Must Defendants Unlock Their Cellphones? What The Law Says

By Pei Pei Cheng de Castro & Jennifer Hopkins

On November 6, 2023, the Federal Bureau of Investigation (FBI) reportedly executed a search warrant for New York City Mayor Eric Adams’ electronic devices.¹

Mayor Adams was allegedly carrying two work-related cellphones but did not have his personal cellphone with him. When Mayor Adams produced his personal cellphone the next day pursuant to the warrant, his phone was unsurprisingly locked and required a passcode to open it. According to the Adams indictment, he told agents he had changed his passcode from four to six digits the day prior, but had forgotten the new passcode. More than one year later, the FBI has stated that it still has not gained access to Mayor Adams’ personal cellphone.²

It appears that federal agents did not seek a warrant or order requiring Mayor Adams to provide the code to permit agents to access the cellphone. For most criminal defense lawyers that is not surprising given the Department of Justice’s (DOJ) prior practices and the state of the law in the area. However, recently DOJ has been seeking and obtaining orders from district courts requiring targets and defendants to provide biometric data to permit agents to access their cellphones and conduct searches. One such search warrant included the following provision:

“During the execution of this warrant, law enforcement personnel are authorized to (1) press or swipe the fingers (including thumbs) of [person] to the fingerprint scanner of the subject device; (2) hold the subject device in front of the face of [person] to activate the facial recognition feature; and/or (3) hold the subject device in front of the face of [person] and activate the iris scanning recognition feature, for the purpose of attempting to unlock the device in order to search the contents as authorized by this search warrant.”

With advancements in technology, the use of biometric data to unlock devices has become more prevalent. Smart access technologies initially relied on biometric features, such as fingerprint sensors. To enhance both security and convenience, new biometric technologies were developed to include facial and iris recognition. Today, depending on the make and model, cellphones can be unlocked using a passcode, pattern, facial      recognition, fingerprint, or voice. Laptops can also be unlocked using a passcode, fingerprint, or voice. Emerging technologies are also exploring the possibility of unlocking electronic devices while in the proximity of another electronic device.

Given the rapid evolution of these technologies and the importance of cellphone data to many criminal cases, it is important to understand the state of the law on this topic. Is it settled, or is there room to challenge the use of biometric data in search warrants?

The following chart shows the state of the law across the country, distinguishing between the use of passcodes and biometric features (fingerprint, facial recognition) to unlock devices.

Courts have generally upheld the constitutionality of compelling individuals to unlock devices using biometric features, finding that such actions do not violate the Fifth Amendment. The central reasoning behind these decisions is that such actions do not compel the individual to provide any testimonial evidence, as unlocking a device through biometrics—whether by fingerprint, facial recognition, or other biometric data—is not considered a testimonial act.³

For example, in United States v. Eldarir, the court ruled that compelling an individual to use a fingerprint to unlock a phone did not violate their Fifth Amendment rights because a fingerprint “requires no revelation of mental thoughts” and is, therefore, not testimonial.⁴ Similar rulings were made in several other cases from 2018-2020 (In re Search Warrant As to the Residence of Mike Crowe, 437 F. Supp. 3d 515 (W.D. Va. 2020); United States v. Barrera, 415 F. Supp. 3d 832 (N.D. Ill. 2019); and In re Search of, 317 F. Supp. 3d 523 (D.D.C. 2018)).

In a more recent case, United States v. Payne, the Ninth Circuit affirmed this approach, holding that the government could compel the use of a fingerprint to unlock a phone without violating the Fifth Amendment.⁵ The court emphasized that using biometric data to unlock a device requires “no cognitive exertion” and, therefore, does not constitute testimonial communication protected by the Fifth Amendment’s self-incrimination clause.⁶

On the other hand, some district courts within the Seventh Circuit have reasoned that compelling an individual to unlock a device with biometric data, such as a fingerprint or facial recognition, is akin to compelling them to disclose a password.⁷ The courts have found this to be a violation of the Fifth Amendment, reasoning that it forces the individual to reveal the contents of their mind, which is a form of self-incrimination protected by the Constitution.⁸ In addition, some district courts in the Ninth Circuit have previously equated the use of biometric features to providing a passcode and have held that such compulsion unconstitutionally violates the Fifth Amendment.⁹

With respect to passwords and passcodes, courts have similarly divided on the question of whether compelling the provision of a passcode to unlock an electronic device violates the Fifth Amendment.

In the cases where the courts found that providing a passcode to unlock an electronic device was constitutional, the courts relied on a foregone conclusion analysis, reasoning that the constitutional protection may be overcome if the passcode’s existence, possession, and authentication are foregone conclusions.¹⁰ A foregone conclusion, in this context, refers to the legal determination that the government already knows certain facts about the passcode—such as its existence, the individual’s possession of it, and the individual’s ability to authenticate it—so that compelling disclosure of the passcode does not implicate the Fifth Amendment’s protection against self-incrimination.¹¹

In United States v. Smith, the U.S. District Court for the Southern District of New York, where Mayor Adams’ case is being heard, used this approach, holding that compelling an individual to provide a passcode to unlock a phone did not violate the Fifth Amendment.¹² The court concluded that the government had sufficiently established that it knew the individual owned the phone and was aware that the individual knew the passcode.¹³ Under this reasoning, the passcode was treated as a foregone conclusion, and the individual’s compelled disclosure of it was not seen as self-incriminating.¹⁴

Conversely, in United States v. Shvartsman, the Southern District held that the doctrine should be restricted to non-verbal acts of evidence production, such as physically surrendering a key to a safe.¹⁵ The court reasoned that providing a passcode is a verbal act that requires an individual to express the contents of the person’s mind.¹⁶ As such, it falls outside the scope of the foregone conclusion doctrine because revealing a passcode constitutes a testimonial communication, which is inherently protected by the Fifth Amendment’s privilege against self-incrimination.¹⁷ The court explicitly differentiated between the compelled disclosure of a passcode and the physical act of using biometric features to unlock a device.¹⁸ The court indicated that revealing a passcode was a testimonial act, whereas using biometric data was a non-testimonial physical act.¹⁹

Similarly, in In re Search Warrant No. 5165, the court noted that while biometric features and passcodes may be functionally equivalent in terms of providing access to a device, they are not legally equivalent.²⁰ The court emphasized that while both can be used to unlock a device, a passcode represents a mental act of communication, whereas biometric data is a physical characteristic that does not involve communication or mental effort.²¹

Several cases addressing the treatment of compelled passcodes have been brought before the U.S. Supreme Court, though in each instance, the Court declined to review the matters.²² These cases have involved important questions about the constitutional limits on compelling individuals to provide passcodes to unlock their electronic devices, but the Court has opted not to intervene. With petitions for certiorari denied, the lower court rulings remained in place.

In addition, a case concerning the compelled use of biometric features to unlock a device also sought review by the Supreme Court, but that petition was similarly denied. In Diamond v. Minnesota, the Court refused to hear the case, which involved a question about whether forcing an individual to use his fingerprint to unlock a device violated the Fifth Amendment.²³ As with the passcode cases, the denial of certiorari left the lower court’s decision undisturbed.

It should be noted, the Eighth Circuit has held that giving an incorrect passcode could lead to an obstruction of justice charge. In United States v. Beattie, the court found that the defendant obstructed justice when, in response to a warrant, he provided incorrect passcodes to his iPhone and iPad.²⁴ The defendant contended that the furnishing of passcodes was testimonial and that he was asserting his Fifth Amendment privilege against compelled self-incrimination. However, the court found the defendant “was not honestly unable to recall the passcodes,” noting that there is no constitutional right to lie.²⁵

Based on the current state of the law, if Adams had allowed his cellphone to be unlocked using biometric data, agents could have simply held it up to his face to unlock it. However, Adams’ claim that he had changed the passcode and forgotten it could introduce an opportunity to resolve the existing case law. While courts have generally allowed the compelled use of biometrics to unlock devices, Adams’ situation—where he asserts a lack of recall rather than refusal to disclose the passcode—raises questions about whether he could be compelled to at least attempt to enter the passcode. Given the current legal landscape, Adams could be compelled to make such an attempt, and failure to do so might expose him to charges related to obstruction or contempt.

Ultimately, there is still opportunity to challenge the circumstances under which a person has been compelled to provide biometric data and arguably, the passcode, until higher courts, including the United State Supreme Court, choose to address these issues.

***
Pei Pei Cheng de Castro is a Partner at Barclay Damon LLP, Senior Fellow at New York Law School’s Center for New York City and State Law, and former Deputy Counsel to Governor Kathy Hochul. Jennifer Hopkins is an Associate at Barclay Damon.

---

Footnotes:

1.Based on Indictment in United State v. Adams, 24 Cr 556 (SDNY 2024), link here Southern District of New York | New York City Mayor Eric Adams Charged With Bribery And Campaign Finance Offenses | United States Department of Justice.

2. See Gaby Del Valle, The feds still can’t get into Eric Adams’ phone, The Verge (Oct. 2, 2024, 4:06 PM), https://www.theverge.com/2024/10/2/24260626/fbi-eric-adams-locked-phone-forgotten-changed-password.

3. See, e.g., United States v. Eldarir, 681 F. Supp. 3d 43 (E.D.N.Y. 2023); In re Search Warrant As to the Residence of Mike Crowe, 437 F. Supp. 3d 515 (W.D. Va. 2020); In re Search Warrant No. 5165, 470 F. Supp. 3d 715 (E.D. Ky. 2020); United States v. Barrera, 415 F. Supp. 3d 832 (N.D. Ill. 2019); In re Search of, 317 F. Supp. 3d 523 (D.D.C. 2018).  

4.  Eldarir, 681 F. Supp. 3d at 52 (citing Barrera, 415 F. Supp. 3d at 839).

5. See United States v. Payne, 99 F.4th 495 (9th Cir. 2024).

6. Id. at 512.

7. See In re Application for a Search Warrant, 236 F. Supp. 3d 1066, 1073 (N.D. Ill. 2017); see also In re Single-Family Home & Attached Garage, No. 17-M-85, 2017 U.S. Dist. LEXIS 170184, at *25 (N.D. Ill. Feb. 21, 2017).

8. See, e.g., In re Application for a Search Warrant, 236 F. Supp. 3d at 1073 (“With a touch of a finger, a suspect is testifying that he or she has accessed the phone before, at a minimum, to set up the fingerprint password capabilities, and that he or she currently has some level of control over or relatively significant connection to the phone and its contents.”).

9.  See United States v. Wright, 431 F. Supp. 3d 1175, 1187-88 (D. Nev. 2020); see also In re Search of a Residence in Oakland, 354 F. Supp. 3d 1010, 1016 (N.D. Cal. 2019).

10. See, e.g., United States v. Apple Mac Pro Comput., 851 F.3d 238, 248 (3d Cir. 2017); United States v. Smith, 706 F. Supp. 3d 404, 409 (S.D.N.Y. 2023); United States v. Cheng, No. 4:20-CR-455, 2022 U.S. Dist. LEXIS 6437, at *23-25 (S.D. Tex. Jan. 12, 2022); United States v. Spencer, No. 17-CR-00259 (CRB), 2018 U.S. Dist. LEXIS 70649, at *9-10 (N.D. Cal. Apr. 26, 2018).

11. See, e.g., Fisher v. United States, 425 U.S. 391, 411 (1976) (introducing the foregone conclusion doctrine).

12. See Smith, 706 F. Supp. 3d at 409.

13. See id.

14. See id.

15. See United States v. Shvartsman, No. 23-CR-307 (LJL), 2024 U.S. Dist. LEXIS 50597, at *75-77 (S.D.N.Y. Mar. 20, 2024).

16.  See id. at *68 (citing Doe v. United States, 487 U.S. 201, 210 n.9 (1988)).

17. See  Shvartsman, 2024 U.S. Dist. LEXIS 50597, at *75-77.

18. See id.

19. See id.

20. See In re Search Warrant No. 5165, 470 F. Supp. 3d at 734.

21. See id.

22. ee, e.g., Utah v. Valdez, 144 S. Ct. 2684 (2024); Sneed v. Illinois, 144 S. Ct. 1012 (2024); Andrews v. New Jersey, 141 S. Ct. 2623 (2021); Pennsylvania v. Davis, 141 S. Ct. 237 (2020); Johnson v. Missouri, 140 S. Ct. 472 (2019); Doe v. United States, 584 U.S. 980 (2018).

23. See Diamond v. Minnesota, 584 U.S. 984 (2018).

24. United States v. Beattie, 919 F.3d 1110 (8th Cir. 2019).

25.  Id. at 1116.