It has been almost a decade since Apple first offered encryption on iPhones, but the legal fight over compelled decryption remains a pitched battle. A recent volley saw the Massachusetts Supreme Judicial Court double down on the wrong side of recurring litigation over when, if ever, the government can force someone to decrypt a digital device that has been seized pursuant to a valid search warrant. As encryption winds its way into the U.S. Supreme Court’s vocabulary, defense lawyers and advocates should pay careful attention to these developments – and be prepared to confront them in court.
Encryption is as omnipresent as computers, tablets, and smartphones. Yet the Supreme Court has not provided guidance on the constitutional implications of compelling a suspect to decrypt a digital device (for example, by unlocking a cell phone). The Court has recently and repeatedly recognized that cell phones demand Fourth Amendment privacy protections due to the immense volume and nature of the personal data they contain. But it has been silent so far on compelled decryption, which implicates the Fifth Amendment right against self-incrimination. As a result, lower courts have created a patchwork of different legal frameworks for viewing the compelled decryption problem.
Recently, in Commonwealth v. Jones, Massachusetts held that compelled decryption does not violate the Fifth Amendment, provided that the government can prove the owner has knowledge of the passcode beyond a reasonable doubt. So, at least in Massachusetts, if the government can show you know the passcode to your phone, then you can be forced to decrypt it. In such circumstances, the court reasoned, doing so would not disclose to the government anything it did not already know; any incriminating facts that would be conveyed by the act of decryption are a “foregone conclusion.”
The problem with this test, of course, is that it is really no test at all — people tend to know the passcodes to their own phones. An alternative view, endorsed by the Eleventh and Third Circuit Courts of Appeals, applies the Fifth Amendment more broadly than does Massachusetts. As outlined in a new primer from the National Association of Criminal Defense Lawyers’ Fourth Amendment Center (where I work), the realities of modern technology require such rethinking of old doctrines to adequately safeguard constitutional rights into the future.
From a doctrinal perspective, there are a few hoops to clear for the Fifth Amendment privilege against self-incrimination to apply: the evidence sought must be (1) compelled, (2) incriminating, and (3) testimonial. The first two requirements are easily satisfied when a court orders a suspect to decrypt a device that is likely to contain evidence inculpating the suspect in a crime. But courts have not yet come to a consensus on whether passcodes are “testimonial.” In general, the Supreme Court has said that whether evidence is “testimonial” turns on whether the government is forcing someone to “disclose the contents of his own mind,” contrasting the secret combination to a wall safe with surrendering the key to a strongbox. A combination is something people know, unlike the bumps and ridges of a key. Who could pick out their own front door key from a lineup? As a result, many lower federal courts have correctly likened a passcode to a secret safe combination.
But there is one potential exception to take into account: the “foregone conclusion” doctrine. Created by the Supreme Court in the 1976 case Fisher v. United States, the doctrine generally holds that the Fifth Amendment doesn’t apply if the “testimony” would add “little or nothing to the sum total of the Government’s information.” But the Supreme Court has never applied the exception beyond business documents, noting that there may be “special problems of privacy” where more private documents, like a diary, are at issue. And even if the doctrine does apply, it still begs the question: what does the government have to prove it knows before forcing a person to decrypt their phone or computer? Is it enough to show that someone knows their own passcode? Or is something more required? Should the government have to prove that the device contains known evidence attributable to the individual?
Unlike Massachusetts, the Eleventh Circuit has required the government to show that it knows the location, existence, and authenticity of the purported evidence with reasonable particularity. This requirement is important, as there is no way to tell the difference between relevant files and blank space on an encrypted device; the data in its encrypted form would appear to be random characters in each instance, giving no indication of whether it contained evidence of a crime, or no data at all. Consequently, the Eleventh Circuit found it insufficient for the government to allege that there maybe incriminating data on the defendant’s encrypted hard drives when the government does not know what data, if any, is on them. The Third Circuit applied the same test five years later. In U.S. v. Apple Macro Computer, the court found the criteria satisfied based on testimony that the defendant had shown his sister hundreds of images of child pornography on the encrypted drives at issue in the case.
The Eleventh and Third Circuits focused on whether the government already knew what the suspect had stored on the device. While the government need not precisely identify the files it seeks, the requirement aims to prevent “fishing expeditions” by requiring the government to demonstrate some knowledge that the evidence it is after actually exists on the device. The Massachusetts Supreme Court, however, did away with this requirement, requiring only that the government show beyond a reasonable doubt that the defendant knows the passcode.
Courts are further split on whether compelling the use of a biometric key (e.g., FaceID, TouchID) is different from a passcode. While some courts have linked compelling the input of biometric keys to taking a fingerprint or mugshot, more recent decisions have found the analogy lacking in a digital context. For example, the Northern District Court of California found that “biometric features serve the same purpose of a passcode, which is to secure the owner’s content, pragmatically rendering them functionally equivalent.” Drawing on the Supreme Court’s landmark 2014 decision in Riley v. California, the court explained that “mobile phones are subject to different treatment than more traditional storage devices, such as safes, and should be afforded more protection.” Likewise, in 2017, the Northern District of Illinoisdismissed the analogy to fingerprinting, explaining that when a suspect uses their finger to unlock their phone, they are demonstrating that they have accessed the device before, and that they have some level of control and authority over the phone.
In light of these recent decisions, there was some hope that the Massachusetts Supreme Court would rethink its precedent on compelled decryption – especially now, with the benefit of the U.S. Supreme Court’s landmark decisions on cell phone privacy in Riley and Carpenter. Sadly, Massachusetts declined the invitation and furthered a rule that risks reducing the Fifth Amendment to a formality. It also widened the split among courts on what test to apply in compelled decryption cases, making it increasingly likely that the Supreme Court will address the question.
Until that time, however, defense attorneys should be sure to educate themselves on the basics of compelled decryption, and come equipped with the best cases to ensure the protections of the Fifth Amendment continue to apply in the digital age.