Federal Judge Says Compelling People To Unlock Phones With Their Fingerprints/Faces Violates The 5th Amendment

from the surprising-turn-of-events dept

The advent of biometric "passcodes" -- fingerprints and facial recognition -- appear to be leaving those who choose these methods with fewer Fifth Amendment protections. A handful of courts have ruled fingerprints and faces aren't "testimony." Much as officers can collect fingerprints and mugshots without a warrant following an arrest, they can also apply fingers and faces to locked phones to get to the data inside.

But it's not as simple as some court decisions make it appear. Even passwords can be considered testimonial, as they may indicate ownership of a locked device or compel production of evidence to be used against the device's owner. The passcode argument has gone both ways in court, which usually comes down to the individual judge's definition of "foregone conclusion." Does the foregone conclusion refer to the device's ownership or the evidence contained in it? The latter is harder to prove, and raising the burden of proof to this level tends to result in courts finding the compelled production of passwords to be a Fifth Amendment violation.

Via Thomas Brewster at Forbes, there's finally some good news on the biometric security front. A federal judge in California has ruled forcing people to unlock phones using biometric measures is a Fifth Amendment violation.

[I]n a more significant part of the ruling, Judge Westmore declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features.

As the court points out [PDF], when the fingerprint IS the password, the Fifth Amendment is implicated despite these features normally being considered non-testimonial.

The Court finds that utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab, because it differs in two fundamental ways. First, the Government concedes that a finger, thumb, or other biometric feature may be used to unlock a device in lieu of a passcode. In this context, biometric features serve the same purpose of a passcode, which is to secure the owner's content, pragmatically rendering them functionally equivalent.

The court notes law enforcement is well aware of jurisprudence surrounding device security. In this case, the more time that passed between the seizure of the devices and their compelled unlocking, the less likely law enforcement would be able to evade the Fifth Amendment. Judge Westmore doesn't find this reasoning acceptable.

[A] passcode is generally required "when a device has been restarted, inactive, or has not been unlocked for a certain period of time." This is, no doubt, a security feature to ensure that someone without the passcode cannot readily access the contents of the phone. Indeed, the Government expresses some urgency with the need to compel the use of the biometric features to bypass the need to enter a passcode. This urgency appears to be rooted in the Government's inability to compel the production of the passcode under the current jurisprudence. It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device.

The court goes on to say the government had other options to access messages -- like approaching Facebook with a warrant -- rather than intrude on the Fifth Amendment (and the Fourth Amendment -- more on that in a moment), but it chose to do it this way. Just because it's easier and faster to do it via compelled production doesn't make it right. In fact, in the court's eyes, all this effort did was violate the Constitution in multiple ways.

An attempted assault on the Fourth Amendment also occurred in this case. Investigators looking for evidence of extortion via Facebook sought to have every device and person at a residence seized and searched, with every resident compelled to unlock devices found during the search. As the judge points out in the rejection of the search warrant application, the Fourth Amendment requires far more specificity.

This request is overbroad. There are two suspects identified in the affidavit, but the request is neither limited to a particular person nor a particular device.

Thus, the Court finds that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.

This is a far better answer to this sort of request than others we've seen. Searching someone's home and digging through their electronics is one of the scariest powers the government has. The Fourth Amendment is in place to limit these exercises of immense government power to those that are justifiable and necessary. When judges grant overbroad orders, they're doing more than failing to act as a check against government abuse. They're normalizing abuse of citizens' rights via judicial precedent.

Filed Under: 5th amendment, compelled speech, facial recognition, fingerprints, locked phones, passwords, testimony, unlocking phones

Feds Finally Get Around To Using Someone's Face To Unlock Their Cellphone

from the FaceTime:-FBI-Edition dept

The only surprise about this is that it took this long to happen.

A child abuse investigation unearthed by Forbes includes the first known case in which law enforcement used Apple Face ID facial recognition technology to open a suspect's iPhone. That's by any police agency anywhere in the world, not just in America.

It happened on August 10, when the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. With a search warrant in hand, a federal investigator told Michalski to put his face in front of the phone, which he duly did. That allowed the agent to pick through the suspect's online chats, photos and whatever else he deemed worthy of investigation.

This won't become a Fifth Amendment test case for several reasons.

First, Michalski apparently consented to the search by using his face to unlock the phone. If this was as voluntary as it appears, it pretty much eliminates a Constitutional challenge.

Beyond that, it's unlikely a court would find someone's face testimonial. For the most part, courts haven't found fingerprints to be testimonial, even if the application of a fingerprint leads directly to the production of evidence to be used against the phone's owner.

The "foregone conclusion" argument would only require law enforcement prove the phone belongs to the person they're asking to unlock it -- information easily acquired with a subpoena from the service provider.

Even if all these hurdles could be jumped, actions taken by the investigating agent pretty much eliminated any evidence the defendant might have challenged, as Forbes' Thomas Brewster reports.

Whilst Knight may've found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.

In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information at speed than can be done manually, need the iPhone to connect to a computer.

It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.

Michalski's lawyer confirms in a comment to Forbes there's been no evidence produced from the unlocked iPhone, leaving him nothing to challenge in court.

Even if this case is a wash in terms of Constitutional challenges, that doesn't mean the status quo will remain unchanged as more phone manufacturers move towards biometric-based security features. Courts may recognize -- as they have with smartphones and cell location data -- that old assumptions about privacy and presumed government access are no longer valid in a world almost wholly reliant on portable devices filled to the brim with personal data and documents.

Filed Under: encryption, face, faceid, iphones, unlocking phones
Companies: apple

Military Appeals Court Says Demands To Unlock Phones May Violate The Fifth Amendment

from the ANSWER-UNCLEAR:-ASK-AGAIN-LATER dept

A decision [PDF] handed down by the Appeals Court presiding over military cases that almost affirms Fifth Amendment protections against being forced unlock devices and/or hand over passwords. Almost. The CAAF (Court of Appeals for the Armed Forces) doesn't quite connect the final dot, but does at least discuss the issue, rather than dismiss the Fifth Amendment question out of hand. (h/t FourthAmendment.com]

The case stems from a harassment case against a soldier who violated (apparently repeatedly) a no-contact order separating him from his wife. After being taken into custody, Sgt. Edward Mitchell demanded to speak to a lawyer. Rather than provide him with a lawyer, investigators asked him to unlock his phone instead.

Appellee invoked his right to counsel at approximately 10:50 a.m. Appellee's platoon leader signed a "Receipt for Pre-Trial/Post Trial Prisoner or Detained Person," and SSG Knight escorted Appellee back to his unit, where he remained in the company area and accessed both his Kyocera phone and iPhone.

[...]

In the office, Investigator Tsai informed Appellee of the verbal search and seizure authorization, and Appellee questioned the validity of verbal authorizations, asking to see a written one. Around this time, the commander left the office. Investigator Tsai told Appellee that verbal authorizations are valid and asked if Appellee had any cell phones on his person. Appellee then handed an iPhone to the investigators. Investigator Tsai saw that the iPhone was protected by a numeric passcode, and asked Appellee to provide it. Appellee refused.

At this point, this line of questioning should have been abandoned. Actually, it should never have begun without Mitchell's lawyer present. But the investigators apparently believed that asking, rather than ordering, Mitchell to unlock his phone made the whole thing consensual.

Investigator Tsai then handed the phone back to Appellee and asked him to unlock it, saying: "if you could unlock it, great, if you could help us out. But if you don't, we'll wait for a digital forensic expert to unlock it." Neither investigator knew at the time that Appellee's iPhone had two finger/thumb prints stored, and could have potentially been opened using "Touch ID capabilities." Appellee then entered his passcode and unlocked the phone: "[Appellee] was also required to permanently disable the cell phone's passcode protection. In order to do so, [he] was required to access the phone's settings and enter his numeric passcode (PIN) two more times to fully disable the phone's protections."

The military judge at the lower level suppressed the evidence, holding that Mitchell was in custody without requested legal representation at the time he unlocked his phone for investigators. The Appeals Court affirms the lower court's findings.

Under the circumstances presented, we conclude that the Government violated Appellee's Fifth Amendment right to counsel as protected by Miranda and Edwards. The Government does not contest that Appellee was in custody when he invoked his right to counsel while detained at the military police station. It is almost equally clear that Appellee was in custody in his commander's office when investigators asked him to unlock his iPhone.

The court also points out that simply asking nicely for an in-custody suspect to "help out" the government by possibly incriminating themselves doesn't make it any more Fifth Amendment-compliant, nor does it change the nature of questioning from an "interrogation" to "a couple of guys chatting about stuff with absolutely no criminal case-building implications."

This line of questioning qualifies as interrogation. The agents' initial request—“can you give us your PIN?”—is an express question, reasonably likely to elicit an incriminating response. The Government contends that a request for consent to search is not an interrogation, citing this Court’s reasoning in United States v. Frazier that “such requests are not interrogations and the consent given is ordinarily not a statement.” 34 M.J. 135, 137 (C.M.A. 1992). But asking Appellee to state his passcode involves more than a mere consent to search; it asks Appellee to provide the Government with the passcode itself, which is incriminating information in the Fifth Amendment sense, and thus privileged.

The court points out the simple act of unlocking a phone can be incriminating. It demonstrates for investigators and prosecutors the person holding the phone may well be responsible for any incriminating content found on it. It also implies ownership, making it easier to connect the person to the device (and the content contained).

By asking Appellee to enter his passcode, the Government was seeking an “answer[] … which would furnish a link in the chain of evidence needed to prosecute” in the same way that Hoffman and Hubbell used the phrase. Not only did the response give the Government access to direct evidence as in Hubbell, it also constituted direct evidence as in Hoffman. See Hubbell, 530 U.S. at 39–40 (“The documents were produced before a grand jury …. The use of those sources of information eventually led to the return of an indictment ….”); Hoffman, 341 U.S. at 488 (“[T]ruthful answers … to these questions might have disclosed that he was engaged in such proscribed activity.”). As even the dissent concedes, Appellee’s response constitutes an implicit statement “that [he] owned the phone and knew the passcode for it.”

Based on that, the court finds Mitchell's Fifth Amendment rights were violated by this in-custody request to provide a passcode. Unfortunately, the court considers this the end of its judicial inquiry.

In light of this holding, we need not reach the question of whether the Government directly violated Appellee’s Fifth Amendment privilege against compelled self-incrimination. We thus do not address whether Appellee’s delivery of his passcode was “testimonial” or “compelled,” as each represents a distinct inquiry.

Even though the ruling doesn't extend far enough to make passcodes worthy of Fifth Amendment protections, the judicial analysis at least shows providing passwords can create evidence to be used against the accused. This decision doesn't quite stretch that far thanks to the investigators' ignoring Mitchell's invocation of his right to an attorney, but it does the act of entering passwords can be considered self-incriminating.

Filed Under: 5th amendment, caaf, compelled unlocking, edward mithchell, military, self incrimination, unlocking phones