Passcodes protect smartphone data, but they’re working a little too well as far as law enforcement is concerned.
Courts are increasingly having to grapple with the question of whether suspects should be compelled to unlock their phones for investigators. Adding to growing precedent, a federal judge in Pennsylvania said Wednesday that people cannot be forced to reveal passcodes, since that would violate the Fifth Amendment right against self-incrimination.
Judge Mark Kearney denied a motion to compel two defendants to disclose the passwords to their old work phones. The plaintiff, the Securities and Exchange Commission, wanted to access data on the phones, which are owned by Capital One. But the bank had told its employees not to write their passcodes down anywhere or tell them to anyone. As a result, Capital One couldn't help the SEC unlock the phones even though the bank provided them to the agency. The defendants refused to provide the passcodes, saying it would infringe on their Fifth Amendment rights.
"Each party argues based on established legal precedent in non-smartphone contexts involving the interplay between corporate records and encrypted information on computers," Kearney wrote. "We find, as the SEC is not seeking business records but Defendants' personal thought processes, Defendants may properly invoke their Fifth Amendment right."
In a Virginia circuit court case from 2014, a judge decided that police could compel someone to unlock a smartphone using a fingerprint scanner, because a fingertip is like a fingerprint, cheek swab, or handwriting sample. But in that case, as in this one, the judge referred to an idea (first introduced in a 1988 John Paul Stevens Supreme Court dissent) that revealing "the contents of an individual's mind" is protected by the Fifth Amendment. It's basically the distinction between a safe that you open with a key and one that you open with a numeric code. Law enforcement can demand that you use the physical key to open the safe but can't insist that you disclose a code that is held in your mind.
"Since the passcodes to Defendants' work-issued smartphones are not corporate records, the act of producing their personal passcodes is testimonial in nature and Defendants properly invoke their Fifth Amendment privilege," Kearney wrote. He also noted that the SEC hadn't done enough to show that there would be relevant evidence on the phones, even if they were unlocked.
Former federal prosecutor Orin Kerr suggested to Ars Technica that "Fifth Amendment issues raised by the content of the passcode could be addressed by having the defendants just enter in their passcodes rather than handing them over to the government." In that scenario, suspects would unlock the device so it could be evaluated without revealing the passcode.
Another option for law enforcement is cracking passcodes through brute force (using a computer to try all the possible combinations until landing on the right one). Brute-force cracking gets more difficult, though, depending on factors like how many characters are in a passcode, whether it includes letters and symbols in addition to numbers, and how strongly data on the device is encrypted.
The debate isn't over, but Wednesday's decision gives a little more strength to the humble passcode.