by Diego Wright*
Law enforcement agencies are increasingly seeking to compel the disclosure of passwords from the owners of password-protected encrypted devices, such as cell phones. Does the government have the right to compel this disclosure? In this Contribution, Diego Wright (‘22) argues that the Fifth Amendment right against self-incrimination protects an individual from being forced to disclose their passcode when analyzed under the “foregone conclusion” doctrine unless the government can demonstrate they already know the testimonial communications tacit in the act of providing the passcode.
The notion that “the public has a right to every man’s evidence” is well established in American jurisprudence.1 However, the Fifth Amendment guarantees that “[n]o person . . . shall be compelled in any criminal case to be a witness against himself.”2 Where the government seeks to compel the defendant to produce evidence, these two rights squarely conflict. Though the Fifth Amendment most obviously protects verbal or written testimony, the Supreme Court has acknowledged that some actions may be sufficiently communicative to also warrant constitutional protection.3
In Fisher v. United States, when considering whether the government could compel production of documents, the Court reasoned that where production of the documents sought is a “foregone conclusion,” the production of those documents by the accused has so little testimonial value as to not be protected under the Fifth Amendment.4 In other words, where the government already knows of the existence, control, and authenticity of the documents they seek, the accused may be compelled to produce the documents.5
The “foregone conclusion” doctrine originally considered the production of physical evidence like documents. Its application to the digital context may seem straightforward—after all, a digital file is not all that different from a physical one. In practice, the application is not so simple because of encryption. Encryption is a technology which at its most basic transforms legible data into illegible data via a reversable algorithm. This process usually involves a password without which the information within the device is practically inaccessible. The idea to obfuscate information is not new—ciphers have historically achieved similar results6—but encryption’s ubiquity complicates the production of digital documents pursuant to a subpoena or court order.
The basic problem is this: if the government has lawfully obtained a search warrant to search through an individual’s encrypted cell phone, but is prevented from accessing the contents of the phone due to password protection, can the government compel the owner of the phone to produce the password? Courts have attempted to answer this question by treating the situation as a document production and applying the foregone conclusion doctrine. This article will argue that, assuming the foregone conclusion doctrine applies here, the government must demonstrate with reasonable particularity that (1) the accused knows the password to the device, (2) that the files the government seeks exist on the device, and (3) that the accused possesses or controls those files.
It is not obvious how to adapt the foregone conclusion doctrine, originally intended for physical document production, to the context of an encrypted device. In a scenario involving a cell phone, it is often the case that the phone itself is subject to a search warrant, and only after failing to access the contents of the phone is a court order obtained compelling disclosure of the password.7 This is unlike a case like United States v. Hubbell where the documents sought by the Independent Counsel were only ever subject to a grand jury subpoena duces tecum.8 Critically, the doctrine focuses on to what extent the government can demonstrate knowledge about the documents sought.9 Nonetheless, courts applied the doctrine to cell phone production scenarios and have ended up at two competing answers for what is analogous to the documents: the cell phone contents, or the cell phone password.10 The critical question in this analogy is what does the act of unlocking a cell phone really communicate?11
Courts requiring the government to demonstrate knowledge about the cell phone contents have done so because they believe “[g]iving law enforcement an unlocked smartphone communicates to the [government], at a minimum, that (1) the suspect knows the password; (2) the files on the device exist; and (3) the suspect possesses those files.”12 The Indiana Supreme Court reasoned in Seo v. State that the act of production in response to a court order or subpoena tacitly communicates information about the contents of the phone.13 As a result, to satisfy the foregone conclusion doctrine, these testimonial communications must be known to the government already.
Those courts which require the government only to demonstrate knowledge about the cell phone’s passcode believe that the act of unlocking the phone only communicates knowledge about the passcode itself.14 Some of these courts have specifically noted that they are opposed to requiring any further demonstration of information because to do so would be to “import Fourth Amendment privacy principles into a Fifth Amendment inquiry.”15
Courts have additionally considered the implications of what kind of passcode a person chooses to use for their cell phone. Phones allow people to use a variety of passwords or patterns as method to unlock phones, including biometric locks such as fingerprints or facial recognition. It is clearly established that the body of a person as evidence is not protected by the Fifth Amendment.16
The standard the government needs to meet in either analogy is generally “reasonable particularity.”17 This standard has no bright-line definition, but rather depends on the facts of the case at hand. For example, in State v. Andrews, local law enforcement could demonstrate that they knew a passcode existed and that the contents of the phone were password protected.18 Further, law enforcement could establish that the defendant possessed the phone and that he had operated it such that his knowledge of the passcode was established.19 The Court in Andrews required a showing with regard to the cell phone passcode, but noted that had they required a showing with regard to the cell phone contents instead, law enforcement would still have met this burden because they had supplementary information from communication data warrants and witness cooperation which established knowledge of the contents of the phone they sought.20
Similarly, in State v. Stahl the court reasoned that because the phone “could not be searched without entry of a passcode,” a passcode “must exist.”21 The state used “cell phone carrier records,” the defendant’s identification of the phone, and the “corresponding phone number” to show that the phone belonged to the defendant, and inferred from that information that the defendant must know the passcode.22 Lastly, the court noted that the foregone conclusion doctrine cannot be “seamlessly applied” to new technology, and insofar as the doctrine can be applied, the court held that the passcode is authentic if it can be used to open the phone.23 Other courts have required a similar kind of showing to meet these requirements.24 Ultimately, a “mere inference that evidence may exist” is insufficient to satisfy the foregone conclusion doctrine.25
If the foregone conclusion doctrine is to be applied to the production of cell phone contents pursuant to a search warrant, care must be taken to not allow this doctrine become a rubber stamp. The holding of the Supreme Court of Illinois in Seo v. State best analogizes the doctrine from the context of the production of physical documents to that of digital document production. By understanding that the important consideration of the doctrine in Fisher, and later Hubbell, was about the documents ultimately produced, the court in Seo recognized that the act of unlocking the phone communicates testimonial and potentially incriminating information regarding the information produced from the phone. Unlocking a phone communicates this information in the same way that physically obtaining and handing over the documents in Fisher or Hubbell would communicate information about those documents.26 Thus, to properly satisfy the foregone conclusion doctrine in situations involving a cell phone, law enforcement must demonstrate with reasonable particularity that the accused knows the password to the phone, that the files sought exist on the phone, and that the accused possessed those files.27
Opponents of this standard may argue that this is trying to get law enforcement to jump through the Fourth Amendment hoop twice. This is not the case. Though it is true that the Fifth Amendment does not address privacy, it does deal with self-incrimination.28 When a person is asked to provide the passcode to their phone in the context of a criminal investigation into that person, complying with that order communicates incriminating information.29 This leads to the additional point that law enforcement has absolutely no interest in the passcode itself. It is simply a tool to access the information within the cell phone. Allowing law enforcement to gain access to these devices by compelling the very person who stands to suffer from any information gained therein violates the principles underlying the doctrine.
The government compels production of documents because they believe that the documents will be useful to them in some matter or investigation.30 By reviewing these documents, the government hopes to learn relevant and important information related to their investigation or case. This is exceedingly obvious but it must be stressed to understand how the doctrine should be applied. Additionally, this standard is not impossible to meet; in fact, the Supreme Court of New Jersey stated that had they adopted this standard, the police in State v. Andrews would have met it.31
From a policy perspective, it would be unwise to apply the foregone conclusion doctrine in a weak manner. Constitutional precedent from decades ago has been troublesome to apply to modern technology. In Riley v. California and Carpenter v. United States, the Supreme Court recognized that cell phones are unique items and declined to directly apply old precedent.32 Chief Justice John Roberts wrote for the majority in Riley that cell phones were “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”33 The Court in Carpenter recognized that cell phones presented unprecedented privacy concerns, noting that people “compulsively carry cell phones with them all the time” which allows a cell phone to “track nearly exactly the movements of its owner.”34 Though these cases deal directly with the Fourth Amendment, the same considerations apply to the right against self-incrimination as well which “serves to protect the innocent who otherwise might be ensnared by ambiguous circumstances.”35 Given the ease with which police can attain a search warrant that allows access to all parts of a cell phone, the unique nature of these devices demands rigorous protection.36
Proponents of applying the foregone conclusion doctrine to a cell phone passcode argue that to do otherwise would be to overly limit law enforcement’s ability to investigate crime.37 Professor Orin Kerr argues that encryption introduces “password gates” into what would otherwise be “routine searches.”38 Though the possibility of inaccessible data is troublesome, this argument fails to consider that a search through a cell phone is anything but routine. Where the summonses in Fisher compelled production of specific sets of tax documents, some search warrants for a cell phone authorize searches of an enormous wealth of data including messages, call and voicemail records, financial documents, and real-time geolocation data.39 The enormity of information that police can access through a single warrant of a cell phone or a computer is unlike search warrants of bygone days, and modern precedent should reflect that.
Law enforcement would like people to believe that obtaining information is impossible in these situations without the ability to compel production of the password. This is untrue.40 There are several methods to bypass cell phone encryption, including cracking the passcode.41 In 2016, Apple refused to comply with the FBI’s court order demanding they assist the FBI in an investigation into a mass shooting in San Bernardino.42 Though the cell phone passcode in that situation was a major hurdle for the government, it was ultimately bypassed by a third-party company. It is true that these methods can be expensive and time consuming, perhaps to such an extent that it is impractical for some situations.
Even if this is so, other alternatives exist to obtain this information such as third-party search warrants. The government has issued subpoenas to third parties ordering them to provide information for decades.43 The government can obtain cell phone carrier records.44 The government can issue search warrants to companies compelling those companies to provide information about their users.45 Emails, messages, photos, geolocation data, and so much more are backed up on cloud storage systems, and these companies expect search warrants from police—so much so that many of them have pages on their websites stating their policy for such requests.46 It is certainly possible that law enforcement is unable to obtain all of the information they seek through these kinds of third party warrants. However, this information may be used to supplement a motion before the court compelling disclosure of a cell phone passcode.
The Fifth Amendment right against self-incrimination exists to prevent the government from forcing a person to provide evidence against themselves. Justice Louis Brandeis wrote with great prescience in his dissent in Olmstead v. United States that “[t]he progress of science in furnishing the Government with means of espionage is not likely to stop with wire-tapping.”47 Since Justice Brandeis wrote that nearly a century ago, law enforcement’s ability to eavesdrop, intercept, and otherwise obtain private information for use in investigations has grown tremendously. Though perhaps an irritating barrier to law enforcement, cell phone encryption protects many citizens’ most private and intimate data. The foregone conclusion doctrine should not be construed such that it allows “compulsory production of our most private” information.48 Requiring law enforcement to demonstrate some knowledge about what they seek from a cell phone, while certainly somewhat burdensome to law enforcement, maintains the underlying principles of the doctrine, as established in Fisher, and protects the unique nature of a cell phone, which was recently recognized by the Supreme Court.
* Diego Wright is a J.D. Candidate (2022) at New York University School of Law. This piece is a commentary on a problem produced for the 2021 Herbert Wechsler National Criminal Law Moot Court Competition, hosted by the University at Buffalo School of Law. The question presented was whether the “foregone conclusion” doctrine developed in Fisher v. United States, 425 U.S. 391 (1976), in application to the compelled disclosure of a cell phone passcode, requires the government to demonstrate knowledge of the existence of the passcode or to instead demonstrate knowledge of the identity and contents of the specific files and items that it seeks on the cell phone via an expansive search warrant. The views expressed in this contribution do not necessarily represent the views of the author. The article is a distillation of one side of the argument assigned to the team.
1. Trump v. Vance, 140 S. Ct. 2412, 2420 (2020).
2. U.S. Const. amend. V.
3. Fisher v. United States, 425 U.S. 391, 410 (1976) (explaining, for example, that complying with a subpoena for documents “tacitly concedes the existence,” control, and authenticity of the documents by the person compelled).
4. Id. at 411.
5. See United States v. Hubbell, 530 U.S. 27, 44–45 (2000).
6. E.g., United States v. Burr (In re Willie), 25 F. Cas. 38, 39 (C.C.D. Va. 1807) (No. 14,692e) (considering whether a defendant may be compelled to decipher a letter in their own treason trial).
7. See e.g., State v. Pittman, 367 Or. 498, 501 (2021).
8. Hubbell, 530 U.S. at 31.
9. Id. at 44–45 (holding that because the Independent Counsel had no prior knowledge of the existence of the documents sought, the doctrine’s requirements were not met).
10. Compare Seo v. State, 148 N.E.3d 952, 957 (Ind. 2020) (“[E]ntering the password to unlock the device is analogous to the physical act of handing over documents.”) with State v. Andrews, 243 N.J. 447, 479 (2020), cert. denied sub nom. Andrews v. New Jersey, No. 20-937, 2021 U.S. LEXIS 2547 (U.S. May 17, 2021) (“[W]e find that the foregone conclusion test applies to the production of the passcodes themselves, rather than to the phones’ contents.”).
11. See generally Orin S. Kerr, Compelled Decryption and the Privilege Against Self-Incrimination, 97 Tex. L. Rev. 767 (2019).; Laurent Sacharoff, Response, What Am I Really Saying When I Open My Smartphone?, 97 Tex. L. Rev. Online 63 (2019).
12. Seo, 148 N.E.3d at 955.
13. Id. at 957.
14. Pittman, 367 Or. at 518 (holding that defendant unlocking a cell phone using a passcode communicates knowledge of the passcode); Andrews, 243 N.J. at 480 (the same).
15. Andrews, 243 N.J. at 479; see also Commonwealth v. Davis, 220 A.3d 534, 556 (Pa. 2019) (Baer, J., dissenting) (“This Court should not alleviate concerns over the potential overbreadth of a digital search in violation of Fourth Amendment privacy concerns by invoking the Fifth Amendment privilege against self-incrimination, which offers no privacy protection.”).
16. Holt v. United States, 218 U.S. 245, 252–53 (1910) (explaining that the right against self-incrimination does not exclude an individual’s person from being used as evidence); see also Schmerber v. California, 384 U.S. 757, 763–65 (1966) (holding that an individual may be compelled to submit to a blood test); Gilbert v. California, 388 U.S. 263, 265–67 (1967) (holding that an individual may be compelled to provide a handwriting exemplar); United States v. Wade, 388 U.S. 218, 222–23 (1967) (holding that an individual may be compelled to provide a voice exemplar).
17. See, e.g., In re Grand Jury Subpoena Duces, 670 F.3d 1335, 1346–47 (11th Cir. 2012); Pittman, 367 Ore. at 519.
18. 243 N.J. 447, 480 (2020), cert. denied sub nom. Andrews v. New Jersey, No. 20-937, 2021 U.S. LEXIS 2547 (U.S. May 17, 2021).
19. Id. at 480–81.
20. Id. at 458–59, 481.
21. 206 So. 3d 124, 136 (Fl. Dist. Ct. App. 2016).
24. See, e.g., United States v. Apple Mac Pro Comput., 851 F.3d 238, 248 (3d Cir. 2017) (finding a sworn affidavit, lack of dispute of ownership of devices, a sexually explicit image, user logs, witness testimony, and over 2,000 videos and photos to be sufficient evidence in a child pornography case); Andrews, 243 N.J. at 480 (finding the trial court record showing possession and use of phone by defendant sufficient); United States v. Spencer, No. 17-cr-00259-CRB-1, 2018 U.S. Dist. LEXIS 70649, at *3 (N.D. Cal. Apr. 26, 2018) (finding sufficient showing where defendant conceded ownership of, and provided password to, the phone that was found in his residence).
25. Pollard v. State, 287 So. 3d 649, 657 (Fl. Dist. Ct. App. 2019).
26. See Seo v. State, 148 N.E.3d 952, 955–58 (Ind. 2020); see also Sacharoff, supra note 11, at 68 (“Entering the password to open the device is analogous to the physical act of handing over the papers.”).
27. See Seo, 148 N.E.3d at 957.
28. See Fisher v. United States, 425 U.S. 391, 411–12 (1976) (reiterating that the Fifth Amendment protects against compelled self-incrimination and not the disclosure of private information).
29. See Seo, 148 N.E.3d at 957.
30. E.g., Fisher, 425 U.S. at 393–94 (describing the IRS-compelled production of documents for use in a tax fraud investigation); United States v. Hubbell, 530 U.S. 27, 30–31 (describing how the Independent Counsel subpoenaed documents to determine whether plea bargain terms were violated); United States v. Fridman, 974 F.3d 163, 171 (2d Cir. 2020) (describing how the IRS sought bank account documents related to a tax-evasion investigation); United States v. Oriho, 969 F.3d 917, 920 (9th Cir. 2020) (describing a district court’s pretrial repatriation order in a fraud and money laundering investigation).
31. State v. Andrews, 243 N.J. 447, 481 (2020) (“Although we reach that decision by focusing on the passcodes, we note that, in this case, we would reach the same conclusion if we viewed the analysis to encompass the phones’ contents.”), cert. denied sub nom. Andrews v. New Jersey, No. 20-937, 2021 U.S. LEXIS 2547 (U.S. May 17, 2021).
32. Riley v. California, 573 U.S. 373, 386 (2014) (holding that cell phones may not be searched incident-to-arrest without a warrant); Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018) (holding that the third-party doctrine is not applicable to cell site location information and a warrant is required to search and seize such data).
33. Riley, 573 U.S. at 385.
34. Carpenter, 138 S. Ct. at 2218.
35. Slochower v. Bd. of Higher Educ., 350 U.S. 551, 557 (1956); see, e.g., Carpenter, 138 S. Ct. at 2271 (Gorsuch, J., dissenting) (stating that the Court should reconsider Fifth Amendment doctrine in light of majority opinion); Riley, 573 U.S. at 406–07 (Alito, J., concurring) (calling for a rebalancing of law enforcement and privacy interests in context of searches of a cell phone).
36. See Sacharoff, supra note 11, at 72.
37. See Kerr, supra note 11, at 790–99 (arguing that encryption password gates and the possibility of “going dark” motivate narrower interpretation of the foregone conclusion doctrine’s application).
38. Id. at 794.
39. Fisher v. United States, 425 U.S. 391, 394–95 (1976). But cf. State v. Andrews, 243 N.J. 447, 487 (N.J. Sup. Ct. 2020), cert. denied sub nom. Andrews v. New Jersey, No. 20-937, 2021 U.S. LEXIS 2547 (U.S. May 17, 2021) (noting that the original search warrant had no limit but was later narrowed to permit only a search of the phone and message icons of an iPhone).
40. Cf. Riley v. California, 573 U.S. 373, 408 (2014) (Alito, J., concurring) (noting that “modern technology [is] making it easier and easier for both government and private entities to amass a wealth of information about the lives of ordinary Americans”).
41. Cracking an encrypted device refers to uncovering or decrypting the data on the device without knowing the password. This can be done via exploits or simply guessing and checking, though depending on the strength of the password this may take anywhere from seconds to decades.
42. Eric Lichtblau & Katie Benner, Apple Fights Order to Unlock San Bernardino Gunman’s iPhone, N.Y. Times (Feb. 17, 2016), https://www.nytimes.com/2016/02/18/technology/apple-timothy-cook-fbi-san-bernardino.html.
43. See Doe v. United States, 487 U.S. 201, 202–03 (1988) (explaining how the government served subpoenas on foreign banks and eventually obtained the sought information).
44. See, e.g., State v. Stahl, 206 So. 3d 124, 136 (Fl. Dist. Ct. App. 2016) (noting that reasonable particularity established with respect to possession of the cell phone due in part to cell phone carrier records obtained by the state).
45. Jennifer Valentino-DeVries, Tracking Phones, Google Is a Dragnet for the Police, N.Y. Times (Apr. 13, 2019), https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html (explaining how “geofence” warrants can provide law enforcement with user information for a specific area and time).
46. E.g., Google, https://policies.google.com/terms/information-requests (last visited June 30, 2021); Snap, Inc., https://snap.com/en-US/safety/safety-enforcement (last visited June 30, 2021); Apple, https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf (last visited June 30, 2021); Facebook, https://www.facebook.com/safety/groups/law/guidelines/ (last visited June 30, 2021).
47. 277 U.S. 438, 474 (1928) (Brandeis, J., dissenting).
48. Fisher v. United States, 425 U.S. 391, 432 (1976) (Marshall, J., concurring).