How To Respond To Cops Who Want Your Passwords

thanks so much guys my name is chef Neela Cumbre I'm the criminal defense staff attorney at the Electronic Frontier Foundation I've seen many of your lovely faces at our table this this week so thank you so much for your support I want to start with a caveat this is not going to be the legal question our so I will not be answering your specific questions about your specific encounters with police we will be talking on broad strokes about the various contexts in which people find themselves when they're confronted with this question about what to do when the cops demand their passwords everyone's individual threat model will be different and so I want to respect that

so please just don't lose patience with me if I don't give you a direct answer about what works in your specific context if you do have questions like that feel free to email us at info at EFS org and we'll try and connect you for a personalized consultation with a with a lawyer okay so first things first how do you respond to when cops demand your passwords how do we get from here to here now I will hopefully lead us along this journey and you can kind of be equipped with some of the questions you should be asking yourself and the process for determining what you should do so let's begin do I have to this is probably the number

one question I get asked when when people find out I'm a colonel defense attorney do I have to give my passwords to the cops well the answer is it's complicated it depends on a couple of things first the jurisdiction in which you are in and that second your personal threat model so this I'm gonna geek out a little bit on law stuff for the next few minutes about various jurisdictions so that you can kind of see the landscape of how courts are dealing with this question and what they're doing so for example in Colorado a court actually ordered a defendant to give up her laptop password after the cops got a search warrant so there was some legal process and they

they actually that opinion goes through what the court thought was necessary to have to make her do that but at least there was some court order that happened before the cops were able to get it the second is in the in Florida the Florida Court of Appeal in second District found that you can be forced to give up your password but then the court the appellate court like so the trial court level said no no you cheat you don't have to give up your password the appellate court reversed the trial court and decided to compel the person to give up her their iPhone password if you go but the next level up there are kind of

three levels the trial court level the appellate court level and then the US Supreme Court at the eleventh circle of encircle the federal appellate level the the Eleventh Circuit found that the government does have to show with reasonable particularity what that means will also have to be fleshed out in further cases but they have to make at least some showing that what they want that they seek certain in a file or is are aware that it's actually on the device that they're trying to get into so if they have to be able to show that it exists in a specified location and identify what it is that they're looking for seems straightforward seems like before you get to go into a device you

should know what you're looking for and that it's there but courts differ on how what that reasons particularity means so in California the Central District of California which is also a federal appellate court found that you can be compelled to give your fingerprint to unlock your cell phone but not necessarily your password and that seems to be a pattern that's been emerging in some of the other more liberal districts in Virginia this the Second Judicial District they found that you can't be compelled to give your passcode but you can also be compelled to give your fingerprint and they again using the same reasoning in in the law we don't recognize a right to privacy in your physical appearance

which is why when you're dealing in a criminal case the court can actually order the defendant to stand up showed how they how they appear you compel them to give a fingerprint now the problem here is and the argument that we make is that your fingerprint really isn't about identifying you in this context it's about providing information that the government wouldn't otherwise have so you're actually not it's not just about how you appear it's about everything that you do as in the digital space because it's really just a gateway to get at information that wouldn't otherwise be available to them without some help from you which is why we think the Fifth Amendment is implicated and

I'll talk a little bit more about the Fifth Amendment later so in Michigan the US District Court in Michigan held the same as both Virginia and California that you some forcing someone to provide their pass code qualifies as testimony because it requires you to actually give communicate in some way the knowledge that you have about your pass code whereas the fingerprints you're not communicating knowledge that seems to be the the reasoning thus far in the Eastern District of Pennsylvania you can actually there is a civil case which was very interesting that held that you could invoke your Fifth Amendment right to avoid testifying against yourself as a reason to not give up your pass code

even when it was an employer's fault here I think it was like an insurance case and they were trying to compel the employees to unlock their employers phone to get at information that was relevant to the case but because the pass code was a personal communication that was just in the employees mind they held that your password because it's personal and producing it requires you to communicate that you couldn't be compelled to do it so that's it's a step in the right direction and surprisingly the Army Court of Criminal Appeals I was surprised to find this a military judge so this is again at the trial level up held that the Fifth Amendment right to

refuse to unlock your your phone the it was sent up to the appellate level the higher court and they they actually vacated the the original court order that said you didn't have to provide your passcode and said well we want further findings on your reasoning for why you are saying that the government can't get into the phone you can't force this person to get into the phone so it's now still being litigated so we don't know this is kind of a stay tuned we don't know how that's going to come out but they did affirm eventually when it came up they affirmed the the judge's suppression ruling which meant it threw out all of the information that

was taken from the phone but they did certify three issues for the appellate court to consider one whether the Fifth Amendment self-incrimination clause so for those of you that are unfamiliar with any cop show that ever one of the first things they tell you is anything you say can and will be used against you in a court of law you have the right to remain silent when you are inside the United States as well and we would argue even at the border you have the right to remain silent and not cooperate in the government's prosecution or gathering of evidence against you that's one of our fundamental constitutional rights so here they're certifying that that that

Rights protects you and it is violated when oh so they're there the question they're trying to answer is whether that right protects you when you voluntarily voluntarily give your password to law enforcement under pressure well I would argue under pressure government would say it wasn't under pressure detaining you until you give up the goods and then whether there's another case rule whether it's violated when like the Fifth Amendment is violated when investigators ask for a suspect ask a suspect to give up their password when they've already invoked their rights to an attorney because generally when someone says I want my lawyer or I want to talk to a lawyer they're supposed to cease questioning you so the second

question is whether if they ask you for your password after you've said I want to talk to a lawyer if that's violative of your constitutional rights and then the third is whether they've violated the Fifth Amendment whether even if they did violate the Fifth Amendment the military judge should have still kept the evidence in so that's kind of we'll see where that goes the second thing you need to think about is your personal threat model so I'm sure I'm talking to a bunch of people who are very concerned about information security I'm sure you all know how to conduct your own threat model but for those that are unfamiliar the five main questions you want to be

asking yourself are what are your assets what is it that you're trying to protect who are your adversaries who are you trying to protect those assets from the capabilities so what are your adversaries capable of doing to seize or interfere with your assets the things you want to protect your personal risk assessment so this is kind of a balancing act between how likely is the scenario that your assets will be threatened by the capabilities of your adversaries and what is your tolerance for that risk how much risk are you willing to take on with the protecting those assets and then finally the costs how much trouble are you willing to go through to prevent those consequences

prevent those risks from from coming to fruition and and and the adversaries getting to your assets so this is the process we always say in all of our surveillance self-defense trainings to anyone that asks you everyone has to come up with the answers to these questions to determine what makes sense for and think about what tools to use in a particular scenario because you know if you're information security officer with top secret clearance your threat model will be very different from you know your high school teenager who is communicating with their friends on Facebook now there might be some things that are common to both but it's still a very different kind of thinking about

what you what tools are at your disposal and how much risk you want to take on and the costs you're willing to pay so let's let's start talking about some examples and to get people to to volunteer some thoughts I have some very nice aff stickers that will be a reward to anyone that raises their hand and chooses to participate and you will get to choose between various stickers so the first being let's let's start with the middle one so meet the Guerrero's they're returning home from visiting their parents in Mexico when Customs and Border Patrol asks for their cell phone passwords the wife is a US citizen the her husband is a legal permanent

resident and they have a small child with them and only have an hour before their connecting flight home what are some of the things they should consider like alright we have a hand over here we have to pass the mic we have to pass the mic but since you'll be passing the mic you will get to display and let people select stickers one of the first things that I would consider is what I've taped the customs officer and the messages on your phone because if there's a discrepancy with your story and any messages that you've been texting for example or emails they can just refuse entry just based on the fact that you've lied to them okay so there that that is

true there there are a number of things to take into consideration one of them is the immigration status second is the the law hasn't actually caught up yet with what how the fifth amendment works at the border because certain other constitutional rights have been suspended you for example your right to be free from unreasonable search and seizure under the Fourth Amendment they've decided like the US Supreme Court has decided that at the border for limited purposes like enforcing the immigration laws and enforcing national security or protecting national security at the border that they get to do suspicionless searches of travelers to make sure you're not bringing in a bomb now their Customs and Border Protection and the US

government is trying to use that argument that that should also apply to other constitutional rights at the border so it's a little more nuanced but what I want to get at here is what are those those five questions that we should be asking for that threat modeling you know what are what are some of the assets adversaries capabilities risk assessment and costs that these people this couple should be thinking about when they're deciding what how to respond to CBP and I think this gentleman in the back had his hand up first but please them oh did you get your sticker well you're gonna want to look at your threat model and ask are you actually defending anything in your

phone that is so important that you're that the opportunity costs of missing your flight because you will miss your flight if you deny them is going to be worth that if there's nothing in there you got your baby with you you got an hour let it go so that that is not an uncommon response I think to being presented with this kind of scenario at the border and like I said I think different people will respond to this these questions differently in that situation if if you know you're a breastfeeding mother you're gonna be like I have to be able to get to my feeding time with my kid so one of the things when you're thinking about what

assets you you have maybe before and this is kind of going back maybe before you actually get there you think about well how are you going to what what are you actually going to take with you are there is there it the digital information that you're carrying with you on your phone on your lab top how essential is it to this particular family trip do you want to leave kind of the more sensitive information at home to do like coming to a security conference bringing your Chromebook instead of bringing your regular laptop you know those are considerations that you want to be thinking about before you hopefully get to that situation and they it looks like

okay yes okay so before they even was gonna say before they even begin to leave they should decide whether or not if they if they do decide if they are stopped by CBP and asked for their passwords they should decide whether or not they want to bring their real phones which have their entire digital life on them or if they have throwaway phones which have absolutely nothing on them and you can be like cured you can keep it cuz I'm not actually going to do anything with it when I get home but if they have if they had to bring their real phones let's see depending on whether or not they want to be split up I'm not 100%

certain on this but I'm sure in almost every circumstance a US citizen cannot be denied entry into the United States so if she's willing to leave her husband at the border or have him sent back she can tell CBP to pounce and take her kid back to their house and figure it out later that is certainly another choice that the couple could make and and I know it's kind of hard because we started with this very difficult example if you are right that US citizens have a right to repatriate themselves they can't be denied entry they can be seized for a certain period of time and a reasonable time is all the guidance we get from the courts some cases they've

found that four hours was reasonable others that much longer was reasonable so there's that as a legal permanent resident you also have the right to re-enter the United States but you it may raise some very difficult questions for your continued residency in the US so that's something that we'll need to think about when they're deciding on their threat model and then lastly these simple visa holders don't have a right to reenter the country even if you had applied for and received a visa if you come to the border and you refuse to cooperate with Border Patrol you they can revoke that discretion because that's totally discretionary your ability to enter so the there will be different threat models for those for

those different classes of individuals we had like one in the back one over here and one over here so so everything is based around the threat model and so if you if you essentially just have the idea of privacy let's just say and you say well I'm traveling abroad I'm gonna bring myself a burner and I'm big deal a Chromebook and and a burner phone all right there they put the phone they see it's missing the apps it's missing everything else these are burners your throat model just went up so simply by by trying to become too you know too disposable you've just increased your threat level yes so that is something that that again you you do

have to take into consideration when you're thinking about these tools that you're gonna consider or these options you're going to consider when you're traveling we actually have released a pretty good order guide I would encourage you all to like log on to our site and and look at it that has there also a link to our one pager on your constitutional rights at the border as well as kind of what to do when you're before the border at the border and after the border but yes for for the most part when you're when you're deciding how much security to to undertake there one of the things we mentioned and our border guide is also be aware that if you take certain Prosek

yura t precautions that could also backfire and alert them if they choose to you know be looking at your devices but one of the the first things we we recommend to people is at the very least you know shut everything off log out of any apps that are that you have so that even if they do you do end up giving your your password which is Oh your decision they still need an extra step to get through that digital portal into all of your other information on the cloud all right so the question was they can they ask for follow-up passwords they can can they ask for your social media handle and password so what's interesting about this is

recently Senator Wyden actually wrote to the Department of Homeland Security and Customs and Border Protection said what is the authority that you are using to get into people's digital devices and they wrote this you know very long letter back where they say you know these are the reasons this is where we think we get our authority but they conceded that they will not be asking at least in this letter that they've published in response to Senator Wyden that they will not be asking for iCloud password that would go to cloud accounts that it was just before the devices that you're carrying with you because they believe that it is there it is within their power to to look at and examine

anything that you take with you across the border I actually notice a comments question in the back corner oh and and also this gentleman here so it's really hard to take let's lose since you're closer yes you mentioned that the courts still up in the air about exactly what rights a citizen has at the border versus in general and it also a said that you have the right to repatriate as a citizen but does that apply to your devices in other words they can say you can go through but your your phone has to sit here until hell freezes over or whatever well so with the devices yes that's actually one of the responses in the letter is

that you know it's they basically say yes you do have a right to enter after a reasonable amount of time but we reserve the right to seize and search your like your property as it crosses the border but even in the so far this is just a policy this is not but in customs and border protection guidelines they say that you should be all your property should be returned to you within five days but that is subject to a very big loophole where if they have reason to believe there's some the way they phrase it is evidence of crimes that in either immigration fraud or child porn is a big thing that they think they get to enforce at the border

that they can then hold your devices in order to do a digital search also understand that they've asserted this diminished protection up to a hundred miles inland from the border and if you consider the perimeter of the United States that's a huge amount of the entire population oh it takes me it's actually more the courts have defined the the border as a hundred miles from the out like the actual border inland but in addition to that any point of entry for international travel is considered part of the border so it's it's beyond just the actual hundred miles around the whole US it's any international port of entry okay so as of I think it was Thursday last week the

US border has said that all countries that fly into the u.s. have to implement a law at the airports our rule at the airports saying that all devices must be fully charged and turned on by the time you get to the customs gate and so when I flew from Canada coming to here I didn't have to submit my device but I did see another Canadian who had to submit his device and he was told submit it or walk away and don't take this flight wait so I mean and he was forced to submit it powered on and unlocked before we get to customs we have to have it powered on and I didn't say anything

about locked but it has to be fully charged and powered on and Customs has at that point the option to say login I you're saying this is the point of entry at the US border from from Canada or is this Canadian government that's doing this no no this is us US border customs our customs has said that the airport that they're hosted in tell all of the passengers coming in that by the time they get to us it has to be fully powered and turned off I was not aware of that it's brand-new that which-which airport was it that we were flying out of calgary okay that that will be interesting to see how that unfolds

because when we released the border guide in March one of the general pieces of advice we were telling people were to shut off powered out everything so that it it would require the entry of your passcode before they could get into it so the question I had for you though was as a Canadian citizen coming into the u.s. is there anything there that do we have any wiggle room there because although I brought a burner phone if this is identified as a burner phone I can be rejected but if I didn't if I want to bring my personal phone I have confidential information I'm not allowed to bring down here so the alternative is really don't bring a phone well again

that in that context you'll have to revisit your threat model and determine for yourself are you if this is the policy now being rolled out through the points that through which you're going to be traveling you know do you what what are the assets you want to bring and you know how likely is it that you think you're gonna get stopped and are you how much are you willing to go through are you willing to say no I choose to keep my device powered off and just be prepared to wait I mean you each individual is gonna have to make that choice I know we had a question the far back and then oh okay Shh all right I

know he was trying to respond to something but go ahead or okay I promise to pass the mic back to you just a second this might potentially implicate a response to the prior question but so this will be four points I'll collapse them into about a minute so most police searches are executed in situations where police don't have constitutional authority but individuals who are approached by authorities concede their rights you waive your rights in response to a question by an officer and that consent paves the way to any number of things DHS component agencies are notorious for routinely violating limits on their power CBP is no exception despite the formal citizen's right to repatriate I know of at least three

cases of US citizens who were denied re-entry to the United States despite citizenship and with respect to CBP's concession and writing to Senator Wyden that the agency does not have the right to seek social media identifiers and certainly not passwords that's no reason to presume that CVP agents on the line will actually abide by that advice which is why it's so important for each of you to be here and share what you've learned the key to all this is asserting the rights that you know you have because you can't actually rely on the government to respect them well fed sometimes more of a question okay what what's the justification if you bring a burner phone with you for them

to say you're you're rejected from coming in we've searched your stuff and found you to not be allowed to come in because you don't have anything you're crossing with information that they found nothing really bad about you on and they're saying no no this is no good we want you to bring the real stuff I'm here like well I'm not bringing that into the United States I just have this why are you rejecting me what's the justification they well that I don't know what their justification would be if they try to prevent entry if you're a visa holder and they decide to prevent entry that would just be that's always within their discretion if you're

if you do have the right to re-enter and the border the the border agent decides to follow the law and and actually let you in if they if ultimately the the only red flag is that you brought a Chromebook and a device that's wiped of information if they don't ultimately if they don't find anything then they shouldn't have a justification for keeping you out but that won't stop them from detaining you to find that out so I of course we want to encourage everyone to be asserting the rights that they have they possess we also understand that each individual has to make the choice about whether they're willing to forego you know other conveniences like being

able to make their connecting flight or you know having to wait at the border while this inspections being done I have a question or maybe a point of clarification some things that I'm hearing is this in communicating what's your like the questions about burner phones versus not burner phones I it just comes for me it's like well what the it's that sounds like over communication in terms of what we need to communicate to any legal authority and so I I'm not even sure why we're making that distinction all right is your question why why do we care because they shouldn't be going into the device in the first place well there's that but then there's also if you allow them to

go into your device who who cares whether it's a burner phone or not like it's why do you need - why are we actively communicating that it's a burner phone well the the scenario that we explored earlier is that if if the if the border agent is savvy and again like in the hierarchy of various law enforcement agencies weren't you're not dealing with a particularly sophisticated class of individuals at the border I think that's most tactful way to put it they but if they're able to discern from looking at the device that it is a burner phone because there are there's no information on it that could raise a red flag that could make your detention longer because they might

be you know looking a little bit further to see if they find anything so that I think that's the distinction between you know burner phone not burner phone that people are making but then also just at base what you know what data do you really need to carry with you or have to carry with you and are you willing to take the risks that anything that you have on you could if you choose to like for example if you choose to give the password or even if you don't choose to give the password and they just detain the device until they're able to crack it they will eventually get access to more information if you choose to bring a not

your actual phone oh okay I'm gonna I'm so sorry I to cut off the discussion but I do want to get through some best practices but we will definitely have more more questions coming up I just wanted to make sure everyone kind of goes through the the galaxy or universe of what to be thinking about so our EFX position is is that compelled this decryption of your of your device is inherently testimonial and should be protected by the Fifth Amendment so for steps that you can take for yourself as one don't consent to a search this is the number one thing that Shah had was talking about you have these rights but if you give them up if

you waive them if you allow yourself to cave under pressure to law enforcement then they don't need a warrant they don't need legal process if you give them your permission they get to go in number to ask to see a search warrant and this this applies as much you know inside the US well it's more inside the US we'll we'll see if anyone is is like strong enough to demand it at the border but ask to see a search warrant and we'll go over what you should be looking for when you when you get to look at the search warrant choose to remain silent this is also a choice just like giving your password you can choose not to

provide any additional information for them to do is against you and then probably most importantly is ask to speak to a lawyer if if you have experiences especially at the border email borders at EFS org we have lawyers standing by specifically on the issue of digital searches at the border so let's let's go individually through each one you can politely say and tell the police and to come back with a warrant it's easier in the United States so this we're gonna take it in in the United States context because I I don't know that that the courts would recognize this at the border but you don't have to consent to a search or to give up your passwords if but if you do

they don't need a warrant so that's first and foremost we're gonna skip the other examples and encoded so when you ask to see a warrant if they say that if the police say they have a search warrant you should ask to look at it and and especially if they and this is something we usually tell people that that we think might be targeted at home if if they come to your home you don't actually have to answer the door you can ask them just if to identify themselves and slip the search warrant under the door you don't actually have to give them admittance into your home and very few people know that but look makes check the warrant to

make sure it actually lists your name that it lists your correct address because a lot of times the information is wrong that it actually lists the items and devices to be searched the accounts to be searched if it if it does in fact allow them to get into your digital accounts and that it specifically orders the disclosure of passwords if they're trying to say oh we have a search warrant it says you have to give us your passwords make sure that's actually part of the warrant and then the asteroid is I don't think that that would be a lawful order me personally for I don't think that you should that you could be ordered to give

up your constitutional rights so if you are particularly Hardy and and scrappy and are willing to - for like for go well you yeah you could be held in contempt so if there are some people that believe in this principle enough that they're willing to say yeah you know I'm willing to do that there are there are even big companies that when they're asked for user information and they're trying to say hey we have a search warrant for the and you you know we want you to give it to us who will say well we're just not going to produce those records and we'll fight it as a contempt order you can you will we'll go to the judge the judge

will can try and order us and we'll fight that this whether or not this is a lawful order before we even give you the records so this is again a choice we can't tell you that that's something that everyone should do because everyone's threat model will be different but that is definitely something that you should be thinking about and then lastly to check to see that it was actually signed by a judge a lot of times they try and pass off subpoenas that are just signed by like a an attorney or like a like a prosecutor or or a policeman who it's just like an affidavit make sure that's actually signed by a judge judge so-and-so the

Honorable so-and-so now whether or not you have time to like check if that's in fact a real judge I mean it just depends on how skeptical you are and then don't interfere with the search if they have a search warrant because that could be considered obstruction of justice which is a separate crime and but do object if you if the cops try to go beyond the areas that are identified in the warrant so those are kind of our our quick and dirty things to think about and we're going to skip the other example and you can stay silent so you don't have to say word to the police to help in the search if if they do end up serving a search

warrant we believe that you shouldn't have to give your encryption keys or passwords to the police the exception being that there are some courts that think that they have the right to compel you to do so so you usually it requires that extra step of getting a court to order you to divulge that information and again we believe that courts shouldn't be able to do that but you're gonna have to make the the choice of whether or not you're willing to deal with the contempt punishment while you litigate that and if you decide to talk to the police tell the truth don't don't go like oh I forgot my password oh this isn't my device because

lying to the cops is a crime so please don't do that and once the police are searching your home or computer again don't interfere or obstruct because it's a separate it's a separate crime that you can be charged for I'm just going to go through the last thing and then we'll we should be able to open it up to questions and and and okay okay I just wanted to make sure we got through the the meat and potatoes of what we're trying to to disseminate if the police want to search your electronic accounts or devices or even just to talk to you you should talk to a lawyer beforehand if you have that luxury if you have that opportunity you

recommend you know if you really think you're gonna be targeted at the border or in at a particular point to try and consult with an attorney before hands to see what other steps you might be able to take to protect yourself a lawyer can also help deal with getting your devices back and and getting a court to order destruction of any data that was seized if in fact they ended up going into your devices so okay these are kind of why these are the basis for why BFF has come to this to this position on why decryption is testimonial and passwords are testimonial the the Fifth Amendment privilege against compelling you to testify against yourself should protect

testimonial statements that's like the basis of the Fifth Amendment we believe that testimonial communications and this is also reflected in a lot are those that require person to use the contents of their own mind and to communicate some kind of fact seems pretty cut and dry in that context that a password would force a person to reveal the contents of their minds to law enforcement and so thus should be privileged by the Fifth Amendment and that is the argument that we're trying to advance in the courts and are always looking for people that are willing to help us advance that argument but the process decryption itself if you think about it it is testimonial because it involves

translating all of this encrypted data into things into new data communicates attic to law enforcement in a way that they can read it and so again this they only get to that unencrypted data through the contents of your mind so this is kind of our quick and dirty rubric for why we have we've come to this position so hopefully we've gotten there too what are the things that you can be doing but you understanding what the threats are and and risks are and if we have questions let's yes so just to point something out when you're thinking about your threat model your employer well to give an example I recently did some overseas travel and I had to check with my

employer beforehand about the policy of you know potential seizure and I was basically told don't give them passwords if they seize the property they seized the property if they do anything if they detain you in any way contact our lawyers and our lawyers will defend you so my company stands at least and yours may be the same so please check have your legal department draft something if they don't already have a stance on this but the idea that basically my company is is saying no we're not going to let that you know that pass our our IP is our IP and exposing it you know unintentionally or intentionally that way is not acceptable well that's that's

a very strong stance and I applaud your company for doing that it's it yeah we should applaud that yeah the

we have another question if non-us citizen is denied entry into the u.s. is that final like every time they try to enter the u.s. next time they'll say I see you've been refused for refusing again well that depends if we're talking about a visa holder they ultimately they'll have to consult an attorney to see if there's a process for review of the denial of entry and then they'll have to go through the process of reapplying for entry and they'll probably come across the same issue of because if they've been denied entry already for that reason it's likely that when they reapply they will try and get and do the same thing if you're a legal

permanent resident I you do you can defer litigation of of your continued residency in the United States so you can defer this issue to the decision to the immigration court that's something that your lawyer can ask for hopefully you have consulted one before crossing borders if you're in that position you mentioned before that you don't have to open your door for the police even if they have a search warrant they can have you can have them slip it onto the door after you verify the information on that search warrant or do you have to now open the door to them yes you would be obligated and you you could make the choice not to and then they will likely

break into your home and sometimes even before you're done reading the warrant they will break into your home so and and that is still something not I don't want to give it short drift you can litigate that after the facts but there there won't be a judge on call at that moment to say hey you shouldn't have done that I'm Jim yes just to clarify point from the map at the beginning in places where they can compel you to give up your fingerprint but not your passcode I turn off touch ID on my iPhone can they compel me to enable a touch ID on my iPhone that specific issue hasn't been litigated I think that because it would require you

to do an affirmative thing that wasn't there before they that it would be more difficult for them to be able to do that but only time will tell like we have to actually wait for it to come out in the courts that's not to say also and I've been corrected about this because I don't use touch ID but there are people that use the both touch ID and an alphanumeric password we just recommend not to use touch ID by itself if you use it in conjunction with a passcode that could still be more secure for you so it just kind of depends and in 2013 the State Department website said that when you're leaving the United States even as

the u.s. s and they basically viewed encrypted cryptid data it's kind of suspicious therefore they reserve the right to copy it and keep that copy forever I'd heard the rumor they've tuned that back to five years where's the stance from the FF on that now and what's the law on compelling a production of encrypted data like sorry then copying my encrypted data and keeping it forever if I like they they were basically saying if you have encrypted data we have a the right to copy it and keep it forever the State Department does that as a result of you're applying for a job with them or yeah our position would be that there's got to be a policy in place about data

retention they shouldn't be allowed to keep your data forever they but they shouldn't even be allowed to get to your data if they don't have the authority to do so so that is our position whether or not I I have yet to like we've only so far come across across cases where they've kept the data for a limited amount of time but you actually have to affirmatively require requests a court to have them purge the data so remember what I said about specific questions if you if you want specific answers email info id-ff torgue okay so quick note on restricting the amount of if they have come into your home there's a principle of plain

sight anything that's in plain sight to a police officer is potential evidence you cannot restrict them from that that was it okay yes that is true once once the law enforcement does gain entry whether it's to your home or to your digital device they are trying to use the the plain view doctrine I think it survives within the home if they have a legal right to be where there where there they are to make the observation in the digital space this is why ex ante protocols search protocols should be determined by the judge before they get to go in and that's something that we're fighting for but I don't think that the plain view doctrine should apply in the

same way in the digital space because you you can't you can't be like well but let me look at everything because I'm looking for this specific thing that's I I don't think that that theory translates in the digital world Oh Stephanie a moment ago you said that you were you were always looking for people that would help advance your Fifth Amendment argument other than joining the e FF which I think everybody in this room should do if they're not already what what specifically are you looking for there can you expand on that a little bit well if someone decided should be a test case and wanted to wanted to stand up to law enforcement at

the border or otherwise we would be interested in being a part of that so please if that is something that you're interested in in contact the info idea and we will talk about it yeah I'm a quick quick something to say I got this from kevin mitnick's book art of deception what he does is whenever he travels he takes out his hard drive and this is very easy to do with solid-state hard drives puts in a another hard drive and just emails or excuse me mails his or UPS FEDEX is his other hard drive to where he's going to be so that's just an easy workaround for this type of situation shouldn't say that okay that's

that is certainly like there are a number of practices that people adopt to try and and get around it it will present different risks depending on like if you're gonna be mailing that to China or Russia that might not be the best way to get around the American government but you you gotta have to deal with with your individual threat model okay thank you hi um so in regards to because we were talking about burner phones are really earlier so in regards to burner phones would the fact that there is a lack of information on their can could that be regarded as especially the rights were made in silent if you choose not to put any information on

there well so sadly the state of the law in with the Fifth Amendment is you have to you actually have to assert it the fact they've already Scott is the Supreme Court has already held that remaining silent is not enough to invoke your right to remain silent you must say I wish to remain silent before they will recognize the rights so just for example using a burner phone won't it I mean you could make the argument that that is a way in which you were trying to assert that right but you actually have to affirmatively assert it for them the courts to recognize it

sure so regarding the subpoena before you talked about a search warrant signed by a judge Pina could be signed by just an attorney if they show up at your house with a subpoena it's not signed by a judge can you just reject them from entering your house and say come back with a search warrant I'm calling my lawyer sort of thing so again it depends on what the the subpoena is asking for specifically if the subpoena is asking for getting into content in your digital device that the Supreme Court has held like even being able to search your cellphone generally should require a warrant under a case called Reilly versus California so I think there is

precedent for you to be able to say if they're trying to get to content in your in with the subpoena that you can you can reject that I would encourage you to consult an attorney before responding to the subpoena because most subpoenas have to give you a reasonable amount of time to respond so usually it's five to seven days some are ten some are even longer than that so prior to the date of that you're required to respond I would seek the the counsel of an attorney to determine how you want to handle that because it will depend on what the subpoenas demanding and on what timeframe they're demanding it last question hopefully this is an

easy one cops come to my house I request though to see their search warrant they show me the warrant are they required to either provide me a copy or allow me to copy that warrant so they are not required to provide you a copy there is nothing that would prevent you from taking a picture of the warrant with your phone more prudent people would ask before reaching for a phone to do that but I'm I'm personally like more a person that asks for forgiveness than permission but I'm not a particularly threatening specimen I mean so it just depends but yes you should you you should be given the opportunity to get a copy of the search warrant they

will usually tell you oh well we'll send it to you I don't trust cops generally so I would I would try and do everything that I could to get a copy and so I we will stay in this room I will answer more questions thank you so much for being so

[Applause]