When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?

from the a-non-testimonial-appendage? dept

FBI Director James Comey is still complaining about encryption but it doesn't seem to be preventing law enforcement from accessing devices. To date, law enforcement has paid hackers to break into a phone, had an iPhone owner suddenly "remember" his password, seen a person jailed for 7 months (so far) for refusing to provide a password and, now, a law enforcement agency has used a warrant to force a suspect to unlock an iPhone using a fingerprint.

[A]uthorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

The mostly-unanswered question is whether this violates the Fifth Amendment by forcing a person to provide evidence against themselves. (Not that due process was at the forefront of law enforcement's mind in this case. Or the magistrate judge's either. Jonathan Zdziarski points out the warrant was obtained within 45 minutes of the suspect being arrested -- not even enough time to bring in a lawyer.) While the law allows police to collect data from detained individuals -- including fingerprints -- it doesn't say much about physically applying someone's finger to their phone to unlock its contents.

The concern that fingerprint "passwords" would be less insulated against court orders and warrants was brought up here more than two years ago, shortly after Apple announced the new security feature. Biometric data isn't something anyone "knows" that could be considered "testimonial." It simply is an indicator of who you are, which courts have held isn't covered under Fifth Amendment protections against self-incrimination.

The additional concern is that law enforcement may have also used this Fifth Amendment workaround to obtain information on a separate suspect. The LA Times article adds these details to the general murkiness:

Why authorities wanted [Paytsar] Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan's boyfriend and a member of the Armenian Power gang with the moniker of "40." Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.

Bkhchadzhyan was arrested and pled no contest to one count of identity theft. But the US Attorney's comment seems to imply law enforcement was looking for more than just evidence on Bkhchadzhyan when it searched the phone. If so, it raises even further questions about the constitutionality of this particular warrant, which may have forced this suspect to provide evidence against someone else.

The only prior case to raise this issue isn't very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers "testimonial" and what is merely providing access.

In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one's mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.

But does that line even exist? It's difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple's Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these "keys" in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.

It's not like withholding passwords will work in all cases either. Those who aren't jailed for contempt of court may instead find judges deciding that providing a password to law enforcement isn't a "testimonial" act on its own. The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their "foregone conclusion" justifications. After all, if a locked device didn't contain evidence of criminal activity, any "reasonable" person would have provided a password without hesitation.

It's a stretch of an argument though -- considering the prosecution needs to provide evidence it knows the stuff it's looking for resides on the devices, which is something extremely difficult to prove when the device is fully encrypted.

The limits of the Fifth Amendment's protections against self-incrimination are far from clearly defined when it comes to encrypted devices.. This leaves the security question in the hands of each individual user. Your choice of security method depends on who you're more worried about having access to your phone. If it's phone thieves, then a fingerprint might do. But if it's the government, use a password.

Filed Under: 5th amendment, encryption, fingerprint, fingerprint swipe, id, paytsar bkhchadzhyan, self incrimination, sevak mesrobian, touch id