
Can the Police Search My Phone? Updates on the iArrest in the Post-Riley World

NOTE - THIS ARTICLE IS NO LONGER CURRENT. PLEASE VISIT THIS PAGE FOR AN UPDATE.

A couple of years ago, we blogged on the ever-growing topic of cell phone privacy in the age of the smart phone and, specifically, whether the police can search a phone without a warrant after its owner has been arrested. The Supreme Court had recently decided Riley v. California,[1] which established that police cannot look through a phone without a warrant just because its owner was arrested. Riley, however, was not the end of the story. New questions about the extent of access that law enforcement can obtain into a personal cell phone arise constantly, due to our society’s ubiquitous use of smart phones and the enormous amount of private data (along with potential information about their owners’ whereabouts, activities, and contacts) they contain. We know from Riley that the police can’t confiscate your phone and look at whatever they want just because they arrested you. But that hasn’t stopped investigators from confiscating phones, nor from looking for the information contained in them. Now they just have to get a warrant first, right? Well, it turns out, it’s not that simple.

One of the biggest questions is no longer whether the police need to get a warrant (they know they need one), but rather, after they have the warrant, whether (from a practical perspective) they can access the information in the phone – and whether they can compel phone owners and manufacturers to help them do it. The level of privacy that cell phones and other electronic devices should be accorded has received a lot of news coverage this year. Apple and the FBI made headlines in February when a federal judge ordered Apple to “assist” the FBI “in enabling the search of” the iPhone used by Syed Rizwan Farook, one of the attackers in the December 2015 shooting that killed fourteen people in San Bernardino.[2] The FBI had, as required by Riley, obtained a search warrant for the phone. But they were unable, practically speaking, to gain access to the information in the phone because they couldn’t unlock it. They did not have the pass code, and “because of the phone’s security features, they risk[ed] losing the data permanently after 10 failed attempts to enter [it].”[3]

So they sought (and were granted) an additional court order pursuant to the All Writs Act,[4] compelling Apple to give the FBI “reasonable technical assistance” that would allow agents access to the phone’s data.[5] Apple loudly refused and filed a Motion to Vacate the order, arguing that the All Writs Act (a general statute authorizing the federal courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law”)[6] did “not provide a basis to conscript Apple to create software enabling the government to hack into iPhones.”[7] While many thought the issue would eventually travel to the Supreme Court, the legal battle was rendered moot when the FBI, aided by an unidentified outside group (and reportedly at very great expense),[8] managed to extract the information it wanted from the iPhone without Apple’s assistance.[9]

The FBI’s workaround may have delayed, but will not ultimately prevent, the inevitable legal showdown between the needs of effective law enforcement in investigating crimes in the cyber age and the rights of individuals to privacy in their phones (and consequently, of companies seeking to protect that privacy on behalf of their customers). It also sparked questions and concerns about the government’s use of “some type of hack” to “get past Apple’s daunting encryption” system,[10] including the potential cost to taxpayers of such hacking jobs. Apple is not the only cell phone manufacturer to face government requests for assistance in accessing locked phones. Google has reportedly been asked to help the government unlock at least nine Android smart phones, and unlike Apple, Google has the technical capacity to remotely reset device passwords for a large percentage of its devices without having to write new software or redesign the phones’ encryption systems.[11]

Left with little but questions and the near-guarantee of either a major legal battle or extensive use of public funds to obtain data contained in a locked iPhone, law enforcement officers have begun to look for encryption workarounds (i.e., practical ways to get phones unlocked and access the data they contain). If the police could potentially compel Apple to write software allowing them to unlock your phone, perhaps they could just as easily get a court order forcing you to provide them with your passcode yourself. And if not that, maybe they could compel you to provide other biometric identification “unlock” methods. For example, for phones with Touch ID or another fingerprint recognition feature, law enforcement officers have requested and some judges have granted warrants compelling the phone’s owner to place their fingerprint on it and thereby unlock it.[12] Concerns have surfaced in the press regarding law enforcement’s capacity to compel phone owners to unlock their Android devices using Trusted Voice, a feature of Google’s Pixel smartphone that recognizes the owner’s voice and allows them to say “OK Google” instead of entering a passcode to unlock.[13] Obtaining the forced assistance of a phone’s owner in unlocking the phone presents complicated questions involving not only the Fourth Amendment’s protection against unreasonable searches and seizures, but also the Fifth Amendment and the possibility that one’s own actions in unlocking a phone are testimonial and protected by the privilege against self-incrimination. So, are the police allowed to get a court order compelling you to unlock your phone for them?

The law is nowhere near certain at this point, but many on both sides of criminal law (defense attorneys and law enforcement agencies) believe the answer with respect to passcodes is no. Fingerprints and other identification methods, however, are another story. In a slip opinion in 2014 that has since been widely relied upon and cited in the press, a Virginia circuit court judge agreed.[14] There, both the victim and defendant in a case brought under Virginia Code § 18.2-51.6 (Strangling Another Causing Wounding or Injury) told police that the assault at issue was or could have been recorded and transmitted to the defendant’s cell phone. Police had been unable to gain access to the recording, however, because the phone was protected by passcode and fingerprint. The state asked the court to compel the defendant to provide both.[15]

The Virginia judge first concluded that the phone’s contents alone were not protected by the privilege against self-incrimination (even were they to contain “incriminating assertions of fact or belief”) because, just as with documents that were created voluntarily, the defendant’s act of creating the contents was not compelled.[16] Thus, as long as the contents of the phone were “obtained pursuant to a validly executed warrant” and otherwise obtained without issues “raised under the Fourth Amendment,” the contents themselves were admissible.[17] The issue, then, was narrowed to whether compelling the defendant to provide his own passcode or fingerprint would violate his Fifth Amendment privilege against self-incrimination, which would occur only if the requested court order involved “(1) compulsion of a (2) testimonial communication that is (3) incriminating.”[18] A court order compelling the defendant to provide a passcode would clearly be “compulsive,” and based on the defendant’s previous admissions, “the production of the passcode or fingerprint would [have] be[en] incriminating.” So the only question remaining was “whether a passcode or a fingerprint is ‘testimonial communication.’”[19]

In an analysis that subsequent legal arguments have generally adopted, the judge held that the fingerprint was not a testimonial communication, but the passcode was. Specifically, compelling a fingerprint was no different from requiring a defendant “to submit to fingerprinting, photography, or measurements, to write or speak for identification, to appear in court, to stand, to assume a stance, to walk, or to make a particular gesture,”[20] none of which are protected by the Fifth Amendment privilege under U.S. Supreme Court precedent, because “[t]he act of exhibiting such physical characteristics is not the same as a sworn communication . . . that relates either express or implied assertions of fact or belief.”[21] Accordingly, the judge granted the government’s motion to compel with respect to the fingerprint.

The passcode, however, was another story. The court analogized to case law involving document production, where the “act of production itself could qualify as testimonial if conceding the existence, possession and control, and authenticity of the documents tends to incriminate him or her.”[22] The act of production itself is not protected if the “existence and location” of the information itself is a “foregone conclusion” and the defendant’s “conceding that he in fact has the documents” adds “little or nothing to the sum total of the Government’s information,”[23] a concept known as the “foregone conclusion doctrine.”[24] Here, however, the judge held that the passcode was not a “foregone conclusion” because “it is not known outside of Defendant’s mind. Unlike a document or tangible thing, such as an unencrypted copy of the footage itself, if the password was a foregone conclusion, the Commonwealth would not need to compel Defendant to produce it because they would already know it.”[25]

The court reasoned that forcing the defendant to provide his passcode was equivalent to “telling an inquisitor the combination to a wall safe,” rather than merely “surrender[ing] the key to a strongbox,” and that “forcing [him] to reveal the password” would be “requiring him to divulge through his [own] mental processes.”[26] Essentially, “[u]nlike the production of physical characteristic evidence, such as a fingerprint, the production of a password forces the Defendant to ‘disclose the contents of his own mind.’”[27] Providing the passcode was testimonial, and as such could not be compelled.

A similar approach appears to be developing in the context of corporate phones and business records. In a 2015 insider trading case, the SEC sought an order to compel the Defendants to disclose passcodes for their work smartphones.[28] There, the SEC argued that the defendants were “corporate custodians in possession of corporate records, and as such c[ould not] assert their Fifth Amendment privilege in refusing to disclose their passcodes.”[29] The Eastern District of Pennsylvania distinguished work smartphones with employee-created secret passwords from “corporate records,” and concluded that “the personal thought process defining a smartphone passcode not shared with an employer is testimonial.”[30] Even though their phones were owned by the defendants’ employer, the SEC “[wa]s not seeking business records but [instead] Defendants’ personal thought processes,” and therefore the defendants could “properly invoke their Fifth Amendment right.”[31]

The court also disagreed with the SEC’s argument under the foregone conclusion doctrine: that “any incriminating testimonial aspect to Defendants’ production of their personal passcodes already is a foregone conclusion because [the SEC] can show Defendants were the sole users and possessors of their respective work-issued phones.”[32] The court held that independent knowledge of possession of the phone was inadequate, and that the government needed to show instead “what is actually on the device.”[33] The SEC had “proffer[ed] no evidence rising to a ‘reasonable particularity’” that “any of the documents it alleges” actually “reside[d] in the passcode protected phones.”[34] The court then distinguished between the SEC’s broad request for passcodes (and therefore access to the defendants’ entire phone contents) and other “foregone conclusion” computer password-related cases involving child pornography, where law enforcement had already independently ascertained through website or computer monitoring that the encrypted devices had accessed unlawful material.[35]

Thus the currently prevailing analysis indicates that phone owners cannot be forced to provide their passcodes to law enforcement, but they can be compelled to provide their fingerprints (or potentially other biometric identifying information). But this is hardly well-settled or reliable law. Two unpublished opinions from a state trial court and a federal district court do not bind the rest of the nation, and both leave room for additional argument under the foregone conclusion doctrine. Indeed, in the Huang order, the SEC’s foregone conclusion argument failed because it simply did not present any evidence that the information it sought existed on the smartphones at issue. One could certainly imagine a situation where the government could obtain some independent verification of what it sought on the phone (for example, as in the cases distinguished in the Huang order, a particular user’s access to a child pornography website, or perhaps even firsthand witness testimony of the individual making a recording or taking a picture on his or her phone). While the Fifth Amendment won’t allow law enforcement to compel a phone owner to provide a passcode allowing a government fishing expedition, doing so in order to find specific evidence whose existence is independently verified remains an open question.

Some have suggested that this analysis and applicable Fourth and Fifth Amendment doctrine need a reboot for the smart phone context. After all, the entire idea of distinguishing between passcodes and biometric identifying access information, while consistent with past Supreme Court Fourth and Fifth Amendment precedent, seems a bit specious here. Isn’t compelling you to provide your password or your fingerprint basically the same thing? They both grant access to your phone, after all. “It’s an odd split in logic, because fingerprints and passcodes now do the same thing: unlock information.”[36] On the other hand, fingerprints and passcodes are not equally helpful to law enforcement (or, necessarily, equally intrusive to phone owners). Unlike using passcodes (a fairly certain method of accessing a phone), fingerprint-based unlocking doesn’t always work for law enforcement. Oftentimes police still can’t get into a phone even if its owner is compelled to provide a fingerprint.[37] To say nothing of the many iPhone owners who do not use Touch ID, even Touch ID phones demand a passcode as a security measure when the phone has not been unlocked for 48 hours[38] or for the first unlock after powering back up.[39]

These questions and new ones continue to arise as law enforcement agents try new and different encryption workarounds to access phone data that could constitute evidence of crime. In one very sweeping example, DOJ applied for a search warrant of a property in California authorizing agents to “depress the fingerprints and thumbprints of every person who is located at the subject premises during the execution of the search” and “who is reasonably believed by law enforcement to be a user of a fingerprint sensor-enabled device.”[40] While few other details have surfaced, it appears that this warrant was ultimately executed.[41] Orin Kerr, a law professor at George Washington University writing for The Volokh Conspiracy,[42] analyzed this “encryption workaround” attempt and raised an important question: does the Fifth Amendment really even apply all that often in the investigative context?[43] Well, in a sweeping search involving multiple people other than an investigation’s target or suspect, maybe not.

As Kerr explains, “executing a warrant usually does not lead to a situation of Miranda custody for people present, and under Salinas v. Texas, the Fifth Amendment privilege is unavailable outside of Miranda custody unless the person formally asserts it.”[44] So, “any Fifth Amendment issues would come up only when the officer tells the person to unlock the phone and the person responds by formally asserting his right to silence (or else the person is already under arrest).”[45] Witnesses and bystanders aren’t typically under Miranda custody or under arrest, nor do they typically formally assert their right to silence, particularly if they do not feel they’ve done anything incriminating. Followed to its logical conclusion, this is a potentially powerful investigative tactic. Police could find incriminating evidence about their investigation’s target on someone else’s (e.g., a friend or associate’s) phone, such as text message or social media activity sent by the target that would show the target’s potentially incriminating conduct or thought process. Once police know that the target sent it, the existence of such information in the target’s own phone history is arguably a foregone conclusion, potentially justifying compelled access into the target’s phone itself, right? Well, maybe. We just don’t know yet.

In the meantime, the void of legal uncertainty surrounding law enforcement and cell phone data access leads to a plethora of smaller practical issues that confront judges, police officers, prosecutors, and defense attorneys on a regular basis. For example, in Riley, both defendants “conced[ed] that officers could have seized and secured their cell phones to prevent destruction of evidence while seeking a warrant,” a concession that the Court called “sensible.”[46] But is that seizure still reasonable where officers know – even if they can get a warrant – that they are unlikely to be able to unlock the phone? And given the challenging and potentially lengthy legal process that could be involved as police attempt to find a way to unlock and obtain information from the phone, how long can they reasonably keep it? In a headline-making case in Los Angeles earlier this year, the FBI hung onto an iPhone for about six months, and was not able to unlock it despite having obtained a fingerprint unlock warrant.[47]

We can certainly expect future litigation in this area. While the law has clearly begun to recognize an expectation of privacy and constitutional protection in your phone and the information contained therein, the extent of that protection remains murky. And let us not forget that the police can access some types of smartphone information – such as present and historical location and GPS information – from other entities (like wireless carriers) and through other technologies without the phone owner’s involvement at all. In that case, the Fifth Amendment provides no protection, and the Fourth Amendment is typically satisfied as long as there was a valid warrant based on probable cause[48] (or, in some cases, possibly even if there wasn’t).[49] But that is a matter for another post, on another day.

By Chelsy Knight Weber, Esq., Consulting Counsel to the Eichner Law Firm, licensed to practice in the District of Columbia, New York, and Connecticut


[1] Riley v. California, 134 S. Ct. 2473, 2486 (2014).

[2] In re Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, No. ED 15-0451M, Order [hereinafter Apple Order] (C.D. Cal. Feb. 16, 2016), available at https://assets.documentcloud.org/documents/2714005/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf; Eric Lichtblau, N.Y. Times, Judge Tells Apple to Help Unlock iPhone Used by San Bernardino Gunman, Feb. 16, 2016, available at http://www.nytimes.com/2016/02/17/us/judge-tells-apple-to-help-unlock-san-bernardino-gunmans-iphone-html?_r=0.

[3] Lichtblau, supra note 2.

[4] 28 U.S.C. § 1651.

[5] See sources cited supra note 2.

[6] 28 U.S.C. § 1651.

[7] In re Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, No. CM 16-10 (SP), Apple Inc’s Motion to Vacate Order Compelling Apple Inc to Assist Agents in Search [hereinafter Apple Opposition] (filed C.D. Cal. Feb. 25, 2016), available at www.wsj.com/public/resources/documents/applefiling.pdf.

[8] Alfred Ng, N.Y. Daily News, FBI Paid More than $1.3 Million to Hack into the San Bernardino Terrorist’s iPhone – Found No Links to ISIS, Apr. 21, 2016, available at http://www.nydailynews.com/news/national/fbi-paid-1-3-million-unlock-san-bernardino-iphone-article-1.2610445.

[9] Joel Rubin, James Queally & Paresh Dave, L.A. Times, FBI Unlocks San Bernardino Shooter’s iPhone and Ends Legal Battle with Apple, for Now, Mar. 28, 2016, available at http://www.latimes.com/local/lanow/la-me-ln-fbi-drops-fight-to-force-apple-to-unlock-san-bernardino-terrorist-iphone-20160328-story.html.

[10] Id.

[11] Swati Khandelwal, The Hacker News, Google Has Also Been Ordered to Unlock 9 Android Phones, Mar. 30, 2016, available at http://thehackernews.com/2016/03/unlock-google-android.html.

[12] Jose Pagliery, CNN Money, FBI Wasn’t Able to Unlock iPhone, Even with a “Fingerprint Unlock Warrant,” May 12, 2016, available at http://money.cnn.com/2016/05/12/technology/fbi-fingerprint-iphone/; Thomas Fox-Brewster, Forbes, Feds Walk Into a Building, Demand Everyone’s Fingerprints to Open Phones, Oct. 16, 2016, available at www.forbes.com/sites/thomasbrewster/2016/10/16/doj-demands-mass-fingerprint-seizure-to-open-iphones/#525189348d9d.

[13] Thomas Fox-Brewster, Forbes, Cops Could Force Google Pixel Users to Voice-Unlock Their Phones, Nov. 2, 2016, available at http://www.forbes.com/sites/thomasbrewster/2016/11/02/ok-google-unlock-my-phone-for-the-feds/#666e9895947f.

[14] Commonwealth of Virginia v. Baust, No. CR14-1439 (Va. 2d Cir. Ct. Oct. 28, 2014).

[15] Id. at 1 (“This matter is before the court on the Commonwealth’s Motion to Compel the Production of the Passcode or Fingerprint to Encrypted Smartphone.”).

[16] Id. at 2.

[17] Id. (citations omitted).

[18] Id. at 3 (quoting United States v. Authement, 607 F.2d 1129, 1131 n.1 (5th Cir. 1979)).

[19] Id. at 2.

[20] Id. at 3 (citations omitted).

[21] Id. (citations omitted).

[22] Id. (citations omitted).

[23] Id. (citations omitted).

[24] For additional analysis of the foregone conclusion doctrine in the context of encrypted electronic devices, see Dan Terzian, Forced Decryption as a Foregone Conclusion, 6 Cal. L. Rev. Cir. 27 (2015), available at http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1069&context=clrcircuit.

[25] Id. at 5.

[26] Id. at 4 (quoting United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010)).

[27] Id.

[28] Securities & Exchg. Comm’n v. Huang, et al., No. 15-269, Opinion (E.D. Pa. Sept. 23, 2015), available at https://www.washingtonpost.com/news/volokh-conspiracy/wp-content/uploads/sites/14/2015/09/Huang.pdf.

[29] Id. at 2.

[30] Id.

[31] Id. at 4.

[32] Id. at 6.

[33] Id.

[34] Id. (citations omitted).

[35] Id. at 7.

[36] See Pagliery, supra note 12.

[37] Id.

[38] Id.

[39] Kate Cox, Consumerist, Feds Use Search Warrant to Make Everyone in Building Unlock Their Phones, Oct. 19, 2016, available at https://consumerist.com/2016/10/19/feds-use-search-warrant-to-make-everyone-in-building-unlock-their-phones/.

[40] In re Search, Notice of Filing Memorandum of Points and Authorities in Support of Search Warrant Application, (C.D. Cal. May 9, 2016), available at https://www.documentcloud.org/documents/3143273-Mass-Fingerprint-Case-Redacted-Copy-1.html.

[41] Fox-Brewster, supra note 12.

[42] Orin Kerr, The Volokh Conspiracy, Can Warrants for Digital Evidence Also Require Fingerprints to Unlock Phones?, Oct. 19, 2016, available at https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/10/19/can-warrants-for-digital-evidence-also-require-fingerprints-to-unlock-phones/.

[43] Id.

[44] Id.

[45] Id.

[46] Riley, 134 S. Ct. at 2486.

[47] Pagliery, supra note 12.

[48] See United States v. Jones, 132 S. Ct. 945 (2012).

[49] See id.; Brad Heath, USA Today, Police Secretly Track Cellphones to Solve Routine Crimes, Aug. 24, 2015, available at http://www.usatoday.com/story/news/2015/08/23/baltimore-police-stingray-cell-surveillance/31994181/.

Disclaimer: The information in this blog is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this blog should be construed as legal advice from The Eichner Law Firm or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this blog should act or refrain from acting on the basis of any information included in, or accessible through, this blog without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country, or other appropriate licensing jurisdiction.