Gelfgatt, Jones, and the Future of Compelled Decryption
by Eric A. Haskell
As great quantities of data have come to repose in electronic devices, obtaining access to the content of those devices has come to be greatly important to law enforcement in many criminal investigations. It sometimes happens that law enforcement has a right—typically pursuant to a search warrant—to search for data on a particular device, but is prevented from doing so by the presence of a password or other “key” that makes the data inaccessible or unreadable. Law enforcement sometimes can bypass the password on its own. See generally O.S. Kerr & B. Schneider, Encryption Workarounds, 106 Geo. L.J. 989 (2018). But, other times, the only practical way law enforcement can execute the search is with the help of a person who knows the password. Because the person who knows the password often is the suspect, their help generally is available only if compelled by court order. Such “compelled decryption” implicates not only the constitutional requirement that the search of the device be “reasonable,” but also the suspect’s constitutional privilege against compelled self-incrimination.
Basic Principles of the Privilege Against Self-Incrimination
The Fifth Amendment to the federal Constitution provides that “[n]o person . . . shall be compelled . . . to be a witness against himself . . . .” Article 12 of the Massachusetts Declaration of Rights similarly provides that “[n]o subject shall . . . be compelled to accuse, or furnish evidence against himself.” Decisional law has interpreted these privileges to bar the government from: (1) compelling a person; (2) to make a testimonial communication; (3) that is incriminating. Fisher v. United States, 425 U.S. 391, 408 (1976); Commonwealth v. Burgess, 426 Mass. 206, 218 (1997).
The privilege does not protect against compelled provision of a physical identifier such as fingerprints, a blood sample, or a handwriting exemplar. See generally Schmerber v. California, 384 U.S. 757, 767 (1966); Commonwealth v. Brennan, 386 Mass. 772, 776-83 (1982). This is because such identifiers do not “extort . . . information from the accused” or “attempt to force him to disclose the contents of his own mind,” and thus are not viewed as sufficiently “testimonial” for the privilege to attach. Doe v. United States, 487 U.S. 201, 210-11 (1988). Nor does the privilege shield documents from being disclosed pursuant to compulsion, even if their contents are incriminating. United States v. Hubbell, 530 U.S. 27, 35-36 (2000). This is because “the creation of those documents was not ‘compelled’ within the meaning of the privilege.” Id.
The privilege may apply where the mere act of producing a document or a thing is “testimonial” in that it implies an incriminating assertion of fact, such as: that the demanded object exists; that the object produced is authentic; or that the suspect possesses or controls the object. Fisher, 425 U.S. at 410; Commonwealth v. Hughes, 380 Mass. 583, 588-93 (1980). But this “act of production” doctrine does not apply where law enforcement already has independent evidence of the incriminating assertions that the act of production would imply. In other words, if the act of production “adds little or nothing to the sum total of [law enforcement’s] information,” then any facts implied by the act of production are “foregone conclusions” and the privilege does not apply. Fisher, 425 U.S. at 411; Hughes, 380 Mass. at 592.
Commonwealth v. Gelfgatt
In Gelfgatt, the defendant was arrested in connection with a complex fraud scheme that involved the creation and recording of forged mortgage assignments. Commonwealth v. Gelfgatt, 468 Mass. 512, 514-15 (2014). On the day of his arrest, investigators seized several encrypted devices from his home and also interviewed the defendant, who asserted that he was capable of decrypting them. Id. at 516-17. After the defendant was charged with forgery, uttering, and attempted larceny, the Commonwealth filed a motion seeking to compel him to enter the passwords into the encrypted devices. Id. at 517-18 & n.10. The Superior Court denied the motion and reported the case to the SJC.
The SJC determined that the contents of the devices were not privileged on self-incrimination grounds because they had been “voluntarily created by the defendant in the course of his real estate dealings.” Id. at 522 n.13. The SJC then held that the defendant’s act of entering the passwords would be a testimonial act of production, because it would implicitly acknowledge his “ownership and control of the computers and their contents.” Id. at 522. But, the SJC continued, the defendant had already acknowledged as much in his statement to the police; thus, any facts implied by his entering the passwords were foregone conclusions. Id. at 523-24. In doing so, the SJC commented that the “foregone conclusion” exception would apply where law enforcement already was aware of “(1) the existence of the evidence demanded; (2) the possession or control of that evidence by the defendant; and (3) the authenticity of the evidence.” Id. at 522 (citing Fisher, 425 U.S. at 410-13).
Commonwealth v. Jones
In Jones, the defendant was arrested and later charged with sex trafficking and deriving support from prostitution. Commonwealth v. Jones, 481 Mass. 540, 543-44 (2019). At the time of his arrest, he possessed a cellular telephone that, the police learned from other sources, he had used to facilitate prostitution transactions. Id. The Commonwealth filed a motion seeking to compel him to decrypt the telephone (although, as discussed below, the motion imprecisely described what it sought to compel him to do). The motion judge demurred, interpreting Gelfgatt to require the Commonwealth to establish “(1) the existence of the evidence demanded; (2) the possession or control of that evidence by the defendant; and (3) the authenticity of the evidence,” and concluding that the Commonwealth had failed to demonstrate those propositions with “reasonable particularity.” Id. at 545, 548, 553 n.14. The Commonwealth subsequently made a renewed motion, furnishing additional evidence that, it argued, showed that the defendant’s knowledge of the telephone’s password was a foregone conclusion. Id. But the motion judge declined to consider the newly-furnished evidence without a showing that it had been unknown or unavailable to the Commonwealth at the time of the initial motion. Id. at 545, 558-59. The Commonwealth then sought relief before a single justice of the SJC, who reserved and reported the case to the full Court on three questions: (1) what burden of proof the Commonwealth must bear to establish the “foregone conclusion” exception to the privilege under Gelfgatt; (2) whether the Commonwealth had met that burden; and (3) whether the Commonwealth was required, in a renewed Gelfgatt motion, to show that any newly-furnished evidence had been unknown or unavailable at the time of the initial motion.
Before answering those questions, the SJC addressed a threshold issue: What factual assertions must the Commonwealth demonstrate are “foregone conclusions” in order to obtain a Gelfgatt order? The SJC answered that, when the Commonwealth seeks to compel a defendant to enter a password into a device, “the only fact conveyed . . . is that the defendant knows the password, and can therefore access the device.” Id. at 547-48. The Court rejected the proposition that the compelled entry of a password also asserts the defendant’s ownership and control of the device, observing that “individuals may very well know the password to an electronic device that is owned and controlled by another person.” Id. at 547 n.8. Accordingly, the SJC concluded, the Commonwealth may invoke the “foregone conclusion” exception simply by showing that the defendant knows the password. Id.
Turning to the reported questions and relying on article 12, the SJC held that the Commonwealth must make that showing beyond a reasonable doubt. Id. at 551-55. Applying that standard, the Court found that the Commonwealth had shown the defendant’s knowledge of the password beyond a reasonable doubt, where: (1) the defendant possessed the telephone at the time of his arrest; (2) one month before his arrest, when asked by the police for his number, the defendant had provided the telephone’s number; (3) a woman told the police that the defendant used the telephone to facilitate prostitution transactions; (4) the telephone’s subscriber records were associated with a second number that was associated with the defendant; and (5) the telephone’s cellular site location information (CSLI) placed it in the same locations at the same times as another telephone that was confirmed to belong to the defendant. Id. at 555-58 (“[S]hort of a direct admission, or an observation of the defendant entering the password himself and seeing the phone unlock, it is hard to imagine more conclusive evidence of the defendant’s knowledge of the [telephone’s] password.”). Finally, the Court found that the motion judge abused his discretion by declining to consider evidence presented in the Commonwealth’s renewed motion that was not shown to have been unknown or unavailable at the time of the initial motion. Id. at 558-61. The Court observed that a Gelfgatt motion, “[m]uch like a search warrant application,” is an “investigatory tool,” the factual support for which may evolve over the course of an investigation. Id. at 559-60.
The Future of Compelled Decryption
Although Gelfgatt and Jones mark the SJC as a national leader on compelled decryption issues, important questions remain to be answered.
- Non-Gelfgatt Decryption Procedures
The order in Gelfgatt required the defendant to appear at a digital forensic lab, to enter the password into each device, and “immediately [to] move on . . . .” 468 Mass. at 517 n.10. It also forbade the Commonwealth from viewing or recording the password entered by the defendant. Id. In contrast, the order sought in Jones was “not perfectly clear” as to what it would require the defendant to do, but “suggested that it sought to require the defendant to make a written disclosure of the actual password.” 481 Mass. at 546 n.9. Acknowledging the possible infirmity with such a procedure, the SJC construed the order sought in Jones as tracking the one sought in Gelfgatt, and approved its issuance on that basis. Id.
The SJC was correct to hesitate when faced with a request to compel the defendant to disclose his password to law enforcement. This is because the compelled disclosure of a password is not a testimonial act of production to which the “foregone conclusion” exception might apply: Rather, it is a “pure” testimonial statement to which the “foregone conclusion” exception cannot apply. See id. (acknowledging as much in dicta); see also United States v. Oloyede, Nos. 17-4102, 17-4186, 17-4191, & 17-4207, — F.3d —, 2019 WL 3432459 (4th Cir. Jul. 31, 2019) (distinguishing between suspect’s typing password into device and giving password to law enforcement).
Furthermore, in both Gelfgatt and Jones, the suspect was not compelled to produce any particular files from the device after decrypting it; that was left to the analyst executing the warrant. In Jones, the SJC highlighted this aspect of the decryption procedure, observing that “the analysis would have been different” if the suspect had been compelled to produce particular files, because doing so “would implicitly testify to the existence of the files, [the suspect’s] control over them, and their authenticity.” 481 Mass. at 548 n.10. In that situation, the Commonwealth would have been obligated to prove, beyond a reasonable doubt, that those additional assertions were foregone conclusions before it could obtain a corresponding Gelfgatt order. Cf. Hubbell, 530 U.S. at 44-45 (act of production is privileged where grand jury subpoena would require recipient to produce documents whose existence and location were previously unknown to government).
- Cloud-Based Storage
Gelfgatt and Jones both involved a tangible device that was in the physical possession of law enforcement. But their holdings as to the privilege against compelled self-incrimination can also be applied to a request to compel decryption of a cloud-based digital space. Such a request would follow the same analysis, with law enforcement required to: (1) have a right to search the cloud location; (2) show beyond a reasonable doubt that the suspect knows the password to access the cloud location, thereby availing itself of the “foregone conclusion” exception; and (3) allow the suspect to input the password in a way that law enforcement does not see or record.
- Biometric Keys
In both Gelfgatt and Jones, the sought-after “key” was an alphanumeric password. But a key can also take the form of a biometric such as a facial scan, retinal scan, or fingerprint. Biometric keys introduce two novel questions: (1) is compelled biometric decryption properly viewed as a testimonial act of production, and thus within the scope of the privilege against compelled self-incrimination?; and, if so, (2) what must law enforcement show is a “foregone conclusion” before it can compel such biometric decryption?
Courts have answered the first question both ways. Some have viewed the compelled biometric decryption as no different than compelled provision of a traditional physical identifier, and thus nontestimonial. See, e.g., State v. Diamond, 905 N.W.2d 870, 875-76 (Minn. 2018); In re Search of [Redacted], 317 F. Supp. 3d 523, 535-37 (D.D.C. 2018); In re Search Warrant Application for [Redacted], 279 F. Supp. 3d 800, 803-05 (N.D. Ill. 2017); Commonwealth v. Baust, 89 Va. Cir. 267, 2014 WL 10355635 (Va. Cir. Ct. Oct. 28, 2014). Others have reasoned that, unlike providing a physical identifier, compelled biometric decryption implies factual assertions about the suspect’s relationship with the device. See, e.g., Seo v. State, 109 N.E.3d 418 (Ind. App. 2018), vacated and transferred to Ind. Supreme Court, 112 N.E.3d 1082 (Ind. 2018); In re Application for Search Warrant, 236 F. Supp. 3d 1066, 1073-74 (N.D. Ill. 2017); In re Search of a Residence in Oakland, Cal., 354 F. Supp. 3d 1010, 1015-16 (N.D. Cal. 2019); In re Search of White Google Pixel 3 XL Cellphone, No. 1:19-mj-10441, 2019 WL 2082709 at *3-4 (D. Idaho May 8, 2019). No Massachusetts court has yet issued a published opinion on this issue.
In this author’s view, law enforcement should be prepared for a Massachusetts court to depart from the traditional treatment of compelled provision of a physical identifier, and instead to view compelled biometric decryption as a testimonial act of production. Compelled provision of a physical identifier has been deemed nontestimonial not because it does not assert facts, but rather because the facts that it does assert are so “self-evident” as to be “[in]sufficiently testimonial for purposes of the privilege.” Fisher, 425 U.S. at 411 (compelled handwriting exemplar is nontestimonial for purposes of the privilege, despite its asserting both that handwriting belongs to suspect and that suspect is literate); accord Commonwealth v. Nadworny, 396 Mass. 342, 363-64 (1985) (fact that defendant is right-handed, unlike handwriting exemplar itself, is testimonial, although “trivial”). But, when law enforcement seeks to compel biometric decryption, its object is not merely provision of the biometric standing alone: If it were, the method of capturing the biometric would not matter, and investigators could just as well take a photograph of the suspect’s face, or ink-and-paper impressions of his fingerprints. Rather, the object of compelled biometric decryption is the interaction of the biometric, in a pre-programmed fashion, with a particular device. The successful interaction of biometric and device, in contrast to the biometric standing alone, asserts at least one fact that neither is trivial nor is self-evident from the biometric—specifically, it asserts that the suspect’s biometric is capable of decrypting the device. See In re Application for Search Warrant, 236 F. Supp. 3d at 1073. In other words, compelled biometric decryption asserts facts that are basically similar to those asserted by compelled decryption using a password.
This reasoning simultaneously answers both the first question of whether compelled biometric decryption should be viewed as a testimonial act of production (it should) and the second question of what law enforcement must establish is a “foregone conclusion” before it can compel such a biometric. If the assertion implied by the compelled biometric decryption is that the suspect’s biometric is capable of decrypting the device, then, pursuant to Jones, that is what the Commonwealth must prove beyond a reasonable doubt. As in Jones, the Commonwealth can do so through either direct evidence (e.g., that the suspect actually used his biometric to decrypt the device) or circumstantial evidence (e.g., that the suspect used the device in a manner indicating that he must have had the ability to do so).
As a practical matter, the utility of compelled biometric decryption to law enforcement may be circumscribed. This is because some biometric-based security technologies—including Apple’s popular fingerprint-based Touch ID—self-disable if, since the last time the device was unlocked, too much time has passed, or the device has been restarted or has lost power, or multiple attempts to unlock the device have been unsuccessful. See About Touch ID Advanced Security Technology. In addition, law enforcement may have limited ability to both maintain power to a biometrically locked device and to secure it from network activity (i.e., to minimize the risk of remote wiping or deletion of data). Perhaps for these reasons, federal practice has often encountered requests to compel biometric decryption made as part of an application for an omnibus search warrant to also authorize law enforcement: (1) to seize the device; and (2) to search the device for particular data after it has been seized and decrypted using the compelled biometric. See, e.g., In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1013; In re Search of [Redacted], 317 F. Supp. 3d at 525-26; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 801-02; In re Application for Search Warrant, 236 F. Supp. 3d at 1066-67.
- Ex Parte Gelfgatt Proceedings
Gelfgatt and Jones each arose in the posture of a motion filed in a criminal case in the Superior Court. This posture suggests that, in those cases, any evidence contained on the encrypted device was not necessary to support charges against the defendant. But some investigations will require a compelled decryption before charges can be brought. It thus seems likely that some Gelfgatt motions will arise in an ex parte posture.
The Appeals Court has already addressed a Gelfgatt motion arising out of a grand jury investigation, concerning a device that the police had previously obtained a warrant to search. See In re Grand Jury Investigation, 92 Mass. App. Ct. 531 (2017), further appellate review denied, 478 Mass. 1109 (2018). The Commonwealth filed a sealed Gelfgatt motion in the Superior Court and attached documents containing grand jury evidence that, the Commonwealth argued, satisfied its burden under the “foregone conclusion” exception. Id. at 532. The Commonwealth served the motion, but not the attachments, on counsel for the individual whom it sought to compel. The Appeals Court affirmed the Superior Court’s issuance of a Gelfgatt order, concluding that the attachments showed that it was a foregone conclusion that the individual knew the password, among other things. Id. at 534-35; see also Burgess, 426 Mass. at 215-16 (Fifth Amendment applies in same way to grand jury witness/target as to indicted defendant). The Appeals Court also specifically affirmed the non-disclosure of the attachments to counsel, reasoning that grand jury materials are secret, and that both the Superior Court judge and the appellate court could review the attachments on an ex parte basis. Id. at 535-36.
It is a small step from In re Grand Jury Investigation to think that at least some Gelfgatt orders may be sought as part of a search warrant application. Indeed, search warrant applications bear similarities to the motions sustained in Gelfgatt, Jones, and/or In re Grand Jury Investigation: They are ex parte, they rely on affidavits rather than live testimony, and they form an “investigatory tool that aids investigators in obtaining material and relevant evidence related to a defendant’s conduct.” Jones, 481 Mass. at 559. As noted, search warrant applications seeking compelled biometric decryption have appeared in federal practice. See, e.g., In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1015-16; In re Search of [Redacted], 317 F. Supp. 3d at 535-37; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 803-05; In re Application for Search Warrant, 236 F. Supp. 3d at 1073-74. Nonetheless, a search warrant application seeking a Gelfgatt order in state court would entail innovations to Massachusetts search warrant practice that the applicant must be prepared to address.
The applicant must be prepared to show that the act sought to be compelled is of a type of evidence for which the Legislature has authorized issuance of a search warrant. See G.L. c. 276, § 1 (enumerating categories of evidence that may be sought by search warrant). Compelled biometric decryption likely will fall into that category. See, e.g., In re Lavigne, 418 Mass. 831, 834-35 (1994) (statute authorizes use of warrant to procure bodily sample from suspect); cf. In re Search of [Redacted], 317 F. Supp. 3d at 540 n.13 (declining to decide whether Fed. R. Crim. P. 41 authorizes issuance of warrant to compel biometric decryption, and instead issuing warrant under All Writs Act, 28 U.S.C. § 1651). Compelled decryption using a password, on the other hand, might not.
The applicant must also be prepared to show that the application does not trigger an adversarial hearing, which the SJC has required as a prerequisite for issuance of warrants for some especially invasive searches. E.g., Lavigne, 418 Mass. at 835 (warrant to extract blood sample from suspect must be preceded by adversarial hearing at which court can weigh intrusiveness of procedure against need for evidence); Commonwealth v. Banville, 457 Mass. 530, 539-40 (2010) (warrant to obtain suspect’s DNA using buccal swab would have been preceded by adversarial hearing if it had occurred in Massachusetts). So long as compelled biometric decryption “[does] not involve penetration into [the suspect’s] body,” Banville, 457 Mass. at 539 n.2, it likely will not trigger such a hearing. See also Commonwealth v. Miles, 420 Mass. 67, 83 (1995) (ex parte order compelling suspect to appear and have his body inspected for poison ivy need not be preceded by hearing).
The applicant must take care to particularly identify the person whose biometric is to be compelled, perhaps by including a photograph and/or detailed physical description of that person in the warrant application papers. This stems in part from the “particularity” requirement applicable to any search warrant. See G.L. c. 276, § 2. It also follows from this author’s view (above) that compelled biometric decryption may be analyzed under the “foregone conclusion” exception to the “act of production” privilege: If that view is accepted, the identity of the person whose biometric is to be compelled would form one aspect of the “foregone conclusion” that, under Jones, the Commonwealth must prove beyond a reasonable doubt. The need for particularity in identifying the person whose biometric is to be compelled likely precludes law enforcement from obtaining a warrant to compel “any person present” at the warrant execution to apply his/her biometrics to a device. Cf. In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1014 (denying such authorization); In re Application for Search Warrant, 236 F. Supp. 3d at 1068-70 (same).
And the applicant should be explicit about the different burdens it must sustain to obtain such a warrant. That a crime has occurred and that evidence related to the crime reasonably may be expected to be found in a particular place—requirements for issuance of any search warrant—need be demonstrated only to the level of probable cause. That it is a foregone conclusion that a particular person’s biometric is capable of decrypting the device, however, must be demonstrated beyond a reasonable doubt in accordance with Jones. The applicant should consider explicitly articulating the applicable burdens in the warrant application papers, for the benefit of the reviewing judicial officer.
Eric A. Haskell is an Assistant Attorney General and a member of the BBJ Board of Editors. This article represents the opinions and legal conclusions of its author and not necessarily those of the Office of the Attorney General. Opinions of the Attorney General are formal documents rendered pursuant to specific statutory authority.
 To ensure that even the act of placing a finger on the screen of a device does not disclose the suspect’s thoughts, the orders in some of those cases have required the police—not the suspect—to select the finger that the suspect must place on the screen. See In re Search of [Redacted], 317 F. Supp. 3d at 537, 539; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 804.
 It also strongly implies that the suspect was the person who previously programmed the device to decrypt in response to his biometric; unlike an alphanumeric password, a biometric is unique and non-transferable. Contrast Jones, 481 Mass. at 547 n.8 (suspect’s knowledge of password to device does not necessarily imply that he owns or controls device, because password can be transferred between persons).
 An additional showing might be required to authorize the suspect’s temporary detention for the purpose of compelling his biometric, although that showing may well be subsumed by the two discussed in the body text. See Hayes v. Florida, 470 U.S. 811, 816-17 (1985) (holding that police cannot transport suspect to station for fingerprinting without probable cause or prior judicial authorization, but suggesting that seizure of suspect in field for fingerprinting may be permissible based on less than probable cause in some circumstances); see also In re Search of [Redacted], 317 F. Supp. 3d at 532-33 (applying Hayes to authorize warrant to detain person for compelled biometric decryption if: “(1) the procedure is carried out with dispatch and in the immediate vicinity of the premises to be searched, and if, at time of the compulsion, the government has (2) reasonable suspicion that the suspect has committed a criminal act that is the subject matter of the warrant, and (3) reasonable suspicion that the individual’s biometric features will unlock the device, that is, for example, because there is a reasonable suspicion to believe that the individual is a user of the device”); cf. Commonwealth v. Catanzaro, 441 Mass. 46, 52 (2004) (search warrant implies authority to detain occupants of premises while search is conducted).