Court Hinges Privacy Rights on Smartphone Settings
“Yes, compelling someone to reveal information on how to decrypt data is compelling testimony from that person. But obtaining information from a person’s mind is not what happens when agents pick a finger to apply to the sensor.”
—Judge Edmond E. Chang, qtd. in In re A white Google Pixel
2019 began with digital privacy activists rejoicing an apparent victory with a decision handed down by the United States District Court of Northern California. The case concerned whether or not law enforcement had the authority to compel a person to unlock a seized phone.
Police had applied for a search and seizure warrant for an Oakland residence in connection with two suspects of an extortion scheme. The warrant application asked to seize various electronic devices including cell phones and computers. Police also requested the ability to compel any individual in the vicinity to use any biometric feature, like a finger or thumbprint, facial recognition, or iris detection to unlock any devices subject to the warrant found in the residence at the time of the search.
Denying the search warrant application, the judge found that even with a warrant, police cannot force suspects to unlock electronic devices. The court held that unlocking a phone with a fingerprint is “fundamentally different” than taking a suspect’s fingerprint, for instance. This is partially due to the risk of identifying who has access to the phone, thereby potentially implicating the owner.
More shocking, the court argued that since biometric access is effectively a substitute for a password, the compulsory production of a fingerprint constitutes a compelled testimony, a violation of the 5th Amendment protection against self-incrimination. By giving police access to the phone’s contents, the individual who is subject to the search effectively becomes a witness against themselves. This 5th Amendment violation thereby makes the search unreasonable in terms of the 4th Amendment.
The conclusion of the case was applauded by privacy activists not only for stopping police from forcing people to open their phones for the government but for also narrowing what police could seize to only devices that were reasonably believed to be owned by suspects. The decision was a promising development after a string of defeats. Up until the Northern California District Court’s ruling, the only cases of note, State v. Diamond (2018) and In re the Search Warrant Application for [redacted] (2017) allowed police compel a person to use a fingerprint to unlock a seized cell phone.
However, the sentiment of victory was short lived. In a recent case heard by David Nye of the United States District Court for Idaho, Judge Nye took direct issue with the aforementioned Northern District of California ruling. The Idaho case, though similarly about a warrant application and phone search incident to arrest, decidedly gave great leeway to law enforcement to compel the unlocking of a phone.
Police in the state of Idaho initially applied for a warrant as part of a child pornography investigation. The provisions of the warrant application included permission to seize “mobile phones” if the phones could be used as evidence of the commission of the crime. The warrant application was authorized and upon execution, police seized a Google Pixel 3 XL from the bathroom of the suspect’s residence.
It was soon discovered that the phone required a swipe pattern or a fingerprint to unlock the screen to display its digital contents. The government again applied for an additional warrant to “press any finger and/or thumb of any hand against the sensor of the fingerprint reader used to unlock the…phone.”
Denying the additional warrant, the magistrate judge echoed the Northern California District ruling and stated that approving the application would have been a 5th Amendment violation by virtue of compelling the individual to produce self-incriminating testimony. On review, the U.S District Court Judge vacated the magistrate’s order denying the warrant.
The rationale behind the decision is that body parts, or “physical characteristics” should not be counted as “testimony”. The Supreme Court in the past has drawn a similar distinction. The principle issue in Doe v. United States (1988) concerned what constituted “testimony”. In Doe, the court specified that a testimony was a disclosure of the contents of the suspect’s mind.
The U.S District Court of Idaho recalled this differentiation, saying:
In [Doe v. United States, 487 U.S. 201 (1988)], the United States Supreme Court made a comparison between being compelled to surrender a key to a strongbox or safe containing incriminating documents (and how that would not be a testimonial act), and being compelled to reveal the combination to a safe (which would be a testimonial act)…The Court explained that whether an act was testimonial — and therefore unconstitutional — revolved around whether the act forced the defendant to ‘disclose the contents of his own mind.’
A conclusion from the Idaho case is that police forcing a person to turn over their passcode would be impermissible. But because applying a finger to a sensor is not a disclosure of the contents of the mind, the court did not see a Constitutional violation.
Riana Pfefferkorn of the Center for Internet and Society at Stanford Law School eloquently made the point that the court decided to “hinge a core constitutional right of all smartphone users — three-quarters of Americans — on how they use their phone’s UI.”
In short, if a person uses a password to unlock their phone they may be protected by the law. However, if they use biometrics, which is functionally equivalent in terms of gaining access to the phone, this reasoning says that there is no legal protection with respect to the 5th Amendment.
This deals a blow to those that use biometrics as part of their 2-factor authentication login or encryption management. Moreover, it jeopardizes cell phone users as many smartphones today bypass passcode requirements if a valid fingerprint is supplied by the user. This grants police the ability to circumnavigate the spirit of privacy laws and effectively renders constitutional protections of passwords useless.
While other courts have yet to weigh in, the direction of the case law is discouraging. However, the discordance between the Northern California and Idaho ruling is worth continuing to watch in the future as both districts are in the 9th Circuit.
* * *
This piece was originally published under a different title in The Startup (12/13/19). For more on privacy rights, see American Surveillance: Intelligence, Privacy, and the Fourth Amendment, by Anthony Gregory.