We all know that smartphones and similar devices contain enormous quantities of personal and private information. Not surprisingly, for that reason, the government considers them a treasure trove of potential evidence in criminal investigations. Most courts have now concluded that forcing an individual to provide the password for a smartphone to a law enforcement agent runs afoul of the Fifth Amendment's privilege against self-incrimination. A split in the federal courts has begun to emerge recently, however, as to whether compelling an individual to provide a fingerprint or other biometric data to unlock a smartphone amounts to a similar constitutional violation. This article will discuss two recent representative cases reflecting the divergent views on this issue.

Passwords and Biometric Identifiers

When smartphones first appeared back in 2007, the most pressing issue for law enforcement was how to quickly gain access to them, especially under exigent circumstances. In those early days, devices only had a password or passcode which typically only could be obtained from the owner of the phone. Assuming the owner refused to unlock the device, law enforcement would seek to compel the owner to do so by means of subpoena or court order, triggering a Fifth Amendment objection. The outcome basically turned on whether requiring an individual to provide a password could be considered a “testimonial” communication worthy of constitutional protection.

In resolving this issue, courts primarily looked to well-established Supreme Court precedent. Under United States v. Doe, 487 U.S. 201, 212 (1987), the court held that “[a]n act is testimonial when the accused is forced to reveal his knowledge of facts relating him to the offense or from having to share his thoughts and beliefs with the government.” From that proposition lower courts could easily conclude that forcing one to reveal his or her password or passcode, a product of some deliberate cogitation and acquired knowledge on the owner's part, was necessarily “testimonial” and hence protected under the Fifth Amendment. See, e.g., United States v. Kirschner, 823 F. Supp. 2d 665 (E.D.Mich. 2010).

In 2013, Apple introduced the iPhone 5s with Touch ID, which allowed users to unlock their devices either by entering a standard passcode or by using a fingerprint. In 2017, Apple also introduced Face ID with the iPhone X which allowed access by means of facial recognition. These biometric identifiers have complicated what was previously settled law on smartphones because traditionally courts have routinely allowed law enforcement to compel production of fingerprints, blood, handwriting, photographs and voice samples. Should fingerprints and facial recognition be treated more like passcodes and passwords in the smartphone context? Two recent cases reflect a split of authority on that question.

Northern District of California Protective of Privacy

In Matter of the Search of a Residence in Oakland, California, 354 F. Supp. 3d 1010 (N.D. Calif. 2019), Magistrate Judge Kandis Westmore denied a search warrant application by the government that sought permission to compel any individual at the location in question to provide biometric identifiers to unlock any electronic device found at the scene.

The warrant arose in an investigation of two individuals allegedly using Facebook Messenger to extort money by threatening to distribute a video of the victim. The government requested the ability to seize various items including mobile phones and computers at a residential location. In addition, the application sought authority to compel any individual present at the time of the search to press a finger or utilize other features such as facial recognition for the purpose of unlocking digital devices found in the search.

As a threshold matter, while the court found probable cause existed to search the premises in question, it rejected the request to compel any individual at the scene to unlock his or her device as insufficiently particularized under the Fourth Amendment. The court similarly rejected the government's request to search and seize all devices, including those of non-suspects, found at the premises.

But the court went on also to consider the Fifth Amendment implications of the government's request. The court held that even if probable cause existed to seize devices based on a reasonable belief they belonged to a specific suspect, that alone would not permit the Government to compel a suspect to waive a Fifth Amendment right against self-incrimination. In particular, the court focused its inquiry on whether the compelled use of biometric identifiers to unlock a device was testimonial under the Fifth Amendment, along the same lines as compelled use of passcodes.

The court started with the proposition that testimony was not restricted to verbal or written communications. Acts that imply assertions of fact, the court noted, can constitute testimonial communication. The court acknowledged that certain acts, while incriminating, are not within the scope of the privilege, such as furnishing a blood sample, submitting to fingerprinting, standing in a lineup, or providing a handwriting sample. But the court found that utilizing a biometric feature to unlock an electronic device was not akin to fingerprinting or a DNA swab for two key reasons.

First, biometric features served the same purpose as a passcode, which is to secure the owner's content, rendering them for all practical purposes as functionally equivalent. Indeed, the court observed that as an added layer of security, in some instances the devices will not accept the biometric feature and will require the user to type in a passcode, such as when the device has been restarted. If a person cannot be compelled to provide a passcode because it is a testimonial communication, the court reasoned, then a person cannot be compelled to provide a finger, thumb, iris or other feature to unlock the same device.

Second, the court found that requiring someone to affix their finger to a device was fundamentally different than requiring a suspect to submit to fingerprinting. “A finger or thumb scan used to unlock a device indicates that the device belongs to a particular individual … the act concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents” In that sense, the court opined, the compelled act of unlocking a phone far exceeds the physical evidence created when a suspect submits to fingerprinting to merely compare his prints to existing prints found at a crime scene because there is no comparison or witness corroboration required to confirm a positive match. Based on this difference, the court found the compelled use of biometric identifiers is more akin to “the nonverbal, physiological responses elicited during a polygraph test,” to determine guilt or innocence, which is routinely considered testimonial. See also In re Application for a Search Warrant, 236 F. Supp. 3d 1066, 1073 (N.D. Ill. 2017) (using fingerprint to place someone at a location starkly different from using it to access a database of someone's most private information; In re A White Google Pixel 3XI, 2019 U.S. Dist. LEXIS 83300 (D. Idaho, June 6, 2019) (compelled use of fingerprint to unlock phone violates Fifth Amendment).

A Pro-Government Ruling in the Nation's Capital

Magistrate Judge G. Michael Harvey six months earlier came to a very different conclusion In the Matter of the Search of [Redacted], 317 F. Supp. 3d 523 (D.D.C. 2018). The government sought permission to compel a specific subject (under investigation for computer fraud) to provide biometric identifiers to unlock devices falling within the scope of a search warrant. Recognizing the novelty of the issue, the court appointed the D.C. Federal Public Defender as amicus curiae to submit its views on the lawfulness of the government's request.

After finding the warrant satisfied the Fourth Amendment's particularity requirement assuming it was tailored to a single known suspect reasonably believed to be the owner of the device, the court then proceeded to discuss the more difficult Fifth Amendment implications of the requested relief. As in the Northern District of California, the inquiry turned on whether the use of an individual's biometric features could be considered testimonial.

The starting point for the Federal Public Defender was the Supreme Court's decision in United States v. Hubbell, 530 U.S. 27 (2000). In Hubbell, the court considered whether a witness' response to a subpoena calling for the production of categories of documents could be deemed testimonial. The witness invoked the Fifth Amendment and refused to state whether any of the responsive documents were in his possession or control. After being granting limited immunity, the witness was compelled to produce documents in response to the various designated categories which eventually led to his prosecution. Normally a document subpoena would not run afoul of the Fifth Amendment but under these circumstances the Supreme Court held that “the act of producing documents in response to a subpoena may have a compelled testimonial aspect” where as a result of compliance the witness in effect was admitting that the “papers existed, were in his possession or control, and were authentic.” The Federal Public Defender equated the warrant application to the production of documents in Hubbell, asserting that “the compelled use of biometric features to unlock a phone or computer is 'inherently testimonial' because it 'would implicitly communicate that the suspect possessed or controlled the device with incriminating evidence.”

The Magistrate Judge, however, disagreed. While acknowledging the line between testimonial and non-testimonial communications under the Fifth Amendment was not crystal clear, the court found the compelled use of the subject's biometric features was more akin to the surrender of a wall safe's key than being forced to give up the safe's numerical combination, and hence permissible. Specifically, the court noted that the government's proposed procedure would not require the subject to divulge any information or reveal the contents of his mind or his thought process (as would be the case with a password). Under those circumstances, the court held, the compelled use of a biometric feature amounted to the functional equivalent, from a legal standpoint, of simply taking a blood or handwriting sample, which clearly was permitted under the Fifth Amendment. Finally, in response to the Public Defender's argument that the use of a fingerprint might nevertheless be testimonial because it not only unlocked the device but also translated (and thus assembled) encrypted data into a useable format, the court disagreed as a technical matter, noting that it would appear the decryption process was accomplished by the machine and not through any mental effort on the part of the subject.

Conclusion

The Northern District of California probably has the better of the argument and its reasoning will likely be followed by more courts in the future. Electronic devices have always included a password option. A biometric feature such as a fingerprint obviates the need to expend mental energy on a password but that is a meaningless distinction in the 21^st century. From a functional standpoint, enabling a biometric feature is still a deliberate measure requiring a modicum of effort which is intended to accomplish the same purpose as a traditional passcode: protecting enormous quantities of private information from inadvertent or unauthorized disclosure.

From a public policy standpoint, as technology continues to develop, the government eventually may regain the upper hand by, for instance, using 3-D replicas of pre-existing fingerprint samples to activate a sensor or displaying high-resolution photos sophisticated enough to fool Face ID. Until then, while the Northern District of California approach may preclude law enforcement agents from being able to gain immediate non-consensual access to smartphones, the government still retains a formidable array of tools under the Stored Communications Act and by means of search warrants and subpoenas to gather vast amounts of this kind of information from third party service providers.

Evan T. Barr is a partner at Fried Frank Harris Shriver & Jacobson. He previously served as an Assistant U.S. Attorney in the Southern District of New York. Megan Howe, an associate at the firm, assisted in the preparation of this article.