Apple's Fingerprint ID And How It May Take Away Your 5th Amendment Right To Protect Your Data

from the these-things-have-consequences dept

There was plenty of discussion about how Apple's new fingerprint ID biometric system on the new iPhones might help the NSA build a giant database of fingerprints, but others quickly pointed out how unlikely that was. Some have even argued that it could lead to greater privacy protection (though, others are reasonably concerned since you can't "change" your fingerprint if someone figures out a way to hack it -- and fingerprint readers have been hacked many times in the past).

However, there are additional concerns, such as how relying on fingerprint scans over passwords might remove your ability to use the 5th Amendment to protect your private data. As we've discussed a few times, while not all courts agree, some have ruled that you can't be forced to give up your passwords to unencrypt your data, because it could be seen as a 5th Amendment violation of self-incrimination. However, with a fingerprint, the issue is slightly different than with a password. As the EFF's Marcia Hoffman explains:

The privilege against self-incrimination is an important check on the government’s ability to collect evidence directly from a witness. The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding “civil or criminal, formal or informal,” where answers might tend to incriminate us. It’s a constitutional guarantee deeply rooted in English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors to force them to divulge information that could be used against them.

For the privilege to apply, however, the government must try to compel a person to make a “testimonial” statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody — not even a judge — can force the witness to give that information to the government.

But a communication is “testimonial” only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.

It does seem odd that a simple switch from a password to a fingerprint could have constitutional implications, but welcome to the world where the law and the technology don't always match up perfectly together.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 5th amendment, fingerprint, fingerprint reader, iphone, passwords, privacy, security
Companies: apple


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:17pm

    Fingerprint use is kind of cool but it clearly runs into problems like this.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:28pm

    Confused

    Ok - maybe I'm being dense here, or maybe my knowledge of Constitutional Law is severely lacking, but could someone give me a practical example of how this comes in to play in regards to a Fingerprint ID on a iPhone?

    Is it like a Mission Impossible scene where feds/police could lift your prints off your phone and 'hack' in? Or can they force you to unlock your phone using Fingerprint ID since the law makes fingerprint swiping different from password entering?

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:29pm

    Re: Confused

    Read the linked article and you won't ask stupid questions.

    link to this | view in thread ]

  4. identicon
    Anonymous, 13 Sep 2013 @ 2:35pm

    Nobody's forcing you to use an iPhone...yet.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:36pm

    What could possibly go wrong?

    I don't like the idea of any password that's unchangeable.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:47pm

    Re:

    Nobody's forcing you to buyan iPhone...yet.

    FTFYYW

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:49pm

    Fingerprint passwords should at most, only be used as two-factor authentication. So not only would you need the person's fingerprint, but also a separate alphanumeric password.

    Although, I'm the type of person who doesn't like to give my biometric data to corporations and governments. So I wouldn't use fingerprint passwords myself.

    Plus, no doubt Apple's fingerprint password system is closed source and proprietary. Which makes me trust it's security even less.

    Also, once Apple's massive fingerprint database is broken into. Your fingerprint password probably won't even function very well as a two-factor authentication protocol at that point.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:50pm

    Nothing to see here...

    Please move along and buy your iPhone. Your dataz is protected by NSA advanced security, not even Snowden will getz your dataz.

    link to this | view in thread ]

  9. icon
    btr1701 (profile), 13 Sep 2013 @ 2:51pm

    > The privilege against self-incrimination is
    > an important check on the government's ability
    > to collect evidence directly from a witness.

    This is a fundamental misstatement of the law.

    The 5th Amendment checks the government's ability to collect evidence from the *defendant*. Witnesses have no 5th Amendment protection or right to remain silent. They can and often are compelled to provide all manner of testimony against their will.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:53pm

    Re:

    That's why the bad guys are okay with killing witnesses.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:56pm

    Re: Re:

    That is next on Obama's list of things do to.

    You don't wanna buy iPhone with GeoLocation and Finga prints scannerz? No Problem, we will charge you a TAX and use that TAX monies to get you the iPhone plus someone else one too.

    I gotz this!

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 13 Sep 2013 @ 2:57pm

    Re: What could possibly go wrong?

    Sure you can change the password... literally start using your middle finger.

    link to this | view in thread ]

  13. This comment has been flagged by the community. Click here to show it
    identicon
    out_of_the_blue, 13 Sep 2013 @ 3:02pm

    Why does MH refer to a "privilege", when it's a fundamental right?

    Since repeated and so obviously against "lay" usage, has to be some sort of lawyer trick.

    Anyhoo, so what's your position on either my question or Apple or implications here, Mystery Mike? We're ALL interested in you actually stating a position that you hold and will defend from now on.

    link to this | view in thread ]

  14. identicon
    Anonymous, 13 Sep 2013 @ 3:03pm

    Re: Re:

    WTF ever.

    link to this | view in thread ]

  15. icon
    G Thompson (profile), 13 Sep 2013 @ 3:15pm

    Re:

    Is there many people outside the continent of North America that actually use iPhones anymore?

    Fingerprint scanning (and this isn't really fingerprint scanning as LEO's et.al use it) isn't really a good biometric anyway since unless Apple are reading more than 1 fingerprint of one finger it's even less secure than a 4 digit password (9999 combinations).

    But hey if you want to use fingerprint's, that aren't considered by most courts to be reliable anymore (especially with only 1 finger), to secure your phone.. go right ahead

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 13 Sep 2013 @ 3:21pm

    Re:

    Also, once Apple's massive fingerprint database is broken into. Your fingerprint password probably won't even function very well as a two-factor authentication protocol at that point.

    Hopefully the fingerprint is stored on the device, otherwise a network based attack to unlock is possible, and requires giving the correct response to a fingerprint check, and not knowing the fingerprint.
    A slight problem if faking a finger to fool a reader becomes easy to do, guess where a set of fingerprints is probaly available? You got it, on the protected device.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 13 Sep 2013 @ 3:25pm

    Re: Confused

    A judge could order you to unlock the phone with your fingerprint. If you don't, you go to jail until you do. You stay there until you comply.

    link to this | view in thread ]

  18. identicon
    Reader, 13 Sep 2013 @ 3:48pm

    I don't see any reason why a repeatable finger decal, or fabric couldn't be used as a substitute for those who wanted to safely use this feature. Granted it's not as immediately accessible as a natural finger, but it could be somewhat conveniently stored somewhere, apart from the phone. It obviously defeats the convenience aspect of this, but with a passcode, it adds two stage authentication without compromising biometric details.

    link to this | view in thread ]

  19. icon
    Jeffry Houser (profile), 13 Sep 2013 @ 4:06pm

    For the Record....

    Just for the record; there have been some reports that the Apple system does not use Fingerprints instead of passwords; but in addition to them. You'll need a password after the unit is restarted and if the unit has been inactive for a certain amount of time.

    I also got the impression from one article that you could set it up so the wrong fingerprint will wipe the phone; which sounds dangerous to your data.

    link to this | view in thread ]

  20. icon
    Richard (profile), 13 Sep 2013 @ 4:06pm

    Coming home drunk

    ..getting the munchies ... turning on the hotplate ... staggering over to the fridge.. and back ... losing balance.. both hands on the stove to save yourself.

    Arrgh apart from the pain NO FINGERPRINTS ... locked out of all devices.

    This is not fantasy .. it actually happened to someone at about 3 degrees separation from me.

    link to this | view in thread ]

  21. icon
    t3rminus (profile), 13 Sep 2013 @ 4:25pm

    Re: Re:

    Actually a 4-digit password only has 6,561 possible combinations, whereas a fingerprint is close to infinite, since it's really comparing sections of a large bitmap.

    What's more likely is that someone will find a way to fool the fingerprint scanner-- with an object (mold/photo/gel/etc), by hacking how the scanner communicates with the device, or by breaking the software on the device itself.

    link to this | view in thread ]

  22. icon
    t3rminus (profile), 13 Sep 2013 @ 4:27pm

    Re: Re:

    Apple has already stated the fingerprint is stored in the "secure cryptographic vault" section of the A7 chip, which is also used for passcodes and certificates, and that it never leaves the device.

    The NSA could probably use their backdoors to get at it, but then again, they can get your passcode, too...

    link to this | view in thread ]

  23. icon
    t3rminus (profile), 13 Sep 2013 @ 4:29pm

    Re: For the Record....

    The wrong passcode can already wipe your phone-- don't lend your passcode-protected iPhones to friends who don't know the passcode. It will end in disaster.

    link to this | view in thread ]

  24. icon
    Christopher Smith (profile), 13 Sep 2013 @ 4:43pm

    Not a new issue

    This certainly is an interesting edge case, but it's not new one. Established law in the US has been that courts can compel production of the key to a safe but not divulging a combination; this is just a logical extension to new sorts of "safes".

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 13 Sep 2013 @ 4:43pm

    It's only a matter of time...

    ...until malware -- quite likely from Apple's own app store -- infests iPhones and starts quietly exfiltrating fingerprint data.

    Why?

    Because people who (VERY mistakenly) think it's a good idea to attempt to secure their phone with their fingerprint are quite likely the same people who will make the additional mistake of trying to secure other things with their fingerprint.

    The phone and the data it contains may not be particularly valuable or of particular interest -- but the other things might be.

    Whoever does this first and sets up an underground market for fingerprints is going to make a fortune. If they're really smart, they'll not only sell them to thieves and the like, but to every intelligence agency on this planet that's willing to pay -- and they will.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 13 Sep 2013 @ 4:49pm

    Re: Re: Re:

    Apple has already stated the fingerprint is stored in the "secure cryptographic vault" section of the A7 chip, which is also used for passcodes and certificates, and that it never leaves the device.

    Give me a reason to believe this statement.

    Because Apple's nice? Because they're cool? Because they're trendy? Because the friendly ghost of Steve Jobs said so?

    Why, EXACTLY, should anyone believe that Apple is telling the truth here? Where is the hard, cold, independently-verifiable evidence, including all the source code, the schematics, everything?

    Consider carefully: they're producing a product that will likely sell in the millions. (The fanboys/girls are already all over it.) It includes a device that captures biometric data. That is the wet dream of every intelligence agency in the world. Do you really think that this is an accident? Or that they'll just sit in their monolithic quasi-anonymous buildings, watch Apple do this, and do NOTHING?

    This (fingerprint) data has enormous value. Therefore there will be buyers, and there will be sellers. It's inevitable. It's only a question of what price will be paid and how the exchange will take place.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 13 Sep 2013 @ 5:03pm

    Re: Re: Re:

    No - no ... that is what the ObamaPhone is all about

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 13 Sep 2013 @ 5:33pm

    In Africa, there was an organization going around and scanning the eyes of low income people. There were gathering huge amounts of biometrics data from them.

    In return for allowing themselves to be scanned, they received some sort of food 'smartcard' for food.

    All I remember is that, it seemed to be white people doing the biometric eye scans. There was this elderly African woman who looked confused, like she found the whole thing incredibly intrusive, degrading, and even frightening.

    The excuse for all these eye scans was, "To cut down on food fraud".

    There seems to be huge money in biometrics data, if a group of foreigners are flying all the way to Africa to exploit the native people there.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 13 Sep 2013 @ 5:51pm

    Re: Re: Re:

    One has to remember the digits and their order, so there is a mental element to it that is being argued as testimonial and protected by the 5th Amendment. Of course, there is also a mental element to a finger print used in this manner. You have to form and mentally communicate which finger has the correct print. Of course, the more fingers you have the more testimonial the expression.

    link to this | view in thread ]

  30. icon
    Graham J (profile), 13 Sep 2013 @ 7:34pm

    No.

    The scanner on the iPhone uses optics and RF, it won't be fooled by photos, gummi bears or cut off fingers. The stored scan data is more like a hash than an image; the NSA hacking your phone and grabbing that data doesn't do them much good.

    As for the tinfoil hats, Apple is a hardware and services company, they have little incentive to steal your data or allow it to be stolen. As opposed to, say, a mobile operating system developer who is also the world's largest ad network.

    link to this | view in thread ]

  31. identicon
    Rekrul, 13 Sep 2013 @ 10:10pm

    Re: Re: Re:

    Actually a 4-digit password only has 6,561 possible combinations...

    Am I missing something? Assuming you use only numbers, a four-digit passcode can be any number from 0000 to 9999, which makes 10,000 possible combinations. If you also include letters, the number of possible combinations rises to over 400,000.

    link to this | view in thread ]

  32. identicon
    alternatives(), 14 Sep 2013 @ 4:08am

    Re: No.

    As for the tinfoil hats, Apple is a hardware and services company, they have little incentive to steal your data or allow it to be stolen.

    Yes, no incentive to have stolen what they could instead sell.

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 14 Sep 2013 @ 6:45am

    i suppose the ones who didn't think this was a big deal were the likes of Obama, Clapper, and General Alexander? this is the biggest invasion of privacy ever! yes, it's good to have a way that no one other than the owner can use this piece of equipment, but is they cant already, it will probably be only minutes before all the various security agencies in the USA if not everywhere else as well, will know the ins and outs of a ducks ass on every single solitary person that owns the device. and i bet that it wouldn't stop there, either. once the equipment was activated by the owner logging in or whatever, everyone that even handled the device would be logged as well!! there would soon be absolutely no privacy whatsoever! people would be arrested as soon as they logged on to a site without even doing anything! imagine that for a minute!!

    link to this | view in thread ]

  34. identicon
    Shon Gale, 14 Sep 2013 @ 7:22am

    I have always passed ion Apple Tech. Just another reason to continue. Didn't IBM do this already? I mean really it didn't take off there either.

    link to this | view in thread ]

  35. identicon
    Pat, 14 Sep 2013 @ 7:24am

    Re: Confused

    Facepalm...

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 14 Sep 2013 @ 11:07am

    Re: No.

    As for the tinfoil hats, Apple is a hardware and services company, they have little incentive to steal your data or allow it to be stolen. As opposed to, say, a mobile operating system developer who is also the world's largest ad network

    Other than the fact the US government can compel them to give it to them. It's also more than a little insulting to call us tinfoil hats when all we are saying is that the government has the authority to get the information.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 14 Sep 2013 @ 11:50am

    Thanks, Apple.

    link to this | view in thread ]

  38. icon
    hopponit (profile), 14 Sep 2013 @ 1:23pm

    Fingerprint

    Two points. I'm a vet., the gov. has had my prints on file since the '70s. They don't need to do much snooping to find my prints. Second point. The recent revelation that the gov. told their people to cover-up where they got leads in drug cases and such. Would the gov.agencies look at our data and files without a warrant then fudge the truth about where they got their evidence?

    link to this | view in thread ]

  39. icon
    Rapnel (profile), 14 Sep 2013 @ 5:00pm

    Re: Re: Re:

    Wait, what? Incrementing from 0 to 9999 gives us 10k.

    ... teh Internets. Day ahr so much funnies sum todays.

    link to this | view in thread ]

  40. icon
    Rapnel (profile), 14 Sep 2013 @ 5:07pm

    Re: Fingerprint

    Only if you have something to hide OR someone else has something to gain.

    ...

    I might have that backwards too. Yes, I'm sure of it.

    link to this | view in thread ]

  41. icon
    JMT (profile), 14 Sep 2013 @ 6:13pm

    Re: Re: Re: Re:

    "Give me a reason to believe this statement."

    Because lying about something like this in such a public manner would be an extremely stupid commercial decision, and Apple make very few of those.

    link to this | view in thread ]

  42. identicon
    Никто, 14 Sep 2013 @ 7:36pm

    Re: Re: Re: Re: Re:

    You are one of those brainless trogs who believes the invisible hand is a tangible entity, aren't you?

    More to the point: staying out of jail and/or being allowed to continue to do business in the U.S. isn't a "stupid commercial decision"; if the powers that be want this data, they will get it and Apple will not be able to stop them.

    But you're missing a more important point: people who are stupid enough to buy Apple products (yes, I mean it, every single one of you) are also stupid and short sighted enough to forget about the hypothetical uproar over the discovery that Apple disclosed biometric data to the gov't . . . the second they sell a newer, shinier toy for you to play with.

    link to this | view in thread ]

  43. identicon
    Никто, 14 Sep 2013 @ 7:39pm

    Re: Re: No.

    I think at this point in the game, anyone using the phrase "tin foil hats" for anything short of bald-faced assertions that Obama is a lizard person and/or has personal telepathy and is stealing their OMG SECKRITZ can safely be written off as a shill, troll, or hopelessly insane.

    link to this | view in thread ]

  44. icon
    Daemon_ZOGG (profile), 14 Sep 2013 @ 9:58pm

    Apple's Fingerprint ID, And How It May Take Away Your 5th Amendment Right..

    If they have your finger print (and yes, they do). Then anything is possible. Apple can do with whatever they want with YOUR finger print. So can the blackhat Apple software hackers, who hack Apple's systems. So can the NSA. Wink, wink, say no more. :P (i.e your screwed for using Apple products. And not using OpenSource resources).

    link to this | view in thread ]

  45. identicon
    Anonymous Coward, 15 Sep 2013 @ 1:17am

    Re: Re: For the Record....

    It will end in hilarity.

    I would be borrowing my friends iPhones all the time if it did this. Mind you they may not want to be my friends for much longer, still probably worth the laugh.

    link to this | view in thread ]

  46. icon
    Corwin (profile), 15 Sep 2013 @ 7:37am

    It's all falling into place

    and you're not realizing it.

    This world is headed towards total transparency. Some day, you WILL have everyone's total life at your fingertips.

    And everyone will have yours.

    Reality is open. Laws are beneath meaningless. If you CAN deploy enough sensors, you CAN know everything. No matter what fiction you believe in, no matter how many others believe in it with you : that is reality, and reality can be measured.

    That is a GOOD thing. Trust-free society. Everyone's karma projected right on their faces by technology.

    It will be the mirror of humanity. It will scream in its face "THIS IS WHAT YOU ARE".

    I can't wait.

    link to this | view in thread ]

  47. identicon
    Slicerwizard, 15 Sep 2013 @ 1:57pm

    6561 Combinations

    t3rminus thinks we only have 9 digits (numbers, not fingers!) to choose from (9x9x9x9=6561)

    Why he thinks that, I dunno. No zeroes in his world?

    link to this | view in thread ]

  48. identicon
    Anonymous Coward, 16 Sep 2013 @ 3:17am

    Re: Why does MH refer to a "privilege", when it's a fundamental right?

    We're ALL interested in you actually stating a position

    ..no we're not.

    link to this | view in thread ]

  49. icon
    Ninja (profile), 16 Sep 2013 @ 4:07am

    Re:

    Although, I'm the type of person who doesn't like to give my biometric data to corporations and governments.

    You can't opt out from giving your fingerprints to the govt last time I checked ;)

    link to this | view in thread ]

  50. identicon
    Reader, 16 Sep 2013 @ 9:03am

    Re: No.

    This is exactly the case. The authentication software generates a map of key points in the print, not a stored image of it, (where an exact image would be far more demanding to match). I don't see any way for the stored coordinates from this map to be reassembled into an actual print. I'm not sure it can't be fooled by other finger facsimiles however, unless you know of a reason why.

    link to this | view in thread ]

  51. icon
    limbodog (profile), 16 Sep 2013 @ 9:37am

    Re: Confused

    You can't be forced to give up your password to your phone (except, of course, when you can), but you have no protections over your fingerprints, so they could just replicate your fingerprint and open your phone's documents without your approval.

    link to this | view in thread ]

  52. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:16am

    Re:

    I think are mistaken:
    The 5th amendment actually states: nor shall be compelled in any criminal case to be a witness against himself"

    link to this | view in thread ]

  53. icon
    Sheogorath (profile), 18 Oct 2013 @ 9:07pm

    Re: Re: Re: Re:

    It's a ReaganPhone, actually.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.