Can Police Make Me Unlock My Phone?

  • Nov 1 2018

Cops trying to determine phone passwordYou have been arrested, and the police have confiscated your cell phone. They have obtained a warrant to search the contents, but your phone is locked. Can you be forced to give up the password? What if they ask for your thumbprint (or FACE) to unlock your phone?

For a while, it looked as though a case coming out of the circuit court in Tampa might eventually find its way to the Florida Supreme Court — or beyond — on this very question. But, Florida’s Second District Court of Appeal managed to dodge the issue, and the defendant later took a plea.

Courts elsewhere have reached conflicting results where an alphanumeric password is involved, but have uniformly ruled that you have no Fifth Amendment protection if the phone can be unlocked with a fingerprint or facial recognition software.

In the aforementioned Tampa case, a narcotics and weapons detective stopped the defendant, Montanez, for a supposed minor traffic violation, having already called in a K-9 unit to justify a search of the vehicle. The dog alerted, and the search turned up misdemeanor amounts of cannabis, a loaded automatic pistol in the glove box with a loaded high-capacity magazine, and something that field tested as THC oil. The defendant was arrested on possession charges.

In the course of securing the defendant’s two cell phones, the detective saw an incoming text message on one saying “OMG did they find it.”

The state obtained a warrant to search the contents of the two phones, on the strength of the detective’s affidavit that they likely contained data that would be relevant to proving the pending charges. Of course, no additional evidence would be required to prove possession, beyond the fact of possession itself, which was already established.

If the state was hoping the phones would contain evidence to support more serious charges, such as trafficking, the affidavit did not mention this. But certainly this does look like a fishing expedition by the State and law enforcement.

The warrant included language requiring Montanez to provide passwords to unlock the phones, but he did not do so. In a hearing on an order to show cause why he should not be held in contempt of court, the defendant said he could not remember the passwords because the phones were new. The court found Montanez to be in contempt and sentenced him to be held in the county jail for six months or until he “remembered” the codes.

Montanez sought a writ of habeas corpus from the Second District Court of Appeal, arguing: (a) that the underlying warrant was defective because the state had not established probable cause to believe that either phone contained information relevant to the possession charges as such; and (b) that he had not been afforded due process in the show cause hearing, both because the trial court was precluded by local administrative rules from reviewing the validity of the warrant and because he was not permitted to offer his inability to remember the passwords as mitigation.

The Second District Court of Appeal granted the writ and vacated the sentence, but only on the latter, rather narrow, procedural ground. On remand, the trial court would not have been precluded from again finding Montanez in contempt, provided it “scrupulously” followed the requirements of Florida Criminal Procedure Rule 3.840, affording him notice and an opportunity to be heard. The validity of the warrant itself would come up later, on a motion to suppress any evidence that might have been disclosed if the phones are unlocked.

In seeking the warrant, and in opposing the writ petition, the state relied on a recent decision of the Second District Court of Appeal itself, State v. Stahl, 206 So. 3d 124 (Fla. 2d DCA 2016), which held that a defendant could be compelled to produce a password to unlock a phone where the state had established probable cause that the phone itself had been used in committing the offense — in the particular case, “video voyeurism.”

In support of his writ petition, Montanez argued that Stahl did not apply, because in the present case there was no “nexus” established between either of the phones and the possession offenses actually charged. The appeals court did not find it necessary, just yet, to reach this argument.

The Stahl court had ruled that disclosing a password was not itself a “testimonial” act and therefore did not implicate Fifth Amendment self-incrimination concerns. This would have become an issue in the Montanez case, had the defendant not accepted a plea to close out his case.

The Stahl court saw no meaningful difference between requiring a defendant to unlock a phone using a fingerprint or a facial recognition app, and requiring him to provide a password. At the time, at least one state trial court, in Virginia, had said a fingerprint is not “testimonial” because it does not involve disclosing “the contents of [the defendant’s] mind.” More recently, the Minnesota state supreme court reached the same conclusion.

Although disclosing a password would seem to imply an acknowledgment by the defendant — i.e., testimony — that he had access to or control over whatever data was on the phone, the Stahl court applied the “foregone conclusion” doctrine, Fisher v. United States, 425 U.S. 391 (1974), to determine that this did not signify where the state had already established the “existence, possession, and authenticity” of the information it sought — that is, the password itself, not the contents of the phone. Because the phone was locked, there must be a password (existence), if the defendant had been able to use the phone, he must know the password (possession), and if the password in fact unlocks the phone, it must be authentic.

For whatever reason, counsel for the defendant in Stahl did not seek review of that decision by the state supreme court. No other Florida appeals court has yet ruled on the matter. Other courts have reached conflicting results. The Stahl court cited Commonwealth v. Gelfgatt, 11 N.E.3d 605 (Mass. 2014), supporting its decision, but also noted United States v. Kirschner, 823 F. Supp. 2d 665 (E.D. Mich. 2010), to the contrary.

The federal appeals court for the 11th Circuit, which includes Florida, ruled in Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012), that the “foregone conclusion” doctrine could not apply where the government had not shown that the materials it was seeking (alleged child pornography) actually existed on the encrypted device.

Until the Florida courts find an appropriate case in which to decide the question, it appears that the data accessible through your phone would be better protected by an alphanumeric password, rather than by fingerprint or facial recognition software. The Freedom of the Press Foundation recommends the following as best practices for “activists and journalists”:

1. Encrypt your phone so that an alphanumeric password is required to open it.
2. Change your settings so that the phone locks immediately when it enters “sleep” mode or when you power it down.
3. Change your settings so that your text app does not show any part of a message unless you open the app.
4. Lock your SIM card with a passcode.
5. Use “strong” passphrases, two-factor authentication, and different passwords for different accounts.
6. Frequently delete your browsing history.

This seems like good advice for the rest of us as well.

Posted in: Criminal