State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn't Violate The Fifth Amendment
from the giving-The-Man-the-finger-no-longer-subversive;-actually-helpful dept
As was hinted heavily three years ago, you might be better off securing your phone with a passcode than your fingerprint. While a fingerprint is definitely unique and (theoretically...) a better way to keep thieves and snoopers from breaking into your phone, it's not much help when it comes to your Fifth Amendment protections against self-incrimination.
The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more "testimonial" than a blood draw, police lineup appearance, or even matching the description of a suspected criminal. (h/t Orin Kerr)
Diamond relies on In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), to support his argument that supplying his fingerprint was testimonial. In In re Grand Jury, the court reasoned that requiring the defendant to decrypt and produce the contents of a computer’s hard drive, when it was unknown whether any documents were even on the encrypted drive, “would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Id. at 1346. The court concluded that such a requirement is analogous to requiring production of a combination and that such a production involves implied factual statements that could potentially incriminate. Id.
By being ordered to produce his fingerprint, however, Diamond was not required to disclose any knowledge he might have or to speak his guilt. See Doe, 487 U.S. at 211, 108 S. Ct. at 2348. The district court’s order is therefore distinguishable from requiring a defendant to decrypt a hard drive or produce a combination. See, e.g., In re Grand Jury, 670 F.3d at 1346; United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010) (holding that requiring a defendant to provide computer password violates the Fifth Amendment). Those requirements involve a level of knowledge and mental capacity that is not present in ordering Diamond to place his fingerprint on his cellphone. Instead, the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing.
Of course, it's what's contained in the now-unlocked device that might be incriminating, which is why Diamond pointed to In re Grand Jury as being analogous to the forced provision of a fingerprint. The court's rebuttal of this argument, however, doesn't make a lot of sense. It says the process that unlocked the device requires no knowledge or mental capacity -- which is certainly true -- but that the end result, despite being the same (the production of evidence against themselves) is somehow different because of the part of the body used to obtain access (finger v. brain).
In recounting the obtaining of the print, the court shows that some knowledge is imparted by this effort -- information not possessed by law enforcement or prosecutors.
Diamond also argues that he “was required to identify for the police which of his fingerprints would open the phone” and that this requirement compelled a testimonial communication. This argument, however, mischaracterizes the district court’s order. The district court’s February 11 order compelled Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cell phone.” At the April 3 contempt hearing, the district court referred to Diamond providing his “thumbprint.” The prosecutor noted that they were “not sure if it’s an index finger or a thumb.” The district court answered, “Take whatever samples you need.” Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.”
This is something only Diamond would know, and by unlocking the phone, he would be demonstrating some form of control of the device as well as responsibility for its contents. So, it is still a testimonial act, even if it doesn't rise to the mental level of retaining a password or combination. (And, if so, would four-digit passcodes be less "testimonial" than a nine-digit alphanumeric password, if the bright line comes down to mental effort?)
Given the reasoning of the court, it almost appears as though Diamond may have succeeded in this constitutional challenge if he had chosen to do so at the point he was ordered to produce the correct finger.
It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints. The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information. There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question. Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated.
And so, in first decision of its kind for this Appeals Court, the precedent established is that fingerprints are less protective of defendants' Fifth Amendment rights than passwords.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: fifth amendment, fingerprints, minnesota, self-incrimination
Reader Comments
Subscribe: RSS
View by: Time | Thread
Fuck it
[ link to this | view in chronology ]
Re: Fuck it
(I've been asked to stop.)
[ link to this | view in chronology ]
Re: Fuck it
[ link to this | view in chronology ]
Re: Re: Fuck it
[ link to this | view in chronology ]
Re: Re: Fuck it
Can't wash off this thing for days.
[ link to this | view in chronology ]
If forcing a fingerprint is just like a blood draw, it's not like you *have* to tell them which finger is the correct one.
[ link to this | view in chronology ]
Re:
Middle finger. It's always the middle finger.
[ link to this | view in chronology ]
Search, not testimony
That the device itself contains incriminating evidence is irrelevant; as you could not prevent an authorized search of your home, you similarly cannot prevent an authorized search of your device.
On the other hand, if the government then attempted to use the fact of your being able to unlock the device as evidence that you owned it, after you were compelled to do so, that would be a violation of the 5th Amendment.
[ link to this | view in chronology ]
Re: Search, not testimony
Some may disagree with your first sentence. News of the Weird has featured a couple stories over the years where drugs were found during a cavity search.... and the cavity owner denied being the drug owner. No sir, not theirs.
No doubt their defense relied on "alternative facts."
[ link to this | view in chronology ]
Re: Search, not testimony
There's a difference, and while it may seem like splitting hairs I'd say that anything can make or break a case is important, between "We're pretty sure that the phone/device is the property of the accused and they have access to it's contents" and "We have rock-solid evidence that is theirs and they do have access to the contents." The first might be admissible depending on the judge, and even then they still have to make the link between the evidence found on the device and the accused, the latter would definitely be admissible and the link is trivial to make.
As for the second point I'd say the difference is between not being able to prevent an authorized search and being forced to enable an authorized search, and in the process provide evidence that wasn't available before.
The comparison kinda breaks down given the difference between houses and phones so this will likely be a little sloppy, but assuming there is incriminating evidence to be found it would be somewhat like police showing up at someone's house and demanding that they tell them where the evidence that will incriminate them is located. In that case the home-owner is not only providing the evidence that will be used against them they're demonstrating that they know where it is, which creates a very strong connection between it and them, a connection which can be used against them in court.
[ link to this | view in chronology ]
Re: Search, not testimony
If the police already know what you did (because of sufficient evidence - of some sort) then it is a "foregone conclusion" that you are guilty. Therefore your confession is not testimony; the government acquires no information through that act that it did not already have, they just need you to sign the paper they have already prepared.
If "foregone conclusions" are good enough, that what do we need trials for, eh?
[ link to this | view in chronology ]
Re: Re: Search, not testimony
- U.S. News and World Report, 10/14/85
[ link to this | view in chronology ]
Re: Re: Re: Search, not testimony
"You don't have many suspects who are innocent of a crime. That's contradictory. If a person is innocent of a crime, then he is not a suspect."
Talk about a perfect example of why the laws either protect the innocent and the guilty, or they protect neither.
If one holds to the idea that the guilty don't deserve the same rights and legal protections as the innocent(an idea I have seen mentioned and/or hinted at several times before), and also believe that if someone is a suspect then they are guilty(or at the least are likely guilty), then simply being accused is enough to strip away rights and protections, which would be a bad idea were law enforcement flawless and never made mistakes, and becomes downright disastrous given that is anything but the case.
[ link to this | view in chronology ]
Re: Search, not testimony
By unlocking the phone, you unlock it's content. As long as it's encrypted, the police doesn't know what's in there. Therefore, unlocking is providing the data.
So the "testimony" you're offering is not that you can unlock the phone, but the content itself.
[ link to this | view in chronology ]
Re: Re: Search, not testimony
So the "testimony" you're offering is not that you can unlock the phone, but the content itself.
I would(and have) argue that it's both actually. It's providing the content and demonstrating that you can access it, creating a link between the content and you, which is something that can be used against you. The most blatantly illegal evidence imaginable isn't any good to the police if they can't establish a connection between it and someone they can charge after all, and being able to unlock the device that that evidence is on establishes that link.
[ link to this | view in chronology ]
Time for a new locking mechanism
1. Create app to wipe phone if compromised
2. ???
3. Profit!
[ link to this | view in chronology ]
Re: Time for a new locking mechanism
[ link to this | view in chronology ]
Re: Re: Time for a new locking mechanism
If that action is not taken within some preset amount of time, say default 48 hours, the real system is destroyed.
[ link to this | view in chronology ]
Re: Time for a new locking mechanism
Now would a fingerprint still have no more testimonial value than a blood draw?
The court should not compare the fingerprint to a blood draw but should compare it to a master key to your entire life history. Now does the fingerprint have testimonial value?
[ link to this | view in chronology ]
Re: Time for a new locking mechanism
[ link to this | view in chronology ]
Re: Re: Time for a new locking mechanism
At best it's an ID, not a password.
[ link to this | view in chronology ]
Re: Re: Re: Time for a new locking mechanism
Darn, I'm going to have to get new DNA!
[ link to this | view in chronology ]
Thinking about it a fingerprint as a password is a stupid way to secure something if you are truly concerned about someone accessing it. All someone needs to do it get to you or put you too sleep. Obviously the U.S. government probably wont do that, but what about a not so friendly friend, jealous lover, bad business partner after a night at the bar. Or foreign intelligence for a activist or generalist. This is not even considering the ways a fingerprint can be forged.
[ link to this | view in chronology ]
What's the point in arguing that they can't take your fingerprint on a phone that they suspect is yours, rather than on their own inkpad?
And, as someone has already figured out, steganography becomes your very good friend, as soon as the software provides for multiple fingerprints opening multiple virtual systems on the same phone.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Solving the world's problems, or at least that which we naturally define as "problems" is far more likely to bring about destruction, as messed up as that is. See: Overpopulation.
[ link to this | view in chronology ]
Simple rule of thumb(or forefinger, or pinky...)
If an act provides access to evidence that can be used against the person required to do the act, then it should count as self-incrimination, and therefore not be allowed.
That it involves a fingerprint rather than a password shouldn't make any difference, the purpose behind the requirement is for the accused to be forced to provide evidence that will be used against them, something that could be trivially demonstrated simply by instituting a 'trade' of immunity for anything found, a requirement you can be sure the police would not accept as it would undermine the whole purpose of forcing the person to unlock the device in the first place.
[ link to this | view in chronology ]
Here, they are doing exactly the same thing. Taking fingerprints, and comparing those prints to prints found at the crime scene. Why should the fact that the prints found at the scene are stored in a digital format make a difference?
Just because you chose to use a stupid and insecure method of maintaining your privacy does not mean that the police/courts must write new policies to make your method secure.
[ link to this | view in chronology ]
Re:
Here, they are doing exactly the same thing. Taking fingerprints, and comparing those prints to prints found at the crime scene. Why should the fact that the prints found at the scene are stored in a digital format make a difference?
Because they're not just 'comparing prints', they're demanding someone provide incriminating evidence against themselves by providing access via prints. If it was really as simple as taking prints then they could take the prints and then turn around and use them on the device if they want, yet they didn't do so.
At the same time if it's not an issue of self-incrimination then they could easily offer immunity from anything found on an unlocked device, yet I don't imagine they'd ever make that offer because it would nullify the reason they are demanding the person unlock the device.
Just because it's easier to force someone to provide self-incriminating evidence and/or violate their privacy does not mean the police/courts get to ignore the rules against such actions.
[ link to this | view in chronology ]
Re: Re:
If it was really as simple as taking prints then they could take the prints and then turn around and use them on the device if they want, yet they didn't do so.
Meh. I guess that's a valid argument. I guess I'm a little too pragmatic for these things. No reason to waste the extra money transferring the prints to a machine readable material when you have the originals.
[ link to this | view in chronology ]
Re: Re: Re:
I see it as a long-term issue. 'We can compel someone to provide prints before, what difference does it make to make them provide them in a way to unlock a device?' might seem fairly minor, but if allowed it will expand.
A little give here, 'just to save time', or 'because it's a foregone conclusion' and what's allowed under the law is widened, ever so slightly. And then a little down the line what's allowable is stretched 'just a little more' and more is allowed. And so on and so forth until you reach a point where the 'limits' are little more than 'guidelines'.
(A good example could be 'asset forfeiture'. As horribly flawed as it is it started rather small and grew over time. I rather doubt the ones who originally put it into place would have envisioned innocent people losing their houses and having to prove the 'innocence' of their property or lose it, yet here we are with government and police agencies throwing fits about the simple requirement for a conviction before property changes hands.)
Rights are very rarely destroyed outright, as that's obvious and people are more likely to fight back. Instead they suffer small erosion over time. 'Minor, temporary exceptions' that bend the laws just a bit, and then the law and/or how it's interpreted changes and the 'temporary exception' becomes the new norm. And then a little while later another 'minor, temporary exception' is made, and the cycle continues until you have more 'minor, temporary exceptions' than you do the original law, and what is allowed and considered acceptable now has only the faintest similarity with what was allowed and considered acceptable then.
[ link to this | view in chronology ]
It's been used for stupider things before...
[ link to this | view in chronology ]
Coming next: Searching houses does not violate your privacy
[ link to this | view in chronology ]
Re: Coming next: Searching houses does not violate your privacy
I'd say don't give them ideas but I have no doubt whatsoever that at least some of them have given serious consideration to that very argument, and hold back not because they don't want it to work but because they don't think it would work just yet.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
There's an app for that!
Imagine if the phone passively monitors the signal strength (not content) of police frequencies. If it detects one of these dangerous signals getting too close to you, the phone goes into a lockdown mode that takes more than a fingerprint to unlock.
[ link to this | view in chronology ]
Re: There's an app for that!
Digital encrypted trunked systems are increasingly popular, making it nearly impossible to determine which talkgroups belong to which users.
In any case, police would learn of such a system just like everyone else. They could unlock the phone between transmissions, drive the phone and owner a few blocks from the police station, or just weaken the signals by tin-foiling the interrogation from into a Faraday cage.
[ link to this | view in chronology ]
"While a fingerprint is definitely unique"
Citation needed.
[ link to this | view in chronology ]
Re:
Oh wait, did you want proof of uniqueness or proof that that statement is garbage?
[ link to this | view in chronology ]
Just need updated unlock features
Unlock with the special finger, phone gets wiped.
So when your being interrogated and the cop says "If you cooperate by unlocking your phone, we will put a good word in for you with the DA, maybe get you a plea deal."
You say "Sure! and proceed to wipe your phone"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Conflating Authorization and Authentication
Biometrics make a great authentication token. It is really difficult (In a properly designed system) to falsify biometric credentials, so when you are authenticated biometrically there is a very low probability of a false positive, and a really good chance that you are the correct person.
Biometrics make a terrible authorization token, because YOU CANNOT CHANGE THEM. Once authorization has been assigned to a biometric is cannot be changed. ever. That's the whole point of biometrics. They are immutable. But authorization DOES NOT NECESSARILY follow from authentication.
Good authorization tokens are passwords and PINs because they CAN be changed, and there are an infinite number of them. You can assign different authorization tokens to different parts of a system. You can see this when you log in to your computer using one password, check your email with another, and connect to facebook with yet a different password.
Security will always be a trade-off with convenience. Most people can't be bothered to type different passwords for every application, so they tell the system to cache the passwords, and tie that all back to their primary authentication token, and mobile phone manufacturers are very conscious of this, so it appears that authentication and authorization are the same thing and thus, commonly conflated concepts.
[ link to this | view in chronology ]
Re: Conflating Authorization and Authentication
I use the same password for my computer as I do my email, bank account, AD domain at work, usenet, obscure and questionable hacking forums, random sites that I create an account to make one post with etc..
[ link to this | view in chronology ]