By Anna E. Bodi, ACLR Featured Blogger

Last year, cell phone users who follow United States Supreme Court decisions received landmark news about their personal privacy. In Riley v. California, the Court reversed a lower court ruling and unanimously held that, in general, without a warrant, the police may not search information contained on a cellphone seized from an individual who has been arrested.1 The Court found that cell phones are both quantitatively and qualitatively different from other objects that an arrestee might have on their person.2 In this day and age, “[t]he term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone.”3 As a consequence, the Court refused to extend the search incident to lawful arrest exception to the digital contents of cell phones. Instead, “officers must generally secure a warrant before conducting such a search.”4

Riley breaks new ground and begins to articulate how the Fourth Amendment applies in the digital age.5 Though a cornerstone, it leaves additional questions open for interpretation. For example, regarding the requirement that officers obtain a warrant, what happens next, after police obtain a warrant to search a cell phone? In October, a Virginia Circuit Court confronted this very issue when the Commonwealth sought to compel the defendant to produce the passcode or fingerprint to his encrypted smartphone.6 The court’s ruling showcases the challenges involved in applying existing law to the technology, functionality, and privacy expectations of a locked cellphone.

In the Virginia case, the defendant, David Baust, had allegedly assaulted a victim in his bedroom.7 The victim claimed that Baust constantly recorded the room in which the assault allegedly took place, and that the video recorder transmitted to Baust’s smartphone.8 The police obtained and executed a search warrant, retrieving (among other items) the smart phone.9 At the scene, both Baust and the victim stated that the recording device “could have possibly” recorded the assault and that the recording “may exist” on the phone.10 However, the phone was “locked” and could only be entered using a passcode or fingerprint.11 While Riley presented a Fourth Amendment question, the Virginia case centered around a Fifth Amendment issue: Is producing one’s passcode or fingerprint to allow access to digital information on a smartphone testimonial communication subject to the Fifth Amendment privilege against self-incrimination?12

At this point, the ears of iPhone users are probably perking up. Starting with the release of the iPhone 5s, users could opt to restrict entry to their phones by creating a passcode or by using a passcode and a fingerprint. For purposes of the Fifth Amendment, the Virginia court distinguished between these two methods of entry into a smart phone and came to different conclusions. The distinction turned on whether or not the passcode and fingerprint were “testimonial communication” covered under the Fifth Amendment.13 Judge Steven Frucci clearly stated that there is no question as to the compulsive nature of the motion to compel or the incriminating nature of the production of the fingerprint or passcode.14

Judge Frucci found that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone.15 Producing the passcode would require the defendant to divulge knowledge—information from his own mind, placing it in the testimonial realm.16 However, he concluded that a personal fingerprint does not require any similar knowledge—it is equivalent to a key that fits into a lock.17

This ruling might seem counter-intuitive to individuals utilizing the fingerprint encryption technology to ensure greater, not lesser privacy. It is marketed or discussed as potentially more secure than a passcode because it cannot be guessed—only your own fingerprint can unlock the device. However, when it comes to a search of the phone and motion to compel the production of the passcode or fingerprint, the Virginia court ruling would make it easier for the police to force an individual to give them the fingerprint “key” to the phone. The physical nature of the fingerprint lock exposes the vulnerability of the arrestee.

From a practical standpoint, or the standpoint of the average person not intimately familiar with the application of the Fourth or Fifth Amendment, the privacy distinction being made between passcode and fingerprint access makes little sense. The purpose of both the passcode and the fingerprint is to provide a barrier to entry into the phone. Functionally, both could be considered a key of sorts. Both could also be considered a requirement of the conveyance of some form of information before gaining entry. Though the alternative methods of entry into the phone require different types of conveyances of information, to the average smart phone user the legal distinction is not immediately apparent or even logical. Indeed, the average user might even consider the forced used of a fingerprint password to be the greater intrusion.

Going forward, perhaps the courts should look more closely at functionality, rather than technicalities involving the password mechanism. In this case, the passcode and fingerprint are functionally equivalent to smartphone users, yet they were found to be legally distinguishable. Even considering the Fifth Amendment, does this distinction make sense? Under the Virginia ruling, a person could be compelled to use their key to open a lockbox, but could not be compelled to provide a code to open the same box. When considering a physical container, the concept of incriminating oneself by providing a key versus a code seems somewhat clearer. Does it make sense that an individual may be compelled to provide police access to incriminating information by giving them a key, a physical conveyance, but not a passcode, which is testimonial? Taking a functional approach and using the lockbox analogy, perhaps the police would be able to compel the use of either the key or passcode.

As the Supreme Court made clear in Riley, however, a cell phone is different from a physical lockbox. It is in many ways an extension of the person. The Court acknowledged the expansive functionality of phones.18 The justices recognized that calling a cell phone a “phone” is a misnomer.19 Phones are portals to vast amounts of personal information— potentially a library’s worth of information. In describing cell phones in this manner, the Court asserted that they cannot be treated like any other object.20 The circumstances under which the police may access an individual’s phone have huge implications for individual privacy rights21 because of their wide use and extensive capabilities. Even in the age of printing and paper, people would rarely carry a vast amount of paper information on or near their person, as would be ordinary or expected of cell phone users. Looking to functionality and cell phones, perhaps neither a passcode nor fingerprint should be compelled under the Fifth Amendment.

The Virginia decision still leaves additional questions open. Is there a distinction between telling police a passcode and typing in the passcode so that police may gain access to a phone? The disclosure of the code could lead to other evidence that could be used against an individual in a criminal prosecution,22 but in typing the code, the individual does not have to provide any knowledge (testimony) directly to the police.

As technology becomes more and more associated with one’s person, both in the physical and informational sense, our legislatures, law enforcement officers, and courts will continue to face similar quandaries. Privacy and information are no longer strictly tangible, physical concepts. The more technology progresses, the more the legal system will have to address cutting edge digital age questions. Yet many of our laws have lagged behind technology and do not have special provisions for personal electronic technology and information. In Virginia, what is clear for now is that you should protect your phone using a password, not your fingerprint.