Jan. 24, 2019
When you think about digital privacy (if you think about digital privacy), the section of the Constitution that most immediately comes to mind is probably the Fourth Amendment—you know, the one that promises that the government needs probable cause and a warrant to arrest you or search your house, papers, and effects (as well as your phones, computers, and hard drives).
But there’s also a set of debates centered instead on the Fifth Amendment and when the government can force you to decrypt those seized devices. That was already a messy issue with a lot of disagreement between different courts, but a judge in California issued a ruling last week that makes compelled decryption even trickier to sort out using the Fifth Amendment.
In a nutshell, the Fifth Amendment (among other things) grants people the right not to “be compelled in any criminal case to be a witness against” themselves. That’s relatively straightforward when you’re just answering questions in court. But if you’re told to decrypt your iPhone by the government, is that actually a form of testimony covered by the Fifth Amendment?
The crucial case for understanding when something is covered by the Fifth Amendment dates back to a 1957 Supreme Court ruling revolving around whether a man named Joseph Curcio, who served as the secretary-treasurer of a union, could use his Fifth Amendment privileges to refuse to answer questions about where certain union records and books were located. The Supreme Court ruled that he was permitted to refuse to answer those questions because forcing him “to testify orally as to the whereabouts of nonproduced records requires him to disclose the contents of his own mind. He might be compelled to convict himself out of his own mouth. That is contrary to the spirit and letter of the Fifth Amendment.”
The idea that the Fifth Amendment protects the contents of your mind is important when it comes to encryption because, for instance, that’s where you store your phone passcode or computer password. Under this reasoning, the government can compel you to turn over the key to your safe, but it cannot force you to reveal the combination because only one of those is the contents of your mind. But when it came to searching and seizing safes, this was never really an issue. Armed with jackhammers, drills, and explosives (or whatever one uses to break into safes), there was no physical safe that the government would be unable to get into once it had acquired a warrant.
Encryption thrust this contradiction about keys and combinations front and center, however, because law enforcement is unable to decrypt some devices. But while compelling people to turn over passwords and other decryption keys located in their minds has been complicated because of the Fifth Amendment, biometric compelled decryption has generally been relatively straightforward. After all, your fingerprint and your retina are very clearly not the contents of your mind. This distinction—something you have versus something you know—has led people to assume that compelling a suspect to use their fingerprint to unlock their phone was kosher under the Constitution, an assumption a Virginia circuit court judge confirmed in 2014.
But last week, Magistrate Judge Kandis Westmore of the U.S. District Court in Oakland, California, issued a ruling denying a search warrant that dealt with both Fourth and Fifth Amendment rights and profoundly misunderstand the latter. The warrant request was for digital devices, and in it, law enforcement officers also requested “the authority to compel any individual present at the time of the search to press a finger (including a thumb) or utilize other biometric features, such as facial or iris recognition, for the purposes of unlocking the digital devices found in order to permit a search of the contents as authorized by the search warrant.”
Westmore denied the warrant because of that provision, writing in her opinion that “utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab” because “in this context, biometric features serve the same purpose of a passcode” and “if a person cannot be compelled to provide a passcode … a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”
It’s a strange moment to worry about Fifth Amendment privileges for compelled decryption; usually that’s a fight that comes after a warrant is issued and devices have been seized, not before. (Westmore also argues in her opinion that the biometric request violates the Fourth Amendment because it does not request biometrics from a specific person and the warrant is therefore too broad. That’s a valid reason to deny a warrant, but it’s odd that she then brings up so many Fifth Amendment issues as well.)
Westmore goes to great pains in her opinion to explain why compelling someone to touch their thumb to their iPhone is different from compelling them to give their fingerprints for old-fashioned purposes. She writes:
A finger or thumb scan used to unlock a device indicates that the device belongs to a particular individual. In other words, the act concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents. Thus, the act of unlocking a phone with a finger of thumb scan far exceeds the “physical evidence” created when a suspect submits to fingerprinting to merely compare his fingerprints to existing physical evidence (another fingerprint) found at a crime scene, because there is no comparison or witness corroboration required to confirm a positive match.
But all of her reasoning completely ignores the fundamental idea that what the Fifth Amendment protects is the contents of your mind—not the pattern of your fingertip or anything else about your physical attributes. Just because fingerprints and passwords can both be used for the same purpose when it comes to encryption does not mean that they are both testimony or should both be treated in the same way under the law.
And it’s important to note that, even when it comes to passwords and nonbiometric decryption, there’s a huge, very ambiguous loophole in the Fifth Amendment protections for the contents of your mind. It’s called the foregone conclusion exceptionbecause it allows the government to compel certain types of information from people so long as that information is already a “foregone conclusion.” In other words, if the government already knows everything about the contents of your encrypted device, then it can sometimes compel you to turn over the decrypted contents on the grounds that you’re not providing them with any new information—and if you refuse, you can be held in contempt of court. For instance, in a child pornography case in Pennsylvania, an ex-cop was held in prison for years because he refused to decrypt hard drives even after investigators found that the hashes of files on those drives matched the hashes of known child pornography files, making their contents a foregone conclusion.
Other courts have been a little less clear on exactly how much the government needs to know about the contents of a digital device to use the foregone conclusion exception. Some say that the contents of the device must be known, while others seem content to compel decryption so long as the ownership of the device and the owner’s knowledge of the encryption key have been established. For instance, in a Massachusetts case in 2014, a court ordered a man to decrypt his computer because law enforcement officers had already established that the computer belonged to him and that he had the decryption key, so the act of his decrypting its contents would reveal nothing new to the government.
In short, there’s already a lot of uncertainty and disagreement about when courts should be able to compel decryption of devices—and Westmore’s opinion will only make things less clear and more complicated.