Technology

Using Your Mind?

The fragmented caselaw over gaining access to password-protected devices

By Pierre Grosdidier

Can authorities compel a suspect to surrender the password to a protected device?1 The caselaw in this area is surprisingly unsettled.2 Generally, a suspect cannot be forced to verbally surrender a password because such an act is a compelled and incriminating testimonial communication.3 The touchstone of Fifth Amendment protection is the government’s inability to force a suspect “to use ‘the contents of his own mind’” to his or her prejudice.4 Therefore, a suspect can be obligated to surrender a safe’s key, but not its combination.5

But, the Fifth Amendment suffers an important exception under the “foregone conclusion” exception. A suspect may be compelled to produce documents if the authorities can show that they know of their existence, location, and authenticating evidence with reasonable particularity. In that case, the suspect’s production is not testimonial because it adds nothing to the authorities’ knowledge of the documents’ properties, which are a foregone conclusion. The suspect enjoys no Fifth Amendment protection because the act of production does not compel the incriminating use of the mind.6

Courts have applied the foregone conclusion exception to adjudicate access to encrypted devices in different ways. In In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, the suspect invoked the Fifth Amendment to refuse to produce unencrypted devices that authorities suspected contained child pornography.7 The U.S. Court of Appeals for the 11th Circuit held that the decryption and production of the devices’ contents would amount to testimony by the suspect that he had “knowledge of the existence and location of potentially incriminating files, . . . possession, control, and access to the encrypted portions of the drives,” and the ability to decrypt the files.8 The court reasoned that the act of production would require the use of the suspect’s mind and could not be characterized as a merely physical act. Moreover, the foregone conclusion exception did not apply because the government did not show with reasonable particularity that it knew what the encrypted devices contained nor that the suspect could access them. For these reasons, the court held that the suspect properly invoked his Fifth Amendment privilege.9 In a similar case, the U.S. Court of Appeals for the 3rd Circuit upheld a district court’s contempt order against a suspect who refused to decrypt hard drives because prosecutors adduced ample evidence that the devices contained incriminating contraband.10

In G.A.Q.L. v. State of Florida, prosecutors sought to compel a minor involved in an ethylated and deadly car accident to produce iPhone passcodes.11 Prosecutors argued that the act of surrendering the passcodes was not testimonial because their existence, custody, and authenticity were a foregone conclusion. A Florida court of appeals disagreed. It held that the foregone conclusion exception applied to the documents hidden behind the passcodes—the actual target of the inquiry—not to the passcodes. To hold otherwise would gut the Fifth Amendment’s protections because “it would be a foregone conclusion that any password-protected phone would have a passcode.”12 The court concluded that in the absence of any specifics, let alone any reasonable particularity, as to the documents sought on the iPhone, the foregone conclusion exception did not apply and it quashed the district court’s order.13

The Massachusetts Supreme Judicial Court reached the opposite result in Commonwealth v. Jones, a case of alleged sex trafficking.14 The court held that in a case of compelled decryption, the knowledge sought is the passcode, not its device’s contents, and that the suspect can only be compelled to enter the passcode to unlock the phone, but not disclose it.15 Therefore, the foregone conclusion exception applied only when prosecutors showed beyond a reasonable doubt that the suspect knew the passcode.16

Jones is one of the few cases that has addressed the applicable standard for the foregone conclusion exception. In United States v. Spencer, the court held that applying the “reasonable particularity” standard to compelled decryption was “nonsensical.”17 The court reasoned that this standard applied to a situation where physical evidence could be described with more or less specificity, but was inapplicable in a situation where a sus-pect either could or could not decrypt a device. The court opted instead to place the burden on the government to show that the suspect could decrypt a device by clear and convincing evidence.18 TBJ

NOTES

1. SeePierre Grosdidier, Can authorities compel a suspect to use his or her biometrics to unlock a digital device?, Circuits, Sept. 2019, at 7.
2. For a more in-depth analysis of this topic, seeOrin
S. Kerr, Compelled Decryption and the Privilege Against Self-Incrimination,97 Tex. L. Rev. 4.
3. Sec. & Exch. Comm’n v. Huang,No. 15-269, 2015 WL 5611644, at 4 (E.D. Pa. Sept. 23, 2015) (act of producing passcodes is testimonial in nature).
4. In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011,670 F.3d 1335, 1342, 1345 (11th Cir. 2012).
5. Id.at 1345; In re Search of [Redacted] Wash., D.C., 317 F. Supp. 3d 523, 535 (D.D.C. 2018) (mem. op.).
6. In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011,670 F.3d at 1344.
7. Id.at 1337–39.
8. Id.at 1346.
9. Id.at 1352.
10. United States v. Apple MacPro Comput.,851 F.3d 238, 248 (3rd Cir. 2017).
11. 257 So. 3d 1058, 1059 (Fla. Dist. Ct. App. 2018).
12. Id.at 1063.
13. Id.at 1065; compare with State v. Stahl,206 So.3d 124,(Fla. Dist. Ct. App. 2016) (foregone conclusion exception applies to passcodes, which are the target of prosecutors’ inquiry).
14. 117 N.E.3d 702 (Mass. 2019).
15. Id.at 711 nn. 9, 10.
16. Id.at 714; see also State v. Pittman,452 P.3d 1011 (Or. Ct. App. 2019) (same).
17. No. 17-cr-00259, 2018 WL 1964588, at *3 (N.D. Cal. Apr. 26, 2018).
18. Id.

This article, which was originally published in the December issue of Circuits, has been edited and reprinted with permission.

PIERRE GROSDIDIER also includes data privacy and unauthorized computer access issues and litigation. Prior to practicing law, he worked in the process control industry. Grosdidier holds a Ph.D. from Caltech and a J.D. from the University of Texas. He is a member of the State Bar of Texas, an AAA Panelist, a registered P.E. in Texas (inactive), a member of the Texas Bar Foundation, a fellow of the American Bar Foundation, and the State Bar of Texas Computer & Technology Section secretary for 2019-2020. Grosdidier was the section’s webmaster and CircuitseJournal co-editor for 2018-2019.

{Back to top}