Yottabytes: Storage and Disaster Recovery

Sep 30 2015   1:06PM GMT

Do You Have to Give Up Your Phone Password? Not This Time

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
privacy
Security

Here we go again. Is an encryption key more like a physical key or the combination to a safe?

Courts have been deciding back and forth on the issue for several years now and, most recently, have decided that a phone password is more like the combination to a safe.

It matters because something that is the expression of one’s mind, like the combination to a safe, is protected under your Fifth Amendment rights not to incriminate yourself. A physical key, something you possess, is something you can be forced to produce.

This all came up when the Securities and Exchange Commission (SEC) began investigating Bonan and Nan Huang (who are not related to each other) for insider trading, writes Orin Kerr in the Washington Post.

“The two worked at the credit card company Capital One as data analysts,” Kerr writes. “According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.

“Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.”

But the SEC has been thwarted by Judge Mark Kearney, which ruled that the passwords were indeed protected by the Fifth Amendment. Exactly why is a very long how-many-angels-dance-on-the-head-of-a-pin discussion that lawyers love to have. But it boils down to whether the SEC actually wants the password itself, or access to the documents. And since it wants access to the documents, the proper way to approach it is to have the defendants enter the password, providing access to the documents but without revealing the password, Kearney writes.

And for people debating between company-provided cellphones and BYOD, that angle is involved, too: Is a password to a company-provided cell phone considered a corporate record? If it were, then the Fifth Amendment wouldn’t apply, but Kearney doesn’t believe it is.

Indeed, because Capital One specifically told the analysts to keep their passwords secret and not write them down, that made them products of the mind and not corporate records, Kearney writes.

As with other cases of this ilk, it’s likely that, eventually, the Supreme Court is going to need to rule on the issue.

To add an additional wrinkle, recall that a suspect can be forced to give up a fingerprint, if that’s being used to secure the phone. That’s because a fingerprint is something you have, similar to the way that you can be compelled to give up a blood sample to test for alcohol. (Consequently, what you’d want in an ideal is to protect a phone both through encryption and a fingerprint, but not all phones can do that.)

So all that business about not writing down your password? Turns out it was more right than you knew.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: