What do you keep on your mobile? For most people the answer goes beyond just details of telephone calls and text messages – the smart phone is a repository for years’ worth of photographs, personal emails, private files, web-browsing records, location tracking, and health data.
As the US Supreme Court put it in 2014, “adults who own a cell phone keep on their person a digital record of nearly every aspect of their life – from the mundane to the intimate . . . a cell phone search would typically expose to the government far more than the most exhaustive search of a house: a phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form”.
The sensitivity of your phone means that this week’s proposal from the Department of Justice for a new Garda Síochána Powers Bill requires close scrutiny. That proposal would introduce a new power for gardaí, when carrying out search warrants, to demand your password or PIN and require you to biometrically unlock your phone (or tablet, or computer) using your fingerprint or face.
As well as taking a copy of everything on the device itself, gardaí could also use the device to access any other service you use – such as your webmail, cloud storage, or online banking – and then take a copy of that data also.
Very few countries have laws requiring password disclosure and in several jurisdictions, courts have held that mandatory disclosure of passwords is incompatible with the right to silence
The way in which the searches would be carried out is concerning. Failure to comply with the demand there and then (with no right to consult a solicitor) would be an offence exposing you to immediate arrest, punishable by imprisonment for up to five years and a fine of up to €30,000. This power would also apply to the devices of “any person present at the place where the search is carried out”, including for example the parents or siblings of a suspect or someone who shares a house with them.
At the moment there is a similar power only for a narrow set of crimes – mainly dishonesty offences and cybercrime. The significance of this proposal is that it would extend this to every warrant, in relation to every type of crime. Indeed, this power could apply in some cases without any crime at all: the proposal envisages that the Competition and Consumer Protection Authority and the Office of the Director of Corporate Enforcement may seek such warrants even “where no offence is suspected”.
What safeguards would be in place in relation to these searches? Material which might be legally privileged, such as correspondence from your solicitor, must be kept confidential and only inspected following assessment by the High Court. Otherwise, the proposal does not provide for any safeguards regarding sensitive information such as files held by doctors, journalists, or public representatives.
The lack of protection for journalists’ sources is particularly notable as a High Court judgment from 2020 on exactly this issue (seizure of a journalist’s mobile phone) strongly suggests that the failure to provide safeguards is in breach of both the European Convention on Human Rights and the Constitution.
The current proposal would greatly widen the search warrant to permit the search of a person's entire digital life, but without introducing any corresponding protections
The proposal does little to ensure that irrelevant material will not be seized and searched. Instead, if something “may contain” information within the scope of the warrant and “it is not reasonably practicable” to separate out that information then all the material – such as the entire contents of a device or the whole of an email account – may be seized and searched. In practice, this means that in most cases the entire contents of a phone, an email account, and so on will be copied.
The only limit on the extent of searches is that a code of practice may be adopted which may deal with searches of irrelevant material – but breaches would be a matter for internal disciplinary proceedings only, and would not have any other legal effect. This is particularly worrying given the danger that phones will be trawled for intimate images.
This proposal is also significantly out of line with international standards. Very few countries have laws requiring password disclosure and in several jurisdictions, notably Canada and several US states, courts have held that mandatory disclosure of passwords is incompatible with the right to silence and the privilege against self-incrimination.
Even in those jurisdictions where password demands are permitted, they are usually exceptions to the usual rule and can generally only be made on the basis of some special circumstances.
In the UK, for example, a notice to disclose a password can only be issued where a judge finds that such a notice is proportionate, that there is no other reasonably practicable way to access the relevant information, and that access is necessary for purposes such as national security or the prevention or detection of crime. The current proposal – by providing for password demands indiscriminately, in relation to every search warrant – is unprecedented.
Historically, search warrants were relatively limited documents which permitted the search of a particular place for a physical thing. The current proposal would greatly widen the search warrant to permit the search of a person’s entire digital life, but without introducing any corresponding protections, and without any evidence that this huge extension of powers is necessary. It must go back to the drawing board.
Dr TJ McIntyre is an associate professor in the UCD Sutherland School of Law, consultant solicitor with FP Logue Solicitors and chair of Digital Rights Ireland