Error message

Deprecated function: implode(): Passing glue string after array is deprecated. Swap the parameters in Drupal\gmap\GmapDefaults->__construct() (line 107 of /mnt/w/cyberlaw/docs/prod/sites/all/modules/contrib/gmap/lib/Drupal/gmap/GmapDefaults.php).

Oh, So Everybody’s a Legal Expert Now: Minnesota v. Diamond, Microsoft Ireland, and User-Hostile Path Dependence in the Law

On January 17, the Minnesota Supreme Court issued its opinion in State v. Diamond. It affirmed the appellate court’s holding that compelling a defendant to provide a fingerprint to unlock a seized cellphone (for which police had a warrant) did not violate the Fifth Amendment privilege against self-incrimination.

The court held that providing a fingerprint to police to unlock a phone is not a testimonial communication. It acknowledged that the act “does not fit neatly into either category” of a testimonial act of producing documents as evidence, or a nontestimonial act of producing the body as evidence, as it both exhibits the fingerprint and produces the contents of the phone. Slip op. at 9. However, the court concluded that “producing a fingerprint is more like exhibiting the body than producing documents.” Id. at 9. The act of supplying a fingerprint does not reveal the contents of a defendant’s mind, the court reasoned; rather, it provides only bodily evidence, akin to a blood sample or voice exemplar. Id. at 9, 10. (Indeed, the court pointed out, the defendant need not even be conscious for the fingerprint to be taken. Id. at 13.) In so holding, the court joined several other lower federal and state courts that have deemed compelled production of a fingerprint to be nontestimonial. Id. at 11-12.

The Diamond court did not decide whether providing a password, rather than a fingerprint, is a testimonial communication. Id. at 11 n.5. However, it noted several cases that have decided that question in the affirmative because entering a password reveals the contents of the defendant’s mind. Id. at 11 n.6. The Diamond decision further cements the divide that has emerged in recent years between how courts treat compelled fingerprint unlocking versus how they treat passwords to unlock a phone (or decrypt a hard drive, a topic I’ve written about in the past). The latter is typically deemed testimonial, the former not.

Smartphones and the Fifth Amendment

Much ink has been spilled over whether or not that’s the right legal conclusion when it comes to fingerprints. More will be spilled over the Diamond decision. But what I want to point out today is that irrespective of the legal niceties, as a matter of public policy, this divide in Fifth Amendment jurisprudence is a bad idea. The courts have decided to hinge a core constitutional right of all smartphone users—three-quarters of Americans—on how they use their phone’s UI. From the user’s standpoint, that’s simply ridiculous.

When someone picks an unlocking mechanism for their phone (passcode, fingerprint, and now, facial ID), chances are that for most people, they make the choice based largely on convenience. That’s understandable, since we unlock our phones really frequently: 80 times a day on average for iPhone users, 110 for Android users.

In addition, a smartphone owner might worry about someone in their life trying to get into the phone, and pick based on that. Afraid your jealous lover will press your finger to your phone while you’re sleeping and snoop around in your messages? Use a passcode, or if you have the iPhone X, maybe Face ID (then again, maybe not). Worried that your kid, who loves playing games on your phone, will get hold of it and try guessing the passcode so many times that the phone bricks itself? Maybe your fingerprint is a better bet.

But what you probably aren’t thinking about is what will happen if you get arrested and the police want to search your device. Yes, sometimes you can anticipate that the odds of your arrest will be heightened—say, when protesting—and disable fingerprint unlocking for the duration. But you might find yourself getting arrested quite unexpectedly. And yes, iOS 11 for iPhone now has a “panic button” that lets users quickly disable Touch ID by tapping the power button five times. But your phone might not be accessible to you, or you might not have the presence of mind to exercise that option, when things are going pear-shaped.

And that’s assuming you own an iPhone. They’re less common than Androids. Guess who tends to own an Android? Black Americans. Guess who’s more likely to get targeted by the cops? Same answer. So, guess who won’t benefit from the new iOS 11 “panic button”? (I’ll wait.) When you combine racially discriminatory policing practices with the courts’ Fifth Amendment jurisprudence on smartphones, the logical conclusion is that all African-Americans should deny themselves the convenience of fingerprint-unlocking their phones because they’re more likely to catch a case. And that’s outlandish.

A UI choice should not strip us of a constitutional right down the line. Most Americans have a smartphone. They are common as dirt. We absolutely should not expect the average American to understand the niceties of Fifth Amendment jurisprudence when making a decision that affects an act they do dozens of times a day. If fingerprint-unlocking is what works best for your situation, why should you have to sacrifice the choice that’s right for you 99.999% of the time, just in case you might get arrested at some point?

Following the inverse reasoning is no better. “I’m not doing anything that might get me arrested, so I don’t have to worry about being compelled to unlock my phone” is a mindset not much different from “I don’t need privacy rights, because I have nothing to hide.” It’s a false rationale in the best of circumstances, and it’s one that rings hollow for black and brown Americans anyway.

And to return to my earlier point: when you configure your phone, you shouldn’t have to account for current developments in Fifth Amendment case law. Yet that’s the world we now live in—whether you know it or not. We’re all familiar with the Miranda warning from countless TV shows. But the cops don’t have to tell you “a passcode means stronger legal protection than your fingerprint,” and that information isn’t yet at the same level of cultural penetration as the right to remain silent. Plus, even if the cops did tell you that while arresting you, that information doesn’t do much good to past you. The set-it-and-forget-it unlocking decision has already been made. (Maybe smartphone makers and cell service providers should start putting a “Know Your Rights” warning label on the box your phone comes in. That would really piss off the law enforcement officials who think every security update Apple makes is intended solely to mess with them.)

Leaving aside your legal sophistication, why should your Fifth Amendment rights be dependent upon what kind of phone you happened to buy? Someone whose phone does not have a biometric option, only a passcode, will by default enjoy stronger Fifth Amendment protection against compelled unlocking than someone who was presented with the unwittingly fateful choice of fingerprint vs. passcode and chose…poorly. (Of course, for owners of basic phones with no screen-locking option, there is no Fifth Amendment issue because there’s nothing to unlock.) From a consumer standpoint, this is bad policy.

Webmail and the Stored Communications Act

That brings me to Microsoft Ireland. I have the same critique of Microsoft Ireland and its progeny as I do of the quandary we’re in when it comes to smartphones and the Fifth Amendment. Your choice of webmail provider creates a path dependency that proves outcome-determinative when the cops want your email.

The Microsoft Ireland case now pending before the Supreme Court is about just how long the long arm of the law is when it comes to stored digital evidence. When U.S. police want to search and seize someone’s email from a U.S. webmail provider, they’ve typically gotten a warrant under the federal Stored Communications Act. But in July 2016, the Second Circuit Court of Appeals held that the SCA’s warrant authority doesn’t extend to data stored outside the United States. The SCA warrant at issue was for a Microsoft webmail account, and Microsoft moved to quash the warrant after determining that the account’s contents were stored on servers in Ireland. In a surprise decision, the Second Circuit sided with Microsoft. That decision is now before the Supreme Court, and the parties’ briefs and a vast number of amicus curiae briefs have just been filed. (I haven’t read them, but maybe one of them makes the points I’m making here.)

The Microsoft Ireland decision and the State v. Diamond decision are similar in that each one represents one prong of a split in the case law: for Diamond, fingerprint-unlocking under the Fifth Amendment (as opposed to passcodes); for Microsoft Ireland, the territorial reach of SCA warrants. Since its ruling, every other federal court to consider the issue has declined to follow the Second Circuit’s lead. The United States’ opening brief to the Supreme Court (at 21-22 n.2) points to nearly a dozen cases to date that have come out the other way from Microsoft Ireland.

One noteworthy fact about those decisions is that none of them involve Microsoft webmail. They’re all for Google or Yahoo! webmail accounts. Importantly, Google stores emails differently from Microsoft. As one case describes, Google may break up user files into component parts; “different parts of a single file may be stored in different locations, including in different countries,” and “Google sometimes cannot be certain where a record is.” Professor Paul Schwartz calls this the “data shard model,” and Microsoft’s approach the “data localization model.”[1]

Regardless of where the data is stored, Microsoft, Google, and Yahoo! can all access it from their offices in the U.S. That fact largely accounts for the Google/Yahoo! courts’ departure from the Second Circuit. By that rationale, the “search” and “seizure” occur in the U.S., where company agents access the data to turn it over to law enforcement, so even if the data is stored abroad, compliance with the SCA warrant is not an extraterritorial application of the SCA. Maybe that is how the Supreme Court will resolve Microsoft Ireland. Oral argument, set for February 27, may provide some clues.

For now, though, here’s the upshot of the courts’ split: If you weren’t cool enough in April 2004 to know anyone who had a Gmail invite and so you kept using Hotmail forever, that’s turned out to be an inadvertent stroke of luck for you. The Second Circuit says those emails are beyond the reach of U.S. police with an SCA warrant (instead, they should go through the frustratingly slow MLAT process). But woe betide you if your employer happens to use enterprise Gmail instead of according to the other courts, your work emails are fair game.

Until the Supreme Court decides Microsoft Ireland (and hopefully announces a rule that does not require a fact-dependent provider-by-provider inquiry), we have a state of affairs much like that of your Fifth Amendment rights in your smartphone. Which free webmail provider you picked a dozen years ago dictates whether a court will authorize American police to execute a warrant for your email. And that’s ridiculous.

Whether the cops can or can’t get your emails should not depend on a choice you made for reasons that almost certainly had absolutely nothing whatsoever to do with how the provider stores files, or legal doctrines about extraterritoriality. You should not pick your job based on what kind of webmail access you’ll have. You should not have to think about what Congress meant when it used the term “warrant” in the SCA, which was a major consideration in the Second Circuit’s analysis. You should not be expected to know whether a webmail provider splits your files up into shards and sticks them in datacenters around the world, much less what legal implications might flow from that. Indeed, such technical information might not even be available from the provider. And even if you did pick a free webmail service—or a job—based on email file storage, the provider could still change its storage practices, or your employer could switch providers, well after you opened your account. That variability only further illustrates why it is silly for police access to your email to turn on a consumer choice that you made sometime in the past.

In sum: when so much of our lives is digital, smartphone user interfaces and webmail storage designs should not turn our rights against the police into a path-dependent process.

Or, to put it more darkly: It’s 2018. We’re not citizens anymore, we’re consumers, and the courts should treat us that way.

[1]  Perhaps this distinction, along with the non-Microsoft cases’ outcome, makes it wrong for me to have referred to them earlier as Microsoft Ireland’s “progeny”; they’re more like stepchildren, unwillingly lumped together with someone they have nothing in common with, screaming “you’re not my real dad!”


Add new comment