The Indiana Supreme Court recently issued a significant ruling severely limiting the extent to which law enforcement may compel a suspect to unlock smartphone security measures designed to protect user data.
In a 3-2 majority opinion, the court held that forcing a suspect to unlock a smartphone to provide access to the phone’s data, violates the suspect’s Fifth Amendment right against self-incrimination.
The decision presents another victory for privacy advocates, as courts in Florida, Wisconsin, and Pennsylvania have issued similar holdings in spite of several federal court rulings that compelled production of smartphone passcodes.
The State Supreme Court Decision
Police confiscated defendant Katelin Seo’s iPhone upon arrest and obtained a search warrant. Because the phone was locked, the state requested and the trial court ordered Seo to unlock her iPhone.
Seo refused, invoking her Fifth Amendment right against self-incrimination, and the trial court found her in contempt. The Indiana Court of Appeals reversed the trial court’s contempt order, finding it violated the Fifth Amendment, and the Indiana Supreme Court granted transfer..
The majority held that the compelled production of an unlocked smartphone is testimonial unless the state could demonstrate the “foregone conclusion” exception applies. Under the foregone conclusion exception, communicative aspects of an act may be rendered nontestimonial if the state can show that it already knows the information conveyed. Fisher v. United States, 425 U.S. 391, 410 (1976).
The state failed to make that showing in this case—one of the state’s witnesses confirmed that he would be “fishing for ‘incriminating evidence’ from the device.” Drawing on analogies from self-incrimination cases before the U.S. Supreme Court, the majority concluded that surrendering an unlocked device communicates, at least implicitly that (1) the suspect knows the password; (2) the files on the device exist; and (3) the suspect possessed those files. It is up to the state to prove that it already knows this information.
The court further opined that extending the foregone conclusion exception to the compelled production of an unlocked smartphone (1) fails to account for the unique ubiquity and capacity of smartphones; (2) may prove unworkable, because smartphones contain, in digital form, the “combined footprint of what has been occurring … in the owner’s life”; and (3) contradicts U.S. Supreme Court precedent concerning privacy interests implicated by smartphones.
Quoting former U.S. Supreme Court Justice Louis Brandeis, the court held: “Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home … [t]hat day has come.”
To that end, the court described other ways for law enforcement to obtain evidence from smartphones. Officers can try to obtain the information from third parties under the Stored Communications Act; by paying a third party service provider to access the smartphone; or by compelling the manufacturer to bypass the lock screen.
The dissenting justices argued the case was moot, yet the majority held that the state demonstrated continued interest in searching Seo’s phone; thus, Seo could face new or additional charges. The majority concluded by saying the case “presents a novel, important issue of great public importance that will surely recur.”
As more smartphones migrate to biometric security, this question will linger: is there (or should there be) a distinction between biometric security and a typed-in passcode? Courts remain split on this issue, with federal courts in Idaho, California, and Illinois holding biometric features to be testimonial, and courts in Washington, D.C., and Minnesota reaching opposite conclusions.
The majority analogized entering a password to unlock a device to the physical act of handing over documents—a distinction that fails to take into account that the passcodes on many modern smartphones not only function as the “key” to open the lock to the phone, but also as a component to the keys used to encrypt the device and often, data stored in a cloud.
The court further compared the files on a smartphone to documents ultimately produced during an investigation. By refusing to apply the foregone conclusion exception in this case, the majority admitted that it is difficult to apply entrenched Constitutional principles to constantly evolving technology.
Furthermore, although the majority opinion addresses the narrow issue of whether law enforcement can force an individual to unlock their phone, it implicates other key privacy considerations for both law enforcement and consumers.
Third parties continuously collect forensics from smart phones for law enforcement despite many attempts to curtail these activities. And in January 2019, a federal district court in California held that even if a person cannot be forced to provide biometric data to unlock a smart phone, data on the phone—such as Facebook Messenger communications—could still be accessed under the Stored Communications Act.
Although the Seo decision may be a victory for individual privacy, the battle between privacy, law enforcement, and jurisprudence continues.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Stephen E. Reynolds is a partner in Ice Miller LLP’s Litigation and Data Security and Privacy groups. He frequently advises clients on complex matters involving data security and privacy laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP).
Guillermo Christensen is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Groups. He combines his experience as an attorney, a former CIA intelligence officer and a diplomat with the U.S. Department of State to shape and inform the advice he provides to clients on various enterprise risks involving cybersecurity and national security law.
Mason Clark is an associate in Ice Miller’s Data Security and Privacy group. He has experience working with state, national and international data privacy laws, including the European Union General Data Protection (GDPR) and the California Consumer Privacy Act (CCPA).
To read more articles log in.