In a new case decided Wednesday, SEC v. Huang, a federal trial court in Pennsylvania held that the government can't force a person to give up his passcode to his smartphone. I think the decision misses the mark, and I hope it is appealed. Here's a rundown.
First, the facts. The Securities and Exchange Commission (SEC) is investigating Bonan and Nan Huang for insider trading. The two worked at the credit card company Capital One as data analysts. According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million.
Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them.
But here's the problem: The SEC can't get in. Only the defendants know the passcodes. And the defendants have refused to disclose them.
That brings us to the new decision. The SEC has asked the court for an order to compel Bonan and Nan Huang to each give up their passcodes to the Capital One phones they used so the SEC can bypass the passcode gate and search the phones. The defendants have opposed the request for an order on Fifth Amendment grounds. In their view, an order forcing them to give up the passcodes would force them to testify against themselves in violation of the privilege against self-incrimination.
In the new ruling, the trial court agreed with the defendants and denied the SEC's request. The opinion was written by Judge Mark Kearney, a relatively new district court judge.
The most important part of the opinion is Judge Kearney's approach to the "foregone conclusion" doctrine. The doctrine, introduced in Fisher v. United States, says that the Fifth Amendment doesn't block complying with a court order when the testimonial part of complying with a court order is a foregone conclusion. In other words, if the government already knows the testimonial part of complying with the order, and they're not seeking to prove it from the order, then you can't use the Fifth Amendment to avoid compliance with the order.
The big issue in Huang is how to apply that doctrine. The government argued that the foregone conclusion doctrine applies because the government already knew the testimonial aspect of complying with the order for the passcode. The government already knew that the users possessed the phones, so the testimonial part of complying with any order -- admitting knowledge of the passcode, and therefore admitting to likely former possession of the phones -- was a foregone conclusion. Judge Kearney ruled that this argument "missed the mark" because the foregone conclusion doctrine is about what specific documents the government is seeking. Because the existence of specific files sought on the phone was not a foregone conclusion, the foregone conclusion doctrine couldn't apply:
The court of appeals' reasoning in In re Grand Jury again persuades our analysis. There, the Court of Appeals for the Eleventh Circuit refused to apply the "foregone conclusion" doctrine because the Government could not meet its burden of showing with "reasonable particularity" what "if anything, was hidden behind the encrypted wall." 670 F.3d at 1349. While the Government need not "identify exactly" the underlying documents it seeks, "categorical requests for documents the Government anticipates are likely to exist simply will not suffice." Id. at 1348. There, the Government could not show the encrypted drives actually contained any files, nor could it show which files would if any prove to be useful. Id. at 1347.
Here, the SEC proffers no evidence rising to a "reasonable particularity" any of the documents it alleges reside in the passcode protected phones. Instead, it argues only possession of the smartphones and Defendants were the sole users and possessors of their respective work-issued smartphones. SEC does not show the "existence" of any requested documents actually existing on the smartphones. Merely possessing the smartphones is insufficient if the SEC cannot show what is actually on the device.
The author then goes on to reason a way around the 5th Amendment:
Because the passcode itself could be incriminating, the smart way to limit the Fifth Amendment problem is for the government to ask for an order compelling the target to enter in the passcode rather than to divulge it to the police. That way, the government gets the unlocked phone but never gets the passcode. If the defendant has to enter in the passcode rather than tell it to the police, the testimonial aspect of complying would only be admitting knowledge of the passcode, which would very likely be a foregone conclusion in a case where the phone is used heavily by that person.
Man, I need to get working on a self-destruct system for my phone.