nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Smartphone passcodes protected by the Fifth Amendment – US court

Fingerprint mobe locks, however … not so much

By Iain Thomson, 25 Sep 2015

The Feds can't make suspects give up their company-issued smartphone passcodes because doing so violates the Fifth Amendment of the US Constitution.

So ruled Judge Mark Kearney of the federal court in East Pennsylvania in the case of Securities and Exchange Commission v Huang, an insider-trading case brought against two ex-Capital One bank workers. While that's good news for the defendants, Bonan Huang and Nan Huang, it's very bad news for prosecutors.

The pair stand accused of running an insider-trading scam while they were employees of the bank from November 2013 to January 2015. The two ex-analysts are accused of using the financial institution's internal records to make stock market bets on as many as 170 companies, which turned a $150,000 stake into $2.8m of investments.

Capital One gave the two staffers smartphones but, as a security measure, let them pick the passcodes themselves. When the duo were fired by their bosses they handed back the mobiles, which the SEC – America's financial watchdog – wants to access to check for evidence.

The Pennsylvania court ruled on Wednesday that forcing the pair to unlock the passcode-protected devices would violate their constitutional rights – specifically the Fifth Amendment, which spells out the right against self-incrimination.

"We find, as the SEC is not seeking business records but defendants' personal thought processes, defendants may properly invoke their Fifth Amendment right," the judge wrote in his analysis [PDF].

"Absent waiver of the confidentiality attendant to this personal thought process, we cannot find the personal passcodes to the Bank's smartphones to be corporate records falling under the collective entity cases. We find Defendants' confidential passcodes are personal in nature and Defendants may properly invoke the Fifth Amendment privilege to avoid production of the passcodes."

Kearney also noted that the SEC hadn't actually proven that the smartphones in question held documents pursuant to the case. Since there's no way for the SEC to prove that incriminating documents are on the handsets, the agency can't force defendants to hand over their codes.

Oddly enough, this wouldn't be an issue if the smartphones in question used a fingerprint access system, rather than a passcode. Last year, a court ruled in Virginia that cops could force a suspect to unlock their phone using a fingerprint, since this is no different from being fingerprinted at a police station or giving a DNA swab.

It's a very fine legal distinction. A passcode is a thought process, which does get Fifth Amendment protection, whereas a biometric identifier is out in the open.

The SEC is bound to appeal the case and go to a higher court on this one. It's likely that the Supreme Court will eventually have to hear the case, but in the meantime, passcodes are protected. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing