The Fifth Amendment, Decryption and Biometric Passcodes
The spread of commercially available encryption products has made it harder for law enforcement officials to access to information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray said that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It’s a “huge, huge problem,” Wray said.
Published by The Lawfare Institute
in Cooperation With
The spread of commercially available encryption products has made it harder for law enforcement officials to access to information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray said that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It’s a “huge, huge problem,” Wray said. One might think that a way around this problem is for the government to order the user to produce the password to the device. But such an order might face a big hurdle: the Fifth Amendment. A handful of cases have emerged in recent years on the applicability of the Fifth Amendment to demands for passwords to encrypted devices. The protections afforded by the amendment depend on, among other things, whether the password involves biometric verification via a unique physical feature, or the more typical string of characters (passcode). As we will see, the government has a bit more leeway under the Fifth Amendment to insist on the decryption of personal computing devices using biometric passwords that—as in the new iPhone X—are increasingly prevalent.
The Fifth Amendment
The Supreme Court recognizes “the Fifth Amendment does not independently proscribe the compelled production of every sort of incriminating evidence, but applies only when the accused is compelled to make a testimonial communication that is incriminating.” For information to be testimonial, the Supreme Court has said, “an accused's communication must itself, explicitly or implicitly, relate a factual assertion or disclose information ... The expression of the contents of an individual's mind falls squarely within the protection of the Fifth Amendment.”
The Fifth Amendment and Compelled Decryption: Biometric Verification vs. Passcodes
Biometric Verification
Courts are in relative accord that the Fifth Amendment doesn’t protect against the production of physical features or acts. For example, the Fifth Amendment does not bar the compelled production of a person’s voice, blood, handwriting or visage; although the features may be incriminating, they have no testimonial or communicative nature. Specifically, the court notes in United States v. Wade that “[i]t is compulsion of the accused to exhibit his physical characteristics, not compulsion to disclose any knowledge he might have.” Relying on these cases, the Circuit Court of Virginia Beach and Court of Appeals of Minnesota agreed that, as with any physical feature, the government can compel a suspect to produce a biometric password. Indeed, the court in State v. Diamond held, “the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing.”
Notably, a federal district court in northern Illinois recently found that the production of a biometric password wasn’t analogous to production of physical evidence. The court, citing Riley v. California, reasoned, “We do not believe that a simple analogy that equates the limited protection afforded a fingerprint used for identification purposes to forced fingerprinting to unlock an Apple electronic device that potentially contains some of the most intimate details of an individual's life (and potentially provides direct access to contraband) is supported by Fifth Amendment jurisprudence.” Although its reasoning is grounded in Fourth Amendment privacy concerns, the court opened the door for Fifth Amendment protections of biometric passwords. While biometric passwords are touted as more convenient, secure measures of authentication, they are less so when the government requests the production thereof.
Passcodes
In contrast to a purely physical biometric password, the Fifth Amendment offers greater protections for passcodes. Though not itself an encryption case, Fisher v. United States is the cornerstone of our understanding on how the Fifth Amendment applies to compelled production of a password. In Fisher, the IRS ordered two taxpayers to produce incriminating documents. The defendants challenged the order, claiming that the content of the documents was incriminating and therefore protected by the Fifth Amendment. The court disagreed, holding the government’s request for the documents, “d[id] not compel oral testimony; nor would it ordinarily compel the taxpayer to restate, repeat, or affirm the truth of the contents of the documents sought. Therefore, the Fifth Amendment would not be violated by the fact alone that the papers, on their face, might incriminate the taxpayer, for the privilege protects a person only against being incriminated by his own compelled testimonial communications.” However, the court was clear: while the content was itself not protected, the act of production could be testimonial irrespective of the content. The court reasoned, “[t]he act of producing evidence in response to a subpoena nevertheless has communicative aspects of its own, wholly aside from the contents of the papers produced. Compliance with the subpoena tacitly concedes the existence of the papers demanded and their possession or control by the taxpayer.” The court thus recognized that, in some instances, the Fifth Amendment protects the act of production.
Despite the act of production principle, the court in Fisher reasoned that “[t]he existence and location of the papers are a foregone conclusion, and the taxpayer adds little or nothing to the sum total of the Government's information by conceding that he, in fact, has the papers. Under these circumstances ... ‘no constitutional rights are touched. The question is not of testimony, but of surrender.’” This is referred to as the “foregone conclusion” exception to the “act of production” doctrine. In short, the Fifth Amendment is not implicated if the government knows of the existence, possession and authenticity of incriminating evidence, because the production thereof contains no testimonial import. Both the act of production and foregone conclusion doctrines are important to our understanding of how the Fifth Amendment protects against the compelled production of our passwords.
To date, only two federal appellate courts have applied the Fifth Amendment to compelled decryption in the context of passcodes. The Eleventh Circuit in In Re: Grand Jury Subpoena (U.S. v. Doe) held that the government can’t compel a person to produce a password unless it knows the person possesses the password and knows, with reasonable particularity, that the device contains incriminating evidence. In the case, the government conducted an investigation of the defendant whom it suspected was sharing child pornography. Law enforcement executed a search warrant on his room and lawfully seized seven devices, all of which were encrypted. While the government knew the devices were the defendant’s, it didn’t know whether any incriminating files were stored on the drives. Invoking the act of production doctrine, the court held that “the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Because the existence, possession and authenticity of the content on the device wasn’t a foregone conclusion, the Fifth Amendment protected the act of producing a decrypted device. Many courts, both federal and state, agree with the Eleventh Circuit’s interpretation and application of the foregone conclusion doctrine. (For examples, see here, here and here.) It is worth noting that often times, as shown in U.S. v. Doe, the government employs the use of contempt orders to incentivize the compelled decryption of devices. But the efficacy of contempt sentences depends on whether the suspect is in custody and, when in custody, the suspect’s perceived consequences of conviction. First, if a suspect is dead, out of the country or otherwise absent, the threat of contempt is effectively useless as there is no one available to suffer the consequences of confinement. Second, even if a suspect may be held in contempt, the potential consequences of conviction may outweigh the consequences of a contempt sentence, thereby reducing the incentive to comply with an order to decrypt. For example, in U.S. v. Apple Macpro, the suspect has spent over two years in contempt and remains confined indefinitely, despite the fact that his conviction may not result in a life sentence. For this suspect and possibly many others, a contempt charge may be perceived as more lenient than the charge for the underlying crime.
A different interpretation has emerged in the Third Circuit’s decision in Apple Macpro. The court upheld a contempt order that was issued when the defendant refused to comply with a decryption order. The lower court applied the foregone conclusion doctrine using the Eleventh Circuit’s approach and ruled that because the government knew of incriminating content on the phone with reasonable particularity, there were no Fifth Amendment implications. However, while the appeals court approved, the judge also argued (in a footnote) that:
It is important to note that we are not concluding that the Government’s knowledge of the content of the devices is necessarily the correct focus of the “foregone conclusion” inquiry in the context of a compelled decryption order. Instead, a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production. In this case, the fact known to the government that is implicit in the act of providing the password for the devices is "I, John Doe, know the password for these devices." Based upon the testimony presented at the contempt proceeding, that fact is a foregone conclusion.
Put simply, the court reasons that all the government needs to know in order to compel the production of a password is simply that the password exists, that it is in the possession of the suspect and is authentic. According to the court, when a suspect produces a password, that act is simply a narrow testimonial assertion relating only to the password, not the incriminating content on the device. To date, the Florida Court of Appeals is the only court to adopt this line of reasoning. Orin Kerr, writing on the application of the foregone conclusion doctrine, has a similar interpretation of it: “To know whether entering a password implies testimony that is a foregone conclusion, the relevant question should therefore be whether the government already knows that the suspect knows the password.” Commenting on Apple Macpro, Kerr notes, “It’s dicta, but it’s ‘very strong’ dicta. The issue will live for another day without a circuit split. But given that I think the footnote is correct, I hope it will be followed in future cases.”
Questions to Consider Concerning Evolving Password-Based Technology
Electronic device users face important questions of how secure they want their devices—and from whom. If one’s primary desire is to guard against the government, biometric passwords—such as Apple’s TouchID or FaceID—may not deliver the desired protection. Apple may have a solution to address the concerns illustrated above. iPhone users can use TouchID (a fingerprint password) and, when necessary, tap the power button five times to temporarily disable the setting and return to a traditional passcode. While this has been deemed the “cop button,” the feature is more likely to be used in cases of emergency.
Moreover, the discussion in this post raises potential issues with password managers such as Dashlane and LastPass. These applications use fingerprint ID technology to guard dozens, if not hundreds, of the user’s passwords. This presents two issues. First, biometric passwords are afforded fewer constitutional protections. Second, and more importantly, the application, if accessed by the government, would present law enforcement with an entire catalog of a user’s character-based passcodes. The act of producing the passcodes contained in the application wouldn’t require the user to produce any testimonial information and thus the traditional Fifth Amendment implications concerning the compelled production of the stored passcodes would be limited. Under the principles discussed, these types of applications may provide users the least amount of protection against the government.