Federal Judge Says Compelling People To Unlock Phones With Their Fingerprints/Faces Violates The 5th Amendment
from the surprising-turn-of-events dept
The advent of biometric “passcodes” — fingerprints and facial recognition — appear to be leaving those who choose these methods with fewer Fifth Amendment protections. A handful of courts have ruled fingerprints and faces aren’t “testimony.” Much as officers can collect fingerprints and mugshots without a warrant following an arrest, they can also apply fingers and faces to locked phones to get to the data inside.
But it’s not as simple as some court decisions make it appear. Even passwords can be considered testimonial, as they may indicate ownership of a locked device or compel production of evidence to be used against the device’s owner. The passcode argument has gone both ways in court, which usually comes down to the individual judge’s definition of “foregone conclusion.” Does the foregone conclusion refer to the device’s ownership or the evidence contained in it? The latter is harder to prove, and raising the burden of proof to this level tends to result in courts finding the compelled production of passwords to be a Fifth Amendment violation.
Via Thomas Brewster at Forbes, there’s finally some good news on the biometric security front. A federal judge in California has ruled forcing people to unlock phones using biometric measures is a Fifth Amendment violation.
[I]n a more significant part of the ruling, Judge Westmore declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features.
As the court points out [PDF], when the fingerprint IS the password, the Fifth Amendment is implicated despite these features normally being considered non-testimonial.
The Court finds that utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab, because it differs in two fundamental ways. First, the Government concedes that a finger, thumb, or other biometric feature may be used to unlock a device in lieu of a passcode. In this context, biometric features serve the same purpose of a passcode, which is to secure the owner’s content, pragmatically rendering them functionally equivalent.
The court notes law enforcement is well aware of jurisprudence surrounding device security. In this case, the more time that passed between the seizure of the devices and their compelled unlocking, the less likely law enforcement would be able to evade the Fifth Amendment. Judge Westmore doesn’t find this reasoning acceptable.
[A] passcode is generally required “when a device has been restarted, inactive, or has not been unlocked for a certain period of time.” This is, no doubt, a security feature to ensure that someone without the passcode cannot readily access the contents of the phone. Indeed, the Government expresses some urgency with the need to compel the use of the biometric features to bypass the need to enter a passcode. This urgency appears to be rooted in the Government’s inability to compel the production of the passcode under the current jurisprudence. It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.
The court goes on to say the government had other options to access messages — like approaching Facebook with a warrant — rather than intrude on the Fifth Amendment (and the Fourth Amendment — more on that in a moment), but it chose to do it this way. Just because it’s easier and faster to do it via compelled production doesn’t make it right. In fact, in the court’s eyes, all this effort did was violate the Constitution in multiple ways.
An attempted assault on the Fourth Amendment also occurred in this case. Investigators looking for evidence of extortion via Facebook sought to have every device and person at a residence seized and searched, with every resident compelled to unlock devices found during the search. As the judge points out in the rejection of the search warrant application, the Fourth Amendment requires far more specificity.
This request is overbroad. There are two suspects identified in the affidavit, but the request is neither limited to a particular person nor a particular device.
Thus, the Court finds that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.
This is a far better answer to this sort of request than others we’ve seen. Searching someone’s home and digging through their electronics is one of the scariest powers the government has. The Fourth Amendment is in place to limit these exercises of immense government power to those that are justifiable and necessary. When judges grant overbroad orders, they’re doing more than failing to act as a check against government abuse. They’re normalizing abuse of citizens’ rights via judicial precedent.
Filed Under: 5th amendment, compelled speech, facial recognition, fingerprints, locked phones, passwords, testimony, unlocking phones
Comments on “Federal Judge Says Compelling People To Unlock Phones With Their Fingerprints/Faces Violates The 5th Amendment”
That pesky Bill of Rights…continuing to do it’s job of making the government follow the rules too.
Re: Re:
You sure the BoR is continuing to do its job?
Compare the explicit text of the Fourth Amendment —
— against the following passage from Bailey v US (2013) —
(Citations omitted.)
Cases going back to Terry v Ohio (1968) clearly establish that so-called “detention” means seizing someone. Here in Bailey, though, the court says that a warrant doesn’t have to “particularly“ describe any person — instead, as long as somebody happens to be in just the exact wrong place at the exact wrong time, they can be seized, and it’s all A-OK. Hunky-dory.
You sure the BoR is continuing to do its job?
Re: Re: Re:
“You sure the BoR is continuing to do its job?”
The Bill of Rights…yes, it’s still doing it’s job.
The courts interpreting the Bill of Rights the way they were meant to be interpreted and holding the government to account for failing to repect our rights…not so much.
Re: Re: Re: Re:
From one of the cases cited above, Muehler v Mena (2005) —
But what did the Supreme Court do?
Amendment VII
“A jury … found that Officers Muehler and Brill violated Mena’s Fourth Amendment right.”
So all that’s really the BoR “doing its job” ? A scrap o’ parchment guarantee, honored only in the breach…
I’m told the old, defunct Soviet Union had a very fine set of rights granted to its citizens. On paper. The very best Bill of Rights.
Re: Re: Re:2 Re:
Respondent Mena. Sorry.
As the case caption clearly indicates, “The Court of Appeals affirmed the judgment.” So Mena was not the petitioner in the Supreme Court, but was the appellee in the high court, the respondent there.
Re: Re: Re:2 Re:
So because the courts have failed to uphold the BoR, you want to blame the BoR?
Re: Re:
They will just have to work harder, finding another way to erode our rights.
Re: Re:
This changes little for the Government. They will still continue to play dumb as they step all over your rights.
I don't understand how this works...
Is it still legal for law enforcement to search a device by guessing the passcode?
Furthermore, what if they find a piece of paper that happens to have the correct passcode on it?
Extend this further – can law enforcement use already-obtained fingerprint data to unlock a phone? For example, can they use fingerprints that they have already obtained during booking? Can similar be done with a separate facial scan and 3d reconstruction of their facial features to unlock a phone? What if they already have this information from a prior scan of the suspect’s face?
Where is the line drawn?
Re: I don't understand how this works...
That, at least, won’t work. The technology has been better than that for around a decade now at least, because that’s when I had a unlock-by-face laptop. A friend tried to troll it by taking a picture of my face and holding his phone up to the camera, and it wouldn’t let him in.
If I understand correctly, it checks IR as well as visible light to defeat exactly this sort of attack.
Re: Re: I don't understand how this works...
He did specify "3D reconstruction".
Interesting. That does seem like an obvious step.
I could see this turning into an arms race of sorts, with police (or any other sufficiently well-heeled group attempting to break into phones) coming up with new ways to fool security measures and phone manufacturers coming up with new ways to prevent those measures from working.
Re: Re: I don't understand how this works...
Well yeah, a “picture” isn’t gonna do it, that’s why they use the IR dot projector to detect an actual 3d face.
In any case, I’ve read a number of articles (even in the last year) purporting to have “fooled” a facial scan unlock mechanism, and I’m sure the government will gladly invest in such tech if they can legally use it to unlock devices without forcing said user to do so for them…
The question i’m sort of asking: Can they obtain the necessary data to attempt unlocking the phone independently of forcing the owner to unlock it directly.
Is there really any law that says law enforcement cannot scan your face or take your fingerprints for purposes of “collecting information” and then use that same information later to perform an unlock?
Re: Re: I don't understand how this works...
Except that one could easily troll the last two iterations of iphone facial unlock. Obviously you had a better system in a laptop?
Re: I don't understand how this works...
Yes.
I would expect that would depend on whether they found it during a legal search. At least, it should.
These are interesting questions. I suspect the answer would be "yes, provided they acquired those things legally," but as far as I know none of these questions have been tested in court.
The weaknesses revealed
The weaknesses revealed.
This just illustrates the folly of using bio-metrics to try and replace passwords. Yes, use bio-data for identification, and then use passwords for access. Of course you should use good, not guessable (or brute forceable), passwords.
Re: The weaknesses revealed
That is precisely true. Biometrics should be used as usernames, not passwords.
Officer “Is this your phone?”
Citizen “I choose not to answer that”
Officer “can you Unlock this phone”
Citizen “I choose not to answer that”
I don’t use the bio-metric security(?) features of any phone.
I do not like this decision. I’m afraid it will cause more harm than good, especially is it is overturned, as I suspect it will. I do not buy the argument, that since passwords and fingerprints have the same function, they should have the same protections. Alcohol and cocain have the same function – stimulate the reward system in your brain, yet they are not treated the same.
To use your face or thumb to unlock the phone you do not even have to be conscious. You can be completely brain-dead and it will still work. This decision stipulates that you can testify in a coma. IMO, that’s ridiculous and it will bring this decision down.
Re: Re:
Uh… That’s not what this decision says at all. Not even close.
Re: Re:
I think you may be looking at the idea of "testimony" too concretely. One’s biometric markers being able to unlock a device would be considered, I believe, a "testimonial action" in the sense that it speaks to ownership/control of the item; whether you’re conscious or not when (e.g.) your fingertip passes over a scanner is immaterial.
Re: Re: Re:
I look at it as a puzzle – can I solve it and not get in trouble. And then there’s question: how much of their operational techniques do Police have to divulge at trial? They have the information already – the fingerprints and the mugshot (adding IR channel to it wouldn’t be a big deal). How much of a parallel construction can they get away with? Is “Oh, we have this special software – you put in all the information about the subject in and it unlocks the phone” good enough?
So if not overturned this decision will create incentives to cheat.
Re: Re: Re: Re:
Paraphrase of your posts:
“All these pesky rules are hard to follow, and the courts enforcing them gives police incentive to cheat. I’d prefer the courts just let the police search whatever they want legally, so they won’t cheat.”
That’s some bass-ackwards logic there, sir.
Re: Re:
Alcohol and cocaine are not constitutionally protected under the BOR.
This ruling has no effect on the most likely place you’ll be asked to unlock your phone: at the border.
That’s why anyone traveling outside the country needs to set a manual password, and be aware that in every airport there are cameras looking at you from all directions at all times, so even refusing to give out your password might make no difference in the end if you’ve previously keyed in your password in the airport.
Re: Re:
One thing that worried me with the distribution of socalled Obama phone was technically the phone was US Government property. Would that open the door for government officers to force you to grant access as you are not the owner. Also they could install surveillance technology at leisure before shipment, given they specify what is loaded on the phone in the governments contract vehicle.
I am not so worried about being challenged when entering the US, but when entering another nation state. There rules and protections can vary widely and may be radically different for a non-citizen in their empire.