When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?
from the a-non-testimonial-appendage? dept
FBI Director James Comey is still complaining about encryption but it doesn't seem to be preventing law enforcement from accessing devices. To date, law enforcement has paid hackers to break into a phone, had an iPhone owner suddenly "remember" his password, seen a person jailed for 7 months (so far) for refusing to provide a password and, now, a law enforcement agency has used a warrant to force a suspect to unlock an iPhone using a fingerprint.
[A]uthorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.The mostly-unanswered question is whether this violates the Fifth Amendment by forcing a person to provide evidence against themselves. (Not that due process was at the forefront of law enforcement's mind in this case. Or the magistrate judge's either. Jonathan Zdziarski points out the warrant was obtained within 45 minutes of the suspect being arrested -- not even enough time to bring in a lawyer.) While the law allows police to collect data from detained individuals -- including fingerprints -- it doesn't say much about physically applying someone's finger to their phone to unlock its contents.
The concern that fingerprint "passwords" would be less insulated against court orders and warrants was brought up here more than two years ago, shortly after Apple announced the new security feature. Biometric data isn't something anyone "knows" that could be considered "testimonial." It simply is an indicator of who you are, which courts have held isn't covered under Fifth Amendment protections against self-incrimination.
The additional concern is that law enforcement may have also used this Fifth Amendment workaround to obtain information on a separate suspect. The LA Times article adds these details to the general murkiness:
Why authorities wanted [Paytsar] Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan's boyfriend and a member of the Armenian Power gang with the moniker of "40." Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.Bkhchadzhyan was arrested and pled no contest to one count of identity theft. But the US Attorney's comment seems to imply law enforcement was looking for more than just evidence on Bkhchadzhyan when it searched the phone. If so, it raises even further questions about the constitutionality of this particular warrant, which may have forced this suspect to provide evidence against someone else.
The only prior case to raise this issue isn't very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers "testimonial" and what is merely providing access.
In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one's mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.But does that line even exist? It's difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple's Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these "keys" in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.
It's not like withholding passwords will work in all cases either. Those who aren't jailed for contempt of court may instead find judges deciding that providing a password to law enforcement isn't a "testimonial" act on its own. The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their "foregone conclusion" justifications. After all, if a locked device didn't contain evidence of criminal activity, any "reasonable" person would have provided a password without hesitation.
It's a stretch of an argument though -- considering the prosecution needs to provide evidence it knows the stuff it's looking for resides on the devices, which is something extremely difficult to prove when the device is fully encrypted.
The limits of the Fifth Amendment's protections against self-incrimination are far from clearly defined when it comes to encrypted devices.. This leaves the security question in the hands of each individual user. Your choice of security method depends on who you're more worried about having access to your phone. If it's phone thieves, then a fingerprint might do. But if it's the government, use a password.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 5th amendment, encryption, fingerprint, fingerprint swipe, id, paytsar bkhchadzhyan, self incrimination, sevak mesrobian, touch id
Reader Comments
Subscribe: RSS
View by: Time | Thread
I guess I have a yearning for the olden days, when the screws would just beat the info out of me with truncheons and brass knuckles.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
"Foregone Conclusion"
By that logic, if a home didn't contain evidence of criminal activity, any "reasonable" person would provide permission for warrant-less searches without hesitation.
Yeah, I don't think so. That's quite a stretch.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Pronounce the DZ like the J in JAM.
I'm not even Armenian but I'm pretty sure that's it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Laws about this
[ link to this | view in chronology ]
Re: Laws about this
[ link to this | view in chronology ]
Re: Re: Laws about this
[ link to this | view in chronology ]
Re: Laws about this
[ link to this | view in chronology ]
duh
[ link to this | view in chronology ]
Re: duh
[ link to this | view in chronology ]
Re: Re: duh
[ link to this | view in chronology ]
Re: Re: Re: duh
[ link to this | view in chronology ]
Re: duh
[ link to this | view in chronology ]
Re: Re: duh
[ link to this | view in chronology ]
Re: Re: Re: duh
[ link to this | view in chronology ]
Re: Re: Re: duh
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Defense lawyers need to smarten up.
[ link to this | view in chronology ]
The line exists.
So long as our laws are so numerous that it's impossible to know or follow them, so long as law enforcement can arrest people for what they imagine to be crimes, so long as prosecutory discretion allows officials to choose to convict some people and not others arbitrarily, I say the individual citizen needs all the protects it can get.
In the meantime you never want a part of your body worth more to someone than you are.
[ link to this | view in chronology ]
They can already get fingerprints, DNA, hair and blood...
So, the lesson is don't use just biometrics for critical security. Things you can't change and can't insure control over are not sufficient to insure that only you or people you willingly authorize will have access.
[ link to this | view in chronology ]
Plausible Deniability
If you have secrets you want to keep private don't use biometrics/physical keys/etc to protect them.
Forcing someone to give up a password is wrong. First you can't prove they remember it and 2nd you can't force someone to testify against themselves. Attempting to force someone to reveal knowledge that they can plausibly deny having any knowledge of is wrong.
[ link to this | view in chronology ]
Re: Plausible Deniability
Both of these are reasonable, and they can't prove intent here.
[ link to this | view in chronology ]
Of the mind
Come on girl, hold up your ten fingers and say "here".
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Place finger on hotplate.
(go straight to hospital - but your phone is now locked forever)
[ link to this | view in chronology ]
Re: Re:
The results were temporary. They grew back.
[ link to this | view in chronology ]
Re:
Fingerprint authentication is a terrible idea on all fronts. It's not very secure, it can't be easily changed or revoked when desired, and you can suffer many kinds of injuries that will alter your prints.
[ link to this | view in chronology ]
Is it a testamonial act?
By unlocking the device - no matter the method used - you are implying that you had control over or authority to use the device and by extension, what was or was not on that device.
[ link to this | view in chronology ]
Re: Is it a testamonial act?
The state is only governed by what it can do.
That said, yes, a phone opened by compulsion without a specific warrant should be inadmissible for any reason.
Not that we can expect that to happen in this society.
[ link to this | view in chronology ]
Re: Re: Is it a testamonial act?
The state is only governed by what it can do."
^ So much this. They see tech development as specifically FOR them.
[ link to this | view in chronology ]
Re: Re: Is it a testamonial act?
It's a good thing they got a warrant then, isn't it?
[ link to this | view in chronology ]
Re: Re: Re: Is it a testamonial act?
[ link to this | view in chronology ]
Re: Re: Re: Is it a testamonial act?
Such as a warrant to get a specific contact, not a warrant to search her email archives for something with which to incriminate her.
[ link to this | view in chronology ]
Re: Is it a testamonial act?
The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone - they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.
If her fingerprint does in fact unlock the device - well, perhaps that's evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it's pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.
Demanding a password is different; complying with that means admitting that you know what the password is. The woman here doesn't have to admit she knows anything about the phone, just like someone with their prints on a gun doesn't have to admit they know anything about the gun. Also, with fingerprints there's not a problem like there is with a password where the person may legitimately not know (or remember) the password - if her fingerprint doesn't unlock the device, that's that.
[ link to this | view in chronology ]
Re: Re: Is it a testamonial act?
The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone - they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.
>>>I'm not addressing the matter of whether she has a fingerprint or whether she knows how to unlock the phone.
If her fingerprint does in fact unlock the device - well, perhaps that's evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it's pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.
>>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device. Fingerprints on a murder weapon - or anywhere at a crime scene - are a straw man fallacy for this discussion.
Demanding a password is different; complying with that means admitting that you know what the password is.
>>>Yes and no. The fingerprint acts as a password here. In either case, the means of unlocking the device is being demanded.
The woman here doesn't have to admit she knows anything about the phone, just like someone with their prints on a gun doesn't have to admit they know anything about the gun.
>>>Straw man fallacy again.
Also, with fingerprints there's not a problem like there is with a password where the person may legitimately not know (or remember) the password - if her fingerprint doesn't unlock the device, that's that.
>>>Not knowing does not equal not remembering.
>>>Please remember here. We are talking about a woman being ordered to unlock a device. It doesn't matter how the device is locked. It only matters that a) the device is locked; b) the cops think (or perhaps know) she has the means to unlock it; and c) the cops want the device unlocked. By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device; she is, in effect, saying 'I use or can access this phone' by unlocking for the cops or anyone else.
[ link to this | view in chronology ]
Re: Re: Re: Is it a testamonial act?
>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device.
Yes, if your fingerprints can unlock the device, that's evidence that you have some control over the device. Just like if your fingerprints are on the outside of the device, that's evidence that you had some contact with the device. How is that a straw man?
Why does it matter whether the fingerprints are on the outside of the device, or in the software?
[ link to this | view in chronology ]
Re: Re: Re: Re: Is it a testamonial act?
Here, the cops are arguing that the phone contains direct evidence - maybe pictures, maybe notes, maybe messages - that show that she was involved in the commission of crimes. They're looking for the equivalent of a video recording or pictures of the woman pulling the trigger.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Is it a testamonial act?
It absolutely is "evidence"; that's going to be Exhibit A. It's not "proof", though. She can argue the gun was planted. Just like she could argue her fingerprint was planted or the content on the phone was planted.
Well, in THIS case it's unclear - they most likely want information on her gang member boyfriend. But I admit that doesn't matter much, since they COULD use it against her. One way they could solve this is to give her immunity, but they don't want to do that, so it's perfectly logical for her to assume they'd use it against her.
You seem to think that you can't be forced to provide the means to unlock something that contains evidence against you. But under current law, you absolutely can. If the key to a strongbox is around your neck, the police can take that key from you and unlock the strongbox. If you've swallowed the key, they can use doctors to forcibly get it out of your body one way or another. And if your finger is the key to your smartphone, they can use that finger to unlock your it.
What they can't make you do is admit that you know HOW to open the thing. Because that would be an actual admission. And if your fingerprint unlocks a phone, that might be evidence that you're connected to the phone, but it's not an admission of anything - maybe someone put your finger on the phone while you were asleep.
[ link to this | view in chronology ]
Crappy Workaround
Use an unusual finger for your phone's lock.
Set the "lock after x unsuccessful attempts" to 3
Then have it fall back to a password
When compelled by the court, use the wrong fingers three times. Oops, sorry, FBI. My bad. Problem solved.
[ link to this | view in chronology ]
Re: Crappy Workaround
[ link to this | view in chronology ]
And fingerprints are, while very convenient, a method of identification. There's a reason why "something you are" is less popular as a security paradigm than "something you have" and "something you know." It's the only one that you don't actually have any control over (both legally and practically).
[ link to this | view in chronology ]
So in effect you have no laws, only goons with badges and guns
[ link to this | view in chronology ]
It is a serious mistake for anyone to conflate a choice with an obligation. A person is afforded the Rights recognized by our Bill of Rights first. This being the case, waving such rights cannot ever be an obligation of a citizen. To think otherwise is a fast track to a Police State that cares not a wit for the Constitution of this country.
[ link to this | view in chronology ]
I'm Thinking Tasker
Of course, one could have a fingerprint set to factory reset but, I wouldn't want to deal with the legal consequences of a destruction of evidence charges.
[ link to this | view in chronology ]
Re: I'm Thinking Tasker
If you're being forced to tell them, "No not that finger.", or "Turn the finger sideways first", then there is a 5th amendment issue.
[ link to this | view in chronology ]
Simple technical fix
Two passwords.
Password 1 - your real data is decrypted.
Password 2 - your real data is wiped and replaced by an "innocent" substitute.
Modern devices generally have enough spare space for both.
[ link to this | view in chronology ]
Re: Simple technical fix
That way there's plausible deniability that it's actually data.
[ link to this | view in chronology ]
Unchangeable Password?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Giving the 5th Amend the Finger
[ link to this | view in chronology ]
Counsel
> enforcement's mind in this case. Or the magistrate
> judge's either. Jonathan Zdziarski points out the warrant
> was obtained within 45 minutes of the suspect being
> arrested -- not even enough time to bring in a lawyer.
WTF? Due process has *never* required the police wait to apply for a warrant (or the judge to wait to grant one) until the subject/defendant's lawyer shows up at the warrant application hearing.
In fact, that almost *never* happens.
[ link to this | view in chronology ]
Incrimination
> constitutionality of this particular warrant, which may
> have forced this suspect to provide evidence against
> someone else.
That's actually less of a constitutional issue. While you do have a 5th Amendment right against self-incrimination, absent something like spousal privilege-- which isn't a constitutional issue-- you have *no* right whatsoever to be free from incriminating others. If you have evidence that can be used to help the government's case against someone else, you can be compelled to provide it. Period. And nothing in the Constitution protects you from that.
[ link to this | view in chronology ]