Fifth Amendment’s Application To Encryption and Biometric Information

In this article, we plan to discuss the Fifth Amendment implications of requirements to digitally identify oneself, for example by facial or thumbprint recognition.

The spread of data-encryption services has made the retrieval of information more difficult for law enforcement officials.  Over half the attempts the FBI made to unlock devices in 2017, for example, were thwarted by encryption.  As such investigatory bodies would have it, the government could simply compel a suspect to hand over the password.  Their biggest obstacle, however, remains to be the Fifth Amendment.

Fifth Amendment jurisprudence has come to bear on this issue in the past decade, yet remains somewhat unsettled.  Back in 1975, Fisher v. United States set a foundation for the issue.  The case involved the IRS attempting to compel the defendants to give up certain documents, which they refused on the grounds that they would be incriminating themselves, and were protected by the Fifth Amendment.  The Supreme Court ruled that the Fifth Amendment’s words: “[n]o person … shall be compelled in any criminal case to be a witness against himself” only protect a suspect from having to communicate incriminating testimonialevidence, and that the production of that case’s physical evidence wouldn’t compel the person to “restate, repeat or affirm the truth of it.”  The Court later fleshed out the term testimonial in a case regarding the subpoena of bank records and said that it’s “[t]he contents of an individual’s mind [that] fall squarely within the protection of the Fifth Amendment.”  Generally, the courts don’t protect people from having to produce physical evidence, which is not considered “testimony” or the “contents of an individual’s mind.”

The courts have attempted to reconcile the concession that producing evidence has “communicative aspects of its own” by distinguishing passcodes from biometric data.  The former requires communicative divulgence and the latter is more often a physical feature that can be subpoenaed.  This distinction became known as the “Act of Production” principle.

So far, the weight of judicial opinion has been that the production of biometric data, such as a fingerprint or one’s face, “is no more testimonial than furnishing a blood sample.”  Many courts, like the Circuit Court of Virginia Beach, and the Court of Appeals of Minnesota have said it is incidental that such features can be used to unlock an electronic device. So, their production is not testimony. Other courts, like the Northern District of Illinois, by citing to Riley v. California, have bootstrapped Fifth Amendment concerns to Fourth Amendment concerns, emphasizing the difference between mere physical evidence and “forced fingerprinting to unlock an Apple electronic device that potentially contains some of the most intimate details of an individual’s life.” Overall, biometric passwords, which are typically thought to be more convenient and secure in real life, are much less so legally.

Another key distinction of the Fisher case came to be known as the “foregone conclusion” exception to the “act of production” principle.  It states that one justification for compelling the divulgence of information other than physical evidence (such as simple passcodes) is if the government already knows of its existence, possession and authenticity; this renders the production itself of no import (in that case, the IRS claimed it already knew all the information its requested documents contained, it merely wanted them as a formality and to expedite the case).  The Eleventh Circuit codified this exception and stated that the government could obtain a password without running afoul of the Fifth Amendment if it knows the defendant has it, and knows with “reasonable particularity” that the device contains incriminating evidence.  The Third Circuit gave even more credence to the “foregone conclusion” exception and only required that the government knows that the password exists, is authentic, and is in the possession of the suspect.  In other words, it’s a “foregone conclusion” that the suspect has the password.

All approaches do little to really answer the underlying question needed in Fifth Amendment jurisprudence: is a “password” to be conceptualized as an independent item, or as an item definitionally intertwined with the incriminating evidence it can uncover, and the Supreme Court will need to rule on this modern question eventually.  Until it does, your information is safer from the government when encrypted with a passcode that requires testimony to unlock, than it is with biometric data that can be directly subpoenaed.

At our law firm, we help clients navigate through privacy, cybersecurity, and technology-related issues.  Please don’t hesitate to contact us with any questions or concerns.