State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn't Violate The Fifth Amendment

from the giving-The-Man-the-finger-no-longer-subversive;-actually-helpful dept

As was hinted heavily three years ago, you might be better off securing your phone with a passcode than your fingerprint. While a fingerprint is definitely unique and (theoretically…) a better way to keep thieves and snoopers from breaking into your phone, it’s not much help when it comes to your Fifth Amendment protections against self-incrimination.

The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more “testimonial” than a blood draw, police lineup appearance, or even matching the description of a suspected criminal. (h/t Orin Kerr)

Diamond relies on In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), to support his argument that supplying his fingerprint was testimonial. In In re Grand Jury, the court reasoned that requiring the defendant to decrypt and produce the contents of a computer’s hard drive, when it was unknown whether any documents were even on the encrypted drive, “would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Id. at 1346. The court concluded that such a requirement is analogous to requiring production of a combination and that such a production involves implied factual statements that could potentially incriminate. Id.

By being ordered to produce his fingerprint, however, Diamond was not required to disclose any knowledge he might have or to speak his guilt. See Doe, 487 U.S. at 211, 108 S. Ct. at 2348. The district court’s order is therefore distinguishable from requiring a defendant to decrypt a hard drive or produce a combination. See, e.g., In re Grand Jury, 670 F.3d at 1346; United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010) (holding that requiring a defendant to provide computer password violates the Fifth Amendment). Those requirements involve a level of knowledge and mental capacity that is not present in ordering Diamond to place his fingerprint on his cellphone. Instead, the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing.

Of course, it’s what’s contained in the now-unlocked device that might be incriminating, which is why Diamond pointed to In re Grand Jury as being analogous to the forced provision of a fingerprint. The court’s rebuttal of this argument, however, doesn’t make a lot of sense. It says the process that unlocked the device requires no knowledge or mental capacity — which is certainly true — but that the end result, despite being the same (the production of evidence against themselves) is somehow different because of the part of the body used to obtain access (finger v. brain).

In recounting the obtaining of the print, the court shows that some knowledge is imparted by this effort — information not possessed by law enforcement or prosecutors.

Diamond also argues that he “was required to identify for the police which of his fingerprints would open the phone” and that this requirement compelled a testimonial communication. This argument, however, mischaracterizes the district court’s order. The district court’s February 11 order compelled Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cell phone.” At the April 3 contempt hearing, the district court referred to Diamond providing his “thumbprint.” The prosecutor noted that they were “not sure if it’s an index finger or a thumb.” The district court answered, “Take whatever samples you need.” Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.”

This is something only Diamond would know, and by unlocking the phone, he would be demonstrating some form of control of the device as well as responsibility for its contents. So, it is still a testimonial act, even if it doesn’t rise to the mental level of retaining a password or combination. (And, if so, would four-digit passcodes be less “testimonial” than a nine-digit alphanumeric password, if the bright line comes down to mental effort?)

Given the reasoning of the court, it almost appears as though Diamond may have succeeded in this constitutional challenge if he had chosen to do so at the point he was ordered to produce the correct finger.

It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints. The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information. There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question. Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated.

And so, in first decision of its kind for this Appeals Court, the precedent established is that fingerprints are less protective of defendants’ Fifth Amendment rights than passwords.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn't Violate The Fifth Amendment”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Use a random non-pointer finger as your keyed fingerprint, along with a stringent ‘3 errors and the phone is wiped’ lock, perhaps? If you really really really wanted to still use finger unlock.

If forcing a fingerprint is just like a blood draw, it’s not like you *have* to tell them which finger is the correct one.

Hyman Rosen (profile) says:

Search, not testimony

If the government already knows that you are the owner of the device (because of sufficient evidence – it is in your pocket, or in your home, or you have been seen using it) then it is a “foregone conclusion” that you are able to unlock it. Therefore your actual unlocking of it is not testimony; the government acquires no information through that act that it did not already have, whether you unlock by fingerprint or password.

That the device itself contains incriminating evidence is irrelevant; as you could not prevent an authorized search of your home, you similarly cannot prevent an authorized search of your device.

On the other hand, if the government then attempted to use the fact of your being able to unlock the device as evidence that you owned it, after you were compelled to do so, that would be a violation of the 5th Amendment.

That One Guy (profile) says:

Re: Search, not testimony

There’s a difference, and while it may seem like splitting hairs I’d say that anything can make or break a case is important, between "We’re pretty sure that the phone/device is the property of the accused and they have access to it’s contents" and "We have rock-solid evidence that is theirs and they do have access to the contents." The first might be admissible depending on the judge, and even then they still have to make the link between the evidence found on the device and the accused, the latter would definitely be admissible and the link is trivial to make.

As for the second point I’d say the difference is between not being able to prevent an authorized search and being forced to enable an authorized search, and in the process provide evidence that wasn’t available before.

The comparison kinda breaks down given the difference between houses and phones so this will likely be a little sloppy, but assuming there is incriminating evidence to be found it would be somewhat like police showing up at someone’s house and demanding that they tell them where the evidence that will incriminate them is located. In that case the home-owner is not only providing the evidence that will be used against them they’re demonstrating that they know where it is, which creates a very strong connection between it and them, a connection which can be used against them in court.

Anonymous Coward says:

Re: Search, not testimony

Let’s change that a little.

If the police already know what you did (because of sufficient evidence – of some sort) then it is a “foregone conclusion” that you are guilty. Therefore your confession is not testimony; the government acquires no information through that act that it did not already have, they just need you to sign the paper they have already prepared.

If “foregone conclusions” are good enough, that what do we need trials for, eh?

Roger Strong (profile) says:

Re: Re: Search, not testimony

Attorney General Edwin Meese III explained why the Supreme Court’s Miranda decision (holding that subjects have a right to remain silent and have a lawyer present during questioning) is unnecessary: “You don’t have many suspects who are innocent of a crime. That’s contradictory. If a person is innocent of a crime, then he is not a suspect.”
– U.S. News and World Report, 10/14/85

That One Guy (profile) says:

Re: Re: Re: Search, not testimony

"You don’t have many suspects who are innocent of a crime. That’s contradictory. If a person is innocent of a crime, then he is not a suspect."

Talk about a perfect example of why the laws either protect the innocent and the guilty, or they protect neither.

If one holds to the idea that the guilty don’t deserve the same rights and legal protections as the innocent(an idea I have seen mentioned and/or hinted at several times before), and also believe that if someone is a suspect then they are guilty(or at the least are likely guilty), then simply being accused is enough to strip away rights and protections, which would be a bad idea were law enforcement flawless and never made mistakes, and becomes downright disastrous given that is anything but the case.

Wyrm (profile) says:

Re: Search, not testimony

The problem is somewhere else.
By unlocking the phone, you unlock it’s content. As long as it’s encrypted, the police doesn’t know what’s in there. Therefore, unlocking is providing the data.
So the “testimony” you’re offering is not that you can unlock the phone, but the content itself.

That One Guy (profile) says:

Re: Re: Search, not testimony

So the "testimony" you’re offering is not that you can unlock the phone, but the content itself.

I would(and have) argue that it’s both actually. It’s providing the content and demonstrating that you can access it, creating a link between the content and you, which is something that can be used against you. The most blatantly illegal evidence imaginable isn’t any good to the police if they can’t establish a connection between it and someone they can charge after all, and being able to unlock the device that that evidence is on establishes that link.

DannyB (profile) says:

Re: Time for a new locking mechanism

Suppose your new phone unlocking system used a drop of blood instead of a fingerprint.

Now would a fingerprint still have no more testimonial value than a blood draw?

The court should not compare the fingerprint to a blood draw but should compare it to a master key to your entire life history. Now does the fingerprint have testimonial value?

Anonymous Coward says:

As someone once said on a similar post. There should be an option that uses your fingerprint as the Login ID and a password to unlock. That way even if your fingerprint is compromised, or in this case the government ask for it, a password is still needed to unlock the device.

Thinking about it a fingerprint as a password is a stupid way to secure something if you are truly concerned about someone accessing it. All someone needs to do it get to you or put you too sleep. Obviously the U.S. government probably wont do that, but what about a not so friendly friend, jealous lover, bad business partner after a night at the bar. Or foreign intelligence for a activist or generalist. This is not even considering the ways a fingerprint can be forged.

Anonymous Coward says:

This particular decision seems inevitable. The government (1) is obviously allowed to take your fingerprints, (2) could, using that information, with little technical difficulty mold a counterfeit, (3) could trivially attempt all ten fingers, (4) can (with a judge’s permission) examine files on the phone.

What’s the point in arguing that they can’t take your fingerprint on a phone that they suspect is yours, rather than on their own inkpad?

And, as someone has already figured out, steganography becomes your very good friend, as soon as the software provides for multiple fingerprints opening multiple virtual systems on the same phone.

That One Guy (profile) says:

Simple rule of thumb(or forefinger, or pinky...)

If an act provides access to evidence that can be used against the person required to do the act, then it should count as self-incrimination, and therefore not be allowed.

That it involves a fingerprint rather than a password shouldn’t make any difference, the purpose behind the requirement is for the accused to be forced to provide evidence that will be used against them, something that could be trivially demonstrated simply by instituting a ‘trade’ of immunity for anything found, a requirement you can be sure the police would not accept as it would undermine the whole purpose of forcing the person to unlock the device in the first place.

Anonymous Coward says:

I don’t understand this whole situation. For decades, fingerprints have been used for police work. Police would take fingerprints from various people, and then compare those fingerprints to prints found at crime scenes, searching for evidence which could be used to incriminate suspects. Nobody ever argued that providing prints was a form of self-incrimination, because it’s obvious that it isn’t. If the police searched the scene and found, say, a paper copy of the plan used by the criminals, and from that paper copy lifted fingerprints, then those prints would be used like any others found at the scene. If a computer was found at the scene, and your fingerprints were all over the buttons, they would be lifted and used to incriminate you, as well as provide evidence of ownership of said computer and the files on it.

Here, they are doing exactly the same thing. Taking fingerprints, and comparing those prints to prints found at the crime scene. Why should the fact that the prints found at the scene are stored in a digital format make a difference?

Just because you chose to use a stupid and insecure method of maintaining your privacy does not mean that the police/courts must write new policies to make your method secure.

That One Guy (profile) says:

Re: Re:

Here, they are doing exactly the same thing. Taking fingerprints, and comparing those prints to prints found at the crime scene. Why should the fact that the prints found at the scene are stored in a digital format make a difference?

Because they’re not just ‘comparing prints’, they’re demanding someone provide incriminating evidence against themselves by providing access via prints. If it was really as simple as taking prints then they could take the prints and then turn around and use them on the device if they want, yet they didn’t do so.

At the same time if it’s not an issue of self-incrimination then they could easily offer immunity from anything found on an unlocked device, yet I don’t imagine they’d ever make that offer because it would nullify the reason they are demanding the person unlock the device.

Just because it’s easier to force someone to provide self-incriminating evidence and/or violate their privacy does not mean the police/courts get to ignore the rules against such actions.

Anonymous Coward says:

Re: Re: Re:

If it was really as simple as taking prints then they could take the prints and then turn around and use them on the device if they want, yet they didn’t do so.

Meh. I guess that’s a valid argument. I guess I’m a little too pragmatic for these things. No reason to waste the extra money transferring the prints to a machine readable material when you have the originals.

That One Guy (profile) says:

Re: Re: Re: Re:

I see it as a long-term issue. ‘We can compel someone to provide prints before, what difference does it make to make them provide them in a way to unlock a device?’ might seem fairly minor, but if allowed it will expand.

A little give here, ‘just to save time’, or ‘because it’s a foregone conclusion’ and what’s allowed under the law is widened, ever so slightly. And then a little down the line what’s allowable is stretched ‘just a little more’ and more is allowed. And so on and so forth until you reach a point where the ‘limits’ are little more than ‘guidelines’.

(A good example could be ‘asset forfeiture’. As horribly flawed as it is it started rather small and grew over time. I rather doubt the ones who originally put it into place would have envisioned innocent people losing their houses and having to prove the ‘innocence’ of their property or lose it, yet here we are with government and police agencies throwing fits about the simple requirement for a conviction before property changes hands.)

Rights are very rarely destroyed outright, as that’s obvious and people are more likely to fight back. Instead they suffer small erosion over time. ‘Minor, temporary exceptions’ that bend the laws just a bit, and then the law and/or how it’s interpreted changes and the ‘temporary exception’ becomes the new norm. And then a little while later another ‘minor, temporary exception’ is made, and the cycle continues until you have more ‘minor, temporary exceptions’ than you do the original law, and what is allowed and considered acceptable now has only the faintest similarity with what was allowed and considered acceptable then.

Peter (profile) says:

Coming next: Searching houses does not violate your privacy

With the same reasoning, they can abandon the warrant requirement for searching homes – after all, the keys to the front door are freely available in the accused’s trouser pocket or hand bag, and can easily be retrieved with minimal invasion of privacy and no disclosure of knowledge he might have or to speak his guilt.

Anonymous Coward says:

Re: Re:

I have a 8 digit password. If you just turned the phone off the Fingerprint reader will no longer work until you first enter your passcode. You can power down a phone pretty fast. Once it starts powering down, you can’t just turn it back on or stop the process. Power your phone down before the police have a chance to grab it. If you’re really worried, just don’t use it.

Roger Strong (profile) says:

Re: There's an app for that!

These days most police are using trunked radio systems. They may be sharing frequencies with ambulances, fire, transit, city crews and private companies, using talkgroup IDs to keep the conversations separate.

Digital encrypted trunked systems are increasingly popular, making it nearly impossible to determine which talkgroups belong to which users.

In any case, police would learn of such a system just like everyone else. They could unlock the phone between transmissions, drive the phone and owner a few blocks from the police station, or just weaken the signals by tin-foiling the interrogation from into a Faraday cage.

Anonymous Coward says:

Just need updated unlock features

Unlock with correct finger, get access.
Unlock with the special finger, phone gets wiped.

So when your being interrogated and the cop says “If you cooperate by unlocking your phone, we will put a good word in for you with the DA, maybe get you a plea deal.”

You say “Sure! and proceed to wipe your phone”

mb (profile) says:

Conflating Authorization and Authentication

People often conflate authorization and authentication, but they are very different things. Authentication determines WHO you are. Authorization determines WHAT you are permitted to do.

Biometrics make a great authentication token. It is really difficult (In a properly designed system) to falsify biometric credentials, so when you are authenticated biometrically there is a very low probability of a false positive, and a really good chance that you are the correct person.

Biometrics make a terrible authorization token, because YOU CANNOT CHANGE THEM. Once authorization has been assigned to a biometric is cannot be changed. ever. That’s the whole point of biometrics. They are immutable. But authorization DOES NOT NECESSARILY follow from authentication.
Good authorization tokens are passwords and PINs because they CAN be changed, and there are an infinite number of them. You can assign different authorization tokens to different parts of a system. You can see this when you log in to your computer using one password, check your email with another, and connect to facebook with yet a different password.
Security will always be a trade-off with convenience. Most people can’t be bothered to type different passwords for every application, so they tell the system to cache the passwords, and tie that all back to their primary authentication token, and mobile phone manufacturers are very conscious of this, so it appears that authentication and authorization are the same thing and thus, commonly conflated concepts.

biorpg (profile) says:

Re: Conflating Authorization and Authentication

You can see this when you log in to your computer using one password, check your email with another, and connect to facebook with yet a different password.

I use the same password for my computer as I do my email, bank account, AD domain at work, usenet, obscure and questionable hacking forums, random sites that I create an account to make one post with etc..

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...