Florida Appeals Court Says Producing Passwords Is Testimonial And Protected By The Fifth Amendment

from the A-CHALLENGER-APPEARS dept

The Florida State Appeals Court is bucking the trend on compelled decryption. While most courts have held forcing someone to relinquish the password to a locked device does not raise Fifth Amendment issues, this court has decided that act is testimonial in and of itself. This makes the state's demand unconstitutional and sends it up the ladder to the state's highest court. (via FourthAmendment.com)

The facts of the case may play a role in future deliberations. It involves a drunk driving accident. Phones belonging to the driver and passenger were were taken from the crashed car. The search of the driver's phone didn't go far, thanks to it being locked with a password. Prosecutors sought an order compelling password production but were met with arguments from the driver's lawyer claiming this would violate his Fifth Amendment rights. The appellate court agrees. From the decision [PDF]:

[R]evealing one’s password requires more than just a physical act; instead, it probes into the contents of an individual’s mind and therefore implicates the Fifth Amendment. The very act of revealing a password asserts a fact: that the defendant knows the password.

This is normally where the "foregone conclusion" standard is set -- the one that allows the government to bypass Fifth Amendment protections if it can show it knows the defendant knows the password to unlock a device. That's (usually) the only conclusion the government needs to reach. It does not need to show that it knows evidence needed to prosecute the case resides on the device. It only needs to tie the device to the defendant and show that there's a reasonable certainty the device can be unlocked by the person targeted by the order.

When applying this standard, courts usually don't consider production of passwords testimonial. And if it is, it's only verifying a fact the government has already shown it knows. Often, the government is forbidden to use this particular evidence -- that the defendant unlocked the phone -- against the person in court.

This court goes a different direction. It says, foregone conclusion or no, the production of passwords is testimonial and has the potential to harm the defendant just like any other Fifth Amendment violation would. The court notes the government gains nothing by obtaining a password. It wants what the password provides: access to information that might be used as evidence against the person supplying the password.

Here, the state seeks the phone passcode not because it wants the passcode itself, but because it wants to know what communications lie beyond the passcode wall. If the minor were to reveal this passcode, he would be engaging in a testimonial act utilizing the “contents of his mind” and demonstrating as a factual matter that he knows how to access the phone. As such, the compelled production of the phone passcode or the iTunes password here would be testimonial and covered by the Fifth Amendment.

Rather than use a standard used elsewhere, the court demands more from the government than a reasonable certainty the phone's owner knows how to unlock the phone. It needs to show the evidence it seeks can be found on the device.

Below and on appeal, the state’s argument has incorrectly focused on the passcode as the target of the foregone conclusion exception rather than the data shielded by the passcode, arguing that “because the State has established the existence of the passcode and iTunes password, evidence on the Petitioner’s cell phone, and that he can access the content of his phone,” the compelled search was acceptable. Similarly, the trial court specifically held that the “existence, custody, and authenticity of the passcodes are a foregone conclusion” in the order appealed. This holding, which focuses on the passcodes rather than the data behind the wall, misses the mark.

On this subject, we again disagree with the Second District. In Stahl, the court focused on the “reasonable particularity that the passcode exists,” a fact that the state had established. 206 So. 3d at 136 (emphasis in original). However, this is not the proper focus of the inquiry—it is not enough to know that a passcode wall exists, but rather, the state must demonstrate with reasonable particularity that what it is looking for is in fact located behind that wall. Contrary to the Stahl court’s conclusion, which the trial court adopted, the “evidence sought” in a password production case such as this is not the password itself; rather, it is the actual files or evidence on the locked phone. Without reasonable particularity as to the documents sought behind the passcode wall, the facts of this case “plainly fall outside” of the foregone conclusion exception and amount to a mere fishing expedition.

This is where the facts of the case may result in a ruling that aligns with the trial court's take on the "forgone conclusion" exception, but still denies access to the phone's contents. Everyone carries a phone. Drunk drivers are like sober drivers. That a drunk driver was carrying a phone at the time of an accident does not make it likely that evidence of the crime -- drunk driving -- will be found on the driver's phone. The court goes back to its "fishing expedition" comment, pointing out the state barely has any reason to search the phone at all, much less attempt to weaken Fifth Amendment protections in the process.

Here, the state’s subpoena fails to identify any specific file locations or even name particular files that it seeks from the encrypted, passcode-protected phone. Instead, it generally seeks essentially all communications, data, and images on the locked iPhone. The only possible indication that the state might be seeking anything more specific was the prosecutor’s statement at the hearing that the surviving passenger had been communicating with the minor via Snapchat and text message on the day of the accident and after the accident, a fact that the trial court briefly mentioned in its order but did not appear to rely on in reaching its conclusion.

The concurring opinion raises another issue seldom touched on in other password-related rulings. The "foregone conclusion" exception to the Fifth Amendment is, like the "good faith" exception, something fabricated by courts rather than by laws or Constitutional amendments. As such, it cannot be applied to oral testimony -- such as the relinquishment of passwords to law enforcement.

[H]ere, the State sought to compel the oral production of the requested information. The foregone conclusion exception has not been applied to oral testimony, and for good reason. In Fisher, the court explained that compelling a taxpayer to produce documents “involves substantial compulsion. But it does not compel oral testimony; nor would it ordinarily compel the taxpayer to restate, repeat, or affirm the truth of the contents of the documents sought.” Based on what the production in Fisher would not do, the Supreme Court allowed the government to compel the production of documents. Requiring the accused to orally communicate to the government information maintained only in his mind would certainly compel oral testimony. So, in my view, the basis for granting the petition is not that the State failed to satisfy the requirements of the foregone conclusion exception. Rather, the petition should be granted because the foregone conclusion exception is inapplicable to the compelled oral testimony sought in this case.

Of course, the workaround here is to have defendants punch in the passwords themselves or write them down. The latter would produce more issues than having them punch in the codes, but either way, it should be apparent -- at least in Florida -- that these alternate methods are being deployed to sidestep a precedential Fifth Amendment decision by the court.

The "foregone conclusion" exception is rarely applied in this fashion. A state-level appeals court decision isn't going to change things in the rest of the nation. But it does give defendants something to refer to when challenging compelled password production. And it also suggests the exception itself is being rethought in light of tech advancements that have made it possible for people to carry several houses-worth of documents with them at all times, protected only by a password the government can almost always obtain -- either through use of the exception or with indefinite jailing on contempt charges.

Fourth Amendment protections have undergone several adjustments over the past decade as courts seek to catch up with technology. The Fifth Amendment is due for the same overhaul.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 5th amendment, compelled decryption, encryption, florida, passwords, self incrimination