Feds Finally Get Around To Using Someone's Face To Unlock Their Cellphone

from the FaceTime:-FBI-Edition dept

The only surprise about this is that it took this long to happen.

A child abuse investigation unearthed by Forbes includes the first known case in which law enforcement used Apple Face ID facial recognition technology to open a suspect's iPhone. That's by any police agency anywhere in the world, not just in America.

It happened on August 10, when the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. With a search warrant in hand, a federal investigator told Michalski to put his face in front of the phone, which he duly did. That allowed the agent to pick through the suspect's online chats, photos and whatever else he deemed worthy of investigation.

This won't become a Fifth Amendment test case for several reasons.

First, Michalski apparently consented to the search by using his face to unlock the phone. If this was as voluntary as it appears, it pretty much eliminates a Constitutional challenge.

Beyond that, it's unlikely a court would find someone's face testimonial. For the most part, courts haven't found fingerprints to be testimonial, even if the application of a fingerprint leads directly to the production of evidence to be used against the phone's owner.

The "foregone conclusion" argument would only require law enforcement to prove the phone belongs to the person they're asking to unlock it -- information easily acquired with a subpoena from the service provider.

Even if all these hurdles could be jumped, actions taken by the investigating agent pretty much eliminated any evidence the defendant might have challenged, as Forbes' Thomas Brewster reports.

Whilst Knight may've found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.

In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information at speed than can be done manually, need the iPhone to connect to a computer.

It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.

Michalski's lawyer confirms in a comment to Forbes there's been no evidence produced from the unlocked iPhone, leaving him nothing to challenge in court.

Even if this case is a wash in terms of Constitutional challenges, that doesn't mean the status quo will remain unchanged as more phone manufacturers move towards biometric-based security features. Courts may recognize -- as they have with smartphones and cell location data -- that old assumptions about privacy and presumed government access are no longer valid in a world almost wholly reliant on portable devices filled to the brim with personal data and documents.


Filed Under: encryption, face, faceid, iphones, unlocking phones
Companies: apple


Reader Comments

  • ECA, 2 Oct 2018 @ 12:06pm

    Ummm, Ya?

    I said it before..
    USE something that can't be duplicated, EASILY..
    Use your hand over your face to create a different pattern..
    IF the program is GOOD, and works properly...It will KNOW what you did..

    • Bergman, 2 Oct 2018 @ 2:48pm

      Re: Ummm, Ya?

      Exactly. If you have any desire for privacy, for God's sake use something testimonial as your unlock token.

    • Dukrugger, 3 Oct 2018 @ 4:28pm

      Re: Ummm, Ya?

      You can always disable faceID or touchID so it can be unlocked only with a passkey or even a long alphanumeric password but people prefer convenience over security, only "paranoids" and "people who have something to hide" do otherwise.

  • Ninja, 2 Oct 2018 @ 12:07pm

    It's cardboard security like fingerprints. Sure it is pretty easy to use but if you really want security set a password and stick to it. Any serious, conscious criminal will avoid using it.

  • zarprime, 2 Oct 2018 @ 12:38pm

    I have a stupid question...

    So the whole problem is that a face or a fingerprint, or even a passcode on a phone isn't "testimony" and so the 5th Amendment doesn't factor in. So what happens if my passphrase for unlocking my phone is "I robbed a bank"? I suppose if they let me type it in and didn't see what it was then it wouldn't be an incriminating statement, but what if I had to say it aloud, or if they wanted to type it in themselves (so I couldn't do it incorrectly several times and lock up the phone)?

    • Anonymous Coward, 2 Oct 2018 @ 1:03pm

      Re: I have a stupid question...

      Because a password is just a password and NOT a statement even if its appearance is equivalent to that of a statement.

      If you want protection from decryption orders by a judge you must introduce a system beforehand that automatically destroys data as part of its regular everyday cycle.

      For example, require that a USB key you possess be presented to an encrypted system at least once per day or it changes encryption keys regardless of if it is attached or not. Justice works slowly; you will be in jail, and if your system AND encryption device change keys apart from each other then you are safe.

      Like a dead man's switch. As long as this process is enshrined in your daily routine then you are free of criminal charges of evidence tampering unless such evidence already meets laws that require you to keep it for x amount of time. It is not your fault if the police throw you in jail preventing you from performing the daily requirement of key encryption recovery.

      Not only that but you should most certainly keep a shadow partition filled with even more critical data so that nothing looks amiss under forensic scrutiny. There are many ways to keep your data secure. Fake profiles are one simplified example of this.

      • Bergman, 2 Oct 2018 @ 2:52pm

        Re: Re: I have a stupid question...

        You could also use a longer password, and if you're feeling cute, make it a confession to what you are trying to hide. A password of "BlueFlower013" is not testimonial. But securing evidence of an armed robbery behind "I committed robbery on that day at that time against that person" is a confession to that crime.

        Any confession is testimonial.

        • ECA, 3 Oct 2018 @ 11:56am

          Re: Re: Re: I have a stupid question...

          Could also use...
          multiple passwords..1 open the phone, the other simple ones, Erase data..corrupt the phone..

          Or open different sections of the phone, safe, and Private sections..

          dongles are nice, but dongles get lost. OR left in the device.

          What would be Neat, is a skin tag, that has a mag signature to open the phone..and only YOU know on what part of the body to use it.

  • Nathan F, 2 Oct 2018 @ 1:33pm

    So in a future case, what exactly is stopping the police from sitting a suspect down, holding the phone up to get his face to unlock it and then proceeding? The suspect doesn't have to do anything, just sit there (unlike swiping his finger over a sensor). If providing a biometric like a fingerprint or face isn't testimonial, would there even be a 4th or 5th amendment breach?

  • Michael Long, 2 Oct 2018 @ 2:01pm

    Protection

    For those unaware, on the new iPhone OS's, squeezing the sleep/wake button and the lower volume button for a couple of seconds will lock the phone such that a passcode is required to open it.

    If at all possible, I'd do this before (or while) having to hand the phone over, and I'd definitely do it before hitting a TSA or Homeland security checkpoint.

    It's gotten to the point where some people recommend traveling with a burner phone that has a minimum amount of personal information contained within it.

    • Anonymous Coward, 2 Oct 2018 @ 2:28pm

      Re: Protection

      Lots of folks have pointed this option out but IMHO the execution of the act will be hit or miss.

      I get where Apple was going with how Face-ID works. The camera catches your eyes, recognizes your face and unlocks the phone in next to no time, that's pretty handy. Just the execution wasn't well thought out.

      The 'Fix' should be to add a voice command prompt to complete the unlock. Nothing extraordinary, just the basics: Open/Unlock; Shutdown/Restart; SOS; LOCK. If I were Apple I'd probably throw in voice print recognition to the owner just for an extra layer of security.

  • Anonymous Coward, 2 Oct 2018 @ 2:55pm

    In the past, facial recognition was easily circumvented by use of a portrait. Has it gotten any better?

  • Aaron Walkhouse, 2 Oct 2018 @ 5:42pm

    I've got a pair of "Clark Kent" glasses…

    …so if I have to put them on to activate a phone I have effectively disarmed Big Brother yet again; particularly because I carry dissimilar reading glasses by necessity. ; ]

  • Coyne Tibbets, 2 Oct 2018 @ 9:25pm

    Submission versus consent

    First, Michalski apparently consented to the search by using his face to unlock the phone. If this was as voluntary as it appears, it pretty much eliminates a Constitutional challenge.

    Was it truly consent? Or just submission to authority?

    When held at gunpoint by a mugger and one voluntarily gives over one's money, that does not imply consent.

    • That One Guy, 3 Oct 2018 @ 6:07am

      Re: Submission versus consent

      Nonsense, what possible coercive element could there be in an FBI investigator showing up at your house and telling you to do something?

  • That One Guy, 3 Oct 2018 @ 3:06am

    How is this still a thing?

    A physical feature like a face, eye or fingerprint should only ever be used as a form of user name, never as a password. At most presenting a face to the camera should identify which account on it the person is requesting access to, it should not unlock the account/device itself.

    • Anonymous Coward, 3 Oct 2018 @ 7:26am

      Re: How is this still a thing?

      Exactly. Everyone should be using 2 factor authentication which is something you have (face, fingerprint, retina, user name) and something you know (password).

  • Digitari, 3 Oct 2018 @ 9:44am

    #changepassword
