By Ugur Nedim and Zeb Holmes
It has been reported that police in the United States compelled a suspect to unlock his iPhone X using its facial recognition technology, triggering debate about the legality of forcing people to unlock devices using their password or biometric capabilities.
The United States case
During a search of the home of 28-year-old Ohio resident Grant Michalski on 10 August 2018, FBI officers told the suspect to put his face in front of the phone, which he did.
The officers then trawled through his phone and allegedly found evidence of child pornography.
They then charged him with receiving and possessing child pornography.
An FBI officer later confirmed in an affidavit that the Bureau had been using private companies to access “technological devices that are capable of obtaining forensic extractions from locked iPhones without the passcode.”
Cellebrite and Grayshift are reported to be the two biggest companies providing such services.
Both companies have lucrative contracts with various US government agencies to bypass iPhone security.
Grayshift, for example, has a $484,000 deal with the Secret Service as well as a $384,000 contract with Immigration and Customs Enforcement (ICE).
The Secret Service also paid $780,000 to Cellebrite in September 2018 for services rendered.
Access to data in Australia
Thanks to metadata retention laws and a whole host of ensuing measures which facilitate access to various forms of personal data, Australian authorities are in a unique position in the Western world when it comes to information access.
These laws have already been misused in a number of ways without consequence. For example, in 2016 it was revealed that over 60 Government agencies had applied to the Attorney-General for metadata access. The list includes the Australian Taxation Office, Department of Human Services, and even local councils.
In fact, Bankstown Council applied for metadata access in order to catch illegal rubbish dumpers and those who breach by-laws. That access was granted.
And the Queensland Police Service used the scheme to access the metadata of cadets in an attempt to determine whether they were sleeping with one another, or faking sick days.
To many, dumping rubbish, monitoring the sexual activities of cadets or even evading tax is not enough to justify sacrificing the privacy of the entire Australian population – especially when the reason put forth for the implementation of the laws was to fight against terrorism and organised crime.
And just recently, federal legislation took access to personal information a step further, giving law enforcement agencies the power to compel domestic companies, as well as internationally based companies that operate in Australia, to actively assist in the decryption of private communications on their platforms.
Can police require my passwords?
There is a legal mechanism for police in Australia to force the disclosure of an individual’s password, personal identification number and private encryption key to facilitate access to a smartphone or computer during the investigation of a Commonwealth offence.
That mechanism is contained in section 3LA of the Crimes Act 1914 (Cth) (“the Act”), which provides that “a constable may apply to a magistrate for an order to provide any information or assistance that is reasonable and necessary” to allow them to access data stored on “a computer or data storage device.”
A “constable” is defined by section 3 of the Act as “a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory”.
Police can apply to a magistrate for an “assistance order” requiring the owner or user of a computer or data storage device to provide such information if they can establish a reasonable suspicion that the device holds or can enable access to evidential material relevant to a crime.
The subject of the order is not required to be suspected of any crime. He or she merely needs to be the owner of the device that police reasonably suspect holds information relating to an offence.
If the application is successful, the subject will be required to provide the password/s enabling police to gain access to the device/s, as well as any decryption information in order to make data accessible and intelligible to police.
Failure to comply with an assistance order is a criminal offence. When the law was first enacted, the maximum penalty was 6 months’ imprisonment. However, authorities have since raised the maximum penalty to 2 years behind bars.