Florida man won't be compelled to reveal iPhone passcode, yet

The state's top court, however, may be asked to intervene

Florida's Fourth District Court of Appeals has granted a petition by a defendant not to be forced to reveal his iPhone passcode and iTunes password, based on the US Fifth Amendment's protection against self-incrimination.

The defendant, a minor referred to as G.A.Q.L in his petition against the State of Florida, was involved in a car crash in which one of the passengers died. Police investigating the accident asked a lower court to force the defendant to reveal his iPhone passcode and iTunes password, both of which were needed to search the device because of a pending iOS software update. The lower court granted the state's request and ordered the minor to comply.

The appellate ruling to disallow forced passcode production conflicts with a previous decision elsewhere in the state's judicial system, State v. Stahl (2016), which found that the government, aware of the documents it was seeking on an iPhone, could require a person to reveal a device passcode.

"This case adds to the disagreement over how to analyze compelled decryption orders in the context of passcodes," said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, in an email to The Register.

The court hearing Stahl, Florida's Second District Court of Appeals, made its ruling based on the foregone conclusion doctrine, which holds that the act of revealing a passcode isn't protected testimony when the government can establish that the evidence it seeks exists, is in the possession of the accused, and is authentic.

Pfefferkorn explains that courts grappling with the issue of encrypted devices have agreed that revealing a passcode is testimonial, meaning it cannot be forced, per the parameters of the US Fifth Amendment protection against having to testify against oneself.

The foregone conclusion doctrine, articulated in the US Supreme Court's Fisher v. United States (1976), provides an exception under which passcodes can be compelled. However, courts haven't been consistent in the way they apply this doctrine.

"Some courts have focused on the passcode itself, whereas others have focused on the documents on the phone," explained Pfefferkorn. "That is, some courts ask: Based on the other evidence the government has, is it a foregone conclusion that the defendant knows the passcode?"

"Other courts ask: Based on that other evidence, are the existence, authenticity, and defendant's control over the files on the phone a foregone conclusion? Stahl sided with the line of cases that have picked the first way as the right way to analyze the Fifth Amendment foregone-conclusion issue; this new case went with the latter."

Courts in other jurisdictions have accepted the Stahl interpretation of the foregone conclusion doctrine, as can be seen in a California case this year where the defendant was required to provide the passcodes to decrypt his iPhone, hard drive and Alienware laptop.

Authorities also have the option to access locked devices by applying the owner's finger to a fingerprint sensor or the owner's face to a facial recognition system, because biometric access is not considered protected testimony.

In deciding to disallow the government's passcode revelation demand, Florida's Fourth District Court of Appeals relied on a ruling from the United States Court of Appeals for the Eleventh Circuit, which oversees Florida’s federal trial-level courts among others.

The Eleventh Circuit in a 2012 case held that compelled passcode production is prohibited if the foregone conclusion doctrine does not apply. That is to say, the government cannot force people to reveal the passcode of a device unless it knows the accused knows the passcode and it knows the accused's device contains specific evidence.

However, the Fourth District Court of Appeals disagrees with the Second District's conclusion in Stahl that being forced to reveal a passcode fails to qualify as protected testimony. In its decision, the Fourth District Court of Appeals said:

It is critical to note here that when it comes to data locked behind a passcode wall, the object of the foregone conclusion exception is not the password itself, but the data the state seeks behind the passcode wall. To find otherwise would expand the contours of the foregone conclusion exception so as to swallow the protections of the Fifth Amendment. For example, every password-protected phone would be subject to compelled unlocking since it would be a foregone conclusion that any password-protected phone would have a passcode. That interpretation is wrong and contravenes the protections of the Fifth Amendment.

In a phone interview with The Register, Stephanie Lacambra, criminal defense staff attorney at the Electronic Frontier Foundation, said, "With this split between the Second and Fourth Districts in Florida, it's only a matter of time before this goes to the Florida Supreme Court."

The case could go further still if the State of Florida or the defendant, unhappy with the outcome at the state level, asks for and receives review by the US Supreme Court.

Lacambra agrees with the Fourth District's reasoning. Courts have been misapplying the foregone conclusion doctrine, she said, because they separate the passcode from the information it reveals. "They're not trying to get at the passcode but the files behind them," she said.

Lacambra argues that compelled passcode revelation and forcing people to supply biometric patterns to unlock devices are inherently testimonial because doing so translates unintelligible information into readable form. ®
