Another Federal Court Says Compelled Production Of Fingerprints To Unlock A Phone Doesn't Violate The Constitution
from the must-be-going-so-dark-fingerprint-readers-won't-even-work dept
Where the Fifth Amendment ends for device owners largely seems to be determined by their favored security measure. If it's a password keeping a device encrypted, courts seem more willing to call compelled production a Fifth Amendment violation. If it's a biometric feature -- most commonly fingerprints or faces -- the courts are more likely to consider body parts non-testimonial.
There's not enough of a consensus either way to make it a clear choice, but courts seem to feel faces/fingerprints are like "keys" and passwords like "combinations" when it comes to the metaphorical lockbox that is your phone.
Adding to the case law that is "fingerprints are lockbox keys" is this decision [PDF] from a federal court in Illinois. (via FourthAmendment.com) The court says the Supreme Court says this is how it must be, even if the Supreme Court has yet to field a device encryption case.
The government wants to look in the defendant's phone for evidence of his threats against a confidential informant. There's a built-in limit to this, although it's not one of the government's making. Investigators want to apply the suspect's fingers and thumbs to the seized iPhone to unlock it. The suspect's mind is being taken out of the equation (as it were), which could result in the government getting what it wants in this request without actually getting what it wants from the man's iPhone.
In connection with the government’s motion to revoke Barrera’s bond conditions, District Judge Robert W. Gettlemen ordered that Barrera’s iPhone be turned over to Pretrial Services. The government seeks to search this iPhone, with a home button, that was taken from Barrera in order to develop evidence of his alleged threats. The iPhone has a fingerprint lock function (known as Touch ID), and the government asked this Court for a warrant to compel the defendant to place his fingers and thumbs on the iPhone home button in an attempt to unlock the phone. The government alleged in the affidavit in support of its request for a search warrant that it will select the fingers and thumbs to press on to the home button, and that the iPhone fingerprint unlock function will disable after five incorrect attempts. At that time, the iPhone function will demand a passcode to unlock the phone.
The court says any Fourth Amendment concerns are addressed by the government's warrant, which puts it on the right side of the Riley decision. With that settled, the court addressed the Fifth Amendment issues. (Emphasis in the original.)
Applying those three requirements in reverse order here, a biometric scan is certainly compelled—the government is explicitly requesting the Court’s authority to force the scan. The act may also be incriminating, as unlocking the phone may lead to the discovery of a nearly unlimited amount of potential evidence including text messages, social media posts, call logs, emails, digital calendars, photographs and videos, and location data. [...]
But if a compelled act is not testimonial, and therefore not protected by the Fifth Amendment, it cannot become protected simply because it will lead to incriminating evidence. As a result, the relevant Fifth Amendment inquiry here is whether the compelled act of scanning a subject’s fingerprint to unlock a device is a testimonial act.
The court decides it isn't a Fifth Amendment violation because the government will be choosing the five digits it will apply to the iPhone button, rather than the suspect. To complete the metaphor, the government has ten keys to choose from, but only has five attempts to pick the right key. Since the government is doing all the choosing, the suspect isn't doing anything testimonial since he isn't being asked to tell the government which of his fingers will unlock the phone.
First, the Court holds that the biometric unlock procedure is more akin to a key than a passcode combination. The Supreme Court in Doe, and later in Hubbell, has illustrated the difference between testimonial and non-testimonial physical acts via this helpful comparison, which aptly applies to an iPhone that has two different unlock features – a fingerprint and a passcode. In Doe, the Court noted that the Fifth Amendment permits the government to force an individual to surrender a key to a strongbox containing incriminating documents, but not to reveal the combination to a subject’s wall safe. Thus, using the Doe framework, this Court examines whether a biometric scan of an individual’s finger or thumb is more like a key or a combination.
A combination passcode requires a verbal statement from the possessor of the code. More importantly, compelling someone to reveal a passcode also requires an individual to communicate something against her will that resides in her mind. A key, however, is a physical object just like a finger — it requires no revelation of mental thoughts. Nor does a finger require a communication of any information held by that person, unlike a passcode. In fact, the application of a finger to the home button on a iPhone “can be done while the individual sleeps or is unconscious,” and thus does not require any revelation of information stored in a person’s mind.
But even this conclusion is not that simple. The government must show it knows the phone is owned or controlled by the suspect before it can start asking the court to give it permission to apply the person's fingers to the phone. The court doesn't address whether the government has met this evidentiary burden but rather waves it away by citing a 1988 Supreme Court decision (Doe) dealing with the production of financial records.
[T]he Court holds that the implicit inference from the biometric unlock procedure, that the individual forced to unlock had some point accessed the phone to program his or her fingerprint, is not sufficient to convert the act to testimonial. The Supreme Court considered this similar concept in Doe, when it found that requiring a petitioner to execute a consent directive that would result in the production of bank records would not have testimonial significance.
[...]
Similarly, the implicit inference that one might draw from the biometric unlock procedure — that the cell phone was at some point accessed in order to program the biometric lock feature — is no different in significance than any of the above inferences. It is of the same scale that existed in Doe, Gilbert and the other cases discussed above. The implicit inference is also not necessarily as firm as on first impression – the Touch ID feature on an iPhone permits up to five fingerprints to be programmed, thus allowing the potential for multiple users to program the feature. As a result, the Court concludes that any implicit inference that can be drawn from a biometric unlock procedure is not of testimonial significance.
This decision further muddies the federal waters, making it more likely the Supreme Court will have to address these Fifth Amendment issues in the near future. But until it's all settled, odds are passwords are better than fingerprints if your main concern is unwanted access by government employees.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 4th amendment, 5th amendment, biometrics, compelled production, fingerprints, passwords
Reader Comments
Subscribe: RSS
View by: Time | Thread
Fingerprint scan a spot not on your fingertip
Everyone assumes you have to use the tips of your fingers to create and use these kinds of locks. In reality, you can scan any part of your finger including the line under your joints. Compelling you to provide your fingerprints still wouldn't force you to unlock the phone if you take the proper steps to ensure their request will never hurt you.
[ link to this | view in chronology ]
Re: Fingerprint scan a spot not on your fingertip
Or you could really screw with them and set it up using a toe instead of a finger.
[ link to this | view in chronology ]
Re: Re: Fingerprint scan a spot not on your fingertip
I can see you now, walking down the street, phone rings and you whip off your shoe and sock and then drop you phone to the ground and press a toe to the sensor, just to answer a spam call.
[ link to this | view in chronology ]
Re: Re: Re: Fingerprint scan a spot not on your fingertip
Be grateful I chose a toe instead of another body part. But in your scenario I'd just use the password to unlock the phone.
[ link to this | view in chronology ]
Re: Re: Re: Fingerprint scan a spot not on your fingertip
Yeah, at least Maxwell Smart didn't have to take his sock off when he answered his shoe phone...
[ link to this | view in chronology ]
Re: Re: Fingerprint scan a spot not on your fingertip
[ link to this | view in chronology ]
Re: Re: Re: Fingerprint scan a spot not on your fingertip
Non-standard biometrics could result interesting possibilities:
Cops: We need a warrant to force fingerprint unlock of this suspects phone
Judge: Warrant approved
cops returning to court
Cops: Fingerprints didn't work...we need suspect to tell us his password.
Judge: If fingerprints didn't work how do you know it is even the suspect's phone?
Cops: Because we REALLY want it to be his phone and can prove it's his once he gives us the password.
Judge: Do you have anything at all that proves the phone is his?
Cops: We REALLY want it to be his.
[ link to this | view in chronology ]
Re: Fingerprint scan a spot not on your fingertip
My fingerprint scan on my iPhone 8 is about 50% reliable. Sometimes it works, sometimes it take 2 or more tries.
[ link to this | view in chronology ]
If I were the police, I might well call the phone companies and ask the numbers they have (if any) for [accused person], then call those numbers first.
If the phone doesn't ring, you must acquit.
[ link to this | view in chronology ]
Re:
That would entail the cops doing real investigative work. Much easy to just demand everything and then some be handed over to them.
[ link to this | view in chronology ]
what about what the court inferred
If the fingerprint unlock isn't testimonial, then how are they going to demonstrate that the person attached to the finger that unlocked the phone is the person who previously used the phone and put all of the bad stuff on it? Is there any way that the actual guilty party (not this person) used one of this person's fingers to set 1 fingerprint for the lock, and then did the same with one of theirs?
If the police get the phone unlocked, can they extract the valid prints from it? Or are they encrypted with a 1-way function?
[ link to this | view in chronology ]
Re: what about what the court inferred
When the government forces companies to provide these biometric security measures on every phone, then it will be unconstitutional to force us to unlock them.
[ link to this | view in chronology ]
My Solution
Fingerprint unlock but the phone requires me to enter the password once a day. Presumably, I can delay responding to a fingerprint request for that long a period of time. After that, the fingerprint is useless. Sadly, more people don't bother turning on this feature.
[ link to this | view in chronology ]
Re: My Solution
No you can't. If they say "put your finger here" and you refuse, that's obstruction; just like refusing a breathalyzer. Just hope your lawyer is on the ball and the request for a warrant to search takes too long. (Although I assume the police can unlock the phone and promise not to search it until the warrant arrives, right? I sense another court case in the making there) The other issue is to either turn the phone complete off or hit the home button with the wrong finger(s) several times while handing it over. But be careful how you appear to do that. Again, making it impossible to unlock the phone after they ask for it -i.e. when you know it is going to become evidence - is obstruction. Having it difficult to unlock before the police want it is OK.
[ link to this | view in chronology ]
I still do not understand why people put all their eggs in one basket.
[ link to this | view in chronology ]
Governments globally are a murderous lot. Every politician who takes up a position in them who does not denounce this violence against its own people has blood on their hands. Blood they can never wash away.
[ link to this | view in chronology ]
Re:
I mean, you’re not totally wrong there, but WTF does that have to do with this?
[ link to this | view in chronology ]
Re: Re:
I won't be compelled by any murderer to do anything.
[ link to this | view in chronology ]
"Finger"? What's That?
[ link to this | view in chronology ]
Re: "Finger"? What's That?
Dammit, I <shift><entered>d again.
I have two prints stored. One is the tip of my finger. The other isn't even a finger, but it's a good spot with a unique and persistent pattern. I actually practice quickly deleting my fingerprint and do any time I'm at/in a location where my phone might be taken. I also have a 10GB encrypted container file on my SD card that only contains one file: A JPEG of a "come back with a warrant" doormat.
[ link to this | view in chronology ]
I hope the supreme court says "Fingerprints are usernames, and it's not a problem to compel usernames. If you want security, use a password" and we can all move onto a more sane world where fingerprints are not considered passwords.
[ link to this | view in chronology ]
That would be ludicrous if the Scotus said Fingerprints were user names. Fingerprints can't be changed like user names. No matter what the lock is, it is there so no one can just trapse in and look around and steal data. That is like a lock on your vehicle or house. It says fuck off. Get the hell out of here.
[ link to this | view in chronology ]
Don't need the finger...
I wonder if anyone realizes that if they have the fingerprints from the booking, they can probably create a good enough mimic of the suspects fingers using ballistics gel. They don't need to compel the suspect to do anything beyond what they already do.
[ link to this | view in chronology ]
Re: Don't need the finger...
Once again here on Techdirt, someone has given these people ideas. No one compells you to give them any ideas. So why do that?
[ link to this | view in chronology ]
Security
Not only government.
If a criminal wants access to your fingerprint-locked phone, he can just knock you out and press a couple of fingers on your phone. It's simpler and faster than forcing you to tell him your password. There is still a margin of error as you have more fingers than the number of allowed attempts, but the chance of success is infinitely higher than guessing a password.
Moreover, you always have the problem that you can't change your fingerprint if they are compromised. Like if you touch anything, anywhere.
I'm surprised fingerprints have ever been considered "security" at all. It's ok as an additional layer to a password, but it's definitely not great as a single layer of security. It's convenient when you don't really care about security, but it stops there.
[ link to this | view in chronology ]