Florida man won't be compelled to reveal iPhone passcode, yet
The state's top court, however, may be asked to intervene
Florida's Fourth District Court of Appeals has granted a petition by a defendant not to be forced to reveal his iPhone passcode and iTunes password, based on the US Fifth Amendment's protection against self-incrimination.
The defendant, a minor referred to as G.A.Q.L in his petition against the State of Florida, was involved in a car crash in which one of the passengers died. Police investigating the accident asked a lower court to force the defendant to reveal his iPhone passcode and iTunes password, both of which were needed to search the device because of a pending iOS software update. The lower court granted the state's request and ordered the minor to comply.
The appellate ruling to disallow forced passcode production conflicts with a previous decision elsewhere in the state's judicial system, State v. Stahl (2016), which found that that the government, aware of the documents it was seeking on an iPhone, could require a person to reveal a device passcode.
Phone crypto shut FBI out of 7,000 devices, complains chief g-manREAD MORE
"This case adds to the disagreement over how to analyze compelled decryption orders in the context of passcodes," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, in an email to The Register.
The court hearing Stahl, Florida's Second District Court of Appeals, made its ruling based on the foregone conclusion doctrine which holds that the act of revealing a passcode isn't protected testimony when the government can establish that the evidence it seeks exists, is in the possession of the accused, and is authentic.
Pfefferkorn explains that courts grappling with the issue of encrypted devices have agreed that revealing a passcode is testimonial, meaning it cannot be forced, per the parameters of the US Fifth Amendment protection against having to testify against oneself.
The foregone conclusion doctrine, articulated in the US Supreme Court's Fisher v. United States (1976), provides an exception under which passcodes can be compelled. However, courts haven't been consistent in the way they apply this doctrine.
"Some courts have focused on the passcode itself, whereas others have focused on the documents on the phone," explained Pfefferkorn. "That is, some courts ask: Based on the other evidence the government has, is it a foregone conclusion that the defendant knows the passcode?"
"Other courts ask: Based on that other evidence, are the existence, authenticity, and defendant's control over the files on the phone a foregone conclusion? Stahl sided with the line of cases that have picked the first way as the right way to analyze the Fifth Amendment foregone-conclusion issue; this new case went with the latter."
Courts in other jurisdictions have accepted the Stahl interpretation of the foregone conclusion doctrine, as can be seen in a California case this year where the defendant was required to provide the passcodes to decrypt his iPhone, hard drive and Alienware laptop.
Authorities also have the option to access locked devices by applying the owner's finger to a fingerprint sensor or the owner's face to a facial recognition system, because biometric access is not considered protected testimony.
In deciding to disallow the government's passcode revelation demand, Florida's Fourth District Court of Appeals relied on a ruling from the United States Court of Appeals for the Eleventh Circuit, which oversees Florida’s federal trial-level courts among others.
The Eleventh Circuit in a 2012 case held that compelled passcode production is prohibited if the foregone conclusion doctrine does not apply. That is to say, the government cannot force people to reveal the passcode of a device unless it knows the accused knows the passcode and it knows the accused's device contains specific evidence.
However, the Fourth District Court of Appeals disagrees with Second District's conclusion in Stahl that being forced to reveal a passcode fails to qualify as protected testimony. In its decision, the Fourth District Court of Appeals said:
It is critical to note here that when it comes to data locked behind a passcode wall, the object of the foregone conclusion exception is not the password itself, but the data the state seeks behind the passcode wall. To find otherwise would expand the contours of the foregone conclusion exception so as to swallow the protections of the Fifth Amendment. For example, every password-protected phone would be subject to compelled unlocking since it would be a foregone conclusion that any password-protected phone would have a passcode. That interpretation is wrong and contravenes the protections of the Fifth Amendment.
In a phone interview with The Register, Stephanie Lacambra, criminal defense staff attorney at the Electronic Frontier Foundation, said, "With this split between the Second and Fourth Districts in Florida, it's only a matter of time before this goes to the Florida Supreme Court."
The case could go further still if the State of Florida or the defendant, unhappy with the outcome at the state level, asks for and receives review by the US Supreme Court.
Lacambra agrees with the Fourth District's reasoning. Courts have been misapplying the foregone conclusion doctrine, she said, because they separate the passcode from the information it reveals. "They're not trying to get at the passcode but the files behind them," she said.
Lacambra argues that compelled passcode revelation and forcing people to supply biometric patterns to unlock devices is inherently testimonial because doing so translates unintelligible information into readable form. ®
Sponsored: Becoming a Pragmatic Security Leader