Under what circumstances can a citizen be forced to unlock their smartphone for government inspection? On March 6, 2019, the Supreme Judicial Court decided Commonwealth v. Dennis Jones, in which the Court held that the government can compel a suspect to unlock their smartphone, and so disclose all of its contents, if it proves beyond a reasonable doubt that the suspect knows the passcode to the phone in question. The SJC held that the only “testimonial” aspect to an act of decryption is just the person saying that he or she knows the code to the target phone. Jones was the first decision from any state supreme court in the country to set out the constitutional rules around compelled decryption, which is one of the most significant self-incrimination issues in the digital age.

Northeastern alum Miranda Jang spoke with Appellate Attorney David Rangaviz, from the Committee for Public Counsel Services, who submitted an amicus brief in the Jones case, about the SJC’s decision and its implications for digital privacy. Rangaviz’s article on compelled decryption, Compelled Decryption & State Constitutional Protection Against Self-Incrimination, is forthcoming in the American Criminal Law Review. He also filed an amicus brief in support of Mr. Jones’s petition for certiorari, which the Supreme Court recently denied at its conference on November 15th. [Editor’s Note: We spoke with Rangaviz before certiorari was denied.]

Miranda Jang: Could you describe how compelling an individual to unlock their phone places them in a catch-22 situation like   of the Massachusetts Declaration of Rights attempts to avoid?

Attorney David Rangaviz: When confronted with a compelled decryption order, you have two choices. You’re either going to unlock your phone and open up for government inspection all the incriminating and non-incriminating details of your entire life—that’s one side of the catch-22—or you refuse, and the government could then do one of two things. Either not get into the phone and tell the jury, “Look, he refused to unlock the phone because he knew how bad the stuff on it was,” or they somehow are able to work around the encryption and get into the phone and then they can say, “Look at this bad stuff on the phone. He refused to unlock it because he knew how bad all the stuff was that you’re now looking at.” Plus, if you refuse to unlock your phone, you can be held in contempt and jailed until you agree to unlock it. So unlocking the phone and refusing to unlock it are both going to be used against you either way, and that’s exactly the catch-22 that Article 12 tries to avoid—where you’re in trouble, and potentially incriminating yourself, no matter what you do.

Jang: What do you think the implications of compelled decryption and the Jones decision will be for third-party privacy interests?

Rangaviz: It’s significant. By definition, everything in your phone implicates the privacy of all the people you interact with on a regular basis. The implications are enormous for third parties. That’s the nature of what’s on our phones; we’re all communicating with everyone at all times via different apps and texts and making videos and taking photos, and that’s the problem. There’s no way to cabin the search to just the things that implicate the owner’s privacy and no one else’s.

Of course, the warrant has to be particularized. It can’t just allow an unconstrained review of what’s on the entirety of the phone. That’s a matter of the Fourth Amendment and Article 14 of the Massachusetts Declaration of Rights. But those particularity rules have been pretty lax in how they’re interpreted. Plus, the Fifth Amendment prohibition on compelled self-incrimination is actually about privacy, as many past cases have recognized. So Justice Lenk was correct in her concurrence in Jones that the Fourth and Fifth Amendments cannot live in “splendid isolation.”

But Justice Kakfer’s opinion in Jones says that the source of privacy protection is just the Fourth Amendment, not the Fifth Amendment. If that’s true, you would hope that they would have really robust privacy protections and really robust particularity requirements and, under current SJC doctrine, they just don’t. That’s why it’s troubling, because it can get you into the entirety of the phone and implicate all of your privacy rights and everyone you interact with, so it’s a substantial concern.

Jang: Yes, definitely, especially because a lot of things that are in our phones now don’t really require consent for other people to have their information on your phone. All you have to do is open an app, look at a picture.

Rangaviz: Almost no one remembers passwords anymore. You can imagine a world where you’ve borrowed my phone to check your Gmail and now your Gmail password is stored in my phone, and now the police can get access to all the emails that have ever been logged into by anyone who’s ever used my phone to log into their email. Recently I’ve been working on a case that involves a cellphone extraction and you would be absolutely amazed at how much metadata and residual deleted data can be pulled up by the police when they conduct one of these extractions on a smartphone.

I don’t think it’s beyond the realm of possibility that they could get access to emails or apps for people who just borrowed your phone to check something, and now every email they’ve ever written is subject to police review because maybe I’d committed a crime and unlocked my phone, but the third party just happened to use my phone once in the distant past.

Jang: Then it also extends to the cloud. For people who have iPhones, everything is connected. Somebody has access to just your phone, they also probably have access to everything on your laptop, your watch, if you have an Apple watch. Scary stuff.

Rangaviz: It is scary stuff. Data does not even need to be on the phone to be accessible from the phone. Unlocking the phone for the government gives them access to all of the accounts accessible from the phone, regardless of where the data actually is stored. That level of intrusiveness is why we’re pushing back.

Jang: It’s also like everything that’s going on with Alexa and Echo and all the information that they carry but that’s even scarier, because we don’t know what information they carry.

Rangaviz: We don’t know when they’re listening. It’s called the Internet of Things. These devices that are interconnected. The thermostat that automatically goes to the right temperature the minute it feels your body heat walking into the room. The refrigerator that orders food when you run out of it. The Alexa that’s always listening. These devices are all increasingly becoming mini-computers that are connected to one another and getting all of this information that gives the government a mosaic that can reveal intimate details of a person’s entire life—where you go, who you interact with, what you do. If you have all that data, you can know everything about a person and that’s what the Supreme Court seems to recognize in Carpenter. And that’s what Justice Sotomayor wrote about in her concurrence in United States v. Jones, in the context of GPS monitoring.

If you take all those things together, this interconnected Internet of Things, it’s a pretty chilling world we’re headed towards. It’s a lot of data at the government’s fingertips, that they not only can access directly, but can actually compel you to turn over yourself.

Jang: Could you describe a little more how self-incrimination concerns are involved with a compelled decryption order, and why do you think that Jones decision did not really adequately address these concerns?

Rangaviz: There are obvious self-incrimination concerns. Compelled decryption raises a self-incrimination issue in the exact way I’ve already described. It’s forcing you, on threat of incarceration, to unlock the digital door to all of the contents of your phone—what Riley says has all the private information of your entire life. In addition to all that private information, if there’s suspicion that it could contain incriminating information, you’re also being forced to furnish all of the incriminating evidence that’s on your phone to help a government investigation in which you’re probably the target.

If you read the text of Article 12 of the Massachusetts Declaration of Rights, which is what my article is about, it actually says that “no subject shall … be compelled to accuse, or furnish evidence against himself.” That “furnish evidence” language is very different than the Fifth Amendment, which just says that no one can be “compelled in any criminal case to be a witness against himself.” What Jones says is that, despite its very different text, Article 12 somehow means the exact same thing as the Fifth Amendment. That, in my view, is wrong. Someone who unlocks their phone “furnishes” a mountain of “evidence” that the government will use to obtain a conviction. That language is why I think it’s such an easier and more obvious conclusion that the government can’t have the authority to compel you to unlock your phone, at least as a matter of state constitutional law, because our state constitution reads so differently than the Fifth Amendment. The irony of the heart of the Jones opinion is that they cite this “furnish evidence” language to justify higher standards under Article 12, but they don’t actually analyze what those words mean. Under Jones, you have to give the government the evidence that’s on your phone.

I don’t think there’s any person out there, lawyer or layman, who would think that “furnish evidence” doesn’t mean “give evidence.” But somehow they’ve read that language to only apply to testimonial communications, which is what causes this problem altogether and is why I wrote the article arguing that the doctrine itself has to change.

Jang: Yes, those are great points. Plus, some newer cell phone models do not have options to use traditional passwords but instead require things like…

Rangaviz: Biometrics.

Jang: Fingerprints, right, biometrics. How do you think the Fifth Amendment and/or Article 12 will respond to this in the future?

Rangaviz: That’s the heart of the reason why I think we need to re-examine the underlying doctrine altogether, because if we continue down this path where Article 12 only protects testimonial communications and it doesn’t protect private papers stored on a phone, then we might face a future where citizens have no protection against compelled biometric decryption at all.

Unlocking a phone with your finger doesn’t actually make any testimonial statement. When you enter the passcode to a phone, you’re telling the world “I know the passcode to this phone.” But the fact that you have a thumb, and place it on a given phone, is not saying anything. I can put my thumb on your phone just like I can put it on my phone, your phone won’t unlock and my phone will, but the placing of the finger on the phone doesn’t make any statement about whether the phone will unlock.  When you have technology that enables the government to get every private paper in your life, without even compelling you to make any testimonial statement, then we have to start questioning whether the Fifth Amendment only protects you against compelled testimonial communications. Like I said, I think it’s that much more obvious under Article 12, because it reads so differently.

Going back to the original understanding of the Fifth Amendment and Article 12, they quite obviously don’t apply just to compelled testimony. Everything I’ve read on this is unanimous. They were understood to apply to pre-existing private papers, like the contents of a modern smartphone. But that broader protection has been read out of the constitutional doctrine as a matter of law enforcement necessity—it will be harder to obtain convictions if the government can’t compel you to give over incriminating private documents. But that’s not what these constitutional provisions say and that’s not the history of what they were intended to mean, and if we don’t go back to that understanding then I think the technology is going to render self-incrimination protections obsolete very soon. If all it takes is pointing your phone at your face to unlock it then you’re not making a testimonial statement. All this litigation over compelled passwords is going to be obsolete, Jones is literally going to be wasted ink, because at a certain point passwords don’t exist anymore and it’s just the fact that you have a face or you have a thumb.

Jang: Yes.

Rangaviz: That’s how I see it. Now there are courts that have actually said using your thumb, using your face, they do have testimonial components to them just like entering a passcode. In my article, I describe that position as “admirably incorrect.” Those courts are warping the doctrine to address the obvious absurdity that would otherwise allow technology to render the Fifth Amendment obsolete. If you’re compelling someone to use their thumb to unlock their phone, it certainly feels like that implicates the Fifth Amendment. But what you’re doing there, if you don’t go back and examine first principles in the way I’m advocating, you’re just distorting the doctrine to reach a result that feels right and that is intellectually dishonest, when the intuition is correct but the doctrinal holding is wrong. Instead, when the doctrinally correct holding yields an absurd result, we should question the doctrine itself.

That’s the most troubling component of the march of this doctrine—technology rendering the constitution obsolete. That’s why I think we need to go back to first principles.

Jang: It’s really interesting because I was reading a paper where one of the judges said just what you were saying: the fact that you have a fingerprint and you touch door handles and your fingerprint gets everywhere, that fact alone is why there’s no privacy right to things like biometrics like facial recognition or fingerprints, but I think it’s becoming really outdated now.

Rangaviz: Current doctrine is doing this weird proxy fight over what is testimonial and what isn’t. Is it testimonial to give your passcode or to use your thumb? Who cares. People are not refusing to unlock their phones because they are worried that the government is going to learn something from the act of decryption. These cases are actually about what’s on the phone, so the legal analysis should also turn on what’s on the phone. People refuse to unlock their phones because they care about what’s on the phone and don’t want to give the government access to it.

So the current doctrine is waging this battle over the testimonial aspect of an act of decryption that is totally separate from the reality of what these cases are about. It’s over here in this area that is adjacent to, but actually unrelated to, what we’re really fighting over, which is the contents of the phone. If the doctrine isn’t about the derivative evidence from the act of decryption, it just feels silly.

For example, there’s a whole footnote in Jones saying that the government can compel people to hand over the device in an unencrypted state, but you have absolute constitutional protection against telling the government the code. That’s a distinction only a lawyer could love. They can force you to unlock it, but they can’t make you speak the code. You have absolute protection against telling the government the code, but they can force you under threat of prison to unlock it yourself and then hand it over to them. That just shows how far removed the analysis is from what’s actually going on in these cases.

We’re trying to translate these analog-era doctrines to this new digital context and, in this area at least, it’s just not working. This issue, and why it’s so interesting, is that it’s in this early germination phase in lower courts where there’s already multiple splits between state and federal courts on issues arising from compelled decryption. But there’s still not very many opinions on the issue. There’s a handful, maybe ten to fifteen. That’s why Jones is compelling, because it’s the first case to go up on certiorari to the Supreme Court and we’ll see if they take it.

Jang: Could you describe the foregone conclusion exception and what it looked like in the Fisher SCOTUS case and maybe explain how the exception operates now after the Jones decision?

Rangaviz: The foregone conclusion exception is, from a law enforcement perspective, a necessary corollary to the act of production doctrine created in Fisher. Because if the rule is that you cannot compel any testimonial communications, period, then from a defense perspective, that’s kind of okay. Because what that means is that, even if it’s a different rule, it still has the same effect—no compelled disclosures of documents. What the Supreme Court did in Fisher is they abrogated this case called Boyd from 1886, and what Boyd said is that, basically, it gave the Fifth Amendment the correct scope of protection. It said, “You can’t compel someone to hand over their private papers.”

So, Boyd didn’t limit it to just testimonial communications. It’s also about the derivative evidence that follows from the act of production. Fisher was a case that involved a document subpoena to an attorney for their client’s financial records. The Fisher Court massively narrowed the scope of the Fifth Amendment. They said it only applies to communications that are “testimonial.” So, as to a document subpoena, the documents themselves exist before the subpoena. You’re not compelling any statement about what’s actually contained within those papers by forcing someone to produce them in response to a subpoena, because if the contents of the papers are preexisting and voluntarily created then there’s nothing compelled back at the time you were making those financial documents because it happened weeks, months, years prior to the subpoena.

Under Fisher, the Fifth Amendment is only concerned with the contemporaneous testimonial communication that the target is forced to make at the moment he responds to the subpoena. Fisher said that, when you hand over documents, you’re making a statement about the existence of the documents, the authenticity of the documents, and that the documents fall into the category described in the subpoena itself. But you aren’t making any statement about the contents of the documents, because those contents pre-exist the compelled act of production.

Jang: So if that’s the act of production doctrine, what is the foregone conclusion exception?

Rangaviz: Well Fisher also created this corollary exception to the act of production doctrine called the foregone conclusion doctrine. If the government can show that it already knows any testimony implicit in handing over the documents—their existence, their authenticity, that they fall within the category of the subpoena—then you haven’t added to the government’s case by handing them over because you’ve just told them something they already know. Strictly in the testimonial sense, those statements are a “foregone conclusion” and they can be compelled.

What Gelfgatt did, and that was really the first case from a state Supreme Court on this issue, was it talked about the testimonial aspect of an act of decryption but it was a little bit ambiguous. What it suggested, in some places, is that not only are you, when you unlock your phone with a passcode, are you saying “I know the code” but you also might be saying something about what’s on the phone. That really matters, because it affects what the government has to know and prove to a judge in order to fall within the foregone conclusion exception and compel the decryption.

If the government only has to prove to a judge to get a compelled decryption order that you are capable of unlocking the phone, that’s much easier for them than if they had to prove to the judge that they already know what evidence they will find on the phone. Gelfgatt had, like I said, some ambiguous language on this point. What Jones was about when it started, and when I wrote my first amicus brief, was basically just translating the phrase foregone conclusion into a more recognizable standard of proof.

The SJC solicited amicus briefs on that question, and I wrote an amicus brief that said the correct standard is “beyond a reasonable doubt.” But the same day I filed my amicus brief, the Massachusetts Attorney General’s Office filed their own amicus brief. Their amicus brief said that the solicited question didn’t matter and that what they wanted the court to do was to clean up that ambiguous language in Gelfgatt and make clear going forward that the only testimony implicit in an act of decryption is the suspect making the statement, “I know the code.” And that was exactly what the SJC did in Jones. As a result, that is the only thing the government has to prove to fall under the foregone conclusion exception.

If you think about it, the foregone conclusion exception is pretty unprincipled. For example, it only applies to compelled actions like handing over documents, but not compelled testimony. Otherwise, you would allow the police to force a person to confess because they already know, as a “foregone conclusion,” that he’s guilty. So you can’t apply it to written or verbal communication, just compelled conduct like handing over documents. It just seems like an exception designed to get around the doctrine they’re establishing in Fisher. That’s what happened, that’s what Jones did, and that’s the state of the law in Massachusetts.

And, as I said, there’s a split on that. The Eleventh Circuit says that when you unlock your phone, you’re not only making the statement “I know the code,” you’re also making a statement about what’s on the phone. And so, the government has to prove that it already knows what’s on the phone to be able to force you to unlock it. The SJC in Jones says you’re just making the statement “I know the code,” so that’s all the government needs to show to force you to unlock it. That’s a classic split of authority that calls for higher review. Hopefully, the Supreme Court will intervene and start providing more protection. But it’s still early. Cases are pending on this in the New Jersey, Indiana, and Pennsylvania Supreme Courts. [Editor’s Note: On November 20th, the Pennsylvania Supreme Court decided Commonwealth v. Davis, holding (in a 4-3 decision) that a password cannot be compelled from a suspect under the foregone conclusion exception. The three dissenters agreed with the SJC’s approach in Jones.] Mr. Jones may not get relief, but the issue will reach the Supreme Court one day.

This interview has been edited for length and clarity.

Bios:

David Rangaviz is a staff attorney at the CPCS Appeals Unit.  He clerked for Justice Barbara Lenk of the Massachusetts Supreme Judicial Court, Magistrate Judge John Conroy of the U.S. District Court for the District of Vermont, and Judge Kent Jordan of the U.S. Court of Appeals for the Third Circuit.  Before joining CPCS, Dave worked as a trial attorney at the Maryland Office of the Public Defender and in private practice at Zalkind, Duncan, & Bernstein LLP.

Miranda Jang is a Privacy Law Senior Information Security Analyst at ACA Aponix in Boston Massachusetts. A graduate of Northeastern University School of Law, she concentrated in privacy law, international business law, IP & Innovation, and health law & policy. Miranda is a Certified Information Privacy Manager and was a Legal Researcher for the International Association of Privacy Professionals (IAPP).

Handles: @MirandaRights19