An Ontario court decision has put a cap on how many attempts police can make trying to unlock digital devices belonging to an alleged criminal.
The case involved three cellphones that were seized among several other electronic devices as part of an Ottawa Police Service investigation into child pornography in October 2022.
“Over the past year, forensic investigators have tried about 175 million different passcodes in an effort to view the contents of the phones but have had no success,” wrote Ian Carter, a judge of Ontario’s Superior Court of Justice.
The ruling was in response to an October 2023 application to the court by the Ottawa Police for permission to hold on to the devices and keep trying to crack the codes. The police had applied to extend the detention order for the phones a number of times before, the court document shows.
The phones are locked with “complex-alpha-numeric passcodes,” according to the court decision, which noted that there are 44 nonillion potential passcodes for each phone—specifically 44,012,666,865,176,569,775,543,212,890,625.
The 175,000,000 different passcodes the investigators tested over the course of 2023 are “only an infinitesimal number” in comparison, the judge wrote.
Justice Carter said the court needed to balance the property rights of the accused and the interest in preserving evidence during investigations into criminal activity.
“[The phones] have no value in and of themselves at the moment. Their value for a criminal prosecution will only be realized if the passwords are cracked and evidence of an offence is uncovered on them,” he wrote.
“From a property perspective,” he added, “phones have value as a tool.”
He said the police needed to show that the further holding of the phones is “warranted.”
“In my view, the evidence on this application establishes that further detention of the phones is not warranted because there is little hope that the passwords will be cracked in a reasonable period of time.”
Justice Carter said the odds of the police cracking the codes of the phones were “so incredibly low as to be virtually non-existent.”
‘Complex Passcodes’
Uncovering complex-alpha-numeric passcodes can only be done through “a brute force process,” Justice Carter said in the court decision. He wrote that Ottawa Police used what’s called a “dictionary attack” to try and “guess” the passcodes. The method uses a specialized software application that relies on a pre-set word list and simply selects words one at a time from the list to try and unlock a device.
These passwords are generally limited to common English words along with some special characters and are created via the use of what’s called “Leet” speak, where letters are replaced with numbers or special characters, the judge wrote. For example, “fear” becomes “f34r”, “leet” becomes “l33t,” and “Alert” becomes “@lert.”
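The substitutions described above, seen from the side of someone setting a passcode policy: this is an added example, not taken from the court decision or the article, that reverses common "Leet" substitutions and flags a passcode that reduces to a word-list entry. The substitution table, the small word list, the cap on readings and the function names are all constructed for illustration.

```python
from itertools import islice, product

# Constructed substitution table: each "Leet" character maps to the letters it
# commonly stands for. Ambiguous characters such as "1" have several readings.
LEET = {
    "4": "a", "@": "a", "3": "e", "0": "o",
    "5": "s", "$": "s", "7": "t", "1": "il", "!": "i",
}

# Constructed stand-in for a real word list (assumption: lower-case entries).
WORDLIST = {"fear", "leet", "alert", "password"}

# Cap on the readings tried per passcode, so a long run of ambiguous
# characters cannot make the check arbitrarily slow.
MAX_READINGS = 4096


def readings(passcode):
    """Yield plain-letter readings of a passcode, lower-cased."""
    # Characters that are not in the table stand for themselves.
    options = [LEET.get(ch, ch) for ch in passcode.lower()]
    for combo in islice(product(*options), MAX_READINGS):
        yield "".join(combo)


def dictionary_match(passcode, wordlist=WORDLIST):
    """Return the word-list entry the passcode reduces to, or None."""
    for candidate in readings(passcode):
        if candidate in wordlist:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample passcodes: the article's three examples, one
    # ambiguous spelling, and one that matches nothing in the list.
    for sample in ["f34r", "l33t", "@lert", "1337", "xK9#qT2v"]:
        hit = dictionary_match(sample)
        verdict = "reject, reduces to '%s'" % hit if hit else "no word-list match"
        print("%-10s %s" % (sample, verdict))
```

A passcode that this check rejects is one that a word-list-based guesser with the same substitution rules would also reach, which is the only kind of guessing the decision describes as having been attempted.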
Justice Carter said that, in making his order, he was not putting a time limit on the investigation, as he said it could continue even without the phones.