Phone codes are not secret
The plenary session of the Court of Cassation has just issued a long-awaited decision regarding the refusal to communicate his phone’s “secret code”. Indeed, it is considered that a cell phone unlock code can be a decryption key if it is accompanied by an encryption tool. As a result, refusal to communicate can be considered an offense punishable by up to three years in prison and a fine of 270,000 euros.
Cash. butt. plen., 7 November 2022, noh 21-83146
Someone has been arrested for possession of marijuana and then detained for violating narcotics laws. Admitting to obtaining, possessing, consuming and selling drugs, he refused to communicate to investigators the unlocking codes of two of his smartphones that could potentially have been used to commit the offense. In addition to his lawsuits for possessing and offering or transferring cannabis, others have been filed against him for refusing to surrender or enforcing a secret convention to decipher cryptographic means.
Convicted of offenses under narcotics laws, he was acquitted by a court judge on grounds of refusing to submit a secret agreement to decipher cryptology tools, arguing that unlocking codes for smartphones would not be secret decryption. convention that it will only be used to access the data contained in the phone.
Legal error according to the criminal chamber of the high court which ruled for the first time in October 2020 that “mobile unlock codes constitute a decryption agreement if it is possible to clarify the data they contain »1. However, caught during the dismissal, the Douai Court of Appeal rejected and did not follow this excuse, once again upholding the acquittal.
It is in this context that it is up to the plenary session of the Court of Cassation to determine whether an unlock code for a smartphone constitutes a confidential decryption agreement that allows the data on it to be decrypted.
Two texts apply here. First, article 434-15-2 of the Criminal Code which penalizes “in fact, for anyone who knows the secret convention for the decryption of a cryptological tool that is likely to have been used to prepare, facilitate or commit a crime or misdemeanor, to refuse to submit the agreement to the judicial authorities ”. Second, article 29 of law n° 2004-575 dated 21 June 2004 concerning trust in the digital economy (LCEN) which provides a definition of cryptological means, namely “any piece of hardware or software designed or modified to change data, whether information or signals , using the secret convention or to perform the inverse operation with or without the secret convention. The main purpose of these cryptological tools is to guarantee the security of data storage or transmission, by enabling to ensure their secrecy, authentication or integrity control.
Unsurprisingly, the plenary session followed the rationale for the division of crimes and agreed to the general judgment of the court of appeals judging that it emerged from a combined reading of the two texts that apply to the case that “a code unlocks a mobile phone.” can is the decryption key if the phone is equipped with an encryption tool.”
Supervision of the existence of an encryption device attached to the opening code is the responsibility of the judge
The constitution of this breach depends on the existence of an encryption device attached to the unlock code. The plenary panel determined that it was up to the judge to seek this information. The trial court, which alone can judge whether or not the offense was committed, must therefore find out whether the unlock code also requires decryption of the data contained in the phone.
This search can only be done in practice if this information already exists, for example by listing phone models that indicate the ability of unlock codes to decrypt data (PIN codes, phone access codes, access codes to certain applications, etc.), or if a judge calls an expert on a case-by-case basis to conduct this research.
A justifiable violation of the right to self-accusation?
The defendant’s obligation to provide access to data that might incriminate him clearly raises questions about the violation of the right to remain silent and not incriminate himself. The Court of Cassation has come to limit the right not to incriminate oneself by considering that it “does not include data that can be obtained from the person concerned by using force of coercion but which exists regardless of the will of the person concerned.2. What’s in question here is so much less of the data itself than its accessibility. The respondent is not required to provide access points to investigators for messages or data incriminating him, but only provides access to the database, in this case the telephone. To equate with a search, the defendant was not asked to show investigators where objects or documents against him were in his house, but only to access his house. Access to encrypted data, such as home access, can be coercive. The Constitutional Council also adhered to the pragmatic vision of article 434-15-2 of the Criminal Code, judging it in accordance with the Constitution on the grounds that “it is not intended to obtain a confession from it and does not carry a confession or presumption of guilt but only permits the decryption of encrypted data”3.
Questions about the proportionality of sentences
The intended crime is related to the alleged commission of one or more other predicate crimes. However, in contrast to the category of consequential offenses, here the offenses can be defended independently from the constitution of the offense which is the subject of the investigation. It is therefore appropriate to question the proportionality of the penalties imposed in the event of refusal to communicate a secret decryption agreement, in relation to the penalties imposed for the commission of the principal offence. It should be noted that this argument was presented before the Constitutional Council, which decided that this provision did not violate the principle of proportionality of punishment.4 guaranteed by article 8 of the Declaration on the Rights of Man and the Citizen (DDHC), but without giving any compelling reasons5.
The first paragraph of article 434-15-2 of the Criminal Code punishes this offense with a penalty of three years in prison and a fine of 270,000 euros. This obstruction violation applies when the “cryptological means [est] may have been used to prepare, facilitate or commit a crime or offence”. What if the suppression of the facts which are the subject of the investigation is not as severe as regulated in the obstruction of justice? Can’t we presume that the punishment was, in this case, disproportionate? If not, this means that legislators allow stronger repression to hinder the administration of justice than violations that actually set justice in motion.
Broad conception of the quality of judicial authority
According to the provisions of Article 434-15-2 of the Criminal Code, the recipient of the decryption agreement is a judicial officer. It can be understood that in the sense of the Constitution, what is meant by judicial power is a judge. If, in this case, the Court of Cassation does not consider it necessary to withdraw the conditions under which the request may fall within the scope of this article, it is still necessary to withdraw the case law in the matter.
Therefore, in the context of an investigation into blatant narcotics law violations, a police officer has requested the communication of three telephone unlock codes that have been found in the possession of the detained individual. Refusing to communicate it, he was later taken to a criminal court for refusing to surrender a secret agreement to decipher cryptological tools. However, the request for communication originated with a police officer during the trial and was not based on an indictment from a judicial authority, the Court of Appeal of Paris later ruled that the offense had not been committed.6.
However, the Court of Cassation pointed out that “requests issued by judicial police officers acting under articles 60-1, 77-1-1 and 99-3 of the Criminal Procedure Code (…) under the control of a judicial authority, fall within the provisions of article 434-15-2 Criminal Code”. In other words, a police officer has the right to ask for a cell phone unlock code in this context, but the offense cannot be characterized if the request is not preceded by a warning that refusal is likely to constitute a felony.7.
It is important to emphasize the criteria for characterizing these violations. Indeed, the offense was based on several cumulative conditions. In particular, there needs to be a refusal to communicate or apply decryption conventions of cryptological means. But most importantly, these cryptological tools must “may have been used to prepare, facilitate or commit a crime or offence”. This implies two consequences.
First, it means that a judicial authority cannot, during a simple inspection, require a person to communicate his or her phone unlock code as long as such a step is not part of the framework of the investigation.
Above all, such an approach must be justified by elements capable of establishing that the telephone was used in the context of the crime under investigation. This was specifically pointed out by the Constitutional Council, noting that “an investigation or instruction must enable to identify the presence of data processed by means of cryptology which may have been used to prepare, facilitate or commit a crime or offence”8.