This article was originally published in the Spring 2015 issue of the Virginia Bar Association YLC Docket Call.
The ever-evolving technological landscape constantly elicits new and interesting questions of law. Privacy and data security are areas of contention and confusion for many. Why? Because privacy limits are unclear because the reach of technology outpacing the evolution of the law. As cell phones have advanced, they have become essential to everyday life and are no longer merely phone used to make and receive calls. Cell phones are minicomputers filled with personal, and mostly private, information including calendars, alarm clocks, books, videos and photos. People store everything from grocery lists to banking information in phones. How do the laws that govern phones solely to make and receive calls apply to these new multifaceted devices? Courts and lawmakers are slowly answering that question.
In Reily v. California, the Supreme Court shed some light on privacy limits regarding cell phones. The Court held that the police generally may not, without a warrant, search digital information on a cellphone seized from an individual who has been arrested. The Court characterized cell phones as minicomputers filled with massive amounts of private information, which distinguished them from the traditional items that can be seized from an arrestee’s person, such as a wallet. This ruling is a necessary stride towards deciphering how the Fourth Amendment applies in this digital age but leaves a lot of unanswered questions.
After obtaining a warrant to search a phone how will officers access the contents? Can officers compel the accused to provide one’s passcode or fingerprint? Existing laws do not apply smoothly and presents an interesting question: Is producing one’s passcode or fingerprint to allow access to digital information on a smartphone testimonial communication subject to the Fifth Amendment privilege against self-incrimination? This was the question answered in the Virginia case Commonwealth of Virginia v. Baust.
In Commonwealth of Virginia v. Baust, the defendant David Baust was indicted on charges of assault. The victim alleged that video of the assault was on Baust’s smartphone. The police obtained and executed a search warrant, retrieving (among other items) the smart phone. However, the phone was “locked” and could only be entered using a passcode or fingerprint. The court decided to review each method of entry separately under the Fifth Amendment and arrived at two different conclusions.
The court held that fingerprints and passcodes are different in the eyes of law because of the testimonial nature of providing a passcode, which violates the accused’s right not to incriminate him or herself. The Judge explained that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone. Producing the passcode would require the defendant to divulge knowledge—information from his own mind, placing it in the testimonial realm. However, he concluded that a personal fingerprint does not require any similar knowledge—it is equivalent to a key that fits into a lock.
This legal distinction will have a major impact on smartphone users, especially as providers market the increased security of these alternate access mechanisms. Your fingerprint is advertised as a more secure method for accessing tour phone but presents vulnerability if ever compelled to provide access to your phone. The legal differences may not be clear to users, as the passcode and the fingerprint are functionally equivalent. Should they really be distinguished under the law? Is there a distinction between telling police a passcode and typing in the passcode so that police may gain access to a phone? By typing the code, the individual does not have to provide any knowledge (testimony) directly to the police, although still providing access to data that is potentially criminally incriminating. Is the outcome or the means more important, because although not a verbal testimony providing a fingerprint or writing a passcode may lead to criminally incriminating information?
This decision raises a lot of questions and determining privacy rights in our technology will only get more complex as technology continues to evolve. The court is being charged to assess the functional and technological implications of new technology and create laws with those perspectives in mind. This is a difficult balance. Consistency will also be important to citizens as they seek to protect themselves within the bounds of these laws.
Most immediately, in Virginia, you should protect your phone using a passcode, not your fingerprint.
 134 S. Ct. 2473, 2477 (2014).
 Commonwealth of Virginia v. Baust, No. CR14-1439, at 2 (Va. 2d Cir. Ct. Oct. 28, 2014).
 Id. at 1.
 Id. at 4.
 Id. at 5.