If You Give A Cop Your Passcode... Court Considers Whether Using Voluntarily-Provided Codes Violates the Fourth Amendment
V&E Cybersecurity and Data Privacy Insights, April 17, 2019
The Colorado Supreme Court held last week that when a defendant voluntarily disclosed his four-digit passcode for what he thought was a limited purpose and an officer used the code to search the defendant’s entire phone, it did not violate the Fourth Amendment. The court reasoned that the defendant “had no legitimate expectation of privacy in the digits of his passcode after providing them to [a police officer].”1
The Colorado case, People v. Davis, has some similarities with the popular children’s book, If You Give a Mouse a Cookie.2 In that story, the reader learns of the slippery slope of headaches that can follow from one simple act — there, the voluntary provision of a chocolate chip cookie to a little furry friend. Here’s what happens If You Give A Cop Your Passcode:
If you give a cop your cell phone passcode — just so that he can call your significant other — he’s going to ask for a search warrant to go with it. The warrant will allow him to search your entire device. When he receives the search warrant, he’ll probably use the passcode you’ve already given him to facilitate such a search, even though you gave it to him for a limited purpose. When he’s finished, he may have identified information that law enforcement will attempt to use against you (or your company) in a criminal proceeding. Then, you will want to challenge use of the information on constitutional grounds. When a court considers your challenge, it may join the Colorado Supreme Court in holding that such evidence can properly be used against you (or your company) in criminal proceedings, because once you voluntarily disclose your passcode, you no longer have a reasonable expectation of privacy in it under the Fourth Amendment.
In Davis, the defendant, Shaun Davis, was arrested for suspicion of first-degree murder. Davis asked a police officer to use Davis’s cell phone to call his girlfriend and tell her to get the car that Davis had driven. To assist the officer in this endeavor, Davis gave him his passcode. Later, the police obtained a search warrant for Davis’s phone. Without seeking Davis’s or the court’s specific consent, officers unlocked Davis’s phone using the passcode that Davis had previously provided and then executed the search warrant.
Davis argued that the officer’s use of the passcode to aid in the search of the phone exceeded the scope of the consent he had provided. The Colorado Supreme Court disagreed, holding Davis no longer had an expectation of privacy in the passcode. Thus, the police did not violate the Fourth Amendment when they used Davis’s previously-disclosed passcode to unlock his phone.
This Colorado decision joins a line of developing case law (see, e.g.,
our prior commentary) addressing Fourth and Fifth Amendment limitations on evidence obtained from electronic devices protected by encryption technology. It is a reminder that even the most discrete voluntary disclosures to law enforcement can have significant implications.
Although not directly at issue in the Davis case, device encryption also raises a Fifth Amendment question: whether the government can compel individuals to provide it with a passcode or to use a
biometric feature — like a fingerprint — to unlock phones and other devices. Courts have recently come out on both sides of the issue, as a court in California3 recently found that a person cannot be compelled to provide a passcode or biometric feature to unlock a device under the Fifth Amendment, while a D.C. court reached the opposite result.4 The main crux of that disagreement stems from whether the act of placing one’s finger, thumb, or face in front of a scanner is “testimonial” in nature, or is a non-communicative act.
What this means for you:
- Companies should counsel their employees not to provide the government with electronic device passcode information unless compelled to do so by a warrant. If a person voluntarily provides a passcode to law enforcement — even if for only a limited purpose — it will be difficult for counsel to later mount a constitutional challenge to any information obtained as a result of use of the passcode to unlock the device.
- Companies should evaluate their policies governing the use of phones or other devices for work purposes and consider requiring a separate, unique passcode to access any portions of the device containing company data. Such a change may help protect company data from being accessed by the government.
- If your company or its employees are served with a warrant of any kind, contact counsel as soon as possible.
Visit our website to learn more about V&E’s Cybersecurity & Data Privacy practices. For more information, please contact Vinson & Elkins lawyers Jennifer S. Freel, Crystal Y’Barbo Stapley, or Morgan A. Kelley.
1 People v. Davis, No. 18SA267, 2019 WL 1510455 (Colo. Apr. 8, 2019).
2 LAURA JOFFEE NUMEROFF, IF YOU GIVE A MOUSE A COOKIE (1985).
3 Order Denying Search Warrant; Order Sealing Application, In the Matter of the Search of a Residence in Oakland, California, Case No. 4:19-mj-70053-KAW, Dkt. No. 1 (Jan. 10, 2019).
4 In the Matter of Search of [Redacted] Washington, District of Columbia, 317 F. Supp. 3d 523, 536 (D.D.C. 2018).