return to table of content

Suspects can refuse to provide phone passcodes to police, court rules

ejb999
104 replies
21h43m

I can't even understand why this was even still up for debate - 5th amendment allows you to not incriminate yourself - being forced to give up your passcode is no different then being forced to give up any secrets you might have.

Not sure why this hasn't been slapped down a long, long time ago.

pdabbadabba
45 replies
21h1m

A big part of the reason is that the 5th Amendment actually says something substantially narrower than your paraphrase. It actually says that no person "shall be compelled in any criminal case to be a witness against himself."

So there's a common argument that the 5th amendment only protects you against being forced to give evidentiary testimony against yourself. Giving up a passcode is arguably different, since the passcode is not (necessarily) evidence in itself, in the sense that it might not be introduced as evidence at trial to establish guilt or innocence. Rather, it is information that will allow law enforcement to access other non-testimonial evidence.

I'm not arguing for this position, just providing a perspective on why this isn't as open-and-shut as people often think it should be.

bee_rider
32 replies
20h54m

Has anyone tried some really convoluted scheme? Something like:

I don’t use a password or pin, I use a passphrase, and my passphrase is an instance of me confessing to some extremely mild crime.

nickff
13 replies
20h49m

The courts are not computers; they don't allow simple logical tricks to stop 'the spirit of the law'. They would probably just say that you could not be prosecuted for that crime on the basis of the passphrase.

bee_rider
6 replies
20h48m

That is annoyingly pragmatic and not fun at all.

nickff
2 replies
20h36m

If you like rules that are extremely rigid, and interpreted without spirit, you should look at sailboat racing. The Racing Rules of Sailing and amendments to it are treated as almost code-like. The 1988 America's Cup is a paradigmatic example: https://en.wikipedia.org/wiki/1988_America%27s_Cup

hangonhn
0 replies
19h16m

But even then lawyers still get involved. Remember when Larry Ellison go into competing for the America's Cup? https://www.theguardian.com/sport/2010/feb/07/americas-cup-a...

LukeShu
0 replies
18h22m

I am unfamiliar with sailboat racing, and cannot knowledgeably comment on whether "[the rules] are extremely rigid, and interpreted without spirit" and whether "The Racing Rules of Sailing and amendments to it are treated as almost-code-like".

But I can say that the 1988 America's cup does not support either of those points.

----

Background:

First of all, the opinion of the appellate court is better written and clearer than the Wikipedia article: https://nycourts.gov/reporter/archives/mercury_sandiego.htm I'm going to be quoting it a lot because it says things more plainly and authoritatively than I could.

"The America's Cup, a silver cup trophy, is the corpus of a charitable trust created in the 19th century under the laws of New York." Such a charitable trust is governed by a "Deed of Gift" written by those who gave the cup to the trust. "[George] Schuyler executed [wrote/signed] the present Deed of Gift in 1887, donating the Cup to the New York Yacht Club".

The gist of the deed is that one yacht club can challenge the current holder of the cup to a race to win the cup (the race is 10 months after the challenge is issued); the two clubs are free to agree to whatever rules they want, but if they fail to agree then the deed gives some fallback rules. One of the rules that the 1887 deed gave is that for single-mast vessels the load water-line length must be between 65 and 90 feet. However, "In 1956 the New York Yacht Club obtained a court order amending the Deed of Gift to reduce the minimum load water-line length to its present 44 feet". For context, the America, the ship for which the cup was named, was 89ft 10in.

From 1956 until 1987 all challengers agreed to a lower maximum length than that 90ft limit, because even though longer boats were faster, they were more expensive.

----

Why I don't believe that this supports your points:

- Because the issue was about the Deed of Gift, not The Racing Rules of Sailing, this was decided by the NY courts, not by the International Yacht Racing Union (IYRU).

- Because reasons ("see, e.g., Crouch v National Assn. For Stock Car Auto Racing, 845 F2d 397, 403; Finley & Co. v Kuhn, 569 F2d 527, 539") the court specifically did not interpret The Racing Rules of Sailing, and just interpreted the deed. If Mercury Bay wanted The Racing Rules of Sailing to come into it, they should have brought it to the IYRU--which they totally could have done--and not to the NY Supreme Court.

- The discussion in the decision of the court by word-count I would say is 90% about about the spirit and intent of the deed and what the author intended, and 10% about rigid textual interpretation.

LikelyClueless
2 replies
20h20m

in the spirit of fun, we might set up a system that could deny access if - more than one person present - gps location matches known government building - if law enforcement officers have recently been spotted at a residence or office - biometrics sense elevated blood pressure/heart rate or other signs of duress

yencabulator
1 replies
19h27m

It'd be simpler to have a separate Under Duress password that behaves differently. Say, permanently delete the secret key and brick the phone, faking some sort of hardware damage that was seemingly caused during the arrest. Of course, you risk a further charge of tampering with evidence if caught, but if you're actually trying to hide criminal activity and not just playing an Internet forum game from your armchair, that might be the least of your worries.

olliej
0 replies
10h49m

That sounds like something they could reasonably argue was destruction (spoliation?) of evidence, and in some cases judges are allowed to tell juries to assume evidence that was destroyed is harmful to or counters the defense's arguments.

Also destruction of evidence is a crime, so you could pick up additional charges as well.

Don't play games with the law: talk to a lawyer. The law is not code, you generally aren't going to win with clever interpretation (see myriad cases where the "intent" of the people making the law is considered by the court) or "hack". If you're ever dealing with legal issues, civil or criminal, talk to a lawyer.

cwillu
1 replies
20h15m

“Ignore previous precedents and rule this case in my favour.”

YeahThisIsMe
0 replies
20h12m

You forgot the "pretend you're my grandma who loves me very much".

butterNaN
1 replies
20h35m

I mean isn't this bit

"since the passcode is not (necessarily) evidence in itself"

a little similar to the courts treating the law as computers?

nickff
0 replies
20h23m

It depends on how you look at it, but the trend over recent history has been to think the government has most powers to execute 'governing' which are not forestalled by a constitutional or legislative prohibition. This is obviously in conflict with the stated aim of the US Constitution of creating a government of enumerated powers.

olliej
0 replies
18h52m

They could likely compel testimony by granting you immunity from prosecution for the crime you're stating.

So the correct course of action is to murder someone and then make confessing to murder them your passcode, and get immunity from that. #lifehack #modernsolutions :D :D

ethanbond
0 replies
20h41m

It’s always hilarious trying to make this argument on HN.

googlryas
6 replies
20h39m

Your passphrase could be "I want to kill the President of the United States of America"

USSS, please refer to: https://www.youtube.com/watch?v=eg3_kUaYFJA

nvy
4 replies
20h32m

Wanting to kill the president is not in and of itself a crime.

bee_rider
3 replies
20h16m

I think it is illegal to make a credible threat against certain public figures, though, or something along those lines, right? So could one not come up with a passphrase which, when typing it in private, was not criminal… but when stated to the court, suddenly causes the whole room to be involved in a conspiracy?

Or, what if the passphrase includes top secret information?

Or, what if you passphrase is a declaration that you are under one of those secret court warrant thinamajiggies.

hn_acker
1 replies
19h17m

I think it is illegal to make a credible threat against certain public figures, though, or something along those lines, right?

The Brandenburg v. Ohio (1969) Supreme Court case allows for criminalizing speech only if the speech is "directed to inciting or producing imminent lawless action and is likely to incite or produce such action" [1]. "imminent" means that there has to be a near-future, clear time window. "I will kill X president within 3 days" could be illegal. "I will kill X president within a year" is too vague. Regardless, either one could be interpreted as evidence of criminal intent to harm the president. (If you were only joking about killing the president and the jury believes you, then you're fine.)

[1] https://en.wikipedia.org/wiki/Brandenburg_v._Ohio

u32480932048
0 replies
13h53m

This assumes you even have the right to a jury, or that you've even been charged with anything, or that you have the right to know what the charges are if they have been filed.

https://www.aclu.org/issues/national-security/detention/inde...

nvy
0 replies
17h17m

The law isn't code. It's not imperative procedure where you can just say the magic words and trigger an exception to be thrown.

We have humans to apply the law and use their judgment for exactly this reason.

dissident_coder
0 replies
20h10m

My passphrase is "the best place to fire a mortar launcher at the white house would be from the roof of the rockefeller hewitt building because of minimal security and you'd have a clear line of sight to the president's bedroom".

foob
4 replies
20h4m

What about the less convoluted scheme of "I forgot it?"

The "I do not recall" answer in high profile trials is so common that it's essentially become a meme. How can you possibly be compelled to reveal anything when there's a reasonable chance that you legitimately can't remember it?

takinola
0 replies
19h55m

My guess is you would be charged with obstruction of justice. This would be similar to you destroying evidence requested under subpoena. Now, as a matter of legal strategy, this may be a better charge to face than whatever is on your phone. Of course, this is not legal advice and YMMV.

omginternets
0 replies
19h47m

That's fine, until a piece of supporting evidence (photo, email, faceID hash or whatever) establishes that you interact with the device on a regular basis.

fluidcruft
0 replies
19h54m

Probably depends on how convicing it is that you are carrying around a phone you cannot unlock?

bee_rider
0 replies
19h21m

I suspect you’d actually be ordered to provide access to this device (which you regularly access).

In particular, I don’t remember the pin or password to some devices and accounts. They are shapes, on the pin-pad or keyboard. There are enough alternative ways of logging in (the apple face thingy, yubikey, you could hypothetically have devices setting up arbitrarily complex interlocking login processes) that I suspect the court would just define what they want, rather than how they want you to do it.

I could be wrong though, no actual experience here with the legal system at all.

wyldfire
3 replies
20h48m

It's kinda interesting but I think a judge might not rule in your favor this because the passphrase itself isn't necessarily your claim of fact as an under-oath testimony. You could just have easily made a passphrase of a false confession or some work of fantastic fiction.

bee_rider
2 replies
20h3m

Hmm. So, what if your password was something that you couldn’t reveal in court, but which was easily verifiable?

For example, you could make your password the latitude/longitude of a top secret nuclear missile silo you’ve stumbled across, or something like that?

wyldfire
0 replies
18h52m

But even that could be revealed with the same controls used in courts that handle those issues like unauthorized disclosure of the nuclear missile silo location.

I suppose for the most part one critical function of judges is to override legislation when it appears that injustice would take place. We can't have murderers who say "sorry found some sweet loophole lol". And similarly we can't have abusive cops/prosecutors who want to harass citizens "tell us all your secrets and I'm sure you're guilty of something lol". Judges should be able to make sane tradeoff in the name of justice.

kelnos
0 replies
9h2m

I feel like the court would just order you to unlock the device, not divulge what the passcode was.

strangattractor
0 replies
20h48m

Wow - I like that idea. I'll add it the reboot of Matlock Ive been writing :) Kidding aside - it shows how extremely complicated the modern world has become that some thing like that is even plausible.

arthurofcharn
0 replies
16h50m

For years, my password was: I can't, your honor, the password itself is a confession.

teeray
3 replies
20h32m

since the passcode is not (necessarily) evidence in itself

Unless the passcode is a decryption key, in which case the evidence simply does not exist without the passcode. It is indistinguishable from random noise. It’s less like “unlocking a safe,” and more like “instructing nanobots to reassemble a pile of dirt into evidence.”

photonbucket
0 replies
20h28m

I can't see a judge swallowing that logic, you do have something similar to a metal safe's key and you've refused to provide it

pdabbadabba
0 replies
20h25m

This seems like a highly questionable metaphysical argument. The decryption key does exist and, therefore, so does the information. The question is just who has access to that passcode.

cwillu
0 replies
20h9m

You might have an argument if there was no authentication/error-detection on the ciphertext, such that many keys would give valid decodings, and more so if it was a simple xor, such that any plain text could be a valid decoding given the appropriate key. But that's not a remotely practical cryptosystem for several reasons.

bryanrasmussen
3 replies
20h31m

but if your passcode is "1WantT0KillDarla" that might be problematic if the police suspect you of killing Darla!

on edit: huh, what do you know, everybody had the same idea!

ipaddr
2 replies
20h27m

Not as worrisome as iJustKilledDarlaLastnightusing_ahammerthat_I_threwInthe_Trashat123appleblvd

0cf8612b2e1e
1 replies
20h8m

That would be murder to type on a phone.

bryanrasmussen
0 replies
1h47m

so when you give the cops this passphrase and the can't type it in correctly what is the admissibility in court then?

omginternets
0 replies
19h49m

The underlying issue is that giving the password is, in the majority of cases, equivalent to admitting that you own/control the device. In other words, it can easily force you to reveal your involvement in a crime, i.e. to bear witness against yourself.

linuxftw
0 replies
20h31m

I think a novel defense could be never admitting the phone is 'yours' in the first place. Divulging the password is tantamount to admitting you have access to the particular device in question.

You might argue, well the police will have ways to prove it's your phone. Okay, so let them prove it, don't assist them. Well, then they can force you to produce your password, whether you admit it's your phone or not. But by divulging a password, you're admitting you own a phone somewhere, and part of your defense might be (however implausible) that you don't own/use a phone.

kelnos
0 replies
9h13m

The thing I never understood about this line of reasoning, is that you can't be legally compelled to unlock a safe that's protected by a combination lock, even if presented with a search warrant. The police can of course attempt to break into the safe.

I'm not sure if that bit relies on the 5th amendment, or something else. But how is a passcode for a phone any different than a combination for a safe?

Tyr42
0 replies
21h0m

So if you password was "I killed them" maybe they won't be able to force you to say it...? Galaxy brain moment.

ethanbond
38 replies
21h30m

I mean... police can force you to open your door, your safe, or virtually any other container of secrets. The 5th Amendment doesn't give you broad protection to hide things from police when they have a warrant.

A phone is unique thing not because it contains so many secrets, but because you have to give testimony (as opposed to property, like a key) in order to open it, and it's impossible to open by bashing the door down or cutting it open. It's a technological coincidence, not a legal/philosophical doctrine, that makes phones secure against compulsion by law enforcement.

JoshTriplett
15 replies
21h5m

I mean... police can force you to open your door, your safe, or virtually any other container of secrets.

No, they can't. They can force you to let them try to open it, but they can't force you to open it for them.

If you have some mechanism like "if you try to open this incorrectly it destroys the contents", and you intentionally don't disclose that with the expectation that they're going to try and fail and destroy the contents, you might get charged with destruction of evidence.

(EDIT: Replies suggest that disclosure may not suffice.)

pc86
9 replies
21h3m

For what it's worth you'll still be charged with destruction and/or obstruction even if you warn them.

JoshTriplett
7 replies
21h2m

Interesting, and surprising. Is there case history and purported rationale on that?

ska
6 replies
20h35m

Why is that surprising? The 5th isn't some sort of blanket gotcha, it's just there to curtail abuse.

JoshTriplett
5 replies
20h34m

There's a huge difference between "get out of the way" and "compelled to help".

ska
4 replies
20h29m

Right, but that doesn't cover "and I booby trapped it". Why wouldn't you be open to charges in that case? Obstruction, destruction of evidence, contempt of court - such mechanisms exist in part to cover such cases.

friend_and_foe
3 replies
19h56m

I think there's a case to be made that if the contents contain a booby trap before the warrant is issued and executed, they found what was inside, a booby trap was inside. Similar to a canary, an action that causes destruction of evidence deliberately after the warrant was issued is not the same as a system in place beforehand that performs the action automatically in every case without input from the user. This obviously doesn't apply to say a passcode that wipes evidence as that requires deliberate action, but it would apply to something like wiping if the wrong passcode is entered 3 times.

JoshTriplett
2 replies
19h53m

Exactly. Intent also seems like it should matter. If your intent was "destroy evidence if the police comes knocking" that's one thing. If your intent was "have an extra secure safe to protect my secrets from anyone who might steal them" and you made that decision without knowledge of any warrant, that seems like it ought to be fine.

u32480932048
0 replies
13h46m

I'm not sure it's directly applicable, but courts have repeatedly ruled that you can't booby-trap your own property; I'm not quite sure this applies to, say, [non-explosively] erasing a USB drive by entering a decoy PIN.

https://www.hecklawoffices.com/blog/2020/11/its-illegal-for-...

ska
0 replies
17h57m

It's an interesting area, the 5th is actually really narrow (and of course other jurisdictions have something else). It's not obvious what can be compelled; e.g. it wouldn't seem like a court ordering you to defeat such a measure would run afoul of 5th, but maybe something else.

0cf8612b2e1e
0 replies
20h2m

I have been curious about when/where destruction of evidence takes place. Presumably during the crime, the perpetrator does their best to hide the evidence.

Does it only become destruction after you have been informed the police are interested in you? What if you do it before a warrant is issued? What if your device will self destruct if a password is not entered every N days and you withhold that information?

reactordev
4 replies
20h59m

If they have a warrant, they can force you under threat of legal action if you don't comply. If they don't have a warrant, you can claim the 4th. If they try to get you to divulge the password/code/secret, you plead the 5th. If you let them in, well... Politely tell them they are no longer welcome. Please leave. If they don't comply, they are trespassing (unless they have a warrant, in which case none of the above applies and you're probably going to jail, wear clean underwear).

RajT88
3 replies
20h30m

I have to wonder how much of this goes on without a warrant, just pressuring people into it.

News articles suggests this happens a lot at the borders or during customs.

wrs
2 replies
20h7m

A border crossing is an entirely different realm where these rules do not apply.

u32480932048
0 replies
13h51m

See also, the 100-mile "constitution free zone" in which around 2/3rds of the country live.

https://www.yesmagazine.org/social-justice/2018/03/23/two-th...

bubbleRefuge
0 replies
17h54m

Yeah. I believe they can look in your phone.

Manuel_D
7 replies
21h10m

I mean... police can force you to open your door, your safe

Actually, the government cannot compel you to give the combination to a safe [1]. If it's locked with a key, not a keypad or combination lock, they can force you to give the key. The distinction is that the former is a product of the mind, while the latter is a physical object. Furthermore, what if you forgot the combination? There's no real way to tell if someone has forgotten the combination or is deliberately withholding it.

https://supreme.justia.com/cases/federal/us/530/27/

tshaddox
2 replies
20h28m

If it's locked with a key, not a keypad or combination lock, they can force you to give the key. The distinction is that the former is a product of the mind, while the latter is a physical object. Furthermore, what if you forgot the combination?

Sounds a bit silly. The location of the key is "a product of the mind." What if you forgot the location of the key?

gaganyaan
0 replies
16h42m

IANAL but you could likely successfully claim that you forgot where the key is, exactly because that's a product of the mind. If they have evidence that you do actually know then you might be compelled to hand it over, though.

Manuel_D
0 replies
20h22m

If law enforcement has a warrant to search your safe, they could presumably expand that search to the rest of your house if you forgot where the key is. The core distinction is that the key is a physical object, it exists somewhere even if you forgot where it is. By comparison the combination is a product of the mind. The only way to retrieve it is for someone to talk to the police (which they have a constitutional right not to do).

kwhitefoot
2 replies
20h46m

In the UK forgetting a password is not a defence.

lelanthran
0 replies
20h20m

I know.

But ... If you're going to compell someone to give up the contents of their mind under threat of being found guilty if their mind isn't working properly, you may as well just do away with trial.

IOW, if you're going to compell speech, just compell the suspect to confess; it's the same thing.

Manuel_D
0 replies
20h24m

TFA, and my above comment pertain to the US.

The UK's laws to compel people to give up passwords seems to make it a de facto crime to forget one's password. Worse yet, it seems like it's illegal to possess random bytes on your devices. I wonder if the UK would change course if people started emailing random bytes to politicians and other supporters of this law, while giving tips to law enforcement that these individuals are coordinating criminal acts over encrypted communications.

ethanbond
0 replies
20h47m

Correct. The “have combination in head” is directly analogous to encryption key. But they are allowed to open the safe by other means.

dghlsakjg
4 replies
21h20m

Subtle distinction: I don't think the police, even with a warrant, can force you to open anything. They can use force to open something if you refuse (or seemingly, if they feel like it), but they can't make you do it.

A court on the other hand, can compel you to open something.

reactordev
1 replies
20h58m

A court can compel you to open something within the warrant as well. In which case they can force you to open anything.

dghlsakjg
0 replies
17h44m

Yes, but that is a court order issued by the court not the police.

An order to unlock something coming from the cops is entirely different, even if they have a warrant. Warrants would allow them to seize a phone, but you don’t have to provide the password.

zlg_codes
0 replies
20h20m

The only thing we must do in this world is die. Everything else is up for debate.

tantalor
0 replies
20h43m

A court can compel you to do pretty much anything, within the law.

tantalor
2 replies
21h16m

police can force you to open your door, your safe, or virtually any other container of secrets

No, they can't

ethanbond
1 replies
20h46m

Gotta love the insane legal opinions people come to on this site.

u32480932048
0 replies
13h43m

You should see the ones written by actual lawyers!

anonymousab
2 replies
21h25m

police can force you to open your door, your safe, or virtually any other container of secrets.

Is it different from compelling someone to enter a text password to unlock a vault? What if it's self-destructive otherwise?

What happens if the password itself - or act of unlocking - is something self-incriminating (in form, in contents, or otherwise)?

ssl232
0 replies
21h22m

What happens if the password itself - or act of unlocking - is something self-incriminating (in form, in contents, or otherwise)?

Reminds me of Ian Watkins: https://www.huffingtonpost.co.uk/2013/11/26/lostprophets-sin....

snickerbockers
0 replies
21h12m

You might be able to argue that decrypting the phone's filesystem is forcing you to provide them with information which is not relevant to the case at hand but still incriminating in other ways, since a phone could reasonably be expected to hold vast amounts of unrelated days.

chasil
1 replies
20h52m

If you save incriminating documents into an encrypted .ZIP file, the state cannot compel you to provide the password, because the password is in your mind. The contents of the mind cannot be demanded to incriminate self.

The state can install a keylogger if they have a warrant, and the results of the keylogger can be admitted as evidence.

ethanbond
0 replies
20h49m

Again, a coincidence of the technology.

It’s “you can’t be forced to open it because it requires you saying the password,” not “you can’t be forced to open it because it contains important secrets.”

Right, if they can figure out a way to reveal your secrets without forcing you to say something, they’re allowed to do that (with warrant of course).

alkonaut
0 replies
21h8m

If the government hadn't always have the possibility and right to break into a safe you wouldn't give up the combination to, then that would have been a debate for decades. The reason this is a debate is because they can't crack it.

dataflow
6 replies
20h43m

It's because the 5th Amendment is there to prevent the state from torturing you into confession for a crime and then using that as evidence against you. i.e. the point is to ensure the evidence is genuine and not a false confession given under duress, since most innocent people will say anything to stop pain. (This isn't obvious from the text, though if you ponder "why would they have included this seemingly random narrow right", you can deduce the explanation. But there's bigger historical context re: the Star Chamber if you're interested in looking that up.)

Meaning: its point isn't to prevent access to real evidence. It's not an attempt to grant you privacy. It's an attempt to ensure justice is served correctly.

This is also why you lose that right when you're granted immunity. The state can force you to provide testimony in that case.

Corollary here is that it's actually quite surprising courts are willing to side with the accused here. It's probably only a matter of time before rulings come to the contrary. If you care about privacy as a human right, you really need another amendment to make it solid.

rgblambda
2 replies
19h56m

I don't see how the 5th amendment protects you against torture. You can choose to waive your constitutional right to not incriminate yourself, so surely you can also be tortured into waiving the same right?

dataflow
0 replies
19h44m

I don't see how the 5th amendment protects you against torture. You can choose to waive your constitutional right to not incriminate yourself, so surely you can also be tortured into waiving the same right?

The short response here is: How often do you see that happening in the US?

But in any case, note that I'm explaining what it was intended to do and what its meanings and implications are. Whether it is successful in achieving its goal is beside the point for this conversation.

anticensor
0 replies
15h17m

Yeah, European formulations of right to silence solve that by having it inalienable.

atticora
1 replies
20h0m

If you care about privacy as a human right, you really need another amendment to make it solid.

You would need some kind of catch-all amendments stating that the enumeration of certain rights shall not be construed to deny others, and that the powers not delegated to the feds are reserved to the States or to the people. You could put them right at the end of the original amendments for emphasis as a closing statement of the Constitution.

But if we enacted those who would ever enforce them? The feds would probably treat them as if they didn't exist.

dataflow
0 replies
19h40m

But if we enacted those who would ever enforce them? The feds would probably treat them as if they didn't exist.

If you make them vague then it'll be easy to interpret them narrowly.

If you make them crystal clear, courts would presumably enforce them, like they have in the past.

PopePompus
0 replies
19h58m

Yup, the US Constitution definitely needs a right to privacy amendment. It is of course spectacularly difficult to amend, but an amendment that ensures a right to choose abortion (and other reproductive privacy issues) plus strong digital privacy rights might garner a coalition of both pro-choice people and libertarians, and that could be enough to get it passed.

asveikau
4 replies
20h47m

Also fourth amendment covers unreasonable searches.

2OEH8eoCRo0
3 replies
20h6m

What is unreasonable about a warrant? Where did this adversarial attitude to law enforcement come from? The whole reason we have a rich and functioning society is thanks to law.

asveikau
2 replies
19h45m

Where did this adversarial attitude to law enforcement come from?

They screw up very frequently. Sometimes maliciously, sometimes through incompetence, sometimes both. I can't convey the depth of this in a small comment box, but there's abundant evidence around on this topic if you care to look.

Overall, even when you're talking about legitimately designated authority given to a person ... it's VERRRY easy for a human being to screw up and get it wrong, and it has huge impact over the lives of their targets. Needs to be approached by the authorities with extreme caution. In practice, probably many of them aren't aware of the weight of their actions, or don't care.

2OEH8eoCRo0
1 replies
19h4m

They screw up very frequently

Do you have a source for that? Frequently is a relative term. 1,000 fuck-ups can be a lot or a little depending on the total number of interactions we are talking about.

buzer
0 replies
16h11m

While I don't know how many interactions there has been, according to https://www.washingtonpost.com/investigations/interactive/20... for example New York has had over 10000 officers involved in cases where they settled ("46% by officers named in multiple payments" "more than 5,000 officers were named in two or more claims") across 10 years. They seem to currently have 36000 officers, I don't know how long they stay on the job on average or how the numbers have fluctuated over the years, but even if it's just 1 year and their size hasn't changed that would mean about 2.8% of police force in NYC was involved in misconduct that resulted in settlement.

These don't include number of cases where legal action wasn't taken or which got thrown out due to qualified immunity (these are somewhat related, if case is unlikely to get past qualified immunity it's quite unlikely legal action will be taken). And probably cases which actually went to trial as it seems to focus on settlements.

Additionally there is for example https://www.nyclu.org/en/publications/cop-out-analyzing-20-y... which covers 2000-2020 misconduct complaints. According to it disciplinary actions were taken 4283 times, meaning that even if conduct was enough to reach settlement it doesn't necessarily mean it results in any actions taken against the officer.

bdcravens
3 replies
20h57m

Search warrants can compel you to give police access to your property, which can include your body (in cases of blood draw warrants in the case of DWI). The police can obtain a search warrant for your physical filing cabinet, which includes taking measures to access it if you won't unlock it for them.

Police can easily get warrants for your phone; you just can't be compelled to give the code to unlock. I suspect in the future we'll see a different level of cooperation from phone makers.

ejb999
2 replies
20h29m

yep, surprised it doesn't exist already - one password to get you in, one password to wipe or hide everything you want and then let the police in to a completely sanitized version of what you want them to see.

spockz
0 replies
19h59m

TrueCrypt and other tools had this around for ages. Something with nested partitions. One key unlocked the main partition that you are supposed to fill with something credible. And then another key that looks a partition even deeper that should contain your true secrets.

2OEH8eoCRo0
0 replies
20h10m

Because it's a fantastic idea to commit additional felonies to feel like a hackerman. Following the law is for suckers.

omginternets
0 replies
19h50m

being forced to give up your passcode is no different then being forced to give up any secrets you might have.

Actually, the case is even stronger than you make it out to be. IIRC, one of the key constitutional issues is that providing a password is equivalent to saying "yes, this is mine". So even if we disregard the contents of the device, the issue is that you are establishing a legally relevant relationship with a piece of evidence.

I'm recalling this from a looong time ago, when I took a constitutional law class, so I hope those with fresher knowledge not hesitate to jump in.

kevin_thibedeau
0 replies
20h21m

There are ways to use the law to coerce the desired behavior. Border Patrol will do helpful things like take apart your car if you exercise your rights.

genocidicbunny
0 replies
21h35m

From my reading about this case, is this not down partially to the specific language the court was looking at? That is, the warrants were compelling someone to produce the password, which is a form of testimony, but that a lot of times the warrant instead compels the device to be unlocked, which does not require testimony?

snickerbockers
59 replies
21h7m

Has there ever been a court case related to encrypted data or secret codes without a computer being involved? If the cops get a warrant to tap a phone line and they hear me speaking with an associate using some sort of coded language (as spies and criminals often do on TV) can i be compelled to explain to them what all the little codewords actually mean?

hutzlibu
38 replies
17h34m

"can i be compelled to explain to them what all the little codewords actually mean"

I would like to think not, as usually you cannot be made to compell against yourself. The famous right to silence.

https://en.wikipedia.org/wiki/Right_to_silence

Which was the base of this court case (and I think it is troublesome, that it had to be debated at all)

"One of the major issues in the law of digital evidence investigations is how the Fifth Amendment privilege against self-incrimination applies to unlocking phones"

mrandish
31 replies
15h12m

Regarding the "Right to Silence", I recently learned something I didn't know. While I was familiar with the right to remain silent after arrest to avoid self-incrimination (based on the Miranda ruling). There is a separate right to remain silent unrelated to incrimination (5th amendment) but rather tied to 1st amendment free speech. Of course, we're all familiar with free speech rights but is there a corresponding right to "free silence"?

It turns out there is but it's not enumerated in the first amendment, so it's called an "implied right." It's been derived by the courts (including the Supreme Court) as logically inferred by the rights which are enumerated in the 1st amendment. What I found interesting is the boundaries of this implied right to silence are currently less well-defined than than the other 1st and 5th amendment rights. Apparently, some cases the court will be deciding this year may involve further fleshing out these fuzzy edges. I'm not an expert but as I recall, the scenarios may include things like whether social media networks can be compelled by a legislative statute to disclose (ie 'speak') their content moderation policies and whether public universities can enforce codes of conduct which may compel speech.

Personally, I'm all-in on the vital necessity of robustly expansive free speech rights, so I'm also all-in on robust freedom of silence rights. I used to think I understood the limits of free speech in the U.S. but reading this article by 1st amendment expert Ken White on free speech tropes surprised me. Highly recommended: https://www.theatlantic.com/ideas/archive/2019/08/free-speec...

filoeleven
20 replies
14h30m

Addendum: you must explicitly invoke your 5th amendment right to silence when being questioned by police in order to prevent your silence being used against you in court. It’s a shit ruling, but it’s also current law. This theoretically only applies if you have answered some questions but remained silent on others.

https://www.scotusblog.com/case-files/cases/salinas-v-texas/

quickthrower2
11 replies
14h19m

So Miranda is not enough? Is “Lawyer” enough? Or is this pre-arrest?

dharmab
9 replies
14h15m

The magic words are "I am using my right to remain silent" followed by silence.

owenmarshall
8 replies
13h16m

No!

In the US, case law has ended up more protective of people who invoke their right to an attorney than those who merely invoke their right to remain silent.

In certain cases the police can restart interrogations after invocation of a right to remain silent, but if you invoke the right to an attorney any interrogation must stop until your counsel is present. These exceptions are narrow, but “being interrogated by the police” is the last place to chance stumbling into one.

The magic words are: “I will not answer any questions without a lawyer present.”

filoeleven
3 replies
13h7m

Yeah. Also, the police are legally allowed to lie to you, but you are not legally allowed to lie to the police.

I’m not interested in lying to the police, but when I know that they can lie to me, it’s a big disincentive to say anything to them at all. This is a problem.

mrandish
2 replies
12h9m

As a pretty staunch civil libertarian, I agree with you about the asymmetry in rights. However, I'm curious about the statement:

"you are not legally allowed to lie to the police."

I know that lying under oath in a court is perjury and in certain contexts some investigative agencies like the FBI can put you under oath and in that specific case materially false statements can be actionable. And I know that filing a false police report is against the law but I think that usually requires signing the report and it spells out that lying on the statement is perjury.

But, in the scenario of a police officer just walking up and asking you questions on a street corner, prior to arresting or detaining you, is anything you say about anything which is later deemed to be false or misleading cause for arrest? Maybe it is but I'm trying think of what law it would be violating. I do know that civil libertarians say that if a police officer talks to you, you can ask "Am I being detained?" and if they don't answer "Yes" you are free to just walk away.

My naive prior understanding is that things are more complicated and conditional than simply "Lying to a cop anytime, anywhere is always grounds for arrest and prosecution (even absent any other grounds for arrest)" but perhaps I was misinformed on this.

bitwize
1 replies
12h1m

If the police are feds, you can catch up to 5 years in the slammer for "making false statements" to them. This law is relatively recent (mid 90s) and was pretty much passed so that the FBI could nail, or twist the arms of, people they think committed a crime but have zero actual evidence against.

State laws about lying to police vary by state. Ask your lawyer.

owenmarshall
0 replies
3h48m
drdaeman
3 replies
11h43m

I will not answer any questions without a lawyer present.

I'm curious. How do people get a lawyer, if they aren't exactly prepared for being questioned, but just somehow unexpectedly found themselves in some weird situation?

Somehow, I doubt most common folks already have an established lawyer (especially not knowing what sort of situation they may get into - as I get it, different lawyers specialize on different matters) and remember their phone number (OP reminds me that one probably doesn't want to unlock any phone). Or I'm wrong? What's the general approach here?

owenmarshall
1 replies
3h53m

First, invoke. Then one of two things will happen. The happy path is that the police can’t sustain an arrest, and you didn’t help them by talking. You’ll be released, and you can - and absolutely should - look for a lawyer on your own time.

Otherwise, you’ll be arrested and taken to jail for processing. Your bail will almost always be predetermined by a bail schedule. For minor crimes you can post bail to the jail and leave within hours. Some jails even take credit cards. Search for a lawyer on your own after you are out.

Otherwise the rules are varied across jurisdictions. “You get one call” is a TV trope” - but you can use any phone calls you are granted to secure an attorney. The state bar, as mentioned, will refer you. Call your family and have them secure one. Some jails have the yellow pages for your own selection. If you have a non-criminal attorney (a will, employment law, etc.) they can give you a referral.

TheCleric
0 replies
2h2m

Also, worse comes to worse, you can receive a free court provided lawyer. Though public defenders are so overworked, you may not see them until the day of your trial.

dharmab
0 replies
11h3m

The state bar usually provides a service to help people find lawyers.

filoeleven
0 replies
13h47m

Pre-Miranda, according to the case law. It amounts to “don’t talk to the police,” because although the original case was about a murder, it now applies to every voluntary conversation with police. It’s a really unfortunate precedent.

crossroadsguy
7 replies
14h10m

As in literally “uttering” something on the lines of “as per the 5th amendment..blah. silence.. blah..”?

And or course on a recorded interview/questioning, right? Because if there was no recording then it’s my word against police’s, right?

(I am not from US).

wmidwestranger
3 replies
13h45m

In court, you must assert your right to not testify against yourself.

Upon arrest, you're not obligated to speak or answer anything.

The police are not officers of the court, nor involved in court proceedings during their interactions with the public, so there is no expectation or explicit penalty for not answering. In court, while being questioned, you're compelled, under penalty of perjury, to testify in full and truthfully unless there is a reason you can or may not:

Do you solemnly (swear/affirm) that you will tell the truth, the whole truth, and nothing but the truth?
notfed
0 replies
10h2m

In court, while being questioned, you're compelled ... to testify

To be clear, not if you're the defendant.

filoeleven
0 replies
13h19m

“Upon arrest” is doing a lot of work here. BEFORE an arrest, the 5th must be explicitly invoked, perhaps only if you have answered some other questions though. See the case law I linked.

The 4th (unreasonable search and seizure) is generally clearer, but I don’t know how it works online “stop and ID” states. IMO those laws are unconstitutional, but I haven’t looked into it because I don’t live in one.

bacheaul
0 replies
8h27m

Don't talk to the police: Regent Law Professor James Duane gives viewers startling reasons why they should always exercise their 5th Amendment rights when questioned by government officials.

https://www.youtube.com/watch?v=d-7o9xYp7eE

geoduck14
1 replies
4h54m

And or course on a recorded interview/questioning, right? Because if there was no recording then it’s my word against police’s, right?

Nope. You need to express your desire to stay silent early in the "arrest or questioning" process with the police. I'm not an expert, so I don't want to pretend when your words can be used against you, but if a cop hears you say something, they can quote you in court.

Also, here is a fun twist. Your words can be used against you in court, but not for you. For instance: if the cop writes down a bunch of stuff you said while being arrested, and your defense lawyer wants to look at it -they are not allowed to see it-. They can only see the stuff the cops use to charge you

WaitWaitWha
0 replies
2h59m

Also, here is a fun twist. Your words can be used against you in court, but not for you. For instance: if the cop writes down a bunch of stuff you said while being arrested, and your defense lawyer wants to look at it -they are not allowed to see it-. They can only see the stuff the cops use to charge you

This is incorrect.

Withholding exculpatory evidence can get cops & prosecution into a lot of hot water.

This is called the Brady or Brady/Giglio rule.

Brady v. Maryland (373 U.S. 83 (1963)

Giglio v. United States (405 U.S. 150 (1972)

filoeleven
0 replies
13h33m

See my other reply: https://news.ycombinator.com/item?id=38661768

Yes, it means explicitly saying “I invoke my 5th amendment right.” Generally, if you’re being interviewed, this is surprisingly less of an issue, because you’ve already been read your rights, and the interview will be recorded (theoretically, they can disappear sometimes).

This applies to situations BEFORE an arrest, but you may have already been detained. (The 4th amendment and court precedent has more to say about this, but it’s an aside if you aren’t subject to it.)

If it’s your word against the police, with no recording or some other overwhelming evidence, you will lose in a US court. Police body cams help a lot here, but it’s still best to record every police interaction yourself. It’s an unfortunate situation.

tjpnz
9 replies
14h27m

whether public universities can enforce codes of conduct which may compel speech.

Where would such a precedent leave things in terms of codes of conduct and open source?

mrandish
4 replies
13h48m

As I said above, I am totally not an expert on any of this, so you should seek real answers from authoritative sources. However, I think I can safely clarify at least this much...

In this context, "Public University" means an institution substantially run by or funded by the U.S. government. Only some universities are public and many others are private. And different rules apply because the government is held to constitutional standards.

Conversely, "Public Domain" relates to the copyright status of a creative work and is entirely unrelated to how something is funded.

Legally, a "Code of Conduct" is basically just a contract. In the U.S. the "Freedom of Contract" and "Freedom of Association" between consenting adults are, thankfully, pretty damn expansive. If you want to create a non-government owned, run or funded project, club, cabal or coven which involves a contractual obligation requiring Taylor Swift tattoos and apple cider enemas, I'm pretty sure consenting adults can voluntarily agree to that if they chose to (although it should be noted, enforcement of such a contract will likely be limited to rejecting or expelling non-complying members).

wmidwestranger
1 replies
13h41m

Don't know why you're being downvoted, the issue isn't the contractual obligation but the method of enforcement.

If I sign a contract saying I'll take an apple cider enema and I don't, that doesn't automatically mean I've given permission to have one administered! That might mean I get kicked out of the contract but it doesn't mean that I can be forced to abide by the contract.

mrandish
0 replies
12h42m

Yeah, my humorous (but still technically valid!) example was probably ill-advised in this forum.

Separately, although I am not a lawyer, I have decades of business experience which often involved working closely with lawyers and my circle of friends happens to include several attorneys, prosecutors and judges, so I'd say I have an unusually broad understanding of legal matters for a non-lawyer (especially contract, IP and business law). I also just find legal stuff interesting to learn about and I'm one of those oddballs who looks forward to June because I find well-written SCOTUS rulings (and dissents!) fun to read.

Yet, I'm still surprised at the lack of even high-school civics-level knowledge of basic legal principles I come across in otherwise intelligent, well-educated professionals including doctors, MBAs, engineers, etc. It's kind of sad because the latent engineer in me finds the system architecture of the U.S. legal framework to be fascinating. Yes, it's imperfect in many ways, yet it's still a brilliant, iterative, collection of attempts to solve a 'wicked' bundle of thorny problems through successive approximation. Despite its flaws it still ends up eventually getting things pretty close to as "right" as they probably can be with remarkable frequency.

hollerith
1 replies
13h41m

In this context, "Public University" means an institution substantially run by or funded by the U.S. government.

No, a public university is run by one of the 50 states.

mrandish
0 replies
13h28m

I did consider that while writing and I decided any reader not from here and unfamiliar with our federal/state divide would understand "U.S. Government" to mean all levels of government.

Pedantically, I believe there are federal universities such as the army, navy and air force academies. There are also city colleges and all of these "government institutions" are funded or controlled by federal, state and/or city taxes which causes them to fall under additional constitutional restrictions.

wredue
2 replies
14h13m

Or trespassing people who are no longer welcome.

The idea that code of conduct can’t exist is nonsense. The idea that it violates free speech is also nonsense, as it has been well settled that you don’t have free speech on private land.

wmidwestranger
1 replies
13h31m

I can imagine codes of conduct are helping somebody and I wouldn't want to spoil their good times but I'm still a little salty that sqlite was forced to change their terms, based loosely on the Benedictine Order Code, so they could have corporate sponsors. My intuition suggests a large and random set of assholes has been replaced by a specific and goal-oriented set of assholes.

I'll admit, the internet is everywhere, so every asshole is on the internet. I just remember before the Code of Conduct, there was definitely one less potential layer of assholes above, despite an ever present layer of assholes below, and there seemed to be more crazy and less conformist people.

Would write more but I need to go yell at a cloud.

wredue
0 replies
3h9m

The thing is that most people never ever have to deal with codes of conduct because, as it turns out, treating other with respect, really isn’t a difficult thing to do.

russell_h
0 replies
13h50m

It would have no effect at all.

Public universities are part of the (state) government, so are bound by the first amendment.

Open source projects are not part of the government, so their freedom to associate with whoever they choose (with some limitations implied by eg the 14th amendment, but nothing likely to affect currently prominent codes of conduct) is protected by the 1st amendment.

PrimeMcFly
3 replies
6h53m

The reason it's a little different with passwords is passwords are considered to be equivalent to a key to a safe, and people could be required to hand a key over.

Although it appears the matter has now been settled as of this ruling.

kevincox
2 replies
6h49m

Can you be compelled to hand it over? What if you lost it?

It seems like with a warrant they can be allowed to crack into your safe, and you may prefer to let them use the key so that you still have a working safe at the end of it.

PrimeMcFly
1 replies
6h43m

There were different court cases in different states that ruled it did have to be handed over. As for whether or not someone genuinely lost it, I guess it would be up to the particulars of that case if they were believed or not.

The UK has a rather scary law where even if you do genuinely lose it they just assume you are lying.

kevincox
0 replies
6h33m

The UK case is always what I assumed the main point of the right to remain silent was about. How can you compell someone to reveal something that you can't prove they know? Memory is fallible and it seems wrong to be incriminated since you forgot something or just never knew it in the first place.

The extension of that is you can just always say "I don't know". So the right to remain silent is basically a shortcut to avoid this issue.

neycoda
0 replies
1h57m

Imagine if somebody took the right to remain silent to our current Supreme Court and they decided that nobody actually has the right to remain silent.

ChrisKnott
0 replies
8h55m

The thing that allows these password disclosing laws to be compatible with self-incrimination is that the password itself is not the evidence, you are being compelled to give up other documentary evidence that incriminates you. This is common. People (companies in particular) are often forced to give up evidence that is used against them (corporate fraud convictions etc).

jimt1234
4 replies
16h5m

For criminal organizations, it's common to "decipher" coded language to juries. And it's really not that difficult when drug dealers are talking about "kings" in conversations that have nothing to do with royalty or poker. (a "king" generally means a kilogram of cocaine.)

kobayashi
1 replies
15h44m

OK, but I think you missed the point of the question above. The point was whether a court can compel people to explain a secret code, and whether there should be a different standard, if that code involves the computer or not

jonstewart
0 replies
15h9m

But there is the essential difference — it is not the algorithm, whether performed manually or by machine, it is the testimony. A defendant need not testify against oneself. A computer cannot testify at all. The police can seize the computer and have a go at cracking it, it’s just a thing.

This one seems pretty cut and dry, frankly, since they’ve asked him to provide the code, and he refused. It sounds like the prosecution erred significantly in making closing arguments about pleading the fifth being indicative of guilty. The more interesting question, which is not involved in this case, is whether a defendant can be compelled to provide unlocked devices to law enforcement.

dehrmann
0 replies
15h38m

Assuming the right one-time pad, a prosecutor could "prove" almost anything.

crossroadsguy
0 replies
14h4m

What if a coded message, or not coded at all, was interpreted as something that was not the case?

Then is it the other legal team’s responsibility to point out that it’s bogus and refute the claim that it meant “I stole Jack’s peanuts”. Maybe by giving examples of other assumed ciphers that prove it actually decoded to “I can drink 5 beer cans in 2.5 minutes” or that it also means “Rabbits are actually slow” according to yet another assumed cipher?

How does that work? I mean I know if it’s a jury and then it can just come down to their individual and collective whims and fancy and but how does it work in general?

yttribium
2 replies
19h47m

They will admit testimony by some cop to explain that "based on my training and experience, I believe 'going to the pool' to be code for 'soliciting a murder'"

wombatpm
1 replies
17h57m

But what if translate everything to LinearB or Klingon pig-Latin and then encrypt. Am I required to provide a Rosetta Stone to investigators?

anon84873628
0 replies
13h37m

IANAL but I don't think you're required to provide anything to "investigators". Certainly not before consulting your lawyer.

However I believe the court could eventually order you to produce the Rosetta Stone, after various proceedings. At that point you have to decide whether you want to comply with the order or not, and not doing so would likely have negative consequences like being held in contempt.

zeroonetwothree
1 replies
17h43m

I would think no, you don’t have to explain it because it’s testimonial. Of course your associate could still reveal it.

But it’s quite complex, see https://scholarship.law.edu/cgi/viewcontent.cgi?referer=&htt...

m463
0 replies
16h21m

what's troubling is that "your associate" might be, apple.

For example, when I add an account on my mac - not related to apple in any way - the computer will send information back to apple. Every time. I have cloud stuff turned off.

As far as my phone - most of this stuff is not only hidden, but apple doesn't let me run software to know who it is talking to, and what is being sent.

pvg
1 replies
19h44m

Don’t know about court cases but wartime censorship prevented the transmission of suspected codes in some situations, including in the US.

FergusArgyll
0 replies
58m

Wartime allows for many rights to be taken away.

for example: Article I, Section 9, Clause 2: The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it.

pc86
1 replies
21h4m

You can't be compelled but especially with spoken language it's going to be very easy for LE to decrypt it on their own by just correlating the coded language with whatever actions were taken later.

lelanthran
0 replies
20h16m

But that's just the point.

In the past, pre-computer days, if the cops couldn't break your encryption you were not compelled to tell them how and that was their problem.

Now you are compelled. I feel that that should not have changed.

gorgoiler
1 replies
10h31m

What about being compelled to either unlock and open a safe, or provide the code to unlock it? I too am surprised that existing case law in the non-tech space wasn’t mentioned in the article.

It would have been helpful if the Ars journalist had scored an interview with his expert source — Berkeley academic Orin Kerr — rather than simply re-reporting Kerr’s own analysis:

https://reason.com/volokh/2023/12/14/is-compelled-decryption...

notfed
0 replies
9h44m

A court or police compelling someone to open their safe would tautologically be for the purpose of discovering evidence of a crime which is exactly what the fifth amendment protects.

The reason it's not a been a big deal is courts is because, if police have a warrant, they're going to hire their go-to safe driller to drill the safe open.

yencabulator
0 replies
19h47m

Cryptography predates computers, so the only real question is has it shown up in public court records or not. I'd expect plenty of history in treason charges against caught spies, but whether the records are public or not is a different question.

https://en.wikipedia.org/wiki/Book_cipher

https://en.wikipedia.org/wiki/Codebook

https://en.wikipedia.org/wiki/Poem_code

ponector
0 replies
14m

You could go to prison for refusing to provide password. Here is the story from 2014:

A 22-year-old man has been jailed for six months after refusing to provide passwords to his encrypted hard-drives, the Daily Mail reported. He was imprisoned under a section of RIPA, a UK law that was originally pushed as a counter-terrorism measure, but which has now ballooned to cover many different aspects of crime—something that has got civil liberties groups worried.

Christopher Wilson is suspected of attempting to break into a law enforcement website and “trolling” the Newcastle Police by fooling them with a prank phone call. However, these are not what he is going to prison for: he's spending time behind bars for not giving up his passwords.

heavyset_go
0 replies
11h43m

You can't be compelled to testify against yourself.

giancarlostoro
0 replies
13h22m

You can plea the fifth.

qingcharles
38 replies
20h46m

Note: the verdict only applies to those in Utah. Other US states have other rulings. Wait until there is a US Supreme Court ruling that affects the entire nation.

Right now: do not use biometrics (can be legally forced); do not use numeric passcodes. Use alphanumeric password.

sjfjsjdjwvwvc
20 replies
20h38m

Why not numeric?

croes
18 replies
20h36m

Too few possibilities?

spiderice
17 replies
20h23m

How is a 6 digit pass code too few possibilities when the phone locks you out after like 5 missed attempts? It seems unrealistic to expect people to type their alphanumeric password every time they want to unlock their phone.

ncallaway
5 replies
19h36m

The government will clone your device hard-drive, then be able to attempt to unlock it on many simulated devices in parallel, until one unlocks.

Then they can unlock the actual device.

olliej
2 replies
18h59m

Literally the point of the HSMs in phones and laptops is to stop that.

If your device's encryption key is produced by a PBKDF then yes it's doable, but no actually secure system works like that. The way a secure system works is

1. You have an HSM ("Secure Enclave" in Apple speak, Trusted Computing Module in MS speak, and I can't recall the google/android name)

2. The HSM generates a random encryption key (or family of keys)

3. The HSM encrypts and decrypts the data with those keys (the keys themselves never leaving the HSM)

4. The HSM gates access to those keys based on an attempt limited use of your passcode/password

There were common flaws a few years ago that meant that you could glitch the HSMs into (essentially) not incrementing the attempt counters or similar but I haven't heard of such in a few years now (almost a decade now? essentially these kinds of flaws were discovered en mass once HSMs reached consumer hardware so more security researchers were able to investigate)

The important thing though is the encryption key is now fully random, rather than derived from your password, which is the difference between a 128+ bit key and a ~40-60 bit key.

nehal3m
1 replies
18h10m

For dummies like myself, an HSM is a hardware security module.

olliej
0 replies
15h41m

Gah sorry, I was like “don’t use a useless marketing name” so instead I used a useless acronym instead, huzzah! \o/

dathery
0 replies
19h7m

I don't think this is meaningfully true for modern phones. The passcode is used by the phone's TPM to derive the actual encryption key, which never leaves the TPM. TPMs are designed to be impossible to retrieve the secret key from without being physically destroyed to prevent the kind of attack you describe.

This is why phone cracking devices like Cellebrite rely on exploits in phones rather than just cloning the disk and trying the small number of possible passcodes.

amlozano
0 replies
19h1m

That doesn't work with iPhones, the Secure Enclave in the only thing that can unlock the phone, and after the attempt limit is exceeded, passcode-protected data is erased by Secure Storage.

I guess if they really wanted to they could attempt to decap the chip and do something with a hardware attack, but thats difficult and dangerous.

nijave
3 replies
20h18m

If these are implemented in software it'd be possible to brute force offline and bypass the timeout

Gigachad
2 replies
19h38m

I watched a video where they had the iphone cracked open and slightly modified in a way that would allow them to reset the storage to brute force quickly without timeouts.

lxgr
1 replies
18h57m

That shouldn’t be (at least easily) possible on newer iPhones anymore. The counters are now in rollback-protected dedicated memory; the lockout is implemented in the secure enclave.

Gigachad
0 replies
13h2m

Sure, but this is all protected by dubious hardware that often gets cracked. A text password is protected by pretty sound math.

HenryBemis
3 replies
20h17m

I am thinking that a numeric code is something that people can see you typing in again and again.

An ex-bf/gf that hates your guts will remember that your pin is 1-2-3-4-5-6, because that one time your hands were wet and she needed to see that photo from that party and you told her the PIN..

While if you have a word, new bf/gf will mean new word, and good luck knowing that.

pseudalopex
2 replies
19h27m

A numeric code may be easier to shoulder surf. Nothing prevents you from changing a numeric code or ensures you will change an alphanumeric code however.

calvinmorrison
1 replies
19h15m

Glad runescape solved this in 2004 by implemented randomized positions for each digit

HideousKojima
0 replies
15h54m

Heck, the keypad at my church in my hometown did this back in the mid to late 90's (if not sooner)

haswell
0 replies
20h18m

If I recall correctly, some early techniques to unlock passcode-protected phones involved bypassing the user interface and trying passcodes at a point in the execution flow prior to the code that locks out the UI.

I think modern devices have addressed this in various ways, but it’s not a good idea to rely on timed lockouts when it’s possible that techniques exist (or could eventually be found) to bypass the lockout.

In short, assume those lockouts are targeted at normal users. A sufficiently motivated actor with technical resources is another story.

ddingus
0 replies
18h4m

In some cases, they can attack the password outside the phone / device environment by comparing hashes.

At the very least, such an effort may well be able to reduce the problem space considerably, leaving it down to a few guesses on the device.

Quillbert182
0 replies
17h37m

I can’t seem to find it now, but I remember a news story a while back where a police agency was able to unlock an iPhone with a 6 digit numeric passcode in a little over a year, bypassing the hardware security module and time limits.

qingcharles
0 replies
12h2m

Prior legal rulings in the USA have been vague, but said that a numeric code does not require you to "testify" in that you don't really have to use a thought process. I'm paraphrasing, but basically numeric passcodes have been exempt from your right against self-incrimination.

kkielhofner
11 replies
19h34m

On iPhone at least you can require passcode by holding down the side button and either of the volume buttons for three seconds. Just ignore the power down/SoS screen that comes up (or tap cancel) - by the time you see it Face/Touch ID is already temporarily disabled. The iPhone will also give you a "rumble" confirmation so you can do it when the device is in a pocket, bag, etc.

Obviously doesn't help if they pull an elaborate Russ Albrecht-style move but useful for situations where you can see them coming (which is likely most of them).

LeoPanthera
4 replies
18h37m

On iPhone at least you can require passcode by holding down the side button and either of the volume buttons for three seconds.

Caution, this may call 911 depending on your settings.

Settings > Emergency SOS > Call with Hold and Release.

You can also disable Face ID by pressing the power button 5 times - which can also be a 911 shortcut, check the settings in the same place.

lostapathy
1 replies
17h8m

Caution, this may call 911 depending on your settings.

If the police already have you, calling 911 on accident probably isn’t a concern.

qingcharles
0 replies
11h59m

This basically happened to me when I was cuffed in the back of a squad car on the way to jail. I told the dispatcher I was being kidnapped. The cops in the front gave me the side-eye.

Let me see if I can get the recording via FOIA...

fiddlerwoaroof
1 replies
18h36m

Calling 911 requires a longer hold, typically: if you let go when the haptic feedback happens, you won’t call 911

thfuran
0 replies
16h1m

But you may want to call an ambulance to be on the safe side.

thallium205
1 replies
12h53m

You will not have time to reach into your pocket when getting arrested. Just turn the biometrics off.

yreg
0 replies
11h55m

I would likely have the phone in my hand already.

Jap2-0
1 replies
15h10m

On Android, hold the power button* until the power down menu comes up, then press "lockdown".

* This may vary by phone, but I'm not sure.

kelnos
0 replies
9h44m

It still very much annoys me that this requires interacting with the touch screen to accomplish.

jonas21
0 replies
18h43m

Reaching into your pocket or bag right when you see the police coming after you may not be a great idea either.

AnonHP
0 replies
15h18m

On iPhone at least you can require passcode by holding down the side button and either of the volume buttons for three seconds. Just ignore the power down/SoS screen that comes up (or tap cancel) - by the time you see it Face/Touch ID is already temporarily disabled.

You can also press and release the power button five times consecutively for the same power down/SOS screen, and then the biometric lock gets disabled (requiring the device passcode).

yosito
1 replies
14h58m

I'd be willing to bet that even if it becomes federal law, it won't apply inside of airports. Not to mention that most of the world is not the US.

qingcharles
0 replies
12h3m

Well, borders in the USA have a special exemption to the 4th Amendment, so take everything with a grain of salt if you are entering or exiting the USA.

olliej
1 replies
19h13m

Disabling biometrics can be done trivially quickly, and means you don't have enter your passcode in any observable way.

qingcharles
0 replies
12h1m

I promise you, from experience, it is not quick enough.

rahimnathwani
0 replies
18h18m

Excellent coverage about this here: https://reason.com/volokh/2023/12/14/is-compelled-decryption...

The author thinks this could be the case that goes to SCOTUS.

ckdarby
31 replies
17h45m

I always wonder what happens if you unlock with a code that switched profiles and encrypted the other profile.

Uehreka
21 replies
17h24m

Generally speaking, if you non-cooperate with the police that’s one class of offense, but if you lie to the police (that’s what this would be seen as) and they catch you it’s a whole ‘nother level of offense.

In general, if you’re thinking about interactions with the police and you have an idea that feels “clever”, it is a bad idea.

cynicalsecurity
12 replies
17h3m

You have the right to remain silent. Non-cooperation is not an offence.

nabakin
7 replies
16h34m

Resisting arrest is both non-cooperation and an offense so idk where you're getting that from.

jiminymcmoogley
3 replies
16h11m

you can be non-cooperative without meeting the bar for resisting arrest though, for instance if you refuse to incriminate yourself

spiritplumber
0 replies
9h30m

"You were rude to me earlier, so I don't want to talk to you" may get you beaten up but won't get you in further legal trouble.

If it comes up at trial, you simply explain that the officer was rude to you, so you didn't want to talk to them, which caused them to be even more rude to you, which confirmed your decision to not talk to them.

nabakin
0 replies
2m

For sure. I thought the parent commenter wasn't considering cases like resisting arrest in their statement though

filoeleven
0 replies
14h2m

People are consistently arrested and/or charged for resisting arrest for not identifying themselves in states that do not have “stop and ID” laws.

Even if you know to the letter what your state law requires, the police often don’t. If you take the arrest and sit in jail for 2-12 hours, you can fight it later in court. Somehow, this is a luxury for most people in the US.

DiscourseFan
2 replies
16h9m

I think you're right, but generally speaking the 5th amendment gives wide rights, so in any interaction with the police in America one should always keep their mouth shut, and if pressed say that you won't speak without a lawyer. They literally say: "Anything you say can and will be used against you in a court of law." That is not an exaggeration.

It is very difficult to prosecute someone for a crime if they stay silent during the legal process, it's why the police are hyper-aggressive, they are trying to catch any idiot who will say anything that will get them arrested and charged, so they can report to the municipality, county (or state or whatever) that they have achieved x, y, z rates of charges, solved crimes etc., in order to secure better funding (meaning better salaries, benefits, pensions, and toys to terrorize you with).

nabakin
0 replies
5m

For sure, I agree with everything you're saying, but the parent commenter was saying all non-cooperation is allowed which isn't true. I don't think they considered the case of resisting arrest or other similar cases.

fallinditch
0 replies
12h30m

Here's a recording of a law school lecture - a compelling argument for why you should never talk to the police https://youtu.be/d-7o9xYp7eE

icelancer
3 replies
15h14m

Remaining silent and deceiving law enforcement officers are very different things.

true_religion
2 replies
15h1m

I have two kitchens in my house. If a police officer asks me to take them to the kitchen, and I take them to the annex kitchen the am I a liar?

You unlock a phone or a computer and sign into one profile and not another. Are you lying?

quickthrower2
0 replies
14h16m

What if Kitchen 1 has a PIR sensor that when tripped flushes all the coke down the toilet?

icelancer
0 replies
14h2m

That's an act of commission. You should simply do nothing, unlock nothing, and say nothing. Wait for an attorney.

It may not be difficult for the prosecutor to point out that you "unlocked" your phone into a mode you never use and in fact specifically use to deceive law enforcement.

Much simpler and safer to do absolutely nothing. Plus, you don't know for sure if that secondary mode being unlocked can enable third-party tools to break into the primary profile.

stainablesteel
4 replies
14h38m

but if they say "unlock your phone" rather than "unlock the main profile of your phone", its not like you're uncooperative. you've technically unlocked it.

dotancohen
3 replies
14h2m

I had this argument with my then-13 year old daughter. I had forbidden her from using "the phone". She accepted the punishment.

She then proceeded on another device to show me that in no place on the official Samsung website is the device referred to as "a phone". The device is always referred to as "a smartphone" and in one place the telephone communication application is referred to as "the phone". I conceded that she made a good case and that the punishment therefore applied to the telephone communication application only.

Does the alternative password enable your phone book and phone history? If so, then yes you have unlocked the phone. If not, then you have unlocked "a phone" but not "the phone".

vore
2 replies
10h10m

I think unfortunately in almost all cases the spirit of the law is more important than the word of the law, and most courts frown upon this kind of chicanery. I think this encourages her to "well, actually" people more, which nobody likes being on the receiving end of :-)

stainablesteel
0 replies
3h44m

in the original context though, you're not dealing with the law but an "order". you were "ordered" by some police officer to do something that you can't refuse.

dotancohen
0 replies
9h35m

  > I think unfortunately in almost all cases the spirit of the law is more important than the word of the law, and most courts frown upon this kind of chicanery.
I was under the impression that the word of the law is preferred. If anybody here has experience, in any jurisdiction, I would love to know more.

  > I think this encourages her to "well, actually" people more, which nobody likes being on the receiving end of :-)
Well, actually, I do want to encourage her to defend herself by all possible means, especially to be able to challenge the law :-)

ineptech
1 replies
14h58m

It's legal to lie to the police under questioning in most circumstances, i.e. "I didn't rob that guy" if you robbed that guy. The big exceptions are falsely identifying yourself and lying while reporting a crime.

You might be thinking of 18 USC 1001 which makes it a felony to lie to a federal agent, and is extremely broad (both in terms of of what constitutes a lie and who counts as a federal agent).

filoeleven
0 replies
14h8m

lying while reporting a crime

Seems to me like there ought to be some kind of 14th Amendment “equal protection” cases presented to the court about the failure of police forces to dismiss false police reports.

If I filed a police report saying “X threatened me on my property” and it wasn’t true, I’d be prosecuted for a false report. Yet there are hundreds of instances of state and federal employees filing the same kind of false reports, yet nothing is done about it.

knocte
0 replies
12h3m

How are you lying to the police by unlocking a different profile of your phone? So long as the police doesn't say "oh, unlock this $specific profile of your phone please", you could have different profiles for different purposes (e.g. different set of apps installed, like one profile for work and another for personal settings).

TacticalCoder
6 replies
17h32m

That'd be some form of "plausible deniability" (although the term has a lot of different meanings depending on the context).

I know it exists for certain cryptocurrencies hardware wallets: they can be setup (but are not required to) so that one PIN unlocks the real wallet and another PIN unlocks a decoy wallet, which only has some coins.

P.S: people are probably going to point out the $5 wrench attack though

fastball
5 replies
17h26m

Isn't that the benefit of such a scheme? You ask for my password, I say no, you hit me with a $5 wrench, I say no. You keep hitting me, I input the decoy password and you think that is all the crypto (or content or whatever) I have.

$5 wrench attack works on known unknowns, but not well on unknown unknowns.

plorg
1 replies
16h31m

If they threaten to beat you with a $5 wrench and you refuse and refuse and refuse and eventually cave and unlock the wallet with $10 of Bitcoin they're going to hit you with a wrench because you wouldn't resist so hard over so little and you're obviously trying to be clever.

true_religion
0 replies
14h58m

That’s why you don’t have a decoy profile, but a real alternative. Maybe they can then steal 30% of your wealth and not all of it.

ljm
1 replies
17h4m

If your adversary is the US intelligence machine then you’re already presumed to be guilty and a fail safe on your phone will achieve nothing.

People were sent to Guantanamo bay for much less.

tomcam
0 replies
16h16m

You’re so cynical. And by cynical, I mean absolutely right.

pavel_lishin
0 replies
3h16m

As long as a bad actor is aware of the possibility of decoy passwords, they have no incentive to stop hitting you with that $5 wrench no matter what you say.

runlevel1
0 replies
16h54m

Don't get caught doing it.

I seem to recall that being one of the few times in a criminal trial where a jury can be instructed that they may make an adverse inference. (IANAL)

V__
0 replies
17h31m

I thought about that and could see two possible problems: What about notifications on the lock screen, how to plausibly handle those with a fake/2nd profile? Could that be seen as willfully misleading or hiding evidence?

atoav
16 replies
21h57m

And this is why one shouldn't use biometrics.

NovemberWhiskey
7 replies
21h28m

Reminder to iPhone users that five fast presses of the side button will pop up the emergency calling page; it will also lock your phone in a way that requires your passcode to unlock even if you use biometrics.

hanniabu
2 replies
21h21m

If you spam the button and press it more than 5 times, does it still work?

davely
0 replies
20h54m

Just tried it and it appears so (on an iPhone 14, at least).

NovemberWhiskey
0 replies
20h58m

Yes; spam away.

yencabulator
1 replies
19h34m

Android: long press power, tap lockdown or power off or restart on screen. (I wish it didn't require touch screen!)

mrln
0 replies
14h1m

You can also disable the usage of your fingerprint to unlock the phone with the AdminControl App. https://f-droid.org/en/packages/com.davidshewitt.admincontro...

qingcharles
0 replies
20h51m

From personal experience, this does not work if a cop puts a loaded gun to your head. You will not want to move.

kingnothing
0 replies
20h54m

Also power + volume down

ziml77
2 replies
20h34m

The alternative is a PIN or password that someone could easily watch you enter.

croes
0 replies
20h25m

But they have to watch you enter id.

Your face and fingers are always with you and it's easy to force you to open your phone.

You can "forget" a password but not your face.

8organicbits
0 replies
11h22m

Randomize the keyboard. Use a screen filter to reduce shoulder surfing.

https://android.stackexchange.com/questions/27746/where-to-f...

silverpepsi
1 replies
20h59m

Doesn't strike me as wise. Your phone is always on you, if you have a biometrics killswitch you're better off than repeatedly entering your password, day in and day out, in public locations where a highly motivated actor WILL be able to figure out your password with mere binoculars and two or three observations.

This is why I hate when I get a 1Password prompt to reenter my nonbio password at inopportune times in a public place. My keystrokes can be secretly filmed from a distance. When I gain access to passwords that I copy and paste by fingerprint, the forcible theft of my machine puts me at near 0 risk. (My preferred way to login while in public.)

croes
0 replies
20h23m

if you have a biometrics killswitch

They'll take your phone, so can't trigger the killswitch.

wolverine876
0 replies
17h52m

one shouldn't use biometrics.

How else do you protect against the exploit of security cameras, anywhere you unlock your phone, recording your passcode?

qingcharles
0 replies
20h49m

I recommend everyone to disable biometrics and I have not used a passcode because of the prior vague legal landscape. Always used a password.

Of course, from experience, this does not matter if they do compel you to give up the password by other means (e.g. threatening to harm your family).

kornhole
0 replies
21h15m

Know how to disable it immediately. On Graphene and many Android phones, holding down the power button will reboot it with pin required to complete start up.

sampli
14 replies
17h56m

In the UK you have to hand your password over on command

jmprspret
11 replies
17h49m

Same in a number of Australian states. You can face up to 10yrs jail time if you don't give it up iirc

jay-barronville
9 replies
16h56m

I’m an American, so this doesn’t apply to me, but the idea that someone could be forced, by their government, to self-incriminate is absurd to me.

AndrewKemendo
7 replies
16h27m

I’m an American. Americans are forced by their government to self-incriminate all the time and are sitting in jail for it.

Here's a computer to explain it to you: https://chat.openai.com/share/532f399a-80d4-4973-9508-67f0f0...

And the references used. I even checked them myself:

https://law.justia.com/cases/federal/appellate-courts/ca4/21...

https://law.justia.com/cases/federal/appellate-courts/ca4/22...

This one in particular is great because apparently the 5th amendment doesn't apply if you're not an English speaker and don't understand the extreme subtleties of the law, such that you can be compelled to incriminate

“To qualify for the Fifth Amendment privilege, a communication must be testimonial, incriminating, and compelled.” The Fifth Amendment privilege against self-incrimination thus only protects a defendant from being compelled to provide “testimonial” evidence, meaning that the communication “must itself, explicitly or implicitly, relate a factual assertion or disclose information.” Indeed, the Supreme Court has explicitly distinguished between “the use of compulsion to extort communications from a defendant” and merely “compelling a person to engage in conduct that may be incriminating,” such as providing samples of one’s voice, handwriting, or physical appearance, all of which are constitutionally permissible."

Note, these are only the ones that were appealed.

Land of the free baby

jay-barronville
3 replies
15h48m

To be clear, I was responding to the commentary about the UK and Australia.

That said, even though America doesn’t have a perfect record on this, our Fifth Amendment rights are generally effective at protecting us from forced self-incrimination. We at least have the luxury of the Supreme Court that may hear and adjudicate our cases if our Fifth Amendment rights are violated.

Americans are forced by their government to self-incriminate all the time and are sitting in jail for it.

“all the time” ← Can you please quantify that? I genuinely don’t believe it happens enough to justify your assertion. (I’d love to be corrected with some data if I’m wrong.)

All in all, I think it’s a mistake to expect a perfect system. Compared to the rest of the world, our Constitution is a massive luxury; Americans are beyond lucky. I can either focus on the fact that the overall system isn’t perfect or I can appreciate—i.e., not take for granted—the fact that we even have the codified set of rights that we do.

P.S. I personally know folks from Third World countries whose family members were executed for having the “wrong” opinion. We really do take a lot for granted here in America.

AndrewKemendo
2 replies
15h32m

No, you simply aren’t seeing it because you aren’t exposed to communities who are regularly just getting hammered by police.

There is no “evidence” because it’s not on the record. It’s a lived experience by poor people. I don’t know if you’ve noticed but police kill a lot of innocent people that looks precisely like executing somebody for making the wrong decision, so I’m not sure how you’re not seeing it but it seems like you’re intentionally not seeing it.

It’s examples like my friend who did 10 months in county jail because he pissed hot during a two month probation on a drug charge related to a friend that he was driving the car with. This is an every day experience for me as a teenager. I was pulled over regularly and padded down and it was only because I had a white mom who would come bitch at the police that I didn’t have a record.

There is an entire country within America that has no access to constitutional rights. I suggest you just look up a little bit of black history and you’ll be informed on some of this.

jay-barronville
1 replies
14h37m

No, you simply aren’t seeing it because you aren’t exposed to communities who are regularly just getting hammered by police.

[…]

There is an entire country within America that has no access to constitutional rights. I suggest you just look up a little bit of black history and you’ll be informed on some of this.

I really hate having to bring up my background and race, but I really have to here: I’m literally a black man who grew up in inner city America who also used to be a leftist activist years ago (one of my primary focuses used to be “police brutality”). This is absolutely not a foreign topic to me. I’ve personally had a number of bad encounters with the police going back all the way to my pre-teen years. I find it interesting that you simply assumed, based on my perspective, that I’m somehow just oblivious. Regardless, none of that changes anything I’ve said.

Also, your claim that a certain segment of Americans, such as poor black folks, have “no access to constitutional rights” is simply false. A more reasonable argument would be that a certain segment of Americans lack the resources to properly defend their Constitutional rights, but those rights haven’t gone anywhere.

AndrewKemendo
0 replies
12h36m

So what gives? How can you question the insanity given your experience?

I got put on the hood for nothing for years before going into the military and whitening up.

DiscourseFan
2 replies
15h55m

None of this is "forced." If you are being interrogated by police without a lawyer, its because you are either a) and idiot, or b) not well educated about the American legal system (which means you probably received a poor education or you're a migrant). What this decision opens up is different from what you cited: here, we are not dealing with physical compulsion to speak or write or produce any kind of communication, which is severely delimited with the presence of a lawyer (or even the mention of one to the police), we are dealing with police, who've already seized some object which contains personal communication (much like safe), and the legal right to remain silent on the code to unlock it. Now if, for previous physical objects which would contain communications that were locked with a code, there was case precedence where that code was legally demanded by police, and granted by a court, then you might have an argument.

kelnos
0 replies
9h33m

I think you're being overly harsh toward people who might speak to police without realizing the implications. Getting arrested or even detained is a high-stress experience, and judgment and decision-making skills suffer in those types of situations.

Beyond that, cops are trained to manipulate people into believing that either a) they are required to talk (despite being read their Miranda rights), or b) that talking actually will work out better for them in the long run than staying silent.

AndrewKemendo
0 replies
15h46m

Let me put a finer point on it:

It does not matter what the constitution says police are going to do whatever they want no matter what, and case law proves that that’s exactly what they will, and will continue to do

You seem to be continuing to operate under the assumption that America works underneath the rule of law universally applied. It doesn’t, it never has.

As you so clearly reinforced my original point, the only way that you can actually have those rights apply to you is by either being smart or rich, and most people are neither

actionfromafar
0 replies
16h16m

What if they present a phone you have never seen before and claim it’s yours. Or if you truly don’t know your own code for some reason.

hutzlibu
0 replies
17h38m

Isn't that a violation of the right to silence?

"Australia has no constitutional protection for the right to silence,[4] but it is broadly recognized by State and Federal Crimes Acts and Codes and is regarded by the courts as an important common law right and a part of the privilege against self-incrimination"

https://en.wikipedia.org/wiki/Right_to_silence_in_Australia

semanticist
1 replies
17h40m

It’s important to note that it’s not just ‘on command’, it’s on issuing a Section 49 order under the RIP Act, which has conditions and doesn’t like automatically result in you being locked up if you refuse (the police have to apply to a court to enforce it, and you have a chance to defend yourself).

This law firm’s site has a good summary: https://www.reeds.co.uk/insight/section-49-ripa-2000-trendin...

The reason I say it’s important to note this is that the UK police absolutely will over represent these powers to bully you into voluntarily handing over unlock codes and passwords. Unless there’s a S49 notice, they’re just asking and you have every right to say ‘no thanks’, and even if they do issue one you can require your day in court to force the issue.

masfuerte
0 replies
15h29m

If they stop you on entry to the UK they can compel you to unlock any devices you are carrying. They are entitled to whatever data they find on the devices but they are not allowed to use the credentials on the devices to access remote services. However, the secret services have a long track record of ignoring the rules so I wouldn't trust them not to.

lesuorac
11 replies
21h26m

My god have we come a long way if its even a debate if you have to reveal your password.

Back in the day your personal belongings couldn't be used to incriminate you [1] since the bill of rights prohibits self-incrimination.

[1]: https://en.wikipedia.org/wiki/Mere_evidence_rule

hypothesis
5 replies
20h15m

the government was becoming dissatisfied with the obstruction of criminal investigations that strict adherence to the rule engendered

Also

The Court recognized that while the rejection of the mere evidence rule may "enlarge the area of permissible searches," the protections of the 4th Amendment, like the reasonableness and warrant requirements, would sufficiently safeguard the right to privacy.

So SCOTUS think that government would be satisfied with Bill of Rights. What if government thinks it is just too frustrating to follow laws?

abfan1127
4 replies
19h23m

what do you mean, "what if?"? Its already there. There's plenty of examples. For instance, the FBI is involved in background checks for gun purchases in the US. They are legally required to destroy any results of said check. They have not (to my knowledge) ever passed an audit.

spicybright
3 replies
19h9m

You would think they be forced to stop if they consistently can't pass audit.

That would make too much sense though.

Geisterde
2 replies
17h33m

The pentagon announced it had misplaced 2.1 trillion dollars on september 10, 2001. It hasnt gotten better.

repeekad
1 replies
17h22m
Geisterde
0 replies
6h35m

I dont know what this is supposed to imply, they misplaced the money, they couldnt pass audit and decades later they still fail every audit. The implications being, widespread waste fraud and abuse could have taken place and we have no records to hold those responsoble to account. In reality, of course there was widespread waste fraud and abuse, it seems all of our guns keep ending up in the hands of nazis and islamic extremists so this one isnt hard to figure out.

croes
2 replies
20h30m

Nowadays it doesn't really matter when people replace passcode by biometrics and passkeys.

These aren't protected.

Ridj48dhsnsh
1 replies
20h19m

Won't your device holding the passkey still take passcodes to unlock itself?

lxgr
0 replies
18h58m

iPhones and many Android phones default to biometrics for both screen unlock and passkey usage these days.

eastbound
1 replies
17h18m

Note that self-incrimination only applies to innocent people. If you are guilty, then you don’t have this right. Or something like that.

Hence, I understand, if they find anything illegal, then your password retention was hindrance to justice.

quickthrower2
0 replies
13h55m

Does it say that in 5A?

LoganDark
8 replies
19h28m

Could police ever compel me to provide the passcode or even an unlocked device if I have a dissociative disorder that can't even guarantee my own knowledge of the passcode? It's entirely possible for me to lose access to it without being able to help myself and it'd be a real shame if they thought I was lying then. Fun thought experiment, though.

autoexec
4 replies
19h6m

You don't even need a disorder for that. Anyone could forget a passcode. They can't prove that you remember it, or that you have any idea what it is, but what they can do is lock you in a jail cell anyway. If your lucky you might get out after only several years https://arstechnica.com/tech-policy/2020/02/man-who-refused-...

LoganDark
2 replies
18h37m

Sure I don't need the disorder to forget things, but the disorder makes it more likely to happen.

autoexec
1 replies
18h19m

I'd argue that people are far more likely to forget a password/passcode than to have dissociative personality disorder and then have only one personality be aware of the password and then also be cured of the disorder/personality or otherwise be unable to ever manifest that personality to allow for questioning by police.

I think in that case it'd probably be treated more or less the same. Jailed for months/years for contempt of court, either locked up in a cell or a hospital with court ordered mental health treatment depending on if the judge believes the person actually has the disorder or not.

LoganDark
0 replies
17h4m

An estimated 1% or so of the population is suspected to have DID, and memory gaps don't exclusively work like "some identity knows the password but it's not me". I can totally forget things without someone else in the system still knowing them. Nobody really has to hold the memory for it to become inaccessible.

kelnos
0 replies
9h22m

Once when I was running CyanogenMod (wow, long time ago) on my Android phone, I made use of the feature to set my device's storage encryption password to something different from my screen unlock code.

And then I proceeded to not reboot my phone for months, and forget what the encryption password was. I was very surprised upon next reboot to find I couldn't get into my phone. Fortunately I remembered it, but it took me a good day or so to figure it out.

So yes, it's perfectly possible to forget a passcode. But the authorities, of course, may not believe you've forgotten it. Which is why it's so important that it should be entirely legal to just refuse to provide it in the first place.

olliej
2 replies
18h55m

If you have a dissociative disorder, then you may just be shot as that is the US police response to most kinds of mental distress, so then from their pointer of view they've solved the problem.

LoganDark
1 replies
18h38m

Dissociative identity disorder isn't necessarily mental distress. Would be pretty irrational to shoot someone over not being able to unlock their phone.

olliej
0 replies
15h18m

We're talking about the US, not places with competent law enforcement.

unstatusthequo
7 replies
21h44m

And so law enforcement just uses GreyKey[1] and problem solved for them.

[1] https://www.magnetforensics.com/products/magnet-graykey/

ssl232
3 replies
21h35m

How does that work? Reading between the lines it sounds like it is device dependent, so at least obscure Android phone users might be safe...?

forgotpwd16
1 replies
21h28m

Was going do the same question. And was more curious in the

When time is critical or access is restricted, selectively extract specific data you need to kick-start your investigation

part. With full-device encryption, was expecting it would've been all or nothing.

yencabulator
0 replies
19h31m

For what it's worth, Android no longer supports full-device encryption, it encrypts filesystem subtrees. For a single-user phone, there's not much of a difference; your "user files" key is obtained from the hardware secret store when you type your PIN.

yencabulator
0 replies
19h38m

I would assume security exploits, mostly targeting old unpatched versions, with some undisclosed 0days in the more expensive products.

And against a modern Pixel/iPhone I would also expect the answer to how does it work to be "not so well". Consider the percentage of the population that uses a potato phone from 2018, consider the likelihood of them being the criminal in question, and the product starts working a lot better. Remember how FBI failed to decrypt the iPhone of some domestic terrorists: https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...

Also remember that lower-end Android hardware uses a different, cheaper, algorithm: https://en.wikipedia.org/wiki/Adiantum_(cipher)

sparker72678
0 replies
21h35m

Is it still the case that this product attempts to brute-force unlock the phone?

kornhole
0 replies
21h13m

Yes this ruling will increase the revenues for companies like this, Celebrite, the platforms, and data brokers. Unless of course it is my phone. ;)

fn-mote
0 replies
19h33m

The existence of a temporary workaround does not mean the original right to refuse to provide your password is somehow bad or (perhaps more to your point) futile.

Every barrier to surveillance makes it less likely. Increase the cost to decrease the behavior.

bryan0
7 replies
17h40m

Am I missing something or is the headline (and most of the HN commentary) missing the point of this ruling? The ruling is not about whether you have the right to refuse to give your passcode (of course you have that right). Rather the ruling is about whether your refusal to give your passcode can be used against you at trial as incriminating evidence (?!)

A court of appeals reversed the conviction, agreeing "with Valdez that he had a right under the Fifth Amendment to the United States Constitution to refuse to provide his passcode, and that the State violated that right when it used his refusal against him at trial." The Utah Supreme Court affirmed the court of appeals ruling.

This seems like a much more subtle question.

SuperNinKenDo
3 replies
17h27m

In terms of the Fifth Amendment, it would seem that those issues are identical. Your right to silence means that your refusal to answer a question, provide interviews, etc, can't be brought up as evidence of your guilt.

bryan0
2 replies
17h13m

Yeah thinking about it more I think this makes sense. It seems like it could be brought up in court though? Just not used as “evidence” again you?

Terr_
1 replies
15h51m

IANAL, but I imagine that would ideally go something like this:

Prosecution: "Mr. Defendant, when the police asked you to unlock your phone, what did you tell them?"

Defense: "Objection, prejudicial and irrelevant. Fifth-Amendment."

Judge: "Objection sustained--move on to the next question."

jonstewart
0 replies
14h45m

Yes, but from TFA it sounds like the prosecution did this in closing arguments, when they’re not talking to a witness. Objections are typically not made by opposing sides in closing arguments (though possible). IANAL and don’t know precisely under which circumstances the judge should intervene in closing arguments. But implying that pleading the fifth is evidence of guilt is kinda “Prodecutorial No-Nos 101” and it’s not surprising it was overturned on appeal. What’s more surprising is that the prosecution then went to the state Supreme Court.

vilhelm_s
1 replies
16h54m

It's not "of course", if there is no 5th amendment protection then you can be forced to give the passcode. The New Jersey case the article mentions is about exactly that. [https://law.justia.com/cases/new-jersey/supreme-court/2020/a...]

bryan0
0 replies
16h25m

Ok thanks for the info. That case seems to be about if you can be charged with a crime if you refuse to reveal your password with a search warrant. While the case for this article seems to be about whether refusing to give a passcode when questioned by police can be used in court against you.

My “of course” comment above was about refusing police questioning (Miranda rights). not refusing a search warrant. That does seem like a much trickier issue.

Edit: added the clarification about Miranda rights

kelnos
0 replies
9h29m

I agree with your analysis here, but I don't think it's settled case law that you can't be compelled to provide your passcode, that refusing to do so is covered under the 5th amendment.

People have been sent to jail on contempt charges for refusing to provide their password, before even getting to the point of going on trial for whatever they're accused of.

csdvrx
6 replies
21h6m

We are lucky to have constitutional rights!

In many countries, they have laws saying suspects can't refuse to give passcodes (or if they do, they'll be jailed)

I think such laws are dangerous, as they could be used for a particularly evil type of attack: throw an encrypted cellphone in someone bag, then have them arrested for whatever wrong reason.

When they can't provide the passcode, they are automatically guilty!

yencabulator
3 replies
19h44m

At that point, it'd be easier to throw some cocaine or an unregistered firearm in their bag, and that'd be a simpler argument in court.

csdvrx
2 replies
18h55m

At that point, it'd be easier to throw some cocaine or an unregistered firearm

These can be illegal depending on the country in question.

Cellphones are very frequent, and not illegal (except maybe in North Korea?)

yencabulator
1 replies
18h49m

I read "have them arrested" as implying the dirty actor is the state/cops. For a dirty cop, drugs & weapons should be easy enough to access.

csdvrx
0 replies
16h11m

I understand your point now, but the horrible thing is such laws turn normal objects into dangerous object: it increase the risks as "less dirty than usual" bad actors can cause the same potential amount of damage!

CrzyLngPwd
0 replies
19h39m

So much irony.

CamperBob2
0 replies
19h42m

It's not luck; we had to fight for those rights. The fight did not end, and never will.

cynicalsecurity
4 replies
16h52m

Never store anything incriminating on your phone. How hard can it be. Your phone is never your friend.

A compact Linux device without any biometrics, telemetry, public clouds and corporate spying software is probably what you could be looking for.

rendaw
0 replies
16h4m

Are you arguing against the ruling? Is this not a good move away from what you've described?

nagonago
0 replies
16h45m

Unfortunately the encrypted phone market is a total mess. The Darknet Diaries podcast has a good episode about this. https://darknetdiaries.com/episode/105/

madeofpalk
0 replies
16h48m

How do i know if it's incriminating or not?

jmbwell
0 replies
15h35m

Nothing has to be on your phone for a cop to demand its contents. At which point, if they want to find something incriminating, rest assured they will.

“Nothing to fear if you’re not doing anything wrong” is a fallacy that serves only the cops

DeathArrow
4 replies
10h50m

I am imagining an authentication system that doesn't just ask you for a password but beside making sure it's you who made the request, also makes sure that you request the access on your free will without being forced.

A primituve one would be requiring a main password to authenticate every 12 hours. If the main password is not used until that period passes. A second password that you don't memorize can be used to unlock but it is stored in a place that only you can access and only if you are totally free.

notfed
3 replies
10h18m

So every 12 hours you'd have to go find your non-memorized password? Sounds incredibly inconvenient.

Anyway, a tyrant is simply going to hold and gun to your head and tell you to go get that second password.

doctor_phil
2 replies
9h3m

I think you read parent-comment wrong. My interpretation: unlock your phone normally at least every 12h. Only if you fail to do that, then the phone locks harder and you need to unlock with the non-memorizable password. Imagine the PIN/PUK system on SIM cards but with a timed lock-out as well. I agree that it sounds inconvenient though.

I'm not that familiar with the US law system, but wouldn't a written down password be worse? With a memorized password it's at least possible to claim you have forgotten.

Some encryption schemes allow two keys for unlocking, but they would show different content depending on the key. I think I remember trying that on TrueCrypt many years ago.

Ikatza
0 replies
2h13m

I sleep longer than 12h most days.

DeathArrow
0 replies
5h50m

I would imagine the second password being in a safe in a Swiss bank.

It's not practical at all, but there should be possible to build systems that authenticate you only if you are free and doing that on your free will without any compulsion.

gorgoiler
3 replies
10h19m

I read the article as well as the (imho much better) blog post on reason.com*, and it still feels tenuous to hope that this would be decided definitively by the Supreme Court.

In the original case the prosecution argued that the defendant’s lack of cooperation in unlocking their phone was evidence of guilt. Wouldn’t a Supreme Court ruling therefore be about whether or not a prosecutor may assert such a thing as evidence? That feels quite different from the original act of (and rights around) refusal to unlock the phone.

It’s as if the prosecution said “he had a gun, so he must be guilty!”, and hoping that the case will go to the Supreme Court to decide on the legality of the second amendment.

* https://reason.com/volokh/2023/12/14/is-compelled-decryption...

pstuart
2 replies
9h39m

Seems to me a very clear 4th Amendment issue. If there's reasonable suspicion that's one thing but a fishing expedition should not be allowed.

chmod600
1 replies
6h59m

They had a warrant. It seems less like a 4th issue and more like a 5th issue.

pstuart
0 replies
1h13m

Thanks for clarifying. I should have read the article ;-)

egberts1
3 replies
20h47m

Use a passphrase of something like "I stole a government-owned pen."

Then you can argue that the passphrase (unlike a PIN, face ID) may incriminate me of a crime and that Fourth Amendment prevents me from doing so.

Same thing with voice-based passphrase.

Of course, I am not a lawyer.

tacocataco
1 replies
14h1m

"Whats the password? I cannot recall."

u32480932048
0 replies
13h43m

Changing all my passwords to "I don't recall."

egberts1
0 replies
3h56m

And the prosecutor may try to entice you with a limited concise immunity deal to excuse you of "whatever crime" that passphrase would accuse you of, of which you would say "is that not a fishing trip?" And refuse that deal.

IANAL.

willsoon
2 replies
13h38m

Well, I am not in the USA, but I think that in the whole of the West you cannot incriminate yourself. But thank you, Your Honour.

tasn
0 replies
13h29m

Unfortunately that's not the case. In the UK you can be forced to decrypt data and provide passwords.

https://en.m.wikipedia.org/wiki/Key_disclosure_law#United_Ki...

smcin
0 replies
12h48m

What, "the West" meaning everything from Bulgaria to Canada to Estonia? That's way overly broad claim.

This ruling isn't even for all of the US, currently only at the Utah state Supreme Court level, it hasn't gone to the Tenth Circuit Court of Appeals or Supreme Court. This is not necessarily the last word on the topic, not even just for the US.

Another of many factors is whether the person was being detained or merely questioned, whether they had been formally notified of their right to remain silent, etc.

terminous
2 replies
21h20m

*In the state of Utah

phyzome
1 replies
20h21m

I feel like this should be the next "...in mice".

yosito
0 replies
14h51m

"... in mice in the state of Utah"

tamimio
2 replies
10h7m

Does it only to phones?! If so, it is probably because they are already compromised and backdoored, unless it applies to all other mediums and electronics. On the other hand, I remember I read border controls can operate within certain distance from the border inside the country, and as far as I know, they can ask you to provide the codes.

kelnos
0 replies
9h52m

And you can refuse, and they can't compel you to comply. They can take your phone and do their best to break into it or image its internal storage, but they have no right to detain you based on a refusal to unlock your phone.

If you are not a US citizen, however, and you are trying to enter the country, they can use your refusal as a basis for denying you entry. Which is garbage, but... yeah.

TomK32
0 replies
10h1m

For the US it's 100 miles and 2/3 of the US population live in this zone. https://www.aclu.org/know-your-rights/border-zone

entriesfull
2 replies
20h29m

Bull crap. I personally was on probation as a juvenile for a petty offense. One day the PO asks my parents to take me to talk with her to see how I'm doing. She then asked me for a facebook password and I refused. After which she put me in a court house cell for 8 hours and made me miss an entire day of school.

I eventually gave this psychopath my password because I had nothing incriminating and I hadn't eaten all day.

Nice to know USA is literally Nazi Germany but better at hiding their dirty secrets.

wolverine876
0 replies
17h49m

Thanks for sharing that. What a valuable perspective; most people on HN are talking with no experience.

How old were you?

(The last line usually wouldn't be ok on HN, but I can imagine your anger.)

refurb
0 replies
16h38m

If you're on probation you lose certain rights as a condition of your release.

eastof
2 replies
9h38m

IANAL but what's stopping the "that's not my phone and I don't know the passcode" defense?

vasco
0 replies
9h31m

"Officer, these drugs / gun in my pocket aren't mine!!"

Not sharing the password should be obviously protected, but saying the phone isn't yours when in your person is harder to try and get away with.

andylynch
0 replies
9h3m

I was a juror on a trial where this was tried. The prosecution showed logs from the mobile phone companies’ towers showing where it have been seen, including overnights, and calls from it to the guys friends. Also didn’t help him that it was on a loan application in his name.

This helped convict them of aggravated burglary.

(Incidentally, one of the others failed to provide his passcode but we found it implausible that he could have forgotten it, unlike the USA in England this is absolutely something you can be done for here and he was. I don’t want to get in to the pros/ cons of this law but the basic idea is that its seen as a key, albeit intangible, to a locked container which investigators can require you to open)

croes
2 replies
20h32m

And know imagine you use passkeys secured by Faceid or other biometric procedures.

olliej
1 replies
18h56m

as opposed to a password manager? Passkeys solve _many_ problems and the weaknesses all degrade to "password manager".

croes
0 replies
9h20m

Passkeys take the passwords out of the user's hand. That's good for some users but bad for all, especially at the moment with missing migration possibilities between iOS and Android.

Like all the rest of the computer stuff, it stops being yours and becomes theirs and you are only allowed to use it.

wolverine876
1 replies
17h45m

If you feed a bunch of a target's personal info into an LLM, would it guess their password more quickly than a human? What about an LLM trained specifically for the task?

It could be the end of non-random passwords.

BriggyDwiggs42
0 replies
17h31m

Doubt it, they arent magic

wmidwestranger
1 replies
13h56m

I'd go so far as to say they never needed permission to refuse, so thanks for confirming the traditional position that coercion is not a valid means of confession.

thaumasiotes
0 replies
12h29m

Orin Kerr noted, commenting on this case, that it's restricted to the question of whether suspects can be compelled to divulge their passwords, even though the more common legal question is whether suspects can be compelled to unlock their phone.

pphysch
1 replies
20h41m

If LEO have a search warrant and find a locked safe in your house (that may include private data or evidence of crime), are they allowed to crack it or order you to open it?

Why would a computer device be any different?

sgjohnson
0 replies
20h20m

They are allowed to crack it. They can’t order you to open it.

Same goes for a computer device. Go ahead, crack it.

notfed
1 replies
8h58m

Standard responses in order of increasing tyranny:

1. "I promise to tell you if you bring me snacks"

2. "Thanks. My password is a-n-i-d-i-o-t-t-y-p-e-d-t-h-i-s-6-9"

3. "Ok, ok, it's f-o-o-l-m-e-t-w-i-c-e-4-2-0"

4. "no."

5. "I refuse to answer any questions without a lawyer present"

6. "I don't remember the password"

7. "I tried to learned Android development and I think I accidentally wiped the device"

yreg
0 replies
8h26m

Is this GPT-1?

mike_ivanov
1 replies
21h39m

Which might imply that providing passcodes is no longer "necessary" to survey the content.

croes
0 replies
20h28m

Faceid isn't protected and the passkeys get unlocked by Faceid

alliao
1 replies
11h46m

Chinese netizens posed this question the other day, about how their police never seem to run into the US police issues unable to gain access; especially to iPhones.

Many conspiracy theory surfaced from back door to rooted iCloud servers in China.

Till a supposedly policemen chimed in and said they'd just browse through the millions upon millions of security footage to see the perp unlocking their phone with passcode.

walterbell
0 replies
11h39m

Apple iPhone needs opt-out of flashing the plaintext passcode characters onscreen during device unlock.

If users need to verify the entered characters, use the “show password” eye icon.

Avoid the attack surface of flashing inverted characters visible to nearby surveillance and phone cameras.

> they'd just browse through the millions upon millions of security footage to see the perp unlocking their phone with passcode

s/browse/facial recognition search/

walterbell
0 replies
20h12m

Avoid phones which flash plaintext password characters onscreen during typing, visible to any nearby video camera for record/replay.

egberts1
0 replies
3h42m

Problem with Apple iPhone authentication scheme is their reductive logic of eliminating one of three basic authentications by using OR logic, instead of AND logic.

In short, they are still single-factor authentication.

https://www.pearsonitcertification.com/articles/article.aspx...

chmod600
0 replies
5h2m

If I were SCOTUS, here's how I would settle this question:

The accused can't be compelled to produce a password, and the prosecution can't use the defendant's silence as an argument against them. BUT the police can explain in court that they were unable to search and/or seize what's listed on the warrant due to an unknown password and unbreakable encryption.

In other words, they can't say "Joe wouldn't give us his phone password and that means he's guilty". But they can say "we were unable to search his phone or collect these documents listed on the warrant due to unbreakable phone security".

There's not a huge difference between those two statements when it comes to the jury. They'll understand that evidence is missing, and that the defendant can probably produce it but won't. Maybe civil libertarians won't like that, but I think that's misplaced: there is a warrant, remember, it's not just a random search. And the defendant can always produce it if it's exculpatory.

buryat
0 replies
18h33m

reality is more like https://xkcd.com/538/

SCAQTony
0 replies
15h38m

It seems so evident that the 5th is in play. I wonder if this is a test case to take advantage of a particularly conservative Supreme Court.