If someone wants to view your photos or contacts on your passcode-protected iPhone they may be able to gain access to the device with Siri.
But if the federal authorities in the US want to see the contents of your phone in the old fashioned way – by asking you your password – they won’t get any help from the judicial system.
So says Judge Mark Kearney of the federal district court in Eastern Pennsylvania who recently ruled that passcodes on all such smartphones are protected by the Fifth Amendment of the US Constitution.
The ruling came as an insider trading case between the Securities and Exchange Commission and two ex-employees of credit card company Capital One drew to a conclusion on Wednesday.
The two men in question – Bonan Huang and Nan Huang – were charged with illegal insider trading. They are said to have used their positions as data analysts – along with privileged information about consumer retail corporations – to make stock market bets on as many as 170 companies, turning an initial $150,000 investment into $2.8 million via illegal profiteering.
When the pair were dismissed by the bank they were forced to return the smartphones they’d been issued, prompting the SEC to request access to the devices so it could search for evidence of their alleged wrongdoing.
The issue, though, was whether the defendants could be compelled to give up passcodes, chosen by themselves, but applied to devices provided by their employer.
Where personal devices are concerned, the answer to that question has generally been a resounding “no,” but the SEC argued that, in this case, the smartphones were actually owned by the company and only provided to its employees.
Under US law, defendants can generally be compelled to hand over evidence, even if it is self-incriminating, if its existence has already been confirmed. What the government cannot do, however, is force someone to grant access to potentially self-incriminating evidence in cases where it has no specific knowledge that the evidence it seeks exists.
So, in this case, the SEC argued that because it knew the smartphones were used by the defendants, asking them to unlock them merely provided access and did not wilfully incriminate them.
Judge Kearney disagreed though, noting in his analysis that the existence of evidence on the devices had not been proven:
The SEC focuses on the contents of the underyling documents contained on the device, claiming without any cited evidence, there are Bank records on the smartphones.
Furthermore, the judge said the fact that the SEC was was asking for passcodes meant it was looking into the defendants’ personal thought processes rather than searching for specific documents on the smartphones.
That, combined with the fact that the bank had asked Huang and Huang (as well as its other employees) to assign their own passcodes to the devices without keeping a written record of them (for security purposes), meant the pair were well within their rights to claim Fifth Amendment protection.
So, unless the SEC can now somehow prove that the handsets do indeed contain incriminating documents, it looks as though the only option available to it will be to appeal the ruling in a higher court.
Until such time as a firm and final ruling is made on passcodes applied to corporate devices, businesses may end up enforcing a policy of fingerprint-only authentication to the devices it hands out to employees – judges have previously ruled that biometric data does not reveal anything a defendant knows and therefore cannot possibly lead to any self-incriminating testimony.Follow @Security_FAQs