ]
Re: Three words:
> some point, and they really feel like twisting the
> knife, they can hit you with perjury charges or
> charges for lying during an investigation
Ummm... no. Perjury, by definition, is lying under oath. People are rarely, if ever, under oath when talking with the cops during their investigation. Oaths don't come into play until the court proceedings.
Some states (and the feds) have separate offenses for lying to investigators about facts material to the investigation, but that's an entirely different offense from perjury, and even so, the government would have a hell of a time proving beyond a reasonable doubt that someone lied rather than just was able to recover a memory, as he claimed.
[ link to this | view in chronology ]
Re: Three words:
Don't they need a better reason than "I don't believe you", like some actual evidence that you're lying?
[ link to this | view in chronology ]
Re: Re: Three words:
[ link to this | view in chronology ]
From another view
When they were fired they returned the phones to Capital One.
If they did not delete the 'personal' information from the phone does that information now belong to Capital One?
Can the government compel them to turn over the passwords to inspect Capital Ones property. How would this be different that if they knew the only password to a data server?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Distinction without meaning
Giving the government the password is testimonial because it authenticcates the person as the owner of the information.
And the court has long held that if you are compelled to offer testimony leading to physical or derivative evidence, both the testimonial act and the derived evidence must be excluded at trial.
Even Professor Kerr recognizes that the act of entering or disclosing the password might be testimonial and incriminating if it authenticates something.
[ link to this | view in chronology ]
Same huh?
A judge that was able to critically think would have came up with a better analogy:
"Not unlocking a device is like producting documents locked in a safe. The government is free to hire an expert capable of unlocking the safe to obtain its contents"
[ link to this | view in chronology ]
For just a passcode to access the phone, there isn't much here.
[ link to this | view in chronology ]
Re:
If they can crack the code, they should be required to prove it by doing so, the other person shouldn't be compelled to hand over the key to potentially incriminating evidence just to save time.
[ link to this | view in chronology ]
Re: Re:
If that amount of time is less than the statute of limitations, it should be a slam dunk.
When it comes to deeper encryption, you not only hit the question of how long is "too long" but also the question of intent. A simple phone lock may exist only to stop your phone from butt dialing someone. Encryption, especially strong flavors, suggests more intention to make something private.
There is the other question, which is given unlimited computer resources, how long would it take to break even the most severe of encryption schemes by brute force. Think about the amount of computing power current chasing diminishing bitcoins. Can you imagine if they were put to work instead knocking down encryption with a $1000 bounty for each one done? Would that fall into a reasonable time frame or inevitable discovery by the courts?
One thing is for certain: If you have a cell phone in your possession or in your home when you are arrested or a warrant is executed, it's reasonable to think that it may belong to you. No passcode is required to show that while not a given, it's very likely. The 5th amendment issue seems very narrow in application here (ie, not sure that any further incrimination occurs...). With lock codes easy enough to brute force, there is little in the game here.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
What percentage of people are going to use very long key encryption to start with? How many can do it without writing the key down somewhere because they will forget it?
let's consider the math too on a 1024 bit:
The most efficient method known to factor large integers, and the method used in the factorization record listed above, is via the number field sieve (NFS) - which is much faster than a brute force attack (where every combination is tried), so a brute force attack would have taken much longer than even this. The Lenstra group estimated that factoring a 1024-bit RSA modulus would be about 1,000 times harder than their record effort with the 768-bit modulus, or in other words, on the same hardware, with the same conditions, it would take about 1,000 times as long. They also estimated that their record achievement would have taken 1,500 years if they normalized processing power to that of the standard desktop machine at the time - this assumption is based on a 2.2 Ghz AMD Opteron processor with 2GB RAM.
So 1500 years for a single computer, or put 1500 solder desktops on the job and get it in a year. Oh oops, it's not that hard, is it?
2048? just up that by 1000 times the machines. Certainly not "all the computers in the world", but perhaps a couple of Google Datacenters worth. Still in the range of the possible - and that is to do it in a year.
Now if you have a crime with 25 year statute of limitations, you can divide either of those down by a factor of 25. In the first case, 75 desktops would certainly get it within that time, and is certainly believable. In the second case, 75,000 desktops would be enough.
Now, the real question would be at what point would the courts accept a theoretical achievement instead of an actual one?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I think you factor is out by several orders of magnitude, as there is a much larger increase in difficulty when going form 1024 to 2048 compared with 768 to 1024. Polynomial problems go up in difficulty by a power of the size, therefore the increase in difficulty between n^768 to n^1024 is very much smaller than that between n^1024 to n^2048. Modern key lengths are now often 4096, and some are 8192 bits long. These are way beyond what a single computer centre can reasonably deal with, where reasonably is within a human lifetime.
Which of the thousands of disk encryption keys that the authorities want cracked, do they tackle with any amount of computing power that they can assemble. It would not be worth attempting to decrypt messages encrypted with such weak keys, as the messages would be piling up faster than they can be decrypted,
[ link to this | view in chronology ]
The difference in my view
These phones are the property of Capital One, not the people who set the passcodes. On this basis alone, it seems that it should be possible to compel the users to reveal the passcodes to Capital One.
[ link to this | view in chronology ]
Re: The difference in my view
[ link to this | view in chronology ]
Re: The difference in my view
That would be contract issue, wouldn't it?
[ link to this | view in chronology ]
Re: Re: The difference in my view
I don't think so. Cops go to Capital One and ask permission to unlock the phones. Capital One says "sure" and attempts to get the unlock codes from the employees.
The employees failing to turn over the codes isn't a contract issue, it's the property owners being denied the use of their own property. A bit like if you loaned your house key to someone, but they refused to turn the key over to someone else when you ask.
[ link to this | view in chronology ]
Re: Re: Re: The difference in my view
[ link to this | view in chronology ]
Re: Re: Re: Re: The difference in my view
True enough. That changes nothing of substance, though. Capital One owns every byte on those phones.
[ link to this | view in chronology ]
Twisting the constitution for those that know no better
[ link to this | view in chronology ]
Nothing new here
is at the beginning to most criminal prosecutions and warrant-less spying and wiretapping.
[ link to this | view in chronology ]
What this is about
If you give the password, you prove that you had access to the phone and anything on the phone. As long as you cant be compelled to prove ownership, they can't draw as strong of a link between the contents and you as a person.
This is the same as claiming ownership of set of plans to burn down a building. If the government has the plans but no link, you can't be forced to create the link via your own testimony.
Capital One had power over their employee up to the point he was fired. At that point they are in possession of the cell phone and can freely wipe it and return it to service. They even have it in the handbook to NEVER give your password to anyone for any reason and that IT will never ask for your password.
[ link to this | view in chronology ]
Re: What this is about
1) Capital One should have had the serial number of the phone linked to the employee who had the phone, so the employee putting in the passcode to prove it was their phone doesn't matter. If Capital One didn't have that linked already, that's not the fault of the employee.
2) If it was a locked door/safe, the authorities would be allowed to just crack open the item in question, so that means they should be allowed to crack whatever encryption there is protecting the data on the phone. It's not like their friends at the NSA can't already do it trivially.
[ link to this | view in chronology ]
Papers, please
To me, it seems the answer is no, because revealing the location of the papers inevitably leads to the defendant's incrimination. Therefore, to compel the defendant to reveal the location is to compel him to inevitably incriminate himself: a violation of Fifth Amendment Right.
Likewise, as mentioned in the article, the password seems to lead inevitably to incrimination and should be subject to Fifth Amendment protection.
[ link to this | view in chronology ]
Inherent Right?
A citizens rights only apply when the government, through it's biased/byzantine judicial system, say they do.
[ link to this | view in chronology ]
Property
users to reveal the passcodes to Capital One.
No that would not work, the FIfth Amendment is applicable even in a civil proceeding between two private parties.
The government can't bby proxy compel a render of property to produce a murder weapon or dead body, just because it is suspected it's somewhere on property rented by a corporation.
One thing is for certain: If you have a cell phone in your possession or in your home when you are arrested or a warrant is executed, it's reasonable to
think that it may belong to you. No passcode is required to show that while not a given, it's very likely. The 5th amendment issue seems very narrow in
application here (ie, not sure that any further incrimination occurs...).
Yes, it's possible, but under the foregone conclusion exception to the FIfth Amendment the government must actually have prior proof that the individual being compelled is also the actual owner.
So mere conjecture ore reasonable suspicion or even probable cause is not enough to overcome the Fifth Amendment.
Actual knowledge which must rise to reasonable particularity is required in order to satisfy the foregone conclusion test.
In the 11th circuit case, the government hasd probable cause that the suspect had en crypted something, but it lacked actual knowledge.
And the takeaway is that you can't compensate for the lack of knowledhge by compelling the suspect to fill the evenditary gap.
[ link to this | view in chronology ]
Re: Re: Three words:
He did not plead the Fifth but simply refused to sign forms obligating the banks to disclose possible asetts belonging to him.
[ link to this | view in chronology ]
Forgetting the passcode is not enough
[ link to this | view in chronology ]
The kicker is that the court drew an analogy to where an accused person has a locked safe or lockbox that may contain evidence. Existing precedents say that prosecutors may demand you turn over the key -- but they may not demand you turn over the combination if it's a combination lock.
And the password on your phone is more like that combination.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The logic behind this indefinite detention is that the defendant can end their indefinite detention at any time by complying with the court order to produce the password.
But what if the defendant claims to have forgotten the password? How can the defendant end their indefinite detention if it's impossible for them to comply with the court's orders?
Sorry, I forgot my password.
[ link to this | view in chronology ]