Keeping up with technology is difficult enough, let alone when the law needs to do so, but hope springs eternal. For those who have followed my writings and/or presentations over the last few years, my criticism of decisions involving the search and seizure of personal mobile devices through compelled biometrics should come as no surprise (for example, see here and here). Since mobile devices went mainstream, mobile device manufacturers and application providers have been working on ways to better protect your data from unauthorized access, with biometrics leading the charge. Unfortunately, biometric access has created a conundrum — when the government seeks access to data on your mobile device, the balance between their right to access such data and your personal privacy has been anything but settled. Given a recent ruling in the Northern District of California, all of that may be about to change.
First, a little background is necessary to frame the problem. The Fifth Amendment of the U.S. Constitution expressly guarantees that “no person shall be compelled in any criminal case to be a witness against himself.” Our nation’s founders intended this protection to operate as an important check on governmental power when collecting evidence directly from a defendant. In essence, the Fifth Amendment prohibits the government from forcing you to provide testimony against yourself that may incriminate you or “otherwise provide the State with evidence of a testimonial or communicative nature.” And therein lies the rub — what exactly is meant by “testimonial”?
In assessing caselaw, the courts have interpreted “testimonial” to mean “when the accused is forced to reveal his knowledge of facts relating him to the offense or from having him share his thoughts or beliefs with the government.” This creates a very troubling conundrum with respect to this evolution of technology — compelling you to divulge knowledge of something that may incriminate you (such as the passcode on a mobile device) is prohibited, but compelling you to provide a physical characteristic (such as presenting yourself in a lineup, being required to use your voice to provide an identifying characteristic, or being compelled to provide a fingerprint or face to open your mobile phone) is not?
With the evolution of technology, I have been part of a growing group of practitioners who have been proffering the argument that this traditional interpretation of “testimonial” evidence is untenable. Unlike the use of a fingerprint or lineup to identify an individual, the use of biometrics such as fingerprints or facial ID to unlock a mobile device is not being used for identification purposes, but to access information that could not otherwise be accessed without compelling the passcode in violation of the device owner’s Fifth Amendment rights.
In an order denying application for a search warrant, a federal judge in California seems to be following this train of thought (and arguably going even further). Specifically, the district court judge found probable cause for the government to search the subject’s premises, but denied the government the right to compel the owner of the device (actually, who they believed to be the owner of the device) to unlock the device using its “biometric features,” finding the request to be overbroad under the Fourth Amendment because the affidavit had identified the subjects. The court held that “that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.”
With respect to the Fifth Amendment, the court recognized the challenges presented by technology outpacing the law, correctly framing the issue as “whether the use of a suspect’s biometric feature to potentially unlock an electronic device is testimonial under the Fifth Amendment.” In reiterating the proposition that testimonial evidence need not be limited to verbal or written communication, the court zeroed in on biometrics and how they differ from providing DNA or fingerprints. First, passcodes are still required on such devices as an added level of security under certain circumstances (such as upon restart of the device), so governmental urgency for a warrant to compel the use of a biometric when the government cannot otherwise compel a passcode for such information is itself suspect: “[i]t follows…that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”
Second, the court distinguished use of biometrics to identify the individual from use of biometrics to access private information about that individual:
Thus, the act of unlocking a phone with a finger or thumb scan far exceeds the “physical evidence” created when a suspect submits to fingerprinting to merely compare his fingerprints to existing physical evidence (another fingerprint) found at a crime scene, because there is no comparison or witness corroboration required to confirm a positive match. Instead, a successful finger or thumb scan confirms ownership or control of the device, and, unlike fingerprints, the authentication of its contents cannot be reasonably refuted. … Thus, the undersigned finds that a biometric feature is analogous to the nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial.
In fact, the court even addressed the foregone conclusion doctrine, finding it does not apply because the government had no prior knowledge of the existence or knowledge of documents to be produced (i.e., from the device). Specifically, the court noted that forcing the use of biometrics to unlock the mobile device and view the contents could be self-incriminating and not be a foregone conclusion (such as, for example, a cloud application like Dropbox that would be “tantamount to identifying the location, and ultimately producing the contents, of a locked filing cabinet that the Government did not know existed.”)
I realize that reasonable minds may disagree on these points (as the courts have), but it is my hope that this decision (and other orders it has cited) push this argument past its moment of inertia, inducing other courts to embrace the need for understanding the nature of technology in addressing such fundamental rights (especially when the government may be able to obtain the data from other means) rather than simply letting technology rotely (and unintentionally) undermine them. For all intents and purposes, this may be the beginning of caselaw holding all logins equal. Make no mistake — now that’s something you can put your finger on.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at [email protected].