By Maya Kushner, Esq.

Emdenlaw has explained in a previous article that in order for police to search the data on your cell phone, they must first obtain a search warrant. But once a proper search warrant is executed, and your phone is seized, how much data can the police really see?

This image shows a police officer with cellphone. He is accessing data for investigation.

Most people have their phones protected by passcodes, and the easiest way to access your phone is to know this passcode. If the police demand that you provide them with the passcode, do you have to give it to them? Courts have not yet answered this question definitively, but the answer is likely “no,” because this forced revelation would violate the Fifth Amendment to the U.S. Constitution. The Amendment states, in relevant part, that “[n]o person… shall be compelled in any criminal case to be a witness against himself.” This prohibition applies not only during trial, but also during investigation: police cannot compel you to produce documents that will allow them to charge you with a crime.

Interestingly, the courts have made a distinction between compelling a person to do a physical act versus compelling the production of a document or communication. The former does not violate the Fifth Amendment, while the latter does. For example, the courts have found that forcing a suspect to write a sentence so that his handwriting can be compared to that on a ransom note is not a violation of the Fifth Amendment, because the police are compelling a mere physical act. However, compelling a suspect to turn over previous drafts of the ransom note would likely be deemed a violation.

So if you are asked to hand over your passcode, are police compelling a mere physical act? The answer is: probably not. In a number of cases, the U.S. Supreme Court has distinguished between compelling a suspect to hand over a key to a lock box and compelling the suspect to reveal a code to a safe. The Court found that handing over a key is a mere physical act and therefore does not violate the Fifth Amendment, while revealing a code requires the use of the suspect’s mind, or in some cases even compels the creation of a document that has not previously existed (if the suspect memorized the code and has never before written in down). Thus compelled revelation of a code represents impermissible self-incrimination. Your cellphone passcode is likely more akin to a safe code, rather than a physical key (especially if it’s not written down and exists only in your mind), therefore even with a warrant or a subpoena, the police likely may not compel you to reveal your passcode.

However, the existence of a passcode alone will probably not deter the police. They can still serve a search warrant on Apple or Google (for Android devices), requesting the passcode. While it’s unclear whether Apple or Google has ever provided the police with these passcodes, there are a number of cases in which these companies have turned over the contents of the phone (without revealing the passcode). Furthermore, if your phone’s data is backed up in the cloud, the search warrant can target that back-up data directly, without asking for physical access to the phone.

Police can also try to hack into your phone once they are lawfully in possession of the device. Many commercial forensic analysis tools are available that can crack PINs, passwords, and pattern locks. There are also less “techy” ways of forcing your way into a phone. For example, if the phone uses a pattern lock, you may be able to guess the pattern by the finger smudges the owner left on the screen. Android phones also offer the option for you to log into your phone using your email address and associated password if you have “forgotten” the pattern lock, and police may already be in possession of your email/password by the time they obtain your phone.

Encryption may be a good option to protect your data, but it’s not a fool-proof method and your data may still be susceptible to extraction with the proper forensic analysis tools. Further, handing over your encryption key may become the subject of a legal battle just like handing over your passcode.

You may try to find peace of mind by wiping your phone (in person or remotely). iPhones, for example, can be set to automatically wipe all data after 10 incorrect passcode attempts have been made. This, you may think, will prevent the police from “brute forcing” your passcode for fear that once they guess the passcode, they will find an empty phone. However, wiping the phone simply by restoring it to factory settings does not actually remove any of the data. The process only removes the directory, or list of “addresses” of the data (for example, the address to locate and view a specific photo or a specific text message), but leaves the actual data completely intact on the phone. Think of it this way: every house has an address, and those addresses are listed in the White Pages. If you burn the White Pages, you lose the specific addresses, but the houses are still there. This is exactly what happens when you wipe your phone: the directory is gone but the data remains, and this data can be extracted fairly easily. In order to demonstrate that restoring a phone to a factory setting does not actually delete the data, the security firm Avast purchased 20 “wiped” smartphones from Ebay and used publicly available forensic tools to extract their data. Avast was able to recover a staggering amount of data, including 1,000 Google searches, 750 emails and text messages, and 250 photos of what the company described as “the previous owner’s manhood.”

The only way to delete your data forever is to overwrite it with something else, and you currently have to do this yourself, because the “Erase All Content and Settings” option on your phone does not mean what you think it means.