When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?

from the a-non-testimonial-appendage? dept

FBI Director James Comey is still complaining about encryption but it doesn’t seem to be preventing law enforcement from accessing devices. To date, law enforcement has paid hackers to break into a phone, had an iPhone owner suddenly “remember” his password, seen a person jailed for 7 months (so far) for refusing to provide a password and, now, a law enforcement agency has used a warrant to force a suspect to unlock an iPhone using a fingerprint.

[A]uthorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple’s fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

The mostly-unanswered question is whether this violates the Fifth Amendment by forcing a person to provide evidence against themselves. (Not that due process was at the forefront of law enforcement’s mind in this case. Or the magistrate judge’s either. Jonathan Zdziarski points out the warrant was obtained within 45 minutes of the suspect being arrested — not even enough time to bring in a lawyer.) While the law allows police to collect data from detained individuals — including fingerprints — it doesn’t say much about physically applying someone’s finger to their phone to unlock its contents.

The concern that fingerprint “passwords” would be less insulated against court orders and warrants was brought up here more than two years ago, shortly after Apple announced the new security feature. Biometric data isn’t something anyone “knows” that could be considered “testimonial.” It simply is an indicator of who you are, which courts have held isn’t covered under Fifth Amendment protections against self-incrimination.

The additional concern is that law enforcement may have also used this Fifth Amendment workaround to obtain information on a separate suspect. The LA Times article adds these details to the general murkiness:

Why authorities wanted [Paytsar] Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan’s boyfriend and a member of the Armenian Power gang with the moniker of “40.” Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.

Bkhchadzhyan was arrested and pled no contest to one count of identity theft. But the US Attorney’s comment seems to imply law enforcement was looking for more than just evidence on Bkhchadzhyan when it searched the phone. If so, it raises even further questions about the constitutionality of this particular warrant, which may have forced this suspect to provide evidence against someone else.

The only prior case to raise this issue isn’t very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers “testimonial” and what is merely providing access.

In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one’s mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.

But does that line even exist? It’s difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple’s Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these “keys” in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.

It’s not like withholding passwords will work in all cases either. Those who aren’t jailed for contempt of court may instead find judges deciding that providing a password to law enforcement isn’t a “testimonial” act on its own. The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their “foregone conclusion” justifications. After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.

It’s a stretch of an argument though — considering the prosecution needs to provide evidence it knows the stuff it’s looking for resides on the devices, which is something extremely difficult to prove when the device is fully encrypted.

The limits of the Fifth Amendment’s protections against self-incrimination are far from clearly defined when it comes to encrypted devices.. This leaves the security question in the hands of each individual user. Your choice of security method depends on who you’re more worried about having access to your phone. If it’s phone thieves, then a fingerprint might do. But if it’s the government, use a password.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?”

Subscribe: RSS Leave a comment
55 Comments
Anonymous Coward says:

The more I see where this country is headed, the more I don’t want anything more to do with digital technology of pretty much any kind. (and I say this, having been in the IT industry for the last 20 years)

I guess I have a yearning for the olden days, when the screws would just beat the info out of me with truncheons and brass knuckles.

Anonymous Coward says:

Re: "Foregone Conclusion"

After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.

By that logic, if a home didn’t contain evidence of criminal activity, any “reasonable” person would provide permission for warrant-less searches without hesitation.

Yeah, I don’t think so. That’s quite a stretch.

Anonymous Coward says:

The problem is the prosecutors had an easy argument “we’ve always been able to collect fingerprints so why not now, too?!”, while defense lawyers have had weak arguments and didn’t say stuff like “but the fingerprint is not just for identification now, it’s to get access to all of our lives’ data, so clearly it’s not the same?”

Defense lawyers need to smarten up.

Uriel-238 (profile) says:

The line exists.

The question is if the line should exist, I think.

So long as our laws are so numerous that it’s impossible to know or follow them, so long as law enforcement can arrest people for what they imagine to be crimes, so long as prosecutory discretion allows officials to choose to convict some people and not others arbitrarily, I say the individual citizen needs all the protects it can get.

In the meantime you never want a part of your body worth more to someone than you are.

Scote (profile) says:

They can already get fingerprints, DNA, hair and blood...

With a warrant there is really no question of whether they can compel a fingerprint. They already have the right to book you and fingerprint you – no warrant needed. They can get warrants to force you to give up a DNA sample, blood samples, hair samples. They can get warrants to x-ray your body for drugs. They can give you laxatives and make you use an evidence collecting, nonflushing toilet. Fingerprints for a cell phone? Bah, that horse left the barn before cell phones were even invented.

So, the lesson is don’t use just biometrics for critical security. Things you can’t change and can’t insure control over are not sufficient to insure that only you or people you willingly authorize will have access.

Anonymous Coward says:

Plausible Deniability

I do not see providing a fingerprint and different than a DNA/Blood/Stool/Whatever sample.

If you have secrets you want to keep private don’t use biometrics/physical keys/etc to protect them.

Forcing someone to give up a password is wrong. First you can’t prove they remember it and 2nd you can’t force someone to testify against themselves. Attempting to force someone to reveal knowledge that they can plausibly deny having any knowledge of is wrong.

Anonymous Coward says:

Re: Plausible Deniability

Actually, with iPhones, fingerprints ARE plausible deniability. Simply present a print that you know won’t work until the print scanner is locked out. Then say that you’ve forgotten the password after mis-entering it a few times.

Both of these are reasonable, and they can’t prove intent here.

John Fenderson (profile) says:

Re: Re:

You don’t even have to be forced to provide a fingerprint. It’s reasonably easy (but not always trivially so) to unlock those phones using a latent print lifted from something you’ve touched.

Fingerprint authentication is a terrible idea on all fronts. It’s not very secure, it can’t be easily changed or revoked when desired, and you can suffer many kinds of injuries that will alter your prints.

Anonymous Coward says:

Re: Is it a testamonial act?

No, it isn’t a testimonial act.

The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone – they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.

If her fingerprint does in fact unlock the device – well, perhaps that’s evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it’s pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.

Demanding a password is different; complying with that means admitting that you know what the password is. The woman here doesn’t have to admit she knows anything about the phone, just like someone with their prints on a gun doesn’t have to admit they know anything about the gun. Also, with fingerprints there’s not a problem like there is with a password where the person may legitimately not know (or remember) the password – if her fingerprint doesn’t unlock the device, that’s that.

Quiet Lurcker says:

Re: Re: Is it a testamonial act?

No, it isn’t a testimonial act.

The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone – they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.

>>>I’m not addressing the matter of whether she has a fingerprint or whether she knows how to unlock the phone.

If her fingerprint does in fact unlock the device – well, perhaps that’s evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it’s pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.

>>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device. Fingerprints on a murder weapon – or anywhere at a crime scene – are a straw man fallacy for this discussion.

Demanding a password is different; complying with that means admitting that you know what the password is.

>>>Yes and no. The fingerprint acts as a password here. In either case, the means of unlocking the device is being demanded.

The woman here doesn’t have to admit she knows anything about the phone, just like someone with their prints on a gun doesn’t have to admit they know anything about the gun.

>>>Straw man fallacy again.

Also, with fingerprints there’s not a problem like there is with a password where the person may legitimately not know (or remember) the password – if her fingerprint doesn’t unlock the device, that’s that.

>>>Not knowing does not equal not remembering.

>>>Please remember here. We are talking about a woman being ordered to unlock a device. It doesn’t matter how the device is locked. It only matters that a) the device is locked; b) the cops think (or perhaps know) she has the means to unlock it; and c) the cops want the device unlocked. By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device; she is, in effect, saying ‘I use or can access this phone’ by unlocking for the cops or anyone else.

Anonymous Coward says:

Re: Re: Re: Is it a testamonial act?

>>By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device;

>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device.

Yes, if your fingerprints can unlock the device, that’s evidence that you have some control over the device. Just like if your fingerprints are on the outside of the device, that’s evidence that you had some contact with the device. How is that a straw man?

Why does it matter whether the fingerprints are on the outside of the device, or in the software?

Quiet Lurcker says:

Re: Re: Re:2 Is it a testamonial act?

The presence of fingerprints on the murder weapon in themselves are not evidence that the person who handled the weapon committed the crime. Place the weapon at a murder scene, add the fingerprints to the weapon, and you still only place the person at the crime scene. There’s still no evidence that the person pulled the trigger OR that they intended to do so even if they did.

Here, the cops are arguing that the phone contains direct evidence – maybe pictures, maybe notes, maybe messages – that show that she was involved in the commission of crimes. They’re looking for the equivalent of a video recording or pictures of the woman pulling the trigger.

Anonymous Coward says:

Re: Re: Re:3 Is it a testamonial act?

The presence of fingerprints on the murder weapon in themselves are not evidence that the person who handled the weapon committed the crime.

It absolutely is “evidence”; that’s going to be Exhibit A. It’s not “proof”, though. She can argue the gun was planted. Just like she could argue her fingerprint was planted or the content on the phone was planted.

Here, the cops are arguing that the phone contains direct evidence – maybe pictures, maybe notes, maybe messages – that show that she was involved in the commission of crimes.

Well, in THIS case it’s unclear – they most likely want information on her gang member boyfriend. But I admit that doesn’t matter much, since they COULD use it against her. One way they could solve this is to give her immunity, but they don’t want to do that, so it’s perfectly logical for her to assume they’d use it against her.

You seem to think that you can’t be forced to provide the means to unlock something that contains evidence against you. But under current law, you absolutely can. If the key to a strongbox is around your neck, the police can take that key from you and unlock the strongbox. If you’ve swallowed the key, they can use doctors to forcibly get it out of your body one way or another. And if your finger is the key to your smartphone, they can use that finger to unlock your it.

What they can’t make you do is admit that you know HOW to open the thing. Because that would be an actual admission. And if your fingerprint unlocks a phone, that might be evidence that you’re connected to the phone, but it’s not an admission of anything – maybe someone put your finger on the phone while you were asleep.

Derek Kerton (profile) says:

Crappy Workaround

As long as our rights are being “reinterpreted” by the courts, you can do this:

Use an unusual finger for your phone’s lock.
Set the “lock after x unsuccessful attempts” to 3
Then have it fall back to a password

When compelled by the court, use the wrong fingers three times. Oops, sorry, FBI. My bad. Problem solved.

Anonymous Coward says:

The thing is, your identity has never been something protected by the fifth amendment. Remember, confirming your identity already opens up a lot of potentially incriminating evidence. After all, without it they can’t grab your phone and internet histories from your providers, locate your house to search it, contact your friends/family/employer, pull up your financial records, or a whole host of other things. And despite all of this very clear potentially incriminating info that is only accessible after you are identified, you can’t refuse to identify yourself when ordered to.
And fingerprints are, while very convenient, a method of identification. There’s a reason why “something you are” is less popular as a security paradigm than “something you have” and “something you know.” It’s the only one that you don’t actually have any control over (both legally and practically).

Brian C says:

“The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their “foregone conclusion” justifications. After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.”

It is a serious mistake for anyone to conflate a choice with an obligation. A person is afforded the Rights recognized by our Bill of Rights first. This being the case, waving such rights cannot ever be an obligation of a citizen. To think otherwise is a fast track to a Police State that cares not a wit for the Constitution of this country.

R.H. (profile) says:

I'm Thinking Tasker

If there’s not already, I want a Tasker (for Android) plugin that uses the fingerprint scanner to determine which finger you used to unlock the device. You’d be able to set it so that specific fingers will perform an action other than unlocking the device. My personal preference would be powering it off. Android devices (I think iOS devices do this too) require the actual PIN to be typed on powerup for decryption before accepting a fingerprint to unlock the lock screen. That way, I can have the ease-of-use of fingerprint unlock but, the safety of my PIN in case of compulsion.

Of course, one could have a fingerprint set to factory reset but, I wouldn’t want to deal with the legal consequences of a destruction of evidence charges.

Anonymous Coward says:

Re: I'm Thinking Tasker

There’s no destruction of evidence by you unless the court specifically directs that you unlock the phone. If you just have to provide your fingers, you compliantly hold your hand out and let the police officer press the finger of their choice on the phone.
If you’re being forced to tell them, “No not that finger.”, or “Turn the finger sideways first”, then there is a 5th amendment issue.

darren chaker (profile) says:

Giving the 5th Amend the Finger

I actually wrote a post about this topic, http://consenttosearch.com/site/fingerprint-and-fifth-amendment/ The law is well established a person must provide a handwriting exemplar, voice exemplar, and other non-testimonial things to police. Now, due to technology, people enjoy swiping the finger in lieu of using a PW. I know of a couple of cases that said yes, and one that said no. There’s a case pending in the 9th Circuit now on this issue. I see it as, police cannot force you to provide the key to your house where you a stolen radio at, but they want you to use your finger to open up a secure phone so they may incriminate you with the contents? For now, I suggest the obvious – take the .05 second to enter in a PW, and do not use your finger for anything less that things you enjoy using it for, since we do not need the government to tell us where to put it!

btr1701 (profile) says:

Counsel

> Not that due process was at the forefront of law
> enforcement’s mind in this case. Or the magistrate
> judge’s either. Jonathan Zdziarski points out the warrant
> was obtained within 45 minutes of the suspect being
> arrested — not even enough time to bring in a lawyer.

WTF? Due process has *never* required the police wait to apply for a warrant (or the judge to wait to grant one) until the subject/defendant’s lawyer shows up at the warrant application hearing.

In fact, that almost *never* happens.

btr1701 (profile) says:

Incrimination

> If so, it raises even further questions about the
> constitutionality of this particular warrant, which may
> have forced this suspect to provide evidence against
> someone else.

That’s actually less of a constitutional issue. While you do have a 5th Amendment right against self-incrimination, absent something like spousal privilege– which isn’t a constitutional issue– you have *no* right whatsoever to be free from incriminating others. If you have evidence that can be used to help the government’s case against someone else, you can be compelled to provide it. Period. And nothing in the Constitution protects you from that.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...