The police want your phone data. Here’s what they can get — and what they can’t.
Phones hold gigabytes of potential evidence, but the government’s ability to access them depends on a patchwork of court decisions and laws that predate the technology.
Our lives are in our phones, making them a likely source of evidence if police suspect you’ve committed a crime. But as we’ve seen in recent cases of suspected terrorists with passcode-protected iPhones that Apple refused to help the FBI unlock, it’s not always as simple as getting a warrant and breaking down a metaphorical door.
When the key to unlock your phone is in your own mind or on the tip of your finger, it becomes a legal question that judges have to rely on decades-old, pre-modern-technology precedent to answer. And in many places, this question hasn’t yet been answered.
Here are some of the main ways the government can get information off of your phone, including why they’re allowed and how they’d do it.
Law enforcement wants access to third-party data on your phone. What can it get?
Short answer: Whatever it wants (with the right court order).
Long answer: Depending on what law enforcement is looking for, it may not need physical possession of your device at all. A lot of information on your phone is also stored elsewhere. For example, if you back up your iPhone to Apple’s iCloud, the government can get it from Apple. If it needs to see whose DMs you slid into, law enforcement can contact Twitter. As long as they go through the proper and established legal channels to get it, cops can get their hands on pretty much anything you’ve stored outside of your device.
You do have some rights here. The Fourth Amendment protects you from illegal search and seizure, and a provision of the Electronic Communications Privacy Act of 1986 (ECPA) dictates what law enforcement must obtain in order to get the information. It might be a subpoena, court order, or warrant, depending on what it’s looking for. (WhatsApp actually does a good job of explaining this in its FAQ.) A section of the ECPA, known as the Stored Communications Act, says that service providers must have those orders before they can give the requested information to law enforcement.
But, assuming the government has the right paperwork, your information is very obtainable.
“Basically, anything that a provider has that it can decode, law enforcement is getting it,” Jennifer Granick, surveillance and cybersecurity counsel for the ACLU’s speech, privacy, and technology project, told Recode.
Note that this only covers service providers. If law enforcement wants to get WhatsApp messages you exchanged with a friend from your friend’s phone, it doesn’t need a warrant as long as your friend is willing to hand the information over.
“You don’t have a Fourth Amendment interest in messages that have been received by someone else,” Andrew Crocker, a senior staff attorney for the Electronic Frontier Foundation, told Recode.
If your friend refuses to willingly hand over what the police want, they can still get it — they just have to get a warrant first.
Law enforcement wants access to personal data on your phone. Can they do that?
Short answer: If your phone is protected by a passcode or biometric unlocking features, there’s a chance cops can’t gain access to your personal data. But that’s not guaranteed.
Long answer: In addition to data hosted by a third party, there’s a lot of information that can only be gained from access to your phone. For example, the data in iCloud backups is only as recent as the last time you uploaded it and it only includes what you choose to give it — assuming you back your phone up at all. Encrypted messaging services like WhatsApp don’t store messages on their servers or keep track of who is sending them to whom, so the only way for police to access them is through either the sender or receiver’s devices. And as we’ve explained above, the government can get WhatsApp messages from the person you’re communicating with, but it can do so only if they know who it is in the first place.
So how exactly would someone other than you — cops, for instance — get access to that data? If your phone doesn’t have a password or law enforcement is able to access it using specialized passcode cracking tools like Cellebrite or GrayKey — and they have the necessary search warrant to do so — then it’s all theirs. But if your phone is locked with a passcode and law enforcement can’t hack into it, the Fifth Amendment may be your friend.
Essentially, the Fifth Amendment says you can’t be compelled to give self-incriminating testimony. (This amendment is perhaps known best to you as that dramatic moment on Law & Order when the person on the stand says, “I plead the Fifth.”) Testimony, in this case, is defined as revealing the contents of your own mind. Therefore, civil rights advocates say, the government can’t force you to tell them your phone’s password.
Most courts seem to agree with this, but that’s not always enough. There is what is known as the foregone conclusion exception. That is, a defendant’s testimony is not self-incriminating if it reveals something the government already knew, and the government can prove that prior knowledge. In this case, the defendant’s testimony is a foregone conclusion — a predictable outcome.
So, for phone passwords, the government can and does argue that revealing the password only shows that the phone belongs to the defendant. If the government has enough proof to establish the phone’s ownership, that’s a foregone conclusion that the defendant would also know its password. Some courts have interpreted this to require the government also to show it has knowledge of the specific pieces of evidence that it expects to find on the device.
This exception comes from a 1976 US Supreme Court ruling. In Fisher v. United States, someone being investigated for tax fraud gave documents prepared by his accountant to his lawyer. The IRS wanted those documents; the defendant said that producing them would be self-incriminating and therefore was protected by the Fifth Amendment. The Supreme Court sided with the IRS, ruling that since the existence and location of the tax documents was a “foregone conclusion,” the act of producing them didn’t tell the government anything it didn’t already know.
Obviously, a 44-year-old decision over tax papers doesn’t take into account how information can be stored today, nor how much.
“The EFF’s position is that the foregone conclusion exception is very narrow and should never apply in these passcode cases,” Crocker said.
But without further guidance from the Supreme Court, it’s largely been left up to interpretation by lower courts, with state courts considering their state constitution’s provisions as well as the federal. The result, Crocker says, is “a total patchwork of [decisions from] state Supreme Courts and federal courts.”
For example, in 2019, Massachusetts’ highest court forced a defendant to reveal his phone’s passcode while Pennsylvania’s highest court ruled that a defendant could not be compelled to unlock his computer. Indiana’s and New Jersey’s highest courts are both considering compelled passcode disclosure cases. On the federal side, the Third Circuit Court of Appeals ruled that a defendant could be compelled to unlock multiple password-protected devices, even though the defendant claimed he couldn’t remember his passwords. The Eleventh Circuit Court of Appeals, on the other hand, ruled the other way in a different case.
“It’s very much in flux,” Crocker said. “Eventually, the US Supreme Court could get involved and resolve this.”
There are other ways to protect your phone. Some phones can use fingerprints, facial recognition, and iris scanners to unlock instead of passwords. Law enforcement is allowed to use people’s bodies as evidence against them, for instance by compelling them to participate in suspect lineups or provide their DNA. So, if the police can take your fingerprints, can’t they use them to unlock your phone? Again, courts are all over the map on this.
“The issue with biometrics is, is it testimonial?” Granick said. “The courts have not entirely decided that, but there have been a couple courts recently that said biometrics is basically the modern technological equivalent of your passcode.”
Crocker says courts should consider that the evidence police can get from your fingerprint is much more restricted and known than what they can get when your fingerprint unlocks a phone. So far, though, he says, courts have been more likely to rule that the Fifth Amendment does not apply to biometrics than they are that it applies to passcodes.
Yet another factor to consider here is that, while it’s impossible for police to read your mind and get your passcode, they can hold a phone up to your face or press your finger on it to bypass the biometric lock. And while your lawyer can (and should) argue that any evidence found this way was illegally obtained and should be suppressed, there’s no guarantee they’ll win.
“It’s fair to say that invoking one’s rights not to turn over evidence is stronger than trying to have the evidence suppressed after the fact,” Crocker said.
So, all things considered, if you’re worried about law enforcement getting access to your phone, your safest bet is to just use a passcode.
Sadly, I have died. Law enforcement wants to unlock my phone but they can’t get my password due to my aforementioned death. What happens now?
Short answer: Your Fourth and Fifth Amendment rights generally end when you do. But other parties have rights, too, and those might be enough to keep the government out of your phone.
Long answer: That brings us to Apple’s fight with the Feds. This isn’t about your Fourth or Fifth Amendment rights anymore; for the most part, you lost those when you died. (That said, law enforcement might have to get the right paperwork if they were looking for evidence against someone else on your phone — after all, their Fourth Amendment rights are still intact). If law enforcement can’t get into your device on its own, it may well be the phone’s manufacturer’s rights that come into question.
Attorney General Bill Barr claimed last month that the only way the FBI could access a dead suspected terrorist’s phones is if Apple unlocked those phones. The government has made this argument before. In 2016, the United States tried to use the All Writs Act, which dates back to 1789, to force Apple to create a “back door” that would give the FBI access to the San Bernardino shooter’s locked phone. Apple refused, saying the government could not force it to create “a crippled and insecure product” that it would not have built otherwise. But there was no resolution here, as the FBI was able to access the phone through other means and dropped its case before a court could rule on it. We might get more clarity on the issue, however, if Barr follows through on his threats and tries to compel Apple to unlock the two phones owned by the gunman in the December 2019 shooting at a Pensacola, Florida, naval air station.
You may have noticed by now that, while many of the cases concerning phones and passcodes are recent — some are even still making their way through the legal system — the cases cited to make legal arguments are decades or even centuries old. The wheels of justice turn slowly, and judges are often forced to use decisions about access to pieces of paper to inform their rulings about access to devices that hold tremendous amounts of personal information: who we talk to, when, and about what; where we were yesterday, last month, or three years ago; what we spent money on or got money for; our calendars, photos, emails, and contacts. These devices hold tens or even hundreds of gigabytes of data on almost everything about us.
You may not be able to control what law enforcement can get from someone else or what they do with your phone once you’re dead. But, with so much uncertainty surrounding what the government can force you to do with it when you’re alive, it’s a good idea to check out your legal options before handing over that passcode.