By Freddie C. Dyroff IV, CCPA, CBE
Can a court compel you to provide your password to government authorities? Does the type of password you use result in a different answer? With encryption methods becoming ever more entangled with a person’s being, and courts disagreeing on the application of the Fifth Amendment to the “unlocking” of digital devices, it is critical to comprehend the current methods of encryption and the distinctions between them.
The Fifth Amendment has traditionally been used to protect a witness from testifying against their own best interests. An important point here is that the communication must be testimonial in nature to be protected. The Fifth Amendment prevents a witness from being compelled to answer the question, “Why were you at the bank the morning it was robbed?” since answering truthfully may incriminate the witness.
Is it correct to view the disclosure of a device’s password as “testimony?” One might assume that giving a password would be self-incriminating testimony if there is illegal content on the password-protected device and thus the criminal defendant may be protected by the Fifth Amendment. As it turns out, the courts are split.
Applying the Fifth Amendment, a narrow majority of the Pennsylvania Supreme Court, in Commonwealth v. Davis [i], decided in favor of a criminal defendant’s right to avoid incriminating himself by disclosing the password to his device, because the Court reasoned that the act of providing a password is “testimony” against oneself. As noted above, under the Fifth Amendment a statement is protected if it is testimonial in nature. The federal courts, however, have created a gaping exception to the Fifth Amendment. Where the federal courts differ from Davis is in what they consider to be testimonial. Federal courts, such as in U.S. v. Apple MacPro Computer, have ruled that if the “testimony” inherent in disclosing a password is a “foregone conclusion,” then that is an exception that allows the court to compel a witness to provide the password to a device in the witness’s possession. For example, if a prosecutor can prove the witness knows what is on the password-protected device AND that the witness can access the device in question, then it is considered a foregone conclusion that the witness’s testimony about the password would not add anything new to the equation. Since the witness cannot add anything with their statements, the statements are considered non-testimonial in nature and thus the Fifth Amendment does not protect the password from compelled disclosure.
Although the rules and exceptions have been applied to this technology-complicated landscape, the law is only as good as its ability to address real-world situations. The rulings mentioned above only scratch the surface of the possible scenarios that will come into play with encryption. One readily foreseeable scenario involves a criminal suspect who uses a randomly generated one-time access code to log into a device. The suspect cannot possibly know the access code in advance but does know how to create such an access code. Would providing the instructions to create an access code be equivalent to telling police where the body is buried? To take the scenario one step further, what if the application the suspect uses to generate the access code is on his phone that is also password protected? Would the suspect be compelled to provide one but not the other? As we can see, a simple password is relatively straightforward in how it is handled under the Fifth Amendment. However, once encryption goes beyond passwords the waters become murky.
Electronic devices have evolved so that access can be gained by other methods. More devices, especially mobile ones, are being unlocked through fingerprints, iris scans, FaceID, or a key card. These methods may not be considered testimonial and thus not protected by the Fifth Amendment from disclosure. These physical methods of decryption are analogous to a key that unlocks a safe. The key itself is non-testimonial as it does not change or require the contents of the accused’s mind to unlock the safe.
Furthermore, most devices today have more than one method of access. A device with which most readers are familiar is an Apple iPhone. The latest models use FaceID, literally the user’s unique face, as the primary way to unlock the device and a PIN or password if FaceID is unsuccessful. It appears that, under the Pennsylvania Supreme Court’s ruling, one method – password or PIN disclosure – is testimonial, and the other – FaceID – is not. Would the prosecutor be within her right to unlock the device by holding the phone up to the user’s face because the user’s face is not “testimony?” Or does the presence of a Fifth Amendment-protected password preclude the prosecutor from accessing the phone, according to some courts, because disclosure of the password is self-incriminating “testimony?” The courts have not ruled on a face-recognition case, and different courts may come to different conclusions.
Technology is evolving much faster than the courts can catch up. Will encryption evolve in such a way that a device can be unlocked with a mere thought, which may be protected by the Fifth Amendment? Or will biometrics take over, and the act of unlocking a device would be simply a state of being for a person? The reader may view these hypotheticals as “science fiction.” However, according to a recent article, Elon Musk is currently developing “Neuralink,” which is a system that would be implanted into a person’s brain/spinal column to assist with computing and bridge the gap between computers and humans [ii]. Computer implants are much closer to reality than some may think, and if they are implemented and used, in part, to unlock your devices, it really is quite literally “the contents of your mind” at play.
Who knows what the future of technology will bring to affect the application of the Fifth Amendment? For now, knowing the existing technology landscape and how the law applies to it is an important first step in understanding the nuances and predicting the future.