The week of December 7, 2014

Can police force you to surrender your password?

By Rob Price

While most people by now know—or at least should know—the basics of how to protect themselves from cybercriminals, it’s less clear what your rights are when law enforcement comes knocking. Can the authorities force you to surrender your passwords at the drop of a hat? Do they have the right to peruse your data at their leisure?

Like so many of these things, it all depends.

Where are you?

If you’re in the U.K., you’re out of luck. Brits can be—and have been—jailed for refusing to surrender their passwords to authorities. In 2014, a computer science student was jailed for six months after refusing a court order to surrender his password “on the grounds of national security.”

Similar key disclosure laws also exist in Australia, with a six-month sentence awaiting those who don’t comply, as well as India (up to seven years), France (three years and a $56,000 fine), South Africa (10 years or $180,000), and elsewhere.

In the United States, however, there are certain protections in place. U.S. courts have ruled that a password and encryption key are classed as “knowledge”—and that the Fifth Amendment’s safeguards against forced incriminating testimony mean there are constitutional protections against being forced to surrender them.

How is your data protected?

Let’s not get ahead of ourselves. You are using a (secure) password, right? In October 2014, a Virginia Circuit Court judge ruled that giving biometric data does not amount to divulging knowledge. As such, and unlike passwords, your fingerprint scan can be taken involuntarily if need be—much like a DNA sample or traditional fingerprint.

Who’s asking?

Remember: “Police can’t ‘force’ you to do anything,” points out Electronic Frontier Foundation (EFF) staff attorney Hanni Fakhoury. “They can ask for your password and you can give it to them, though that’s probably a bad idea without talking to a lawyer first.” Otherwise, it takes a court order to “force” you to do something.

Police can’t search your cellphone without permission. Even without a password, they need a warrant to search your device, or they’re breaking the law. (There’s an exemption if they believe the device is under immediate threat of destruction.)

Can a tech company protect you?

Your phone manufacturer/cloud storage provider/encryption software provider is under no obligation to be able to decrypt your data upon demand. When Apple decided that it didn’t want it to be possible for them to decrypt their customers’ data, that was perfectly legal, even if it did make certain people very angry—with one senior police officer claiming that the iPhone will “become the phone of choice for the pedophile” as a result.

But if they do have that capability, then expect them to exercise it when law enforcement comes knocking, lest they want to be found in contempt of court.

So if I store it myself, is it safe?

If only it were that simple. Turning over the password “is pretty clearly protected by the Fifth Amendment privilege against compelled incriminating testimony,” advises Fakhoury, but that’s not the end of it. “If the Fifth Amendment protects you, that doesn’t mean the government doesn’t get your cooperation”—meaning you might be expected to decrypt the device, but that anything found on it can’t be used against you in a court of law.

It also depends on whether the authorities already know what’s on the device. In one case where the defendant was accused of possessing child pornography, law enforcement had already seen some of the files prior to the device shutting down. The defendant was subsequently forced to surrender his password on the grounds that “providing access to the unencrypted Z drive adds little or nothing to the sum total of the Government’s information about the existence and location of the files that may contain incriminating information.”

If the devices under investigation are known to belong to you, the authorities are more likely to push for your password (even if it is still arguably unconstitutional), as compared to if they were in a shared property where plausible deniability might apply. The upshot of this is that law enforcement’s approach—and the legal recourse open to you—vary a great deal depending on the specifics of each individual case.

If you’ve reached this point, while you should still theoretically have constitutional protections, in practice there’s little more we can tell you. You should seek professional legal advice. Immediately.

What do I do?

The Electronic Frontier Foundation is a good place to start. It’s a nonprofit advocacy group that seeks to “[defend] your rights in the digital world.” It has a Know Your Rights guide last updated in October, and information on potential legal assistance can be found here. (Fakhoury has also written in more detail about the legal background; it can be found here.)

Another option is the American Civil Liberties Union, which aims to “defend and preserve the individual rights and liberties guaranteed to every person in this country by the Constitution and the laws of the United States.” The ACLU can be reached here.

Good luck.

Photo via Chris Potter/Flickr (CC BY 2.0) | Remix by Rob Price