iPhone user can be forced to produce the passcode to his phone, court rules
I have blogged a few times about the Fifth Amendment limits of forced decryption, especially in light of a case pending on the issue in the Third Circuit. Although that federal case is still pending, the Florida Court of Appeals (Second District) has handed down a new decision, State v. Stahl, on the same issue. Stahl holds that the government can force an iPhone user to hand over the passcode to unlock the phone so long as the government can show that the user knows the passcode.
I think Stahl is correct, and I thought I would explain the case and its reasoning.
The facts of Stahl are simple. Stahl has been arrested for allegedly surreptitiously taking pictures up the skirt of a female shopper in a clothing store. The police seized Stahl's iPhone 5, which they think he used to take the pictures. The police have a warrant to search the phone for the images he took to prove his crime. They can't get into the phone, however, because it is locked. The police asked Stahl for the passcode to his iPhone, but he refused to provide it.
The government then sought an order compelling Stahl to produce the passcode. "It is not entirely clear from the record," the court explains, "whether the State wants Stahl to testify to the passcode or to enter it into the phone." The issue in the case is whether the Fifth Amendment bars the order. The trial court concluded that it did because the government did not satisfy the foregone conclusion doctrine. Specifically, the government did not show with reasonable particularity what the contents of the phone were.
The Court of Appeals disagreed, ruling that the Fifth Amendment doesn't bar the order under the foregone conclusion doctrine because it's the foregone knowledge of the password, not the contents of the phone, that matter. Here's the analysis from Judge Black:
In order for the foregone conclusion doctrine to apply, the State must show with reasonable particularity that, at the time it sought the act of production, it already knew the evidence sought existed, the evidence was in the possession of the accused, and the evidence was authentic. In re Grand Jury, 670 F.3d at 1344.13
Although the State need not have "perfect knowledge" of the requested evidence, it "must know, and not merely infer," that the evidence exists, is under the control of defendant, and is authentic. United States v. Greenfield, No. 15-543, 2016 WL 4073250, *6-7 (2d Cir. Aug. 1, 2016). Where the foregone conclusion exception applies, "[t]he question is not of testimony but of surrender." Fisher, 425 U.S. at 411 (quoting In re Harris, 221 U.S. 274, 279 (1911)).
To know whether providing the passcode implies testimony that is a foregone conclusion, the relevant question is whether the State has established that it knows with reasonable particularity that the passcode exists, is within the accused's possession or control, and is authentic. See In re Boucher, 2009 WL 424718 at *3 ("The Government thus knows of the existence and location of the Z drive and its files." (emphasis added)). But see Baust, 89 Va. Cir. 267 ("Contrary to the Commonwealth's assertion, the password is not a foregone conclusion because it is not known outside of Defendant's mind." (emphasis added)).
The question is not the State's knowledge of the contents of the phone; the State has not requested the contents of the phone or the photos or videos on Stahl's phone. Cf. In re Grand Jury, 670 F.3d at 1346-47 (concluding that "[n]othing in the record before us reveals that the Government knows whether any files exist and are located on the hard drives" where the Government requested production of the contents of the hard drives). But see Huang, 2015 WL 5611644 at *3 (stating that, where the SEC sought passcodes and not the contents of the smartphones, "the SEC proffers no evidence rising to a 'reasonable particularity' any of the documents it alleges reside in the passcode protected phones." (emphasis added)).
The State established that the phone could not be searched without entry of a passcode. A passcode therefore must exist. It also established, with reasonable particularity based upon cellphone carrier records and Stahl's identification of the phone and the corresponding phone number, that the phone was Stahl's and therefore the passcode would be in Stahl's possession. That leaves only authenticity. And as has been seen, the act of production and foregone conclusion doctrines cannot be seamlessly applied to passcodes and decryption keys. If the doctrines are to continue to be applied to passcodes, decryption keys, and the like, we must recognize that the technology is self-authenticating-no other means of authentication may exist. Cf. Greenfield, 2016 WL 4073250 at *8 (recognizing "[i]mplicit authentication" of documents (alteration in original) (quoting United States v. Fox, 721 F.2d 32, 38 (2d Cir. 1983))). If the phone or computer is accessible once the passcode or key has been entered, the passcode or key is authentic.
The court concludes:
The trial court departed from the requirements of the law by considering only part of the standard used to determine whether a communication is testimonial and by burdening the State with proving the existence of incriminating content on Stahl's phone when that was not at issue. It further departed by requiring the State to establish existence beyond the reasonable particularity standard. Unquestionably, the State established, with reasonable particularity, its knowledge of the existence of the passcode, Stahl's control or possession of the passcode, and the self-authenticating nature of the passcode. See In re Boucher, 2009 WL 424718 at *3. This is a case of surrender and not testimony.
I think this analysis is right, at least assuming that the order would be to enter in the passcode rather than to state it. In particular, the court here recognized that disclosing or using a passcode does not imply any testimony about the contents of the phone. The foregone conclusion doctrine asks only whether the testimony implicit in the act was a foregone conclusion, not whether the status of particular files on the decrypted device were a foregone conclusion. Whether the Fifth Amendment applies boils down to whether the government can prove the person's knowledge of the password sought to be used. That's the key idea I was advocating in my earlier post, and it's the point that the 11th Circuit misunderstood in the In re Duces Tecum case in 2012. I'm glad to see that the court here gets it right.
If the order is to disclose the passcode rather than enter it in, I think the analysis ends up with the same rule but with a somewhat different doctrinal path. For more on my views of compelled password disclosure, as opposed to use, see this post.