Here is our first speaker and also part of the CPV staff, so please welcome Riana Pfefferkorn.

Good morning. Thank you so much for coming this early, still nursing last night's drinks deep in your brain cells, but I appreciate you coming. So I only have 20 minutes, so I'm going to go through this real quick. Before we dive in though, a couple of regulatory disclaimers: I am a lawyer, but I am not your lawyer. Nothing that I say here is legal advice, and all of these are just my own opinions, man, not just, not those of my employer.

A note on the scope of this talk, here are some things that this talk is not about. This talk is not going to be about searches that occur at the United States border. That is like the upside down. It's like a whole other can of worms, and so I'm not going to be talking about searches that occur in that context. We're assuming that everything that I'm talking about today occurs within the United States. If you are curious about that, the Electronic Frontier Foundation has an Ask the EFF panel this weekend as part of main DEF CON. You can go and ask them about it. I will also have a list of suggested resources at the end if you're curious about this topic.

This talk is also not going to be about the Fourth Amendment. The Fourth and Fifth Amendments protect overlapping but different sets of rights. The Fifth Amendment is going to be what we're talking about today. The Fourth Amendment protects you from unreasonable government searches and seizures, and it sets forth the conditions for the issuance of warrants. For this talk, we're going to assume that a valid warrant has already been issued for the electronic device for which there is a compelled decryption demand. Why are we assuming that? Well, the Supreme Court says that the police need a warrant in order to get into your smartphone. To search and seize your smartphone, they have to have a warrant first.
That's also standard practice for searches and seizures of other types of computers, laptops, desktops, external hard drives. All of those, typical practice is to get a warrant for those too. So law enforcement cannot compel you without such an underlying legal authorization as a warrant to decrypt your device for them. They can ask you nicely and ask you to voluntarily consent to decrypt your device for them, but they cannot compel you absent some underlying legal authorization. And that typically will mean a warrant or a separate court order that is meant to give effect to that underlying warrant.

With that said, there are plenty of ways that there can be problems under the Fourth Amendment with a device warrant. Yeah, with a warrant for a device. The Fourth Amendment prescribes such conditions as particularity, as not having something be overbroad and have a fishing expedition. So those are challenges that have been brought in the past to device warrants, but we're not going to concern ourselves with the Fourth Amendment issues today. And again, if you're interested in Fourth Amendment issues with device warrants, I'll have some suggested reading at the end of the talk.

So what is this talk about? This talk is about the Fifth Amendment. Now the Fifth Amendment protects a number of rights, actually. There's the grand jury clause, there's the takings clause, there's the double jeopardy clause. But the one that we're focusing on today is the self-incrimination clause. No person shall be compelled in any criminal case to be a witness against himself. That sounds fairly straightforward, right? You can't be compelled to testify against yourself. It sounds simple, it's not. Fifth Amendment law is a big, hairy body of law, it's very complicated, but I only have 20 minutes. So I'm going to give you the very sort of high-level version of this today.

Well, what's the Fifth Amendment got to do with encryption anyway?
Well, the issue is that when a device is encrypted, that can impede the execution of a search and seizure warrant. The police can't get into it. Okay, so in that case, law enforcement has a few different options for what they can try to do in order to get access to the decrypted data on a device. One is to try and seize a cloud backup of the contents of the device. So if you back up your iPhone to your iCloud account, the police can go to Apple with a separate warrant and say, give us the contents of that iCloud account. But what if you don't back up your device? What if the backups aren't very recent? Well, then that's not going to be very useful to them.

Another option would be to try to make Apple or Google unlock the phone, but that hasn't been a good legal option since 2016 when the FBI threw down with Apple and lost. And it hasn't been a good technical option in recent years because both iPhones and Android phones now use full disk encryption, typically turned on by default. And so at this point, not even the manufacturers of those phones can extract data in readable form for law enforcement.

Another option would be for the police to use either a home-rolled or third-party vendor's data extraction tool that can extract readable data even from a locked phone, such as a Cellebrite device or a GrayKey device. And those work sometimes, but they don't necessarily work consistently on every model of phone, every version of the OS. And there's this cat and mouse game between the manufacturers on the one hand and the makers of these tools on the other where the manufacturers, such as Apple, are always trying to close the vulnerabilities that enabled those tools to work in the first place.

So what's the final option that the police could try? That's the one we're going to talk about today, which is to try and force the device owner to decrypt the device for the police. And that's where the Fifth Amendment comes in.
So the idea of invoking your Fifth Amendment rights against being compelled to decrypt isn't new. I've been told that this was a topic of discussion in the Cypherpunks mailing lists back in the 1990s. The first court decision on this issue came in 2007 that involved an encrypted partition on a laptop. But it's become more relevant now in recent years because, as mentioned, full disk encryption is now very prevalent, especially on smartphones and even on laptops sometimes as well. It's often the default or it's very easy to turn on so the user doesn't have to install and fiddle with a separate piece of software in order to encrypt their device or their files. And now there are multiple means to decrypt. You can use a passcode, password, passphrase. I'm just going to say passcode for the most part, even though those are all separate distinct things. But you can also use a biometric such as your face or your fingerprint. So we've seen more court cases on this issue really multiplying in recent years. And those cases have given rise to some general trends in the law, but that law is still unsettled. It's still evolving. The Supreme Court hasn't yet weighed in.

So is there a general rule overall that we can glean from these cases? Well, kind of. Does the Fifth Amendment protect you from being compelled to decrypt? Now, when I say defendants, I'm mostly going to refer to defendants in this talk, but the Fifth Amendment does not just cover defendants. People who are something other than people who are currently being criminally investigated or who are already indicted and being prosecuted can invoke their Fifth Amendment rights and may have very good reason to do so. If the police have a device warrant for your device, it might not just be because you're a defendant. It could be because you are a witness. It could be because you are a victim of a crime. So when I say defendants, I don't just mean defendants.
The general rule that arises is that if you use a biometric, you can be compelled to decrypt your device for law enforcement because a biometric is something you are. If you use a passcode to decrypt, typically you can't be compelled to unlock because a passcode is something that you know. But there are exceptions to each of these things that I'm going to explain.

Now, in order to understand the jurisprudence on Fifth Amendment and compelled decryption, there are two key concepts that you need to understand. One of them is called the act of production doctrine, and the other is the foregone conclusion doctrine.

So the act of production doctrine comes out against a background where typically the government can compel people to hand over documents or information that they have. Think of subpoenas, think of warrants. But this doctrine is an exception that allows the government to conduct investigations, gather evidence, gather documents, while still protecting people's constitutional rights. And it starts from the premise that acts, not just words, can count as testimony. Something you do can be testimonial, not just something that you say. So the very act of producing evidence can, on its own, have communicative aspects. When you are handing over evidence in response to a demand from law enforcement, you're testifying to the fact that that evidence exists, that you possess it, you have custody or control over it, and that that evidence is authentic and that you think it's responsive to the demand that you've been given. So if the act of producing evidence would mean testifying against yourself, then you can't be forced to hand that evidence over, even though there's a warrant for it.

But not all acts of production are protected. The act must be compelled. If you hand something over voluntarily, there's no Fifth Amendment protection. It must be incriminating, meaning that compliance would put you in legal danger. And it has to be testimonial.
An act is typically considered testimonial if it discloses the contents of your mind. But if it gives no indication of your thoughts or knowledge, then it's not testimonial. This is a concept that the courts have really grappled with in the context of compelled decryption. It's given them some trouble. It's been sort of hard to grok. And so the typical example that they turn to is one that the Supreme Court has used to illustrate what would and would not count as testimonial. The Supreme Court has said that surrendering the key to a strongbox is not testimonial, whereas revealing the combination to a wall safe would be testimonial. The latter is testimonial because it forces you to disclose the contents of your mind. The former is not testimonial and there's no thought process involved in handing over a key. It's still incriminating if you have to hand over the key to a box full of crimes, but it's not testimonial, so it doesn't fall within the scope of the Fifth Amendment right. And that example, using something physical versus using the contents of your mind is going to come into play when we talk about biometrics versus passcodes.

But first, I mentioned that there's one other doctrine that you need to understand and that's the foregone conclusion doctrine. So in general, as I just said, testimonial acts of production get Fifth Amendment protection, but there's an exception. That's the foregone conclusion exception. An act of production is not protected by the Fifth Amendment if the information that the act conveys is a foregone conclusion that adds little or nothing to the sum total of the government's information. Basically, the foregone conclusion exception will kick in if the government already knows what it's trying to compel from you from some other source. That is, the act isn't telling the government anything that they don't already know and so that act can be compelled.
If it's a foregone conclusion that evidence exists, that you possess it and that it's authentic, then the foregone conclusion exception will defeat an invocation of your Fifth Amendment rights.

Why would the police want to compel you to do something that they already know? Well, if your business partner rats you out and says there's evidence on that guy's computer of tax fraud, that tells the government the information that they would need as a basis for compelling you to hand over and decrypt your computer for them, but it doesn't put those files in their hands. They still need you to decrypt the device for them to have those actual files in their hands.

So how does this apply when we can come to the context of compelling people to decrypt their devices? So in general, for biometrics, the courts say this does not count as testimonial because it's something you are. It's your fingerprint. It's your face. The courts have compared this to the compelled exhibition of bodily characteristics such as handing over a blood sample, a voice exemplar, or putting on a piece of clothing to see if it fits or not. And they say this is much more like a strongbox key than the combination to a safe. Even though the courts have acknowledged that this doesn't really fit neatly into these boxes, because when you are producing your body, you are still also producing the decrypted contents of your device. But this is where the courts have generally landed.

There have been a couple of cases that have said that a biometric is still testimonial. But only four judges have said this. So far two of them have been overturned on appeal and we're waiting for a decision on a third that came out in January. And the rationale that those judges said was touching your finger to a sensor on your phone is testimonial. It's testifying that you have possession, that you have control over the device.
And one of those courts has said this isn't the same as just comparing your fingerprint to a fingerprint that was lifted from a crime scene. It's much more like your physiological responses to a polygraph test, which the Supreme Court has said is testimonial.

But on appeal, the courts have struck those down and said, no, this is not testimonial, as long as the agents or the police agents who are executing the warrant are picking your finger. They're just going to put each, the way that these orders are typically drafted now, a lot of the time it means that the executing officer will just depress each of your fingers onto the sensor until they get to the finger that unlocks it. And the courts there say there's no need to invoke your thought process at all. You could be unconscious and you could still have your finger pressed to the sensor on your phone, so there's no contents of your mind being used there.

So in sum, if you use a biometric, you're probably out of luck when it comes to the Fifth Amendment.

By contrast, a passcode is universally considered to be testimonial because you're decrypting what the passcode is using the contents of your mind. And that would seem pretty open and shut, except, you remember that I talked about the foregone conclusion exception? Well, that exception will defeat the Fifth Amendment claim if the government can show that it already knows the information that would be conveyed by your compelled act of decryption.

Well, what information is that? Here's where the courts have split. The courts don't agree on the proper focus of the foregone conclusion analysis. Some courts have said that the government has to show that it already knows that there are incriminating files that exist on your encrypted device, whereas there are other courts that have said all the government has to show is that it knows that the defendant knows the passcode. Now, that's a much easier test to meet.
It's not going to be a high bar in most cases for the government to be able to show that you already know how to unlock your own phone, so that is not a very defense-friendly test. But overall, the government will be in the best position if it can show it either way, if it has the evidence to show both that you know the passcode and that it knows the files already exist on the device. Because, given that the law is very unsettled, a lot of courts haven't been faced with this issue yet, and so if they don't know, so the government doesn't know whether the court's going to go with the passcode test or the files test, they want to be able to show it both ways.

All right, so what evidence have the courts used to establish that the foregone conclusion applies? These are some real-world examples. The defendant talked to the cops and admitted that the device was his, or the defendant admitted to the cops that there was illegal stuff on the device, or the defendant voluntarily decrypted the device for law enforcement, even let law enforcement go through and unlock device and see that there were incriminating files on there, but before the police could get a warrant to search and seize the device, the device had encrypted and locked itself up again, or the defendant had told other people that there was incriminating stuff on the device or even shown it to them, and those people went and told the cops.

So the government does not bat a thousand when they argue foregone conclusion. It depends on the amount of evidence that they have, but it has a pretty good batting average, and so the fact that courts consider passcodes to be testimonial isn't necessarily the great news that it might seem to be.

So the upshot is that it depends whether the Fifth Amendment will protect you from being compelled to decrypt your device. If you use a passcode, you have way better odds than if you use a biometric, but the foregone conclusion exception can still getcha.
It's hard to predict in advance whether a Fifth Amendment claim is going to succeed because the law is still evolving. The courts don't all use the same analysis, and the outcome is often really fact-dependent.

Specific facts matter a lot. What the cops already know matters. The less information that they have, the harder it is for them to argue that the foregone conclusion exception should apply. The wording of a warrant or court order matters. The wording can raise facial Fourth or Fifth Amendment problems that could make the warrant potentially invalid. How the cops execute the warrant matters. Even if the wording is perfectly fine, the way that the police execute that warrant and carry it out might still violate the Fifth Amendment. So even though all those courts said a biometric isn't testimonial because the cops are pushing your finger onto the sensor, if the police said, "You pick the finger that unlocks the phone," then you're using the contents of your mind to just select which finger it is, and I think a court might say in that case, that is testimonial.

And so far, which court you're prosecuted in also matters because not all the courts have gotten around to this question yet. There are only two federal courts of appeals that have weighed in on this question. Those are the Third and Eleventh Circuit Courts of Appeals. And only two state high courts, state supreme courts have weighed in. Soon we'll see three more decisions that are currently pending.

And for my money, the worst state that you can be in for this is Florida. Florida is part of the Eleventh Circuit Court of Appeals, so if you're in federal court, that test will apply. But if you're in state court, there have been two different state level appeals courts that have come out in three different cases and they have disagreed with each other, even from case to case.
So the Fifth Amendment analysis, meaning your constitutional rights, will vary depending not only on whether you're in federal or state court, but sometimes even what part of the state you're in. And all that suggests to me is that we really need to have a consistent rule. There won't be one until the Supreme Court weighs in. And that might be a couple years yet if they decide to take it up and we don't know whether they're going to decide that this is interesting enough for them to get around to it.

I would like to see them take this issue up because this type of issue has been coming up more and more. It's only going to keep happening more often. And there should really be a consistent rule that would give predictability and consistency not only to the police so that they know how they can carry out these orders, what they can ask for, what they can't, but also for all of us, not only for you to know what your rights are if this situation arises, but also because it's really stupid as a matter of public policy for your constitutional rights to depend on whether you just happen to pick a biometric or a passcode, which leads to totally divergent potential legal outcomes.

And your threat model for what you selected probably has nothing to do with thinking, what if I get arrested and there's a warrant for my device at some point? Your model might be that you have an abusive partner or an abusive parent in your home who might want to unlock your device using your finger while you're asleep to get access to your device. It might be that you just want the convenience of being able to unlock your phone dozens of times a day, as we all do, and you don't want to spend a bunch of time doing it. Maybe a biometric is better for you in that instance. Or maybe you're a parent and either your kid will try and enter times that it will brick your phone in order to try and get in and play games.
Or if you have a biometric maybe they'll try and unlock your phone or your tablet while you're asleep and buy in-game Pokemon shit on your credit card.

So what should you do? And again, not legal advice. The common sense stuff would be think twice before you blab about or show off the illegal shit that you have on your phone, especially to the cops. And stay out of Florida. That's just Fifth Amendment advice. That's just life advice.

But seriously, for now you're probably going to be better off using a passcode over a biometric, or a passcode plus biometric than just normal biometric. Maybe you typically prefer to use a biometric, but if you are going into a situation with a heightened risk of arrest, such as a protest, maybe you want to switch to the passcode temporarily, or you can enable a feature that is now on both iPhones and Android phones. It's called panic button on iPhone and lockdown mode for Android, which will bring up the option to temporarily disable a biometric and require you to enter a passcode or a pattern instead. This feature has recently come in handy in real life during the Hong Kong protests that were happening.

If the police have a warrant and they demand that you decrypt, get a lawyer. The EFF is around. They know some good lawyers. Go and talk to them if you don't have one already.

If you want to voluntarily consent to decrypting your device, you might have very good reasons based on your particular circumstances to do so. Just understand that you are giving up some potential Fifth Amendment and maybe Fourth Amendment defenses that you might otherwise be able to bring in if you are getting prosecuted, that you are giving up by voluntarily consenting to open your device for them.

If you want to invoke your Fifth Amendment, say it out loud, say it clearly, be unequivocal about it. The right is not self-executing. If you just don't say anything, you waive it.
This is stupid, but you have to affirmatively say, I'm invoking my Fifth Amendment right not to be compelled to decrypt this because you don't have the right to make me incriminate myself. And if you invoke your rights, and that doesn't work, and the court still rules against you, it is possible that if you still refuse to comply, you might be held in contempt of court.

But I think I am just about out of time for this, so don't ask me the contempt issue. Ask the Electronic Frontier Foundation. But thank you very much for coming. You now have a grasp of this very complicated area of law. Now you know how it works, and you can explain it to all your friends at your next protest that you go to.

So here are some resources if you are interested. I'll take Q&A in a moment, but I just want to end with a call to action. Lately, the FBI director and the attorney general have both been saying that they want to pursue some legislative or other type of solution to give law enforcement guaranteed access into your device. And if you don't like that idea, tell your congressperson. Thank you.

We are getting a mic set up, and we have a human mic stand right here. So come and form an orderly line. So we have about five minutes.

What's that? The title slide?

Questions at the microphone, please? Now, again, as Riana said, we got to cut it off at five minutes to make room for the next talk. But if you flow back through the village, Riana, I believe, will be there to answer follow-up.

I'll be around today and tomorrow at the village.

All right. Hi. I want to know what's the standard of proof for the foregone conclusion? Is it preponderance, clear and convincing, or beyond reasonable doubt?

It depends. So the police have to show with reasonable particularity that they know that there's incriminating stuff on your device, that they know that the files already exist. But there's been some variance in the standard that the courts have used in what level of evidence is enough.
So it depends.

Okay. Hey. Awesome talk. I remember a Fourth Amendment case where someone was being interviewed at their door, and they jump back and slam the door from the cops, and that was interpreted as, well, you're fleeing, so the Fourth Amendment we can override and push in. Is there any case law yet or would you anticipate if someone used a duress function on the phone like during a law enforcement interaction? Would that be considered, or someone I'm sure would try to say, well, you were attempting to flee the evidence or destroy the evidence, and it's not the same as just taking the phone in a neutral interaction?

That's a great question. So I think it depends what the duress function does. If it is just the lockdown mode or the panic button, I don't think that that could be construed as destruction of evidence because it's not destroying anything. It's just scrambling it with encryption. It's still there. It can be decrypted, so nothing is being destroyed. However, when I've heard people theorize about creating a duress function, that would just go through and write zeros over everything on your phone. That probably would count as destruction of evidence, and I would say that's probably a bad idea.

That took care of 30% of our questions.

Given the current makeup of the Supreme Court and how slowly justices get replaced, whatever, what would they do now with that Fifth Amendment question that you said they need to weigh in on?

I mean, if they can stop sexually harassing people long enough to decide, I don't know. That's a good question. I will say that you might think that a conservative justice would be reflexively anti-defendant. That's not always true. The late Justice Scalia was actually one of the best defenders of the rights that criminal defendants have, but I think that's because he thought that as soon as you've satisfied all of the procedural niceties, then you could just throw the book at them. I don't know how this court would come out.
I don't think there's really been a lot of Fifth Amendment cases in this line. I will say that the most recent Fifth Amendment case that the Supreme Court has considered that I can consider off the top of my head is the one that I referenced, which is the one that says you have to affirmatively out loud express that you are invoking your right to remain silent. So if that's the way that they think about these issues, I don't know what will happen.

I have another question regarding the foregone conclusions. You have to be able to prove that you either know the passcode or have access to the device or they can prove that they know that the files are on the device. Now if they know that you have incriminating files on that device but they obtain that information in a non-court admissible way. It was not legal. It was without a warrant in which they obtained that knowledge. Would that still qualify?

That's a great question. I wish I knew the answer to it. I would certainly raise it if I were defense counsel for trying to get evidence excluded but I don't know the answer to that. To be clear, the foregone conclusion doctrine is complicated. So the courts have really struggled with all of this stuff so it's not just me who's confused.

Thanks.

Hi, I'm not sure if you brought this up before or if it even matters but what about face ID? What if they just hold your phone in front of your face?

So like I said in general the police need a warrant to search your phone. So if they don't have a warrant I would try and get that bounced. If they do have a warrant and they just hold it up to your face hopefully you get the chance to invoke your Fifth Amendment right beforehand. But that's certainly a worry that a lot of people have and that might militate against deciding to use face ID if that's something that you're worried about.
I would try and challenge that especially by saying you didn't even give me the opportunity to invoke my constitutional rights but certainly a worry that is prevalent, it's not just you.

Alright, thank you very much. I'm sorry, we do have a hard cut off. However, Riana is going to be right over there with all that awesome knowledge in her head. Thank you.