What the Florida ruling on passwords actually means for security leaders

Shawn Tuma explains the rationale of the case and offers insights on potential implications to prepare security leaders for productive executive updates

florida smartphone legal

Right as we got ready to break for the holidays and a new year, the headlines in the tech world filled up this week with news that a Florida court ruled a defendant in a criminal case must turn over his password to unlock his phone.

Wait. What?

A few years ago, we touched on this topic in After this judge's ruling, do you finally see value in passwords? It was after a judge ruled authorities could use your fingerprint to unlock your smartphone. Based on the nuance of the situation, it built a strong case for the continued use of passwords.

To make sense of what happened in Florida, I reached out to Shawn Tuma (LinkedIn, @shawnetuma), Cybersecurity & Data Privacy Partner, Scheef & Stone, L.L.P., to get his perspective.

Initially, I was going to focus on exploring the implications of a decision in a state court. The concept was predicated on the notion that the judge got it wrong and this was an overreach.

After all, don’t we have precedent to stand on?

But then Shawn called me to share some excitement. Based on a more thorough review, he discovered that the Florida court dove into the core of the issue and considered carefully the opinion they issued.

“It’s not for me to decide whether the court got it right or wrong. What matters is that the court did provide a well reasoned decision that looked at prior precedent and built on the rationale of that precedent.”

First, it’s important to note the distinction between criminal and civil matters (read more here) in exploring why the 5th Amendment matters.

Criminal versus Civil Cases and why the 5th Amendment Matters

A criminal case is brought by the state. It requires a higher burden of proof, but can also carry a higher penalty.

That also means criminal cases have different protections (from the state). This includes the 5th Amendment. Among other things, it protects us against self incrimination. And that matters when it comes to things we know versus things we have.

As Shawn explained in After this judge's ruling, do you finally see value in passwords?

Did you know the US legal system makes a distinction between something you have and something you know?

If you lock a safe with a key, the authorities can obtain authorization to take the key (something you have) and open it. However, if you locked the safe using a combination (something you know), that information is protected under your Fifth Amendment right to avoid self-incrimination.  

What that means is that something you have, a key, can be taken and used against you. While something you know, a combination, can ultimately be compelled by a judge. Even then, you have rights -- and a decision -- to comply or not.

Traditionally, this means that while the state can compel you to provide a physical key -- and now a biometric -- to unlock a safe or other device, it cannot require you to divulge a combination or password. That’s because revealing the password is akin to testifying against yourself.

And the fifth amendment protects us against testifying against ourselves.

What happened in Florida

You can read the full opinion here for background on the circumstances of the case. The prosecutors looked at the underlying precedent to argue that supplying the passcode to the device is not actually testifying against yourself.

The judge agreed.

While most of the tech world lamented the mistaken nature of the court, Shawn Tuma read through the opinion and made an interesting discovery:

"The Fifth Amendment privilege protects an accused from being compelled to testify against himself, or otherwise provide the state with evidence of a testimonial or communicative nature." (citing Schmerber v. California, 384 U.S. 757, 763 (1966))). "The word 'witness' in the constitutional text limits the relevant category of compelled incriminating communications to those that are 'testimonial' in character."

Tuma notes the importance of understanding the phrase “‘testimonial’ in character.”

"[I]n order to be testimonial, an accused's communication must itself, explicitly or implicitly, relate a factual assertion or disclose information. Only then is a person compelled to be a 'witness' against himself."

Tuma explained that at point here is the concept of substantive value. The case then explores the three prongs of protecting from self-incrimination (an interesting read) and suggests:

That is, "it is not enough that the compelled communication is sought for its content. The content itself must have testimonial significance."

Tuma noted that this is the key point and reframes it as “Does the testimony go to evidence of elements of the charge - or just how you get to such evidence?” He continues by explaining, “it’s the difference between taking ‘testimonial’ from how it is communicated versus what is being communicated.”

In the past, the protection centered simply on the how instead of exploring the substantive value of what was communicated. In this case, the prosecution successfully argued that what was as important.

Tuma clarified the principle difference as ““The mind has to be extensively used in creating the response or relate him to the offense.”

What it means for security leaders

While the specifics and nuances of this case made the argument valid (at least for now), this clearly demonstrates how the law evolves. Even with the precedent previously set.

As Shawn pointed out, “it's really a pretty easy approach to understanding law – each case builds on something else and usually there's only one or two lines in a case that really turn it one way or the other it's just a matter of figuring out where that is."

When we ponder “How does the law adapt to new technology?”

This is how.

Tuma summarized the importance of this opinion by explaining, “the methodology that the court used provides a nice example of the evolution of law through the common law method -- which is how the law has traditionally adapted to address new issues."

This is how we advance for better and for worse. It’s a lengthy process. We have a role in it, too. Make time to sit with your legal team to discuss the case and explore implications for your organization. Learn from their experience and offer your insights, too. This way we all get a bit better.

What do you think? Did the court get it right? How do you see this evolving, and why? Sound off in the comments below or take it to twitter (@catalyst,  @shawnetuma).

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)