MIGHTY POWER OF THE PASSWORD
LAST WEEK, a California judge ordered Apple to assist the FBI in building a backdoor-hack to the iPhone used by one of the San Bernardino terrorists who killed fourteen people in 2015 so that the government could continue their investigation into the attack. The government is relying on the All Writs Act from 1789, which has been used before but never to compel a company to write software. So far, Apple has refused to comply saying it would make every iPhone vulnerable to intrusion by hackers, political enemies, and the government.
This fight between government and technology has smoldered for decades. In recent years, top cops, like the Director of the FBI, have lobbied Congress to require technology companies to build backdoors into their product to facilitate criminal investigations. Technology companies, like Apple, have pushed back.
While the media rages over legal gymnastics and the impending showdown, lost in the conversation is the elegant power of the password. No matter how advanced technology becomes or the level of encryption achieved, the secret password remains the greatest defense to intrusion.
Long ago, the Latin maxim nemo tenetur seipsum accusare, signifying that no one is bound to accuse himself, laid the groundwork for current fight between the FBI and Apple. The Fifth Amendment to the U.S. Constitution, which provides that “[n]o personal shall . . . be compelled in any criminal case to be a witness against himself . . . ,” attempts to strike a balance between an individual’s right to be free from privacy intrusions by the government and the government’s right to investigation and prosecute wrongdoing.
In somewhat settled law courts can compel the production of a strongbox key but not the revelation of the combination to the same strongbox.1 But now, instead of a strongbox, our private information is digital and often stored on the device we carry with us. Cell phones, like strongboxes, are protected under the Fourth Amendment, which demands that law enforcement obtain a warrant before accessing the information stored on the device.2 Unsettled is what happens after police seize a cell phone and obtain a search warrant
In 2014, A Virginia court held that a criminal suspect could be compelled to produce his fingerprint to access the contents of his iPhone—equivalent to key fitting a lock.3 However, he could not be compelled to provide the passcode—abstract thought—to unlock the device as this would be in violation of his Fifth Amendment right against self-incrimination.
This ruling that passwords but not fingerprints are Constitutionally protected runs counter to Apple’s message that their new fingerprint technology makes the iPhone more secure, not less secure.
Like FBI v. Apple, there will be many more cases involving cells phones, user privacy, data encryption, and the interpretation of the Fifth Amendment. For the time being, passwords are the greatest protection offered against unwanted intrusion. But, some passwords are better than others4: simple passwords can be guessed, other times they are written down and easily found, or they are shared with others. There is no Fifth Amendment violation where police guess or obtain your password by reverse ingenuity. Secure your information from unwanted intrusion using a random password that you do not share with others and never write down.
1 United States v. Hubbell, 530 U.S. 27, 43 (2000); In re Boucher, 2007 WL 4246473, at *4 (“A password, like a combination, is in the suspect’s mind, and is therefore testimonial and beyond the reach of the grand jury subpoena.”).
2 Riley v. California, 134 S. Ct. 2473 (2014).
3 Commonwealth of Virginia v. Baust, No. CR14-1439, at 1 (Va. 2d Cir. Ct. Oct. 28, 2014).
4 See James Eng, Worst Passwords of 2015: Star Wars’ Terms Makes SplashData’s List, NBCNews.com (Jan. 19, 2016, 2:28 PM), http://www.nbcnews.com/tech/security/worst-passwords-2015-star-wars-terms-make-splashdata-s-list-n499681 (reporting that “1234” and “password” were the most commonly used passwords).