Federal Judge Says Compelling People To Unlock Phones With Their Fingerprints/Faces Violates The 5th Amendment

from the surprising-turn-of-events dept

The advent of biometric "passcodes" -- fingerprints and facial recognition -- appears to be leaving those who choose these methods with fewer Fifth Amendment protections. A handful of courts have ruled fingerprints and faces aren't "testimony." Much as officers can collect fingerprints and mugshots without a warrant following an arrest, they can also apply fingers and faces to locked phones to get to the data inside.

But it's not as simple as some court decisions make it appear. Even passwords can be considered testimonial, as they may indicate ownership of a locked device or compel production of evidence to be used against the device's owner. The passcode argument has gone both ways in court, and the outcome usually comes down to the individual judge's definition of "foregone conclusion." Does the foregone conclusion refer to the device's ownership or the evidence contained in it? The latter is harder to prove, and raising the burden of proof to this level tends to result in courts finding the compelled production of passwords to be a Fifth Amendment violation.

Via Thomas Brewster at Forbes, there's finally some good news on the biometric security front. A federal judge in California has ruled forcing people to unlock phones using biometric measures is a Fifth Amendment violation.

[I]n a more significant part of the ruling, Judge Westmore declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features.

As the court points out [PDF], when the fingerprint IS the password, the Fifth Amendment is implicated despite these features normally being considered non-testimonial.

The Court finds that utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab, because it differs in two fundamental ways. First, the Government concedes that a finger, thumb, or other biometric feature may be used to unlock a device in lieu of a passcode. In this context, biometric features serve the same purpose of a passcode, which is to secure the owner's content, pragmatically rendering them functionally equivalent.

The court notes law enforcement is well aware of jurisprudence surrounding device security. In this case, the more time that passed between the seizure of the devices and their compelled unlocking, the less likely law enforcement would be able to evade the Fifth Amendment. Judge Westmore doesn't find this reasoning acceptable.

[A] passcode is generally required "when a device has been restarted, inactive, or has not been unlocked for a certain period of time." This is, no doubt, a security feature to ensure that someone without the passcode cannot readily access the contents of the phone. Indeed, the Government expresses some urgency with the need to compel the use of the biometric features to bypass the need to enter a passcode. This urgency appears to be rooted in the Government's inability to compel the production of the passcode under the current jurisprudence. It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device.

The court goes on to say the government had other options to access messages -- like approaching Facebook with a warrant -- rather than intrude on the Fifth Amendment (and the Fourth Amendment -- more on that in a moment), but it chose to do it this way. Just because it's easier and faster to do it via compelled production doesn't make it right. In fact, in the court's eyes, all this effort did was violate the Constitution in multiple ways.

An attempted assault on the Fourth Amendment also occurred in this case. Investigators looking for evidence of extortion via Facebook sought to have every device and person at a residence seized and searched, with every resident compelled to unlock devices found during the search. As the judge points out in the rejection of the search warrant application, the Fourth Amendment requires far more specificity.

This request is overbroad. There are two suspects identified in the affidavit, but the request is neither limited to a particular person nor a particular device.

Thus, the Court finds that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.

This is a far better answer to this sort of request than others we've seen. Searching someone's home and digging through their electronics is one of the scariest powers the government has. The Fourth Amendment is in place to limit these exercises of immense government power to those that are justifiable and necessary. When judges grant overbroad orders, they're doing more than failing to act as a check against government abuse. They're normalizing abuse of citizens' rights via judicial precedent.


Filed Under: 5th amendment, compelled speech, facial recognition, fingerprints, locked phones, passwords, testimony, unlocking phones


Reader Comments

  • Anonymous Coward, 15 Jan 2019 @ 9:53am

    That pesky Bill of Rights...continuing to do its job of making the government follow the rules too.

    • Anonymous Coward, 15 Jan 2019 @ 10:31am

      Re:

      Bill of Rights...continuing to do its job of making the government follow the rules

      You sure the BoR is continuing to do its job?

      Compare the explicit text of the Fourth Amendment

      … no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      — against the following passage from Bailey v US (2013) —

      In Summers, the Court defined an important category of cases in which detention is allowed without probable cause to arrest for a crime. It permitted officers executing a search warrant "to detain the occupants of the premises while a proper search is conducted." The rule in Summers extends farther than some earlier exceptions because it does not require law enforcement to have particular suspicion that an individual is involved in criminal activity or poses a specific danger to the officers. In Muehler, applying the rule in Summers, the Court stated: “An officer's authority to detain incident to a search is categorical; it does not depend on the ‘quantum of proof justifying detention or the extent of the intrusion to be imposed by the seizure.’ ” The rule announced in Summers allows detention incident to the execution of a search warrant “because the character of the additional intrusion caused by detention is slight and because the justifications for detention are substantial.”

      (Citations omitted.)

      Cases going back to Terry v Ohio (1968) clearly establish that so-called “detention” means seizing someone. Here in Bailey, though, the court says that a warrant doesn't have to “particularly” describe any person — instead, as long as somebody happens to be in just the exact wrong place at the exact wrong time, they can be seized, and it's all A-OK. Hunky-dory.

      You sure the BoR is continuing to do its job?

      • Anonymous Coward, 15 Jan 2019 @ 11:53am

        Re: Re:

        "You sure the BoR is continuing to do its job?"

        The Bill of Rights...yes, it's still doing its job.

        The courts interpreting the Bill of Rights the way they were meant to be interpreted and holding the government to account for failing to respect our rights...not so much.

        • Anonymous Coward, 15 Jan 2019 @ 12:36pm

          Re: Re: Re:

          … holding the government to account…

          From one of the cases cited above, Muehler v Mena (2005) —

          At 7 a.m. on February 3, 1998, petitioners, along with the SWAT team and other officers, executed the warrant. Mena was asleep in her bed when the SWAT team, clad in helmets and black vests adorned with badges and the word "POLICE," entered her bedroom and placed her in handcuffs at gunpoint . . .

           . . . In her [petitioner Mena's] § 1983 suit against the officers she alleged that she was detained "for an unreasonable time and in an unreasonable manner" in violation of the Fourth Amendment. . . .

           . . . [A] jury, pursuant to a special verdict form, found that Officers Muehler and Brill violated Mena's Fourth Amendment right to be free from unreasonable seizures by detaining her both with force greater than that which was reasonable and for a longer period than that which was reasonable. The jury awarded Mena $10,000 in actual damages and $20,000 in punitive damages against each petitioner for a total of $60,000.

          But what did the Supreme Court do?

          We granted certiorari, and now vacate and remand.

           . . .

          In summary, the officers' detention of Mena in handcuffs during the execution of the search warrant was reasonable and did not violate the Fourth Amendment.

          Amendment VII

          [N]o fact tried by a jury, shall be otherwise reexamined in any court of the United States, than according to the rules of the common law.

          “A jury … found that Officers Muehler and Brill violated Mena's Fourth Amendment right.”

           

          So all that's really the BoR “doing its job”? A scrap o' parchment guarantee, honored only in the breach…

          I'm told the old, defunct Soviet Union had a very fine set of rights granted to its citizens. On paper. The very best Bill of Rights.

          • Anonymous Coward, 15 Jan 2019 @ 12:54pm

            Re: Re: Re: Re:

            In her [petitioner Mena's] § 1983 suit…

            Respondent Mena. Sorry.

            As the case caption clearly indicates, “The Court of Appeals affirmed the judgment.” So Mena was not the petitioner in the Supreme Court, but was the appellee in the high court, the respondent there.

          • Anonymous Coward, 15 Jan 2019 @ 1:19pm

            Re: Re: Re: Re:

            So because the courts have failed to uphold the BoR, you want to blame the BoR?

    • DannyB, 15 Jan 2019 @ 10:32am

      Re:

      They will just have to work harder, finding another way to erode our rights.

    • Anonymous Coward, 15 Jan 2019 @ 10:38am

      Re:

      This changes little for the Government. They will still continue to play dumb as they step all over your rights.

  • Anonymous Coward, 15 Jan 2019 @ 10:34am

    I don't understand how this works...

    Is it still legal for law enforcement to search a device by guessing the passcode?

    Furthermore, what if they find a piece of paper that happens to have the correct passcode on it?

    Extend this further - can law enforcement use already-obtained fingerprint data to unlock a phone? For example, can they use fingerprints that they have already obtained during booking? Can similar be done with a separate facial scan and 3d reconstruction of their facial features to unlock a phone? What if they already have this information from a prior scan of the suspect's face?

    Where is the line drawn?

    • Mason Wheeler, 15 Jan 2019 @ 10:38am

      Re: I don't understand how this works...

      What if they already have this information from a prior scan of the suspect's face?

      That, at least, won't work. The technology has been better than that for around a decade now at least, because that's when I had an unlock-by-face laptop. A friend tried to troll it by taking a picture of my face and holding his phone up to the camera, and it wouldn't let him in.

      If I understand correctly, it checks IR as well as visible light to defeat exactly this sort of attack.

      • Thad, 15 Jan 2019 @ 10:45am

        Re: Re: I don't understand how this works...

        That, at least, won't work. The technology has been better than that for around a decade now at least, because that's when I had an unlock-by-face laptop. A friend tried to troll it by taking a picture of my face and holding his phone up to the camera, and it wouldn't let him in.

        He did specify "3D reconstruction".

        If I understand correctly, it checks IR as well as visible light to defeat exactly this sort of attack.

        Interesting. That does seem like an obvious step.

        I could see this turning into an arms race of sorts, with police (or any other sufficiently well-heeled group attempting to break into phones) coming up with new ways to fool security measures and phone manufacturers coming up with new ways to prevent those measures from working.

      • Anonymous Coward, 15 Jan 2019 @ 10:46am

        Re: Re: I don't understand how this works...

        Well yeah, a "picture" isn't gonna do it, that's why they use the IR dot projector to detect an actual 3d face.

        In any case, I've read a number of articles (even in the last year) purporting to have "fooled" a facial scan unlock mechanism, and I'm sure the government will gladly invest in such tech if they can legally use it to unlock devices without forcing said user to do so for them...

        The question I'm sort of asking: Can they obtain the necessary data to attempt unlocking the phone independently of forcing the owner to unlock it directly?

        Is there really any law that says law enforcement cannot scan your face or take your fingerprints for purposes of "collecting information" and then use that same information later to perform an unlock?

      • Anonymous Coward, 15 Jan 2019 @ 7:15pm

        Re: Re: I don't understand how this works...

        Except that one could easily troll the last two iterations of iPhone facial unlock. Obviously you had a better system in a laptop?

    • Thad, 15 Jan 2019 @ 10:41am

      Re: I don't understand how this works...

      Is it still legal for law enforcement to search a device by guessing the passcode?

      Yes.

      Furthermore, what if they find a piece of paper that happens to have the correct passcode on it?

      I would expect that would depend on whether they found it during a legal search. At least, it should.

      Extend this further - can law enforcement use already-obtained fingerprint data to unlock a phone? For example, can they use fingerprints that they have already obtained during booking? Can similar be done with a separate facial scan and 3d reconstruction of their facial features to unlock a phone? What if they already have this information from a prior scan of the suspect's face?

      These are interesting questions. I suspect the answer would be "yes, provided they acquired those things legally," but as far as I know none of these questions have been tested in court.

  • afn29129 David, 15 Jan 2019 @ 11:00am

    The weaknesses revealed

    The weaknesses revealed.

    This just illustrates the folly of using bio-metrics to try and replace passwords. Yes, use bio-data for identification, and then use passwords for access. Of course you should use good, not guessable (or brute forceable), passwords.

    • Anonymous Coward, 15 Jan 2019 @ 7:16pm

      Re: The weaknesses revealed

      That is precisely true. Biometrics should be used as usernames, not passwords.

  • Anonymous Coward, 15 Jan 2019 @ 12:55pm

    Officer "Is this your phone?"
    Citizen "I choose not to answer that"

    Officer "Can you unlock this phone?"
    Citizen "I choose not to answer that"

    I don't use the bio-metric security(?) features of any phone.

  • Anonymous Coward, 15 Jan 2019 @ 2:10pm

    I do not like this decision. I'm afraid it will cause more harm than good, especially if it is overturned, as I suspect it will. I do not buy the argument, that since passwords and fingerprints have the same function, they should have the same protections. Alcohol and cocaine have the same function - stimulate the reward system in your brain, yet they are not treated the same.

    To use your face or thumb to unlock the phone you do not even have to be conscious. You can be completely brain-dead and it will still work. This decision stipulates that you can testify in a coma. IMO, that's ridiculous and it will bring this decision down.

    • Anonymous Coward, 15 Jan 2019 @ 3:19pm

      Re:

      Uh... That's not what this decision says at all. Not even close.

    • stderric, 15 Jan 2019 @ 3:47pm

      Re:

      I think you may be looking at the idea of "testimony" too concretely. One's biometric markers being able to unlock a device would be considered, I believe, a "testimonial action" in the sense that it speaks to ownership/control of the item; whether you're conscious or not when (e.g.) your fingertip passes over a scanner is immaterial.

      • Anonymous Coward, 15 Jan 2019 @ 10:13pm

        Re: Re:

        I look at it as a puzzle - can I solve it and not get in trouble. And then there's the question: how much of their operational techniques do police have to divulge at trial? They have the information already - the fingerprints and the mugshot (adding IR channel to it wouldn't be a big deal). How much of a parallel construction can they get away with? Is "Oh, we have this special software - you put in all the information about the subject in and it unlocks the phone" good enough?

        So if not overturned this decision will create incentives to cheat.

        • hegemon13, 16 Jan 2019 @ 6:35am

          Re: Re: Re:

          Paraphrase of your posts:

          "All these pesky rules are hard to follow, and the courts enforcing them gives police incentive to cheat. I'd prefer the courts just let the police search whatever they want legally, so they won't cheat."

          That's some bass-ackwards logic there, sir.

    • Red, 16 Jan 2019 @ 7:00am

      Re:

      Alcohol and cocaine are not constitutionally protected under the BOR.

  • Anonymous Coward, 16 Jan 2019 @ 4:20am

    This ruling has no effect on the most likely place you'll be asked to unlock your phone: at the border.

    That's why anyone traveling outside the country needs to set a manual password, and be aware that in every airport there are cameras looking at you from all directions at all times, so even refusing to give out your password might make no difference in the end if you've previously keyed in your password in the airport.

    • Red, 16 Jan 2019 @ 7:16am

      Re:

      One thing that worried me with the distribution of so-called Obama phone was technically the phone was US Government property. Would that open the door for government officers to force you to grant access as you are not the owner? Also they could install surveillance technology at leisure before shipment, given they specify what is loaded on the phone in the government's contract vehicle.

      I am not so worried about being challenged when entering the US, but when entering another nation state. Their rules and protections can vary widely and may be radically different for a non-citizen in their empire.
