Indiana Appeals Court Says Forcing Someone To Unlock Their Phone Violates The 5th Amendment

Passwords and PINs still beat fingerprints when it comes to the Fifth Amendment. But just barely. Nothing about the issue is settled, but far more cases have been handed down declaring fingerprints to be non-testimonial. Fingerprints are obtained during the booking process -- a physical, traceable representation of the suspect. If they can be obtained during booking, they can certainly be obtained again to unlock a device. A physical aspect of a human being can't be considered "testimonial" as far as courts have interpreted the Fifth Amendment.

Passwords are a different story, but not by much. In a handful of cases, courts have said the compelled production of passwords and PINs has no Fifth Amendment implications. Defendants, conversely, have argued compelled password production forces them to testify against themselves by facilitating the production of evidence to be used against them.

This argument hasn't had much success. Judges have frequently found password production to be just as non-testimonial as a person's fingerprint. The argument here is that all law enforcement wants is a password, not the production of evidence. Under the "foregone conclusion" theory, all the government has to prove is that the person being asked to unlock a device can unlock the device.

This decouples password production from its consequences: the production of evidence by defendants that the government will use against them in court. When this theory is applied, the Fifth Amendment is sidelined and replaced with the ultra-low bar of foregone conclusion.

But passwords aren't fingerprints and can be testimonial. Unlocking a device law enforcement is going to search for evidence states clearly that a person owns or controls the device and its contents. That makes it very easy for the government to link a device's illicit contents to the person who was ordered to unlock it.

A case from Indiana's Court of Appeals -- via FourthAmendment.com -- addresses these arguments with a bit more sympathy for compelled testimony arguments. The government argued there's nothing testimonial about a password. The court, in a lengthy decision [PDF], disagrees.

[W]e consider [Kaitlin] Seo’s act of unlocking, and therefore decrypting the contents of her phone, to be testimonial not simply because the passcode is akin to the combination to a wall safe as discussed in Doe. We also consider it testimonial because her act of unlocking, and thereby decrypting, her phone effectively recreates the files sought by the State. As discussed above, when the contents of a phone, or any other storage device, are encrypted, the cyphertext is unintelligible, indistinguishable from random noise. In a very real sense, the files do not exist on the phone in any meaningful way until the passcode is entered and the files sought are decrypted. Thus, compelling Seo to unlock her phone goes far beyond the mere production of paper documents at issue in Fisher, Doe, or Hubbell. Because compelling Seo to unlock her phone compels her to literally recreate the information the State is seeking, we consider this recreation of digital information to be more testimonial in nature than the mere production of paper documents.

The court also says there's nothing to the government's argument that unlocking a phone for police is somehow different -- and less of a Fifth Amendment issue -- than turning over a password to police.

[B]ecause we believe that electronic data and the devices that contain it are fundamentally different than paper documents and paper storage, we reject the State’s attempt to distinguish between compelling Seo to convey her passcode to the State and compelling Seo to simply unlock her phone by entering the passcode itself. It is a distinction without a difference because the end result is the same: the State is compelling Seo to divulge the contents of her mind to obtain incriminating evidence.

This decision shores up Fifth Amendment arguments against compelled decryption and password production. The state appeals court then goes further, instructing state judges and law enforcement agencies to seek less invasive -- and less constitutionally-problematic -- methods of obtaining evidence.

Going forward, we ask reviewing courts of last resort to consider the following structure for resolving decryption requests from law enforcement authorities: 1. Requiring a defendant to decrypt digital data should be legally recognized for what it is—coerced recreation of incriminating evidence— and compulsory process for that purpose should be strictly limited for precisely that reason. 2. In some instances, law enforcement officials will have legitimate need of digital information that is protected by encryption. 3. If the law enforcement request is a bona fide emergency, with verified concern about the possibility of further and immediate serious criminal acts, a warrant that describes the other imminent crime(s) suspected and the relevant information sought through a warrant, both with reasonable particularity, will likely satisfy Fourth and Fifth Amendment requirements. 4. In non-emergency situations, law enforcement should be required to first seek the digital data it wants from third parties, such as internet “cloud” sources, cellphone companies, or internet providers (ISPs), where a defendant has practically, if not explicitly, consented to production upon legal process from a court of competent jurisdiction. 5. Exceptions to the Fourth Amendment and its state analogues, such as the plain view doctrine and the good faith exception, should be inapplicable to, or strictly limited in, the search and seizure of digital data stored on devices owned or controlled by that defendant, or from “Cloud” subscriptions that defendant owns or uses.

It's a thoughtful decision that runs contrary to many rulings covering the same subject. But it is limited to the state of Indiana, so it's not going to undo any federal precedent. But it does give those representing clients facing demands for password production another citation in their favor. More importantly, it sets a new baseline for lawful demands for data production, wresting control away from law enforcement agencies unlikely to impose these constraints of their own.