If someone was accused of a crime and police suspected that evidence could be found on their phone, would it surprise you to learn that the police can order them to provide their password?
Following Britain’s lead, Australia recently passed a law that allows police to compel decryption, which means forcing an accused person to provide their password or unlock a device. However, in Canada and the United States — countries with a constitutional bill of rights — courts are divided on whether compelling a person to reveal their password should be legal.
The issue comes up in cases where police need evidence on a laptop or phone that no company or agency can help them retrieve without a password, or without possibly destroying the data.
Does ordering you to hand over your password entail a form of self-incrimination or a violation of the right to silence? Would granting police the power to compel passwords cross a line centuries old against forcing a person to speak to build the case against them? Or should rights act as a trump card, effectively shutting down prosecutions — leaving victims without justice and shielding criminals from the law?
A recent Ontario case is the first in Canada to deal with the matter directly, and highlights what’s at stake. As a law professor focusing on technology and rights, I was keen to see how the court would resolve these issues.
Warrants for electronic data
In the 2019 case of R v. Shergill, the accused was charged with a series of sexual and child pornography offences involving a 15-year-old girl. Police obtained his phone upon arrest and a warrant to search it, but couldn’t open it without a password.
There are at present no powers in Canadian law that explicitly authorize police to compel an accused to provide a password or unlock a device. But courts do have the power to compel a person to help police do something to execute a warrant.
The Crown in Shergill asked the judge for an assistance order that would compel the accused to open his phone. In response, the defence argued that doing so would offend Canada’s Charter of Rights and Freedoms.
Drawing on American case law, the Crown responded that an order to compel a password would be Charter-compliant for two reasons.
WATCH BELOW: CBSA demands passwords on devices
Complying with the Charter
First, the Canadian Charter of Rights and Freedoms does not rule out all forms of compulsion: it permits an accused person to be forced to provide fingerprints, breath and DNA samples. It only prevents the Crown from compelling the accused to testify.
The Crown conceded that handing over a password is a form of testimony, but says the data on the phone is not. Since the data existed before the investigation, compelling an accused person to reveal their password does not force the accused to assist in creating the evidence against them; it only forces them to reveal that they know the password, a fact the court can exclude from the evidence considered in the trial.
Some scholars have gone further, arguing that a password shouldn’t even be considered testimony, since it doesn’t serve the same expressive function as other forms of speech traditionally protected under the Constitution, such as art or political opinion.
The purpose of compelling an accused to reveal their password is not to conscript the accused in helping the prosecution build a case: it simply enables the state to access evidence to which it is lawfully entitled.
The weight of tradition
Justice Philip Downes, who presided over R v. Shergill, disagreed, setting out reasons that closely parallel the prevailing view on password compulsion in U.S. courts.
The act of providing a password or unlocking a phone is a form of testimony, because it entails communicating something that exists only in one’s mind. It is closer in nature to revealing the combination of a safe rather than handing over a physical key.
The data on a phone is also closely tied to the password. In practical terms, since police are unlikely to access the phone’s data without the password, it is unrealistic to say that when an accused is compelled to unlock a phone, the data pre-exists being compelled to do so. Essentially, by handing over their password, the accused creates the evidence used against them.
The judge conceded that encryption poses a serious hurdle for police. Constitutional rights should not serve as an absolute trump card over the state’s interest. But the breach of the accused’s rights here was fundamental in nature and the weight of authority favoured the accused.
WATCH BELOW: CyberNB expects 1,000 more cybersecurity jobs to open up over the next five years
Passwords as testimony
The debate in Canada and the U.S. over whether password compulsion is legal turns on the same core issues: is a password a form of testimony? Does the accused help to create the case against them by unlocking a phone? And what is the state’s interest here? Does encryption pose an insurmountable hurdle to prosecution, or is it often only a matter of convenience?
Some law scholars argue that with an ever-growing abundance of other sources of data, compelled decryption is really only a matter of convenience. Others argue that in serious cases — murder, sexual assault — we can’t always find a true substitute for the data we fail to access behind encryption.
One possible way forward is to engage in a balancing of interests on a case-by-case basis, similar to what we do when we decide whether evidence obtained in violation of rights should still be admissible. In each case, we could weigh the severity of the breach with the seriousness of the offence.
Regardless of the solution, however, the problem that data encryption poses to law enforcement continues to pose a challenge. For a society that values the rule of law, it will force us to make hard choices between liberty and justice.