Massachusetts Judge Says ATF Can Apply A Suspect's Fingerprints To Unlock An IPhone
from the five-finger-Fifth-Amendment-discount dept
It looks like a passcode still beats a fingerprint when it comes to securing your info. Maybe not from criminals, but definitely from the government. Lisa Vaas of Naked Security reports the ATF has received permission from a federal judge to apply a suspect's fingerprints to a phone to unlock it.
[T]he document, issued on 18 April, Massachusetts federal district judge Judith Dein gave agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) the right to press a suspect’s fingers on any iPhone found in his apartment in Cambridge that law enforcement believes that he’s used, in order to unlock the devices with iPhone Touch ID.
The warrant [PDF] authorizes ATF agents to "press the fingers (including the thumbs)" of suspect Robert Brito-Pina to the "Touch ID sensor of any Apple cellular phone" recovered during the search. Brito-Pina is suspected of buying and selling weapons -- neither of which are permissible given his felon status. The ATF apparently believes evidence of this will be found on Pina's iPhone.
There doesn't appear to be any limit on how many fingers the ATF can use to unlock the phone. The warrant says only that officers will decide which fingers to apply. Presumably, that means all of them (including thumbs), since there's no language limiting officers to a certain number of finger applications. The only thing preventing every finger from being applied during the search is the iPhone itself, which will require a passcode after five wrong fingerprint applications.
The phone's nexus is established pretty thoroughly in the warrant application, which much of the sting operation using an arrestee-turned-informant being carried out via text messages. The government moved to unseal the warrant five days after applying for it, suggesting it has already executed this warrant.
The weird thing about the warrant application, which thoroughly details the sting operation and the ATF's surveillance of the suspect, is it appears the swearing agent isn't actually sure Pina owns an iPhone.
Given the popularity of Apple brand devices, I believe it is likely that I will find Apple brand devices such as an Apple iPhone at the Target Location.
And, despite authorizing the agents to only use Pina's finger to unlock any recovered iPhones, the warrant still contains boilerplate stating agents may demand fingerprint applications from anyone at the searched residence.
In some cases, it may not be possible to know with certainty who is the user of a given device, such as if the device is found in a common area of a premises without any identifying information on the exterior of the device. Thus, it will likely be necessary for law enforcement to have the ability to require any occupant of the Target Location to press their finger(s) against the Touch ID sensor of the locked Apple device(s) found during the search of the Subject Premises in order to attempt to identify the device's user(s) and unlock the device(s) via Touch ID.
This case likely won't budge the needle on the Fifth Amendment question. At least, not yet. If Pina wants the evidence gleaned from the iPhone suppressed (assuming there is an iPhone), there may be further discussion of this crucial issue in the future. Most judicial decisions on the use of biometrics to unlock devices have sided with government, asserting that faces and fingerprints are "non-testimonial," even if they're the gateway to plenty of evidence that will be used against the defendant. But there have been a few judges who've taken contrary stances, so the issue is far from settled.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, 5th amendment, atf, fingerprints, massachusetts, search, unlock
Reader Comments
Subscribe: RSS
View by: Time | Thread
Fishing expedition, they brought the bait, but the wrong hook
If the text messages came from and ATF informant, then they already have both parts of the conversation, are they looking for other conversations?
If the Iphone belongs to someone else, why is Robert Brito-Pina being charged? If the Iphone belongs to someone else, how can they assert that Robert Brito-Pina used it?
Makes one wonder what that Federal Judge was thinking. Presumably the warrant was sufficiently detailed as to what they were looking for, but the nexus between the stated defendant and phone seems very tenuous.
[ link to this | view in chronology ]
This just reinforces the assertion that you should never use biometrics for securing your devices. Stick with passwords/passcodes.
[ link to this | view in chronology ]
Re:
Who but a criminal would use a passcode instead of biometrics? Just like those deviants that encrypt thier e-mail, I say.
[ link to this | view in chronology ]
Is it normal to be able to include anyone at a target residence to be part of a warrant even if they are not a suspect?
[ link to this | view in chronology ]
Re:
It shouldn't be.
[ link to this | view in chronology ]
Re:
"Persons and Persons Unknown" is the standard language.
[ link to this | view in chronology ]
Wouldn't it be nice if you could configure your phone to perform different actions in response to different fingerprints?
Right index finger: insta-brick.
Left thumb: set the volume to max and play an audio clip featuring an air raid siren and a voice screaming "Hijacking in progress! Hijacking in progress!"
[ link to this | view in chronology ]
Re:
Or better yet, something like TrueCrypt.
Enter one code, you get a dummy version of your phone.
Enter another, you get your real version of your phone.
And then maybe a third code, phone = brick.
[ link to this | view in chronology ]
Plausible deniability
The nice thing about having a dummy partition is that it provides plausible deniability, in case a court forces a person to unlock their phone for law enforcement.
Or law enforcement decides to use the $5 wrench approach.
[ link to this | view in chronology ]
Re:
Or better yet, don't use bio-metrics to lock your phone. Use a strong pass-code and don't worry about the malleable laws used to circumvent your right to privacy.
[ link to this | view in chronology ]
Re: Re:
Better yet, don't discuss or text incriminating evidence on your phone.
Even better, don't CARRY what is THE best tracking and spying device ever created.
As I've told my wife repeatedly, Facebook will survive half a day without her input.
[ link to this | view in chronology ]
I am a resident of The People's Republic of Cambridge in Massachusetts Oblast.
I thought we were supposed to be hippy-commies. This is the reason why people jokingly refer to Cambridge, MA as The People's Republic of Cambridge.
This ruling doesn't sound very hippy-commie to me. I'd like to sit down and chat with this judge at one of our many artisan coffee shops or one of our organic, vegan delis.
[ link to this | view in chronology ]
The People's Republic of Cambridge
China is unapologetically the People's Republic of China
North Korea is, unsarcastically the Democratic People's Republic of Korea or DPRK
Congo is the Democratic Republic of the Congo
East Germany when it was behind the iron curtain was the German Democratic Republic
What were you guys thinking?
[ link to this | view in chronology ]
Re: The People's Republic of Cambridge
That's why I dubbed us hippy-commies.
We were the first city/town in MA to ban plastic bags for all retail establishments that provide a bag to a customer. They actually call it BYOB: bring your own bag.
Though I've never been to North Korea, my guess is that Cambridge has a different vibe than the DPRK. Do the citizens of DPRK have two Whole Foods within a mile from their homes?
I certainly did not come up with the nickname of The People's Republic of Cambridge. I'm only responsible for the "Massachusetts Oblast" I stuck at the end for fun.
I don't even see this ruling as a loophole or run-around the 5th Amendment. I see it as a gross violation of it.
[ link to this | view in chronology ]
Hippy-commies
Being an old and self-identified San Franciscan. Cambridge sounds delightful. I now live two hours away in the basin and one of the things I most miss are the non-franchise cafés.
I was just noting that nations that call themselves people's republics include the worst offenders of crimes against humanity. It was an attempt at humor.
[ link to this | view in chronology ]
Does the iPhone software compensate for obtuse angles?
If you unlock your phone with your left thumb at 90°, will the iPhone still unlock if you try it straight up?
Given the five-tries limit, utilizing an obtuse angle as well as a fingerprint might improve the odds.
[ link to this | view in chronology ]
Re: Does the iPhone software compensate for obtuse angles?
If it's anything like the finger print reader on my android phone, then yes it will compensate for any angle you use.
[ link to this | view in chronology ]
General non-specific warrants
It's disconcerting, and lowers confidence in the DoJ being actually interested in justice when they have warrants to seize all phones at a venue for any of them to be unlocked.
Phones belonging to non-suspects should have to require separate warrants.
At least that's how I ascertain it should work according to Law and Order or Dragnet. Otherwise it looks like law enforcement is fishing for warm bodies to fill private prisons and property to loot via forfeiture.
[ link to this | view in chronology ]
At least this action by the ATF requires a warrant. As many international travelers are now painfully aware of, border police and airport customs have been doing it without a search warrant, as we all should know the Constitution does not apply at (or near) the border. And using a passcode is hardly any better, as they can detain you or prevent you from ever getting into the country (even US citizens) essentially forever if you refuse to give up your laptop or iphone password.
[ link to this | view in chronology ]
From the top then...
Biometrics can be used as account names.
Biometrics should never be used as account passwords.
[ link to this | view in chronology ]
The whole fingerprint id concept was just marketing bullshit. I'm not sure why anyone thought that fingerprint id was some sort of security panacea. People will buy into anything that let's them think they are technically sophisticated, no matter how stupid it is.
[ link to this | view in chronology ]
Re:
They saw it in a movie?
[ link to this | view in chronology ]
Re:
It's no panacea, but it has improved my security. Before I had a fingerprint scanner, I didn't have any security on my phone. In the many years I'd had a cell phone I had not once lost it or left it anywhere or had it outside my control when not at home. So entering a passcode every time I wanted to use it was just not worth the trouble. A fingerprint scanner is a very convenient way to add some level of security. And if I have time to turn the phone off, a password will be required on startup.
[ link to this | view in chronology ]
This shows the distinction of "testimonial" evidence versus "tangible" evidence.
A fingerprint, DNA is tangible. A password is testimonial, meaning that a 5th amendment defense can be raised.
The government is fully dedicated towards destroying this 5th amendment right.
[ link to this | view in chronology ]
Re:
Where does that leave a personal diary?
[ link to this | view in chronology ]
Da truth
[ link to this | view in chronology ]
Limits
Is't there like a 12 hour time limit from last finger print unlock before pass code becomes mandatory? I know after a reboot its mandatory also after so many bad fingers.
[ link to this | view in chronology ]