Does a law violate the privilege against self-incrimination by requiring an individual to reveal a device password when a search warrant is being executed? The Irish High Court recently considered this issue in Poptoshev v DPP, holding that it doesn't.
In Poptoshev the applicant challenged sections 48 and 49 of the Criminal Justice (Theft and Fraud Offences) Act 2001. Section 48 allows gardaĆ with a warrant under that section to operate any computer at a place which is being searched, and to require any person at that place, who has lawful access to the information in any such computer, to furnish any password necessary to operate it. Section 49 criminalises failure to provide that password.
The applicant refused to provide passwords for two mobile phones and a laptop seized from him during a search of his home. When charged with failure to provide the passwords he brought a judicial review action claiming that this obligation, and the corresponding criminal penalty for failure to comply, amounted to a disproportionate interference with the privilege against self-incrimination under both the Constitution and the European Convention on Human Rights.
The High Court rejected this claim. The court held that the privilege against self-incrimination did not apply on the basis that 'the passwords in relation to each of these three devices existed independent of the will of the applicant', relying in particular on the similar English judgment in R v S (F). (An important aspect was that the applicant admitted ownership of the devices - there would have been a stronger self-incrimination claim otherwise.)
Separately, the High Court also held that mobile phones were included in the term 'computer' in the 2001 Act, which did not specifically define computers, and that the duty to provide a password applies 'there and then' while a search is being carried out and cannot be met by providing a password subsequently.
It is interesting that it has taken over twenty years for the constitutionality of this provision to be considered. There doesn't seem to have been many (if any?) prosecutions for failure to provide a password before now. According to a 2017 EU review of Irish law on cybercrime, Irish officials indicated that 'prosecution for withholding passwords is generally not done due to the right against self-incrimination' (p.68). After this judgment it's likely that these prosecutions will become more common.
