Kashmir Hill

Sometimes a legal case sits perfectly at the confluence of many strange and novel technological realities. And there's just such a case being prosecuted in Pennsylvania. The government alleges that two defendants used big data analysis of credit card data to illegally make millions in the stock market. But the government hopes to prove its civil case with data it thinks resides on the traders' encrypted smartphones. And so, the case has become a new front in the Cryptowar battlefield.

Bonan Huang and Nan Huang, former Capital One fraud analysts based in Virginia, are charged with insider trading. They had access to the credit card data of all of Capital One's customers through their work, and so they allegedly came up with a rather ingenious scheme. According to the Securities and Exchange Commission's complaint against them, they ran search queries in Capital One's database for companies whose stock they wanted to trade in—burrito chain Chipotle, handbag maker Coach, and outdoor retailer Cabela are mentioned in SEC documents—and then decided whether to buy or short the stocks based on the shopping patterns they saw in the proprietary database.

Advertisement

"Illegal research, sure, but they were right — spectacularly, and over and over again," wrote Bloomberg View's Matt Levine. According to the SEC, they made almost $3 million on a $147,300 investment from 2012 to 2015. Not too shabby! Big data analysis is valuable.

"That [profit] would be impressive if that were true," says Greg Morvillo, the lawyer representing the two Huangs. "Time will tell if the government can prove it."

Trading on insider information is frowned upon by regulators; penalties include fines, being barred from trading, and if tried criminally, prison time. Capital One fired the analysts on January 16 of this year, and the SEC filed a civil complaint against them for insider trader on the 21st.

Advertisement

When they left Capital One, Bonan Huang and Nan Huang turned in their company-provided smartphones, an iPhone 6 and a Samsung Galaxy S5. The SEC now wants to take a peek at what's on the phones, saying there are bank records on them that could be useful to its case, but the information on the phones can't be decrypted without their passcodes—which only Bonan Huang and Nan Huang know. And they're not telling.

As you may know, starting last year, in its recent, strong push for privacy protections for consumers, Apple decided to encrypt iPhones by default, so that only a person who knows the passcode can access the information on the device. The Samsung Galaxy can also be encrypted and it was likely something encouraged by the bank's security team. According to the SEC's legal filings, "the Bank asked employees not to keep records of their passwords for safety reasons."

So, heading into a December trial, the SEC tried to get a federal court to compel the two defendants to turn over their passcodes, but the Huangs pled the 5th saying they didn't want to provide "testimony" that could be incriminating for them. The federal judge in Pennsylvania agreed with them.

"We find, as the SEC is not seeking business records but Defendants' personal thought processes, Defendants may properly invoke their Fifth Amendment right," wrote U.S. District Judge Mark Kearney. "Since the passcodes to Defendants' work-issued smartphones are not corporate records, the act of producing their personal passcodes is testimonial in nature and Defendants properly invoke their fifth Amendment privilege."

Former federal prosecutor and legal scholar Orin Kerr disagreed with the ruling, writing on Volokh, essentially, that a "passcode" is not testimony but is more like a key to a locked door, which in the physical world, the government could force someone to hand over. But according to the judge, your passcode is more like something you know that's happened to you than a key.

Nan Huang and Bonan Huang, who are not related, are now living in China, and their lawyer Greg Morvillo says they may not even remember the passcodes.

Advertisement

"The reality is that the government is just guessing that there may be something relevant on those phones," said Morvillo.

We live in a world where everything we do is increasingly tracked, and digital information we create hourly and daily can come back to haunt us. But the increasing use of encryption may well complicate that. It's why the government has asked tech companies to provide "golden keys" that would unlock any device and allow it to "testify" against its owner if there's evidence of wrongdoing. And we are in the midst of a huge debate, about how much control we as citizens should have over what information the government gets access to.

It's not the first time this issue has come up. Two years ago, a court ruled that a child porn suspect didn't have to decrypt his computer's hard drive, because of his rights under the Fifth Amendment. Then the court changed its mind. Then the point became moot, because the government managed to break the encryption on the devices. He ultimately pled guilty.

Advertisement

It's an issue that's likely to come up much more often as technology companies are starting to build decryption features into products by default, meaning that it will not only be tech-savvy citizens who are taking full advantage of their constitutional rights.

Whether the information on your phone is protected may well depend on how you lock it down. A Virginia judge ruled last year that a man whose smartphone could be unlocked with his fingerprint could be forced to hand his fingerprint over, because it was something on his body and not in his head.