As smartphones become increasingly complicated, so do the legal implications for these small devices that hold “the privacies of life.” Riley v. California, 134 S. Ct. 2473, 2494 (2014). Many companies allow their employees to access company data from their personal phones under “bring your own device” or “BYOD” policies. BYOD conventions blur the line between the corporate and personal, and raise interesting questions about whether and how the government can access these devices as part of a government investigation.
One recently litigated issue is whether law-enforcement officials, during a search, can compel a person to disclose passwords or apply his or her fingerprint to access a touch-enabled device. See, e.g., Thomas Fox-Brewster, “Feds Walk Into A Building, Demand Everyone’s Fingerprints to Open Phones,” Forbes, Oct. 16, 2016 (referring to subpoena issued by the U.S. Attorney’s Office for the Central District of California). Including such a request in a traditional search warrant raises both Fourth and Fifth Amendment implications. While the traditional jurisprudence is somewhat ill-equipped to handle these new technological challenges, guidance is emerging from modern courts, including two 2017 decisions.
In February, the Northern District of Illinois rejected the portion of a search-warrant application requiring any individual present at the subject premises at the time of the search to provide a fingerprint to unlock a device. In re Application for a Search Warrant, --- F. Supp. 3d ----, 2017 WL 758218 (N.D. Ill. Feb. 16, 2017). Important to the court in drawing its conclusion was the lack of factual grounds for such a sweeping search. Notably, the warrant did not identify either the devices to be searched or the expected evidence to be located on them with any particularity. Analyzing the proposed search under the Fourth Amendment prohibitions against unreasonable search and seizure, the court made clear that it was not protecting the fingerprint, but rather the method of obtaining the fingerprint. Based on the information presented to the court, the government was not justified in “seeking the authority to seize any individual at the subject premises and force the application of their fingerprints.”
Considering the Fifth Amendment protections for testimonial evidence, the court acknowledged case law holding that depressing a fingerprint is more akin to a physical act than a testimonial one. However, it found that “[b]y using a finger to unlock a phone’s contents, a suspect is producing the contents on the phone. With a touch of a finger, a suspect is testifying that he or she has accessed the phone before, at a minimum, to set up the fingerprint password capabilities, and that he or she currently has some level of control over or relatively significant connection to the phone and its contents. The court also acknowledged long-standing precedent that the Fifth Amendment does not protect a person against compulsory fingerprinting. Nonetheless, it found that the circumstances presented by modern smartphones cannot have been contemplated by courts in prior eras.
In conclusion, the court noted that its decision was not a blanket prohibition against forced fingerprinting in all situations involving smartphones. Particularly where there is an individualized showing of the connection between the device and the conduct, established Fourth and Fifth Amendment jurisprudence may provide for such access.
The presence of such particularized facts generally explains why in March the Third Circuit affirmed a decryption order in the face of similar Fifth Amendment objections. United States v. Apple MacPro Computer, 851 F.3d 238 (3d Cir. 2017). In this case, the government lawfully seized certain devices, including password-protected iPhones and encrypted hard drives. After the target of the investigation refused to provide the passwords to decrypt the hard drives, the government obtained a court order compelling their decryption. The target objected to the order on the grounds that providing the password would violate his Fifth Amendment privilege against self-incrimination. The court applied the foregone-conclusion rule, an exception to the Fifth Amendment protections against productions that are by their nature testimonial. Under that doctrine, the Fifth Amendment does not protect acts of production which do not add much “to the sum total of the government’s existing information.” Here, because the government already had incriminating evidence from the other devices, as well as testimony from the target’s sister about the files likely to be located on the drives, any testimonial component of producing the passwords would be a foregone conclusion.
Direction on these issues in the context of a corporate search remains scant. In a 2015 decision, the Eastern District of Pennsylvania addressed whether employees had a Fifth Amendment privilege against disclosing their passwords for company-issued smartphones. Securities and Exchange Commission v. Huang, Civil Action No. 15-269, 2015 WL 5711644, at *1 (E.D. Penn. Sept. 23, 2015). The court relied heavily on company policy that corporate officials did not know individual employees’ smartphone passwords in ruling that the employees could not be compelled to reveal them. Because the information was uniquely in the minds of the individuals, revealing the passwords was testimonial in nature and therefore protected.
As law enforcement continues to adapt to the rapid pace of technology, these issues will continue to evolve. Attorneys on both sides of a criminal case need to be mindful of the critical balancing act between Constitutional protections and lawful efforts to obtain evidence in the digital age.
Eileen H. Rumfelt is with Miller & Martin, PLLC in Atlanta, Georgia.