
Forcing suspects to reveal phone passwords is unconstitutional, court says - LeoNatan25
http://arstechnica.com/tech-policy/2015/09/forcing-suspects-to-reveal-phone-passwords-is-unconstitutional-court-says/
======
abakker
All we really need is a real passcode, and then a second special passcode that
wipes the phone instantly if typed.

so, my normal code might be 123456, but if someone asks what my code is and I
say 345678, then the phone does a data wipe that isn't obvious from the
outside, and just deletes all credentials, cookies, history, documents, etc.

Is this workable?

~~~
ctdonath
Not a new idea. There has long been a meme going around that if you enter your
ATM PIN backwards, it will let you access your bank account but silently calls
the police to your location (AFAIK it's just an urban myth). False passwords
have a much older history than that.

Investigators are going to take a very dim view of such events, and probably
didn't get to the point of demanding access without having documented sensible
reason to believe the evidence is there - and may very well have actionable
proof that you destroyed evidence, which will not turn out in your favor.

~~~
tehwebguy
My home security system has a "duress code" that will disable the alarm sound
and silently alert the company. It's not the reverse of the normal one, it's a
different one that can be set.

~~~
cbhl
How likely are you to actually remember the code when you're under duress,
though?

~~~
tsotha
You could make it an easy one. Say your normal code is 5829. The panic code
should be something like 1111. You'll never key it in accidentally, and people
have codes like that, so it won't tip off an assailant.

~~~
rhizome
the thing is, it's not the worst thing in the world if a bad person guesses
it.

------
zipfle
The guy quoted at the end seems to think it's the passcode itself that would
be incriminating, rather than the contents of the phone. Weird. I've seen a
theory that compelling someone to disclose a password can be incriminating
because it is the same as asking them to admit that they stored the data in
the first place, and obviously there's a case to be made that compelling
disclosure of the data on the phone could be self incriminating, but the idea
that the password would be something like yesiinsidertraded4 is new to me.

Edit: I missed the part where he's a former federal prosecutor. Mystery
solved.

~~~
ikeboy
Do you have any passwords that would be _embarrassing_ to you if they came
out? Can you imagine someone that breaks the law might have an encryption
password that was incriminating?

~~~
15155
That's actually an interesting thought:

If my password is "iKilledColonelMustardWithACandlestick" \- and it's actually
an incriminating fact, how does that factor into potentially self-
incriminatory discovery?

~~~
scintill76
This sounds too much like something Barry Zuckerkorn would come up with, so
maybe not a good idea.
[http://arresteddevelopment.wikia.com/wiki/Barry_Zuckerkorn](http://arresteddevelopment.wikia.com/wiki/Barry_Zuckerkorn)

------
snowwrestler
This concerns me a little bit, actually.

I know there are folks here on HN who believe that they should have an
absolute power to exclude the government at all times. I'm not one of them,
though. Particularly in situations where law enforcement has obtained a lawful
warrant, I think they should have a way to get that information. People do
commit crimes, and the police do need to solve them.

One way to grant the police access is to somehow give them privileged access
to the encryption. For me, this idea is dead on arrival. There is no way to
grant privileged access to the police without dangerously weakening the
encryption in general. I'm a believer that encryption, properly implemented
without backdoors, creates a lot more good than bad.

So what does that leave? It leaves compelling the owner of the phone to unlock
it. If the police get a warrant to search your house, you are legally required
to unlock the door and let them in. It seems to me that a passcode on the
phone serves exactly the same purpose.

So, my concern is that if compelling the phone owner to unlock is not an
option, it will put a lot more pressure behind the idea of encryption
backdoors, as the "only option" to give law enforcement the power they need to
do their jobs.

~~~
navait
Given that key escrow failed eventually, what is different today that would
make backdoors possible?

~~~
LinuxBender
There is no need for a back door. Phones are not encrypted once the user
accesses them. The carriers can push and pull any files to or from the phone
over the air. Some of them do not require a warrant. I was always told to
never ask for one.

------
msluyter
Any lawyers (or wanna be lawyers) want to chime in -- is your thumbprint
protected in the same way? I can see how the 5th amendment prevents them from
compelling you to reveal your passcode, but does it prevent them from grabbing
your thumb and using TouchID to unlock your phone? (That, or, just using a
thumbprint provided during booking or whatnot...)

~~~
slinkyavenger
From what I've read in the past, it doesn't cover your thumbprint. [1]

Thumbprints are physical, so they don't get the same protections. It's kind of
like having a physical key to a physical lock. It's not self-incrimination for
law enforcement to take that key and use it in the lock.

Same with writing your passcode on a piece of paper. It's no longer a matter
of self-incrimination if they find that and use it.

[1]: [http://arstechnica.com/tech-policy/2014/10/virginia-judge-
po...](http://arstechnica.com/tech-policy/2014/10/virginia-judge-police-can-
demand-a-suspect-unlock-a-phone-with-a-fingerprint/)

------
norea-armozel
I'm glad they've narrowed the conditions to compel suspects of revealing
passwords. It just seems that it was too wide open for just any minor hint of
suspicion was enough (sans warrant) to do these fishing expeditions. If they
got reasonable suspicion then they need to get a friggin' warrant. I just
don't get why law enforcement is getting so sloppy these days.

~~~
talmand
I think it's the result of the easy-going attitude of such things in the past
in the effort to appear tough on crime. When they were given such lenient
rules of how they approached crimes and suspects. Rules that are now being
slowly taken away from them, as unconstitutional, but are still trying to
operate as if they are still there.

------
izzydata
I assume there is no difference between being forced to reveal a phone
password and being forced to reveal a password to some other system such as a
PC, encrypted container or website?

~~~
lamby
Here's a somewhat-related quote from patio11 that I often refer back to:

> Developers have a cultural quirk where they believe that, e.g., "file
> sharing is not theft" / "manipulating a URL can't be a crime" / "laws about
> disclosing protected information invariably contain a public policy
> exception which comports to the temperament of the dev community" are
> axiomatic and thereby create an internally consistent legal system which
> fails to falsify those axioms but also fails to meaningfully resemble the
> legal system we actually operate in.

> This results in developers sincerely believe things like "Your Bitcoins are
> unprotected by the legal system because nobody can steal a number", which is
> a proposition that is absurd to the legal system as "JavaScript is not a
> programming language" is to a programmer.

([https://news.ycombinator.com/item?id=7367312](https://news.ycombinator.com/item?id=7367312))

In other words, no. There is—and should be—nothing special about computers.

~~~
Karunamon
File sharing is _not_ theft, and there's unambiguous legal precedent to that
effect. Really bad example. Stop conflating two laws that mean different
things.

Nothing special about computers? Okay. "Persons, papers, and effects" no
longer means emails, computer files, or anything other than physical, tangible
documents that existed when that law was drafted. I really don't think that's
the world you want to live in, or the argument you really want to be making.

The fact that the legal system thinks there's "nothing special about
computers" is the cause of a great deal of difficulties that should not exist
in a sane world. This is a world with new concepts that _did not exist_ when a
lot of our laws were written, and it doesn't make much sense to presuppose
that there is or even can be a 1:1 mapping between the tangible and the not,
all of the time.

~~~
lamby
> Stop conflating two laws that mean different things.

Can you point out where I did?

~~~
Karunamon
You're being intentionally obtuse here since it's literally the first words of
my post. You did quote someone else and pretty much endorsed it, but that
quote contains a pernicious falsehood.

~~~
lamby
Pretty sure he is making a wider point about techie attitudes to the legal
system, nothing actually specific about file sharing out of context.

------
tormeh
Forcing the suspect to input the password still looks legal, according to the
last paragraph. They just can't force you to tell them the password.

------
ClintEhrlich
There's a more elegant solution: the government should be allowed to compel
you to disclose your password if probable cause exists to search your device
_but_ only subject to an evidentiary privilege that prevents your knowledge of
the correct password from itself being admitted as evidence to prosecute you.

~~~
Lawtonfogle
And what happens if you don't know the password or have forgotten it? I have
old encrypted files and lost devices that have passwords I no longer remember.

~~~
MichaelGG
That's what judges are for, right? They'll review the evidence and judge if
you're likely to actually have forgotten the password, or are just saying so.
If you're traveling with a phone or laptop that appears to have been in-use by
you, and don't know the password to it, chances are you're not being truthful.
Otherwise, you'd have a plausible alibi story (I just bought this phone off
Craigslist; here see the email and the ad).

------
blendo
I think this ruling marks the recognition that the information processing
performed by the devices we carry has, in a legal sense, "merged" with the
thoughts we carry in our heads, and are now worthy of the same fifth amendment
protections.

I'm in favor, but for some reason this also makes me a little worried.

------
suneilp
If backdoors legislation is passed, would there be any economic effect?
Personally, I wouldn't be interested in doing anything more than "basic" stuff
with my phone and would not feel compelled to upgrade phones so soon.

As for computing devices, aside from proprietary systems like Windows and
Macs, do we not have reliable options that allow us to use uncompromised
encryption?

Whats to stop app developers for embedding encryption packages or would they
be forced to use compromised solutions?

Can you stop a person from building a secure line over a compromised medium,
if that is even doable?

~~~
Jtsummers
This is the reason (along with probably constitutional issues) I'm not
terribly concerned about most of this sort of talk [0]. It seems to me that
it'd be a temporary problem, mostly with proprietary systems, that would be
resolved in a few years. Sort of like the encryption export issues in the 90s,
and the OpenSSH project being hosted in Canada.

[0] Ok, I'm not concerned about it actually happening. The part of it that
bothers me is the otherwise seemingly-sane individuals who _agree_ with these
backdoors. It's very difficult to discuss the issue with some of them because
their interest in it is largely driven by emotions, specifically a desire for
security and justice/revenge/control of criminal/terrorists/whatevers.

------
pvaldes
Why they should really need your password?. They can ask the telephone company
for a saved copy of your incoming and outcoming calls in the last year so they
have already (or can trace) the 90% of the interesting data in your phone.

This seems also protect the policy from the temptation of doing stupid things
that could lead to future lawsuits against them (like leaking photos of you
drunken in a party, of from your girlfriend naked brushing her teeth and
so...)

------
MengerSponge
This seems reasonable. Anybody want to play internet lawyer to explain why you
can't/shouldn't be compelled to unlock a fingerprint protected device?

~~~
ams6110
The analogy I've often heard is that it's like a safe. Presented with the
proper warrants, you can't refuse to open a safe on the basis of the 5th
ammendment.

~~~
derekp7
But what if the safe had documents in it which was written in a language that
only you know? Is there any circumstances where you could be compelled to
translate them?

~~~
mc32
Some bookkepers for crime organizations have from time to time used their own
notation to keep the books. Typically, they have not been sophisticated enough
to hide malfeasance, in addition, the shadiness of it is often enough evidence
of wrongdoing, or at least leads to forensic accounting which reveals tax
evasion.

------
eslaught
Can someone comment on what level of court this decision was made at, and how
final this decision is likely to be (i.e. how many more appeals are possible
at this point)?

------
staunch
I'm glad when the courts uphold the U.S. Constitution in a meaningful way. I
have faith America will sort its shit out.

But we shouldn't have to rely on the law alone. We should be able to rely on
technology to make it impossible to compel people to give up their most
intimidate data. Computing devices have become an extension of the mind and no
one on earth has a right to the contents of your mind.

------
vectorEQ
bet is not unconstitutional to force someone to give up pw of PC though? :/

~~~
ltnately
From my limited understanding, the difference is the government having a
reasonable level of certainty that the device in question contains the
evidence they're looking for.

The analogy I would use is a locked closet full of file boxes. If the
government is certain that the files relating to a specific crime are in the
closet, then you can be compelled to assist them in opening your closet or
face an obstruction of justice charge. However if the police suspect you of a
crime and suspect that you're the type of person who would keep the evidence
in your locked closet that is not enough compel you to open the closet so the
police can check up on their hunch.

In this case, I read it as the men are suspected of insider trading and the
government believes that they would have used their cell phones to communicate
about the deal and the phones contain evidence of such. There is no actual
evidence that the phones were used and so they're not obstructing the police
in obtaining evidence the police know is there, but rather preventing the
police from poking around to see if the evidence exists at all.

~~~
beeboop
I find it odd that they aren't just able to get the data from the carriers.
The only reason it'd be on the device but not the carrier/Facebook/Twitter/etc
servers is if they encrypted the messages, but they would probably mention
this if it were the case.

------
ck2
So is Stingray and what the TSA does to you at the airport but I guess we are
never going to address that.

~~~
ctdonath
Here's hoping we're making progress toward ending TSA's fishing expedition.
Given the concerns about mass murder being preventable via a security check,
at least establishing that TSA's job is ONLY to watch for explosives et al,
and may not act on discovery of other harmless (to the flight & passengers)
contraband.

------
draugadrotten
The police will stop forcing suspects and will start inducing cooperation.

------
jonknee
When Apple said they can't turn over data the FBI said that means adorable
children will die. I wonder what they will have to say about this?

