State compulsion of smartphone security features and the privilege against self-incrimination

Citation(2023) 36 SACJ 282
DOIhttps://doi.org/10.47348/SACJ/v36/i2a5
Published date14 November 2023
Pages282-303
AuthorTheophilopoulos, C.
Date14 November 2023
State compulsion of smartphone
security features and the privilege
against self-incrimination
CONSTANTINE THEOPHILOPOULOS*
ABSTRACT
There is current ly a lacuna in statutor y and case law about the legal
nexus between smar tphone technology in the form o f password/code or
biometric-locked smart phone security features and the priv ilege against self-
incrimin ation. This paper exam ines whether a recipient of a cyber-wa rrant,
subpoena, or other compelli ng order, may invoke the privilege against
self-incrimi nation in the face of a state order compell ing the production of
a security featu re in order to unlock a smar tphone and forensically access
stored incrimi nating data les as ad missible relevant evidence at trial. T his
paper examines the lega l nexus by critical reference to relevant Sout h
African legislat ion, comparative internationa l law, the Fifth Amendment
privilege, and the foregone conclusion doctr ine as described by the USA
Supreme Court in Fishe r v United States, Hubbell v United Sta tes and other
federal courts.
1 Introduction
A smartphone contains a critical amount of personal information
stored and led as data messages in its various infrastructure data
caches. Automatic built-in applications such as voice and video calling,
photo storage, SMS text messaging, including voluntarily uploaded
applications such as Facebook, Telegram, Instagram, WhatsApp, X
and TikTok to name a few, can store a lifetime’s worth of personal
information which dene a person’s personality, business habits and
social interactions with fam ily, friends, and others. A crim inal suspect’s
smartphone is likely to contain easily identi ed relevant data evidence
in the form of data messages and metadata linking a suspect to a
* BSc LLB (Wits) LL M LLD (SA); Associate Professor, Interim Di rector and supervising
attorney, Law Clinic, Un iversity of the Witwat ersrand. ORCID: ht tps://orcid.
org/0000-0003-4336-1044.
https://doi.org/10.47348/SACJ/v36/i2a5
282
(2023) 36 SACJ 282
© Juta and Company (Pty) Ltd
possible crime.1 Therefore, a police investigation may target a suspect’s
smartphone via a search cyber-warrant, an interception warrant, or a
decryption direc tion and a prosecutor may subpoena a witness to appear
and give oral evidence about the stored data contents of a smartphone
at trial. A prosecutor may also, via a subpoena duces tecum, compel
a witness to produce at trial relevant data messages in the form of
data les downloaded from a smart phone in the witness’s possession
or control. The two principal issues to be analysed i n this article are
(a) whether the state may compel the disclosure of a password/code, or
biometric feature, to seize, access, search and preserve data messages,
stored in a suspect’s smartphone or on a service provider server,
during a police investigation.2 Alternatively, may the state compel a
subpoenaed witness to unlock security protected relevant private data
les and produce such unlocked data les at a criminal trial, and
(b) what legal defences may a suspect, accused, or witness employ in
preventing the state from compelling access to locked data les stored
on a smartphone relevant to the facta probantia of a criminal charge.
A designated police ofcial is statutorily entitled to target, search,
seize, access, or intercept relevant smartphone data and/or metadata.3
In addition, a designated ofcial may compel the disclosure of a
decryption key in order to access securit y protected smartphone data
or use forensic software tools to break security features which protect
access to data les stored on a smartphone’s storage mediums.4
However, with new generation smartphones it is becoming increasingly
difcult to bypass complex key encrypted or complex password/
code-protected data les. It may also be procedurally costly, and
1 Riley v California 573 US 373 (2014) at 375, 394-395, ‘a smartphone col lects in one
place many distinc t types of in formation – an address , a note, a bank statement, a
video that reveals more i n combination tha n any isolated record’ and amou nts to
a ‘signicant cache of se nsitive personal in formation’; US v Djibo 151 F. Supp. 3d
297 (EDNY 2015) at 310, a smartphone contain s ‘the combined footpr int of what is
occurring so cially, economically, persona lly, psychologically and spir itually in the
owner’s life’.
2 Password or passcode: m ay be dened as a smar tphone securit y feature consisti ng
of a random combinatio n of either numbers, let ters, or symbols. Biomet ric data: a
digital feature wh ich measures a unique physical char acteristic such as a ngerpr int
or recognises a spec ic facial feature or an iris scan.
3 Sections 81-83 of the E lectronic Commu nications and Transac tions Act 25 of 2002;
s 25 read with s 29 of the Cybe rcrimes Act 19 of 2020.
4 Sections 29(2)(h) and 37(2)(a) of the Cybercr imes Act 19 of 2020, forensic access
and analysis of a pass word/code or encryption key locked sm artphone involve,
(i) forensically u nlocking, break ing, or bypassing smar tphone securit y locking
features where possible, no ting that for many key encr ypted digital dev ices it
may prove impossible to break t he encryption in o rder to access relevant data,
(ii)making a duplicate copy (i.e. an im age mirror copy) of the origi nal seized hard
drive, and (iii) analysi ng the data content of the duplic ate copy to identify the
relevant data evidence.
State compulsion of smartphone security features
and the privilege against self-incrimination 283
https://doi.org/10.47348/SACJ/v36/i2a5
© Juta and Company (Pty) Ltd

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT