Pa. Supreme Court: Compelled Disclosure of Password Violates Fifth Amendment

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor LLP

 

The Supreme Court of Pennsylvania recently addressed the novel question of whether a person can be compelled to provide a password to allow law enforcement to access the contents of an encrypted device. Reversing an order of the Superior Court, the high court found in Commonwealth of Pennsylvania v. Davis, No. 56 MAP 2018 (Pa. Nov. 20, 2019), that compelling such disclosure violates the right against self-incrimination under the Fifth Amendment of the U.S. Constitution.

 

State investigators used internet-provider subscription information to connect defendant Joseph Davis to an internet-protocol address that allegedly was used to share child pornography on a peer-to-peer file-sharing network. When investigators executed a search warrant and seized a desktop computer, Davis acknowledged that he used it to watch pornography, that he had previously been arrested for child pornography, and that the computer was protected by a password that he refused to provide.

 

The Commonwealth charged Davis with disseminating child pornography, among other charges, and filed a motion to compel Davis to produce the computer’s password. Davis invoked the Fifth Amendment privilege, which protects against the forced provision of evidence that is self-incriminating and testimonial in nature. The trial court granted the Commonwealth’s motion to compel, based on the “foregone conclusion” exception recognized by the U.S. Supreme Court in Fisher v. U.S., 425 U.S. 391 (1976). Fisher held that requiring certain defendant taxpayers to produce documents they had provided to their attorneys did not involve self-incriminating testimony, in that the government was not relying on the “truth-telling” of the defendants to establish that the documents existed, were accessible to them, and were authentic, because the government already knew these facts. The Superior Court affirmed the trial court’s grant of the motion to compel.

 

On appeal to the Pennsylvania Supreme Court, Davis argued that production of the password was similar to providing the combination to unlock a safe or briefcase, which precedent held was testimonial in nature. He also argued that the “foregone conclusion” exception does not apply to computer passwords; instead, the exception applies only to documents that third parties could authenticate, rendering the defendant’s production of the document not a “truth-telling” endeavor. The Commonwealth counter-argued that the “foregone conclusion” exception logically applied to providing the password to an encrypted device because the “testimony” inherent in production of the password was a foregone conclusion.

 

The Pennsylvania high court reviewed the case law on the Fifth Amendment privilege, finding that it reveals a physical/mental production dichotomy: a person can be compelled to produce a physical key to a locked box, but not to reveal the combination to a safe. The court concluded that compelling disclosure of the password is testimony, because it requires one to reveal a memorized password and thus involves the contents of one’s mind. Additionally, the “foregone conclusion” exception is narrow, having been satisfied only once in 40 years of cases since Fisher, having not been extended beyond the context of business or financial records, and having never been applied to oral testimony. Accordingly, the Pennsylvania Supreme Court reversed and remanded the matter.

 

Three dissenting justices would have held that the “foregone conclusion” exception applies to compelled disclosure of a password for an electronic device. Because the Commonwealth already had evidence of Davis’ guilt (from his own admissions), the password was needed merely to execute a lawfully obtained warrant, as opposed to requiring Davis to reveal his mental processes. The dissent also noted that the majority holding could produce inconsistent holdings with respect to passwords that rely on biometric features, like thumbprints or facial scanning, rather than memorization. The majority noted that only the latter situation was before it.

 

Davis adds to a line of precedent establishing that there may be greater legal protection for memorized passwords than for biometric-based passcodes. Just as one can be compelled to provide physical evidence like blood or DNA samples, one can be compelled to place a finger on a screen to unlock a fingerprint-based biometric password. Davis seems to apply to the situation where a password is not written down or obtainable from another physical location. It implicitly acknowledges the inherent challenges in obtaining a memorized password: even if a court were to order a defendant to produce the password, whether the defendant will (or perhaps even can remember and) provide it is a different story.


Sara Beth A.R. Kohut counsels clients on issues relating to privacy, cybersecurity and data protection and works collaboratively to craft strategies for protecting information assets. She writes and speaks frequently on data protection and technology developments.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

