Federal Judge Says Compelling People To Unlock Phones With Their Fingerprints/Faces Violates The 5th Amendment
from the surprising-turn-of-events dept
The advent of biometric "passcodes" -- fingerprints and facial recognition -- appear to be leaving those who choose these methods with fewer Fifth Amendment protections. A handful of courts have ruled fingerprints and faces aren't "testimony." Much as officers can collect fingerprints and mugshots without a warrant following an arrest, they can also apply fingers and faces to locked phones to get to the data inside.
But it's not as simple as some court decisions make it appear. Even passwords can be considered testimonial, as they may indicate ownership of a locked device or compel production of evidence to be used against the device's owner. The passcode argument has gone both ways in court, which usually comes down to the individual judge's definition of "foregone conclusion." Does the foregone conclusion refer to the device's ownership or the evidence contained in it? The latter is harder to prove, and raising the burden of proof to this level tends to result in courts finding the compelled production of passwords to be a Fifth Amendment violation.
Via Thomas Brewster at Forbes, there's finally some good news on the biometric security front. A federal judge in California has ruled forcing people to unlock phones using biometric measures is a Fifth Amendment violation.
[I]n a more significant part of the ruling, Judge Westmore declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features.
As the court points out [PDF], when the fingerprint IS the password, the Fifth Amendment is implicated despite these features normally being considered non-testimonial.
The Court finds that utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab, because it differs in two fundamental ways. First, the Government concedes that a finger, thumb, or other biometric feature may be used to unlock a device in lieu of a passcode. In this context, biometric features serve the same purpose of a passcode, which is to secure the owner's content, pragmatically rendering them functionally equivalent.
The court notes law enforcement is well aware of jurisprudence surrounding device security. In this case, the more time that passed between the seizure of the devices and their compelled unlocking, the less likely law enforcement would be able to evade the Fifth Amendment. Judge Westmore doesn't find this reasoning acceptable.
[A] passcode is generally required "when a device has been restarted, inactive, or has not been unlocked for a certain period of time." This is, no doubt, a security feature to ensure that someone without the passcode cannot readily access the contents of the phone. Indeed, the Government expresses some urgency with the need to compel the use of the biometric features to bypass the need to enter a passcode. This urgency appears to be rooted in the Government's inability to compel the production of the passcode under the current jurisprudence. It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device.
The court goes on to say the government had other options to access messages -- like approaching Facebook with a warrant -- rather than intrude on the Fifth Amendment (and the Fourth Amendment -- more on that in a moment), but it chose to do it this way. Just because it's easier and faster to do it via compelled production doesn't make it right. In fact, in the court's eyes, all this effort did was violate the Constitution in multiple ways.
An attempted assault on the Fourth Amendment also occurred in this case. Investigators looking for evidence of extortion via Facebook sought to have every device and person at a residence seized and searched, with every resident compelled to unlock devices found during the search. As the judge points out in the rejection of the search warrant application, the Fourth Amendment requires far more specificity.
This request is overbroad. There are two suspects identified in the affidavit, but the request is neither limited to a particular person nor a particular device.
Thus, the Court finds that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.
This is a far better answer to this sort of request than others we've seen. Searching someone's home and digging through their electronics is one of the scariest powers the government has. The Fourth Amendment is in place to limit these exercises of immense government power to those that are justifiable and necessary. When judges grant overbroad orders, they're doing more than failing to act as a check against government abuse. They're normalizing abuse of citizens' rights via judicial precedent.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 5th amendment, compelled speech, facial recognition, fingerprints, locked phones, passwords, testimony, unlocking phones
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Re:
You sure the BoR is continuing to do its job?
Compare the explicit text of the Fourth Amendment —
— against the following passage from Bailey v US (2013) —
(Citations omitted.)
Cases going back to Terry v Ohio (1968) clearly establish that so-called “detention” means seizing someone. Here in Bailey, though, the court says that a warrant doesn't have to “particularly“ describe any person — instead, as long as somebody happens to be in just the exact wrong place at the exact wrong time, they can be seized, and it's all A-OK. Hunky-dory.
You sure the BoR is continuing to do its job?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
I don't understand how this works...
Furthermore, what if they find a piece of paper that happens to have the correct passcode on it?
Extend this further - can law enforcement use already-obtained fingerprint data to unlock a phone? For example, can they use fingerprints that they have already obtained during booking? Can similar be done with a separate facial scan and 3d reconstruction of their facial features to unlock a phone? What if they already have this information from a prior scan of the suspect's face?
Where is the line drawn?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: I don't understand how this works...
That, at least, won't work. The technology has been better than that for around a decade now at least, because that's when I had a unlock-by-face laptop. A friend tried to troll it by taking a picture of my face and holding his phone up to the camera, and it wouldn't let him in.
If I understand correctly, it checks IR as well as visible light to defeat exactly this sort of attack.
[ link to this | view in thread ]
Re: I don't understand how this works...
Yes.
I would expect that would depend on whether they found it during a legal search. At least, it should.
These are interesting questions. I suspect the answer would be "yes, provided they acquired those things legally," but as far as I know none of these questions have been tested in court.
[ link to this | view in thread ]
Re: Re: I don't understand how this works...
He did specify "3D reconstruction".
Interesting. That does seem like an obvious step.
I could see this turning into an arms race of sorts, with police (or any other sufficiently well-heeled group attempting to break into phones) coming up with new ways to fool security measures and phone manufacturers coming up with new ways to prevent those measures from working.
[ link to this | view in thread ]
Re: Re: I don't understand how this works...
In any case, I've read a number of articles (even in the last year) purporting to have "fooled" a facial scan unlock mechanism, and I'm sure the government will gladly invest in such tech if they can legally use it to unlock devices without forcing said user to do so for them...
The question i'm sort of asking: Can they obtain the necessary data to attempt unlocking the phone independently of forcing the owner to unlock it directly.
Is there really any law that says law enforcement cannot scan your face or take your fingerprints for purposes of "collecting information" and then use that same information later to perform an unlock?
[ link to this | view in thread ]
The weaknesses revealed
This just illustrates the folly of using bio-metrics to try and replace passwords. Yes, use bio-data for identification, and then use passwords for access. Of course you should use good, not guessable (or brute forceable), passwords.
[ link to this | view in thread ]
Re: Re:
The Bill of Rights...yes, it's still doing it's job.
The courts interpreting the Bill of Rights the way they were meant to be interpreted and holding the government to account for failing to repect our rights...not so much.
[ link to this | view in thread ]
Re: Re: Re:
From one of the cases cited above, Muehler v Mena (2005) —
But what did the Supreme Court do?
Amendment VII
“A jury … found that Officers Muehler and Brill violated Mena's Fourth Amendment right.”
So all that's really the BoR “doing its job” ? A scrap o' parchment guarantee, honored only in the breach…
I'm told the old, defunct Soviet Union had a very fine set of rights granted to its citizens. On paper. The very best Bill of Rights.
[ link to this | view in thread ]
Re: Re: Re: Re:
Respondent Mena. Sorry.
As the case caption clearly indicates, “The Court of Appeals affirmed the judgment.” So Mena was not the petitioner in the Supreme Court, but was the appellee in the high court, the respondent there.
[ link to this | view in thread ]
Citizen "I choose not to answer that"
Officer "can you Unlock this phone"
Citizen "I choose not to answer that"
I don't use the bio-metric security(?) features of any phone.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
To use your face or thumb to unlock the phone you do not even have to be conscious. You can be completely brain-dead and it will still work. This decision stipulates that you can testify in a coma. IMO, that's ridiculous and it will bring this decision down.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
I think you may be looking at the idea of "testimony" too concretely. One's biometric markers being able to unlock a device would be considered, I believe, a "testimonial action" in the sense that it speaks to ownership/control of the item; whether you're conscious or not when (e.g.) your fingertip passes over a scanner is immaterial.
[ link to this | view in thread ]
Re: Re: I don't understand how this works...
[ link to this | view in thread ]
Re: The weaknesses revealed
[ link to this | view in thread ]
Re: Re:
So if not overturned this decision will create incentives to cheat.
[ link to this | view in thread ]
That's why anyone traveling outside the country needs to set a manual password, and be aware that in every airport there are cameras looking at you from all directions at all times, so even refusing to give out your password might make no difference in the end if you've previously keyed in your password in the airport.
[ link to this | view in thread ]
Re: Re: Re:
"All these pesky rules are hard to follow, and the courts enforcing them gives police incentive to cheat. I'd prefer the courts just let the police search whatever they want legally, so they won't cheat."
That's some bass-ackwards logic there, sir.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
I am not so worried about being challenged when entering the US, but when entering another nation state. There rules and protections can vary widely and may be radically different for a non-citizen in their empire.
[ link to this | view in thread ]