When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?

from the a-non-testimonial-appendage? dept

FBI Director James Comey is still complaining about encryption but it doesn't seem to be preventing law enforcement from accessing devices. To date, law enforcement has paid hackers to break into a phone, had an iPhone owner suddenly "remember" his password, seen a person jailed for 7 months (so far) for refusing to provide a password and, now, a law enforcement agency has used a warrant to force a suspect to unlock an iPhone using a fingerprint.

[A]uthorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.
The mostly-unanswered question is whether this violates the Fifth Amendment by forcing a person to provide evidence against themselves. (Not that due process was at the forefront of law enforcement's mind in this case. Or the magistrate judge's either. Jonathan Zdziarski points out the warrant was obtained within 45 minutes of the suspect being arrested -- not even enough time to bring in a lawyer.) While the law allows police to collect data from detained individuals -- including fingerprints -- it doesn't say much about physically applying someone's finger to their phone to unlock its contents.

The concern that fingerprint "passwords" would be less insulated against court orders and warrants was brought up here more than two years ago, shortly after Apple announced the new security feature. Biometric data isn't something anyone "knows" that could be considered "testimonial." It simply is an indicator of who you are, which courts have held isn't covered under Fifth Amendment protections against self-incrimination.

The additional concern is that law enforcement may have also used this Fifth Amendment workaround to obtain information on a separate suspect. The LA Times article adds these details to the general murkiness:
Why authorities wanted [Paytsar] Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan's boyfriend and a member of the Armenian Power gang with the moniker of "40." Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.
Bkhchadzhyan was arrested and pled no contest to one count of identity theft. But the US Attorney's comment seems to imply law enforcement was looking for more than just evidence on Bkhchadzhyan when it searched the phone. If so, it raises even further questions about the constitutionality of this particular warrant, which may have forced this suspect to provide evidence against someone else.

The only prior case to raise this issue isn't very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers "testimonial" and what is merely providing access.
In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one's mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.
But does that line even exist? It's difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple's Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these "keys" in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.

It's not like withholding passwords will work in all cases either. Those who aren't jailed for contempt of court may instead find judges deciding that providing a password to law enforcement isn't a "testimonial" act on its own. The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their "foregone conclusion" justifications. After all, if a locked device didn't contain evidence of criminal activity, any "reasonable" person would have provided a password without hesitation.

It's a stretch of an argument though -- considering the prosecution needs to provide evidence it knows the stuff it's looking for resides on the devices, which is something extremely difficult to prove when the device is fully encrypted.

The limits of the Fifth Amendment's protections against self-incrimination are far from clearly defined when it comes to encrypted devices.. This leaves the security question in the hands of each individual user. Your choice of security method depends on who you're more worried about having access to your phone. If it's phone thieves, then a fingerprint might do. But if it's the government, use a password.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 5 May 2016 @ 9:47am

    The more I see where this country is headed, the more I don't want anything more to do with digital technology of pretty much any kind. (and I say this, having been in the IT industry for the last 20 years)

    I guess I have a yearning for the olden days, when the screws would just beat the info out of me with truncheons and brass knuckles.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2016 @ 11:32am

      Re:

      when you see you're country that you love sliding wholeheartedly into a police state. You can either emigrate or try and weather out the decades of citizen opression and murder that tends to happen.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2016 @ 7:12pm

      "Foregone Conclusion"

      After all, if a locked device didn't contain evidence of criminal activity, any "reasonable" person would have provided a password without hesitation.

      By that logic, if a home didn't contain evidence of criminal activity, any "reasonable" person would provide permission for warrant-less searches without hesitation.

      Yeah, I don't think so. That's quite a stretch.

      reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 5 May 2016 @ 9:48am

    Bkhchadzhyan? How is that pronounced? What in the world is your mouth supposed to do with B-K-H-CH with no vowels between them?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 10:01am

    Laws about this

    I think someone should try bringing in the Anti-Circumvention laws. Isn't it illegal to bypass protection on a device you don't own? If I call it "DRM" instead of encryption, do I suddenly get more rights?

    reply to this | link to this | view in chronology ]

  • icon
    limbodog (profile), 5 May 2016 @ 10:01am

    duh

    This is why a fingerprint *should not be* a password, it should be a userid.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 10:06am

    Though honestly, if multiple random people on the internet can trick fingerprint readers with printed fingerprints, you'd have to think the FBI could do the same.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 10:09am

    The problem is the prosecutors had an easy argument "we've always been able to collect fingerprints so why not now, too?!", while defense lawyers have had weak arguments and didn't say stuff like "but the fingerprint is not just for identification now, it's to get access to all of our lives' data, so clearly it's not the same?"

    Defense lawyers need to smarten up.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 5 May 2016 @ 10:18am

    The line exists.

    The question is if the line should exist, I think.

    So long as our laws are so numerous that it's impossible to know or follow them, so long as law enforcement can arrest people for what they imagine to be crimes, so long as prosecutory discretion allows officials to choose to convict some people and not others arbitrarily, I say the individual citizen needs all the protects it can get.

    In the meantime you never want a part of your body worth more to someone than you are.

    reply to this | link to this | view in chronology ]

  • identicon
    Scote, 5 May 2016 @ 10:18am

    They can already get fingerprints, DNA, hair and blood...

    With a warrant there is really no question of whether they can compel a fingerprint. They already have the right to book you and fingerprint you - no warrant needed. They can get warrants to force you to give up a DNA sample, blood samples, hair samples. They can get warrants to x-ray your body for drugs. They can give you laxatives and make you use an evidence collecting, nonflushing toilet. Fingerprints for a cell phone? Bah, that horse left the barn before cell phones were even invented.

    So, the lesson is don't use just biometrics for critical security. Things you can't change and can't insure control over are not sufficient to insure that only you or people you willingly authorize will have access.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 10:19am

    Plausible Deniability

    I do not see providing a fingerprint and different than a DNA/Blood/Stool/Whatever sample.

    If you have secrets you want to keep private don't use biometrics/physical keys/etc to protect them.

    Forcing someone to give up a password is wrong. First you can't prove they remember it and 2nd you can't force someone to testify against themselves. Attempting to force someone to reveal knowledge that they can plausibly deny having any knowledge of is wrong.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2016 @ 11:36am

      Re: Plausible Deniability

      Actually, with iPhones, fingerprints ARE plausible deniability. Simply present a print that you know won't work until the print scanner is locked out. Then say that you've forgotten the password after mis-entering it a few times.

      Both of these are reasonable, and they can't prove intent here.

      reply to this | link to this | view in chronology ]

  • icon
    Todd Shore (profile), 5 May 2016 @ 10:25am

    Of the mind

    A fingerprint may not be "of the mind" and may not ultimately have protection, however the knowledge of which finger was used and the orientation of that finger is.

    Come on girl, hold up your ten fingers and say "here".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 10:25am

    What most people keep forgetting is that your fingerprint is not constitutionally protected. By using your fingerprint to lock your cellphone, you open yourself up to being forced to unlock your cellphone. This is different than a passcode.

    reply to this | link to this | view in chronology ]

    • icon
      Richard (profile), 6 May 2016 @ 3:42am

      Re:

      heat up a hotplate to about 200C.
      Place finger on hotplate.
      (go straight to hospital - but your phone is now locked forever)

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 6 May 2016 @ 11:09am

        Re: Re:

        Dillinger tried this in efforts to obfuscate his fingerprints. (Though he used acid, not a hot-plate)

        The results were temporary. They grew back.

        reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 6 May 2016 @ 10:30am

      Re:

      You don't even have to be forced to provide a fingerprint. It's reasonably easy (but not always trivially so) to unlock those phones using a latent print lifted from something you've touched.

      Fingerprint authentication is a terrible idea on all fronts. It's not very secure, it can't be easily changed or revoked when desired, and you can suffer many kinds of injuries that will alter your prints.

      reply to this | link to this | view in chronology ]

  • identicon
    Quiet Lurcker, 5 May 2016 @ 10:29am

    Is it a testamonial act?

    Heck yes!

    By unlocking the device - no matter the method used - you are implying that you had control over or authority to use the device and by extension, what was or was not on that device.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 5 May 2016 @ 10:34am

      Re: Is it a testamonial act?

      The state refuses to be governed by what it's allowed to do.

      The state is only governed by what it can do.

      That said, yes, a phone opened by compulsion without a specific warrant should be inadmissible for any reason.

      Not that we can expect that to happen in this society.

      reply to this | link to this | view in chronology ]

      • icon
        Derek Kerton (profile), 5 May 2016 @ 11:17am

        Re: Re: Is it a testamonial act?

        "The state refuses to be governed by what it's allowed to do.

        The state is only governed by what it can do."

        ^ So much this. They see tech development as specifically FOR them.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 May 2016 @ 11:20am

        Re: Re: Is it a testamonial act?

        That said, yes, a phone opened by compulsion without a specific warrant should be inadmissible for any reason.

        It's a good thing they got a warrant then, isn't it?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 5 May 2016 @ 11:40am

          Re: Re: Re: Is it a testamonial act?

          Ah, but the get a warrant to actually search the phone, which is a different issue from compelling an unlock.

          reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 5 May 2016 @ 2:37pm

          Re: Re: Re: Is it a testamonial act?

          Yeah, I betcha it's not a specific one.

          Such as a warrant to get a specific contact, not a warrant to search her email archives for something with which to incriminate her.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2016 @ 1:04pm

      Re: Is it a testamonial act?

      No, it isn't a testimonial act.

      The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone - they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.

      If her fingerprint does in fact unlock the device - well, perhaps that's evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it's pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.

      Demanding a password is different; complying with that means admitting that you know what the password is. The woman here doesn't have to admit she knows anything about the phone, just like someone with their prints on a gun doesn't have to admit they know anything about the gun. Also, with fingerprints there's not a problem like there is with a password where the person may legitimately not know (or remember) the password - if her fingerprint doesn't unlock the device, that's that.

      reply to this | link to this | view in chronology ]

      • identicon
        Quiet Lurcker, 5 May 2016 @ 2:42pm

        Re: Re: Is it a testamonial act?

        No, it isn't a testimonial act.

        The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone - they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.

        >>>I'm not addressing the matter of whether she has a fingerprint or whether she knows how to unlock the phone.

        If her fingerprint does in fact unlock the device - well, perhaps that's evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it's pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.

        >>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device. Fingerprints on a murder weapon - or anywhere at a crime scene - are a straw man fallacy for this discussion.

        Demanding a password is different; complying with that means admitting that you know what the password is.

        >>>Yes and no. The fingerprint acts as a password here. In either case, the means of unlocking the device is being demanded.

        The woman here doesn't have to admit she knows anything about the phone, just like someone with their prints on a gun doesn't have to admit they know anything about the gun.

        >>>Straw man fallacy again.

        Also, with fingerprints there's not a problem like there is with a password where the person may legitimately not know (or remember) the password - if her fingerprint doesn't unlock the device, that's that.

        >>>Not knowing does not equal not remembering.

        >>>Please remember here. We are talking about a woman being ordered to unlock a device. It doesn't matter how the device is locked. It only matters that a) the device is locked; b) the cops think (or perhaps know) she has the means to unlock it; and c) the cops want the device unlocked. By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device; she is, in effect, saying 'I use or can access this phone' by unlocking for the cops or anyone else.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 5 May 2016 @ 8:26pm

          Re: Re: Re: Is it a testamonial act?

          >>>By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device;

          >>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device.

          Yes, if your fingerprints can unlock the device, that's evidence that you have some control over the device. Just like if your fingerprints are on the outside of the device, that's evidence that you had some contact with the device. How is that a straw man?

          Why does it matter whether the fingerprints are on the outside of the device, or in the software?

          reply to this | link to this | view in chronology ]

          • identicon
            Quiet Lurcker, 6 May 2016 @ 5:29am

            Re: Re: Re: Re: Is it a testamonial act?

            The presence of fingerprints on the murder weapon in themselves are not evidence that the person who handled the weapon committed the crime. Place the weapon at a murder scene, add the fingerprints to the weapon, and you still only place the person at the crime scene. There's still no evidence that the person pulled the trigger OR that they intended to do so even if they did.

            Here, the cops are arguing that the phone contains direct evidence - maybe pictures, maybe notes, maybe messages - that show that she was involved in the commission of crimes. They're looking for the equivalent of a video recording or pictures of the woman pulling the trigger.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 6 May 2016 @ 9:42am

              Re: Re: Re: Re: Re: Is it a testamonial act?

              The presence of fingerprints on the murder weapon in themselves are not evidence that the person who handled the weapon committed the crime.


              It absolutely is "evidence"; that's going to be Exhibit A. It's not "proof", though. She can argue the gun was planted. Just like she could argue her fingerprint was planted or the content on the phone was planted.

              Here, the cops are arguing that the phone contains direct evidence - maybe pictures, maybe notes, maybe messages - that show that she was involved in the commission of crimes.


              Well, in THIS case it's unclear - they most likely want information on her gang member boyfriend. But I admit that doesn't matter much, since they COULD use it against her. One way they could solve this is to give her immunity, but they don't want to do that, so it's perfectly logical for her to assume they'd use it against her.

              You seem to think that you can't be forced to provide the means to unlock something that contains evidence against you. But under current law, you absolutely can. If the key to a strongbox is around your neck, the police can take that key from you and unlock the strongbox. If you've swallowed the key, they can use doctors to forcibly get it out of your body one way or another. And if your finger is the key to your smartphone, they can use that finger to unlock your it.

              What they can't make you do is admit that you know HOW to open the thing. Because that would be an actual admission. And if your fingerprint unlocks a phone, that might be evidence that you're connected to the phone, but it's not an admission of anything - maybe someone put your finger on the phone while you were asleep.

              reply to this | link to this | view in chronology ]

  • icon
    Derek Kerton (profile), 5 May 2016 @ 11:16am

    Crappy Workaround

    As long as our rights are being "reinterpreted" by the courts, you can do this:

    Use an unusual finger for your phone's lock.
    Set the "lock after x unsuccessful attempts" to 3
    Then have it fall back to a password

    When compelled by the court, use the wrong fingers three times. Oops, sorry, FBI. My bad. Problem solved.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 11:24am

    The thing is, your identity has never been something protected by the fifth amendment. Remember, confirming your identity already opens up a lot of potentially incriminating evidence. After all, without it they can't grab your phone and internet histories from your providers, locate your house to search it, contact your friends/family/employer, pull up your financial records, or a whole host of other things. And despite all of this very clear potentially incriminating info that is only accessible after you are identified, you can't refuse to identify yourself when ordered to.
    And fingerprints are, while very convenient, a method of identification. There's a reason why "something you are" is less popular as a security paradigm than "something you have" and "something you know." It's the only one that you don't actually have any control over (both legally and practically).

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 11:26am

    You have laws protecting citizens rights and law agencies that ignore those same laws to harass and intimidate citizens.

    So in effect you have no laws, only goons with badges and guns

    reply to this | link to this | view in chronology ]

  • identicon
    Brian C, 5 May 2016 @ 11:57am

    “The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their "foregone conclusion" justifications. After all, if a locked device didn't contain evidence of criminal activity, any "reasonable" person would have provided a password without hesitation.”

    It is a serious mistake for anyone to conflate a choice with an obligation. A person is afforded the Rights recognized by our Bill of Rights first. This being the case, waving such rights cannot ever be an obligation of a citizen. To think otherwise is a fast track to a Police State that cares not a wit for the Constitution of this country.

    reply to this | link to this | view in chronology ]

  • icon
    R.H. (profile), 5 May 2016 @ 12:07pm

    I'm Thinking Tasker

    If there's not already, I want a Tasker (for Android) plugin that uses the fingerprint scanner to determine which finger you used to unlock the device. You'd be able to set it so that specific fingers will perform an action other than unlocking the device. My personal preference would be powering it off. Android devices (I think iOS devices do this too) require the actual PIN to be typed on powerup for decryption before accepting a fingerprint to unlock the lock screen. That way, I can have the ease-of-use of fingerprint unlock but, the safety of my PIN in case of compulsion.

    Of course, one could have a fingerprint set to factory reset but, I wouldn't want to deal with the legal consequences of a destruction of evidence charges.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 May 2016 @ 12:56pm

      Re: I'm Thinking Tasker

      There's no destruction of evidence by you unless the court specifically directs that you unlock the phone. If you just have to provide your fingers, you compliantly hold your hand out and let the police officer press the finger of their choice on the phone.
      If you're being forced to tell them, "No not that finger.", or "Turn the finger sideways first", then there is a 5th amendment issue.

      reply to this | link to this | view in chronology ]

  • icon
    Richard (profile), 5 May 2016 @ 12:12pm

    Simple technical fix

    There is a simpe technical fix for this.

    Two passwords.

    Password 1 - your real data is decrypted.

    Password 2 - your real data is wiped and replaced by an "innocent" substitute.

    Modern devices generally have enough spare space for both.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 5 May 2016 @ 2:38pm

      Re: Simple technical fix

      The going version of this is encryption that looks like garbage in unused data sectors.

      That way there's plausible deniability that it's actually data.

      reply to this | link to this | view in chronology ]

  • icon
    mb (profile), 5 May 2016 @ 3:14pm

    Unchangeable Password?

    Why would anyone ever consider having an unchangeable password? Stupidest idea ever!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 May 2016 @ 11:11pm

    after seeing a case where it appeared to me shit was planted on someones pc I will never give up a key password ever, and there will be no auto mounting of usb devices ever again

    reply to this | link to this | view in chronology ]

  • icon
    darren chaker (profile), 6 May 2016 @ 12:38am

    Giving the 5th Amend the Finger

    I actually wrote a post about this topic, http://consenttosearch.com/site/fingerprint-and-fifth-amendment/ The law is well established a person must provide a handwriting exemplar, voice exemplar, and other non-testimonial things to police. Now, due to technology, people enjoy swiping the finger in lieu of using a PW. I know of a couple of cases that said yes, and one that said no. There's a case pending in the 9th Circuit now on this issue. I see it as, police cannot force you to provide the key to your house where you a stolen radio at, but they want you to use your finger to open up a secure phone so they may incriminate you with the contents? For now, I suggest the obvious - take the .05 second to enter in a PW, and do not use your finger for anything less that things you enjoy using it for, since we do not need the government to tell us where to put it!

    reply to this | link to this | view in chronology ]

  • icon
    btr1701 (profile), 9 May 2016 @ 9:47am

    Counsel

    > Not that due process was at the forefront of law
    > enforcement's mind in this case. Or the magistrate
    > judge's either. Jonathan Zdziarski points out the warrant
    > was obtained within 45 minutes of the suspect being
    > arrested -- not even enough time to bring in a lawyer.

    WTF? Due process has *never* required the police wait to apply for a warrant (or the judge to wait to grant one) until the subject/defendant's lawyer shows up at the warrant application hearing.

    In fact, that almost *never* happens.

    reply to this | link to this | view in chronology ]

  • icon
    btr1701 (profile), 9 May 2016 @ 9:52am

    Incrimination

    > If so, it raises even further questions about the
    > constitutionality of this particular warrant, which may
    > have forced this suspect to provide evidence against
    > someone else.

    That's actually less of a constitutional issue. While you do have a 5th Amendment right against self-incrimination, absent something like spousal privilege-- which isn't a constitutional issue-- you have *no* right whatsoever to be free from incriminating others. If you have evidence that can be used to help the government's case against someone else, you can be compelled to provide it. Period. And nothing in the Constitution protects you from that.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Math Is Not A Crime
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.