Feds Finally Get Around To Using Someone's Face To Unlock Their Cellphone

from the FaceTime:-FBI-Edition dept

The only surprise about this is that it took this long to happen.

A child abuse investigation unearthed by Forbes includes the first known case in which law enforcement used Apple Face ID facial recognition technology to open a suspect's iPhone. That's by any police agency anywhere in the world, not just in America.

It happened on August 10, when the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. With a search warrant in hand, a federal investigator told Michalski to put his face in front of the phone, which he duly did. That allowed the agent to pick through the suspect's online chats, photos and whatever else he deemed worthy of investigation.

This won't become a Fifth Amendment test case for several reasons.

First, Michalski apparently consented to the search by using his face to unlock the phone. If this was as voluntary as it appears, it pretty much eliminates a Constitutional challenge.

Beyond that, it's unlikely a court would find someone's face testimonial. For the most part, courts haven't found fingerprints to be testimonial, even if the application of a fingerprint leads directly to the production of evidence to be used against the phone's owner.

The "foregone conclusion" argument would only require law enforcement prove the phone belongs to the person they're asking to unlock it -- information easily acquired with a subpoena from the service provider.

Even if all these hurdles could be jumped, actions taken by the investigating agent pretty much eliminated any evidence the defendant might have challenged, as Forbes' Thomas Brewster reports.

Whilst Knight may've found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.

In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information at speed than can be done manually, need the iPhone to connect to a computer.

It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.

Michalski's lawyer confirms in a comment to Forbes there's been no evidence produced from the unlocked iPhone, leaving him nothing to challenge in court.

Even if this case is a wash in terms of Constitutional challenges, that doesn't mean the status quo will remain unchanged as more phone manufacturers move towards biometric-based security features. Courts may recognize -- as they have with smartphones and cell location data -- that old assumptions about privacy and presumed government access are no longer valid in a world almost wholly reliant on portable devices filled to the brim with personal data and documents.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    ECA (profile), 2 Oct 2018 @ 12:06pm

    Ummm, Ya?

    I said it before..
    USE something that cant be duplicated, EASILY..
    Use your hand over your face to create a different pattern..
    IF the program is GOOD, and works properly...It will KNOW what you did..

    reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 2 Oct 2018 @ 2:48pm

      Re: Ummm, Ya?

      Exactly. If you have any desire for privacy, for God's sake use something testimonial as your unlock token.

      reply to this | link to this | view in chronology ]

    • icon
      Dukrugger (profile), 3 Oct 2018 @ 4:28pm

      Re: Ummm, Ya?

      You can always disable faceID or touchID so it can be unlocked only with a passkey or even a long alphanumeric password but people prefer convenience over security, only "paranoids" and "people who have something to hide" do otherwise.

      reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 2 Oct 2018 @ 12:07pm

    It's cardboard security like fingerprints. Sure it is pretty easy to use but if you really want security set a password and stick to it. Any serious, conscious criminal will avoid using it.

    reply to this | link to this | view in chronology ]

  • icon
    zarprime (profile), 2 Oct 2018 @ 12:38pm

    I have a stupid question...

    So the whole problem is that a face or a fingerprint, or even a passcode on a phone isn't "testimony" and so the 5th Amendment doesn't factor in. So what happens if my passphrase for unlocking my phone is "I robbed a bank"? I suppose if they let me type it in and didn't see what it was then it wouldn't be an incriminating statement, but what if I had to say it aloud, or if they wanted to type it in themselves (so I couldn't do it incorrectly several times and lock up the phone)?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Oct 2018 @ 1:03pm

      Re: I have a stupid question...

      Because a password is just a password and NOT a statement even if its appearance is equivalent to that of a statement.

      If you want protection from decryption orders by a judge you must introduce a system before hand that automatically destroys data as part of its regular every days cycle.

      For example, require that a USB key you posses be presented to an encrypted system at least once per day or it changes encryption keys regardless of if it is attached or not. Justice works slowly you will be in jail and if your system AND encryption device changes keys apart from each other then you are safe.

      Like a dead mans switch. As long as this process is enshrined in your daily routine then you are free of criminal charges of evidence tampering unless such evidence already meets laws the require you to keep it for x amount of time. It is not your fault if the police throw you in jail preventing you from performing the daily requirement of key encryption recovery.

      Not only that but you should most certainly keep a shadow partition filled with even more critical data so that nothing looks amiss under forensic scrutiny. There are many ways to keep your data secure. Fake profiles is one simplified example of this.

      reply to this | link to this | view in chronology ]

      • icon
        Bergman (profile), 2 Oct 2018 @ 2:52pm

        Re: Re: I have a stupid question...

        You could also use a longer password, and if you're feeling cute, make it a confession to what you are trying to hide. A password of "BlueFlower013" is not testimonial. But securing evidence of an armed robbery behind "I committed robbery on that day at that time against that person" is a confession to that crime.

        Any confession is testimonial.

        reply to this | link to this | view in chronology ]

        • icon
          ECA (profile), 3 Oct 2018 @ 11:56am

          Re: Re: Re: I have a stupid question...

          Could also use...
          multiple passwords..1 open the phone, the other simple ones, Erase data..corrupt the phone..

          Or open different sections of the phone, safe, and Private sections..

          dongles are nice, but dongles get lost. OR left in the device.

          What would be Neat, is a skin tag, that has a mag signature to open the phone..and only YOU know on what part of the body to use it.

          reply to this | link to this | view in chronology ]

  • icon
    Nathan F (profile), 2 Oct 2018 @ 1:33pm

    So in a future case, what exactly is stopping the police from sitting a suspect down, holding the phone up to get his face to unlock it and then proceeding. The suspect doesn't have to do anything, just sit there (unlike swiping his finger over a sensor). If providing a biometric like a fingerprint or face isn't testimonial would there even be a 4th or 5th amendment breach?

    reply to this | link to this | view in chronology ]

  • icon
    Michael Long (profile), 2 Oct 2018 @ 2:01pm

    Protection

    For those unaware, on the new iPhone OS's, squeezing the sleep/wake button and the lower volume button for a couple of seconds will lock the phone such that a passcode is required to open it.

    If at all possible, I'd do this before (or while) having to hand the phone over, and I'd definitely do it before hitting a TSA or Homeland security checkpoint.

    It's gotten to the point where some people recommend traveling with a burner phone that has a minimum amount of personal information contained within it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Oct 2018 @ 2:28pm

      Re: Protection

      Lots of folks have pointed this option out but IMHO the execution of the act will be hit or miss.

      I get where Apple was going with how Face-ID works. The camera catches your eyes, recognizes your face and unlocks the phone in next to no time, that's pretty handy. Just the execution wasn't well thought out.

      The 'Fix' should be to add a voice command prompt to complete the unlock. Nothing extraordinary, just the basics: Open/Unlock; Shutdown/Restart; SOS; LOCK. If I were Apple I'd probably throw in voice print recognition to the owner just for an extra layer of security.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2018 @ 2:55pm

    In the past, facial recognition was easily circumvented by use of a portrait. Has it gotten any better?

    reply to this | link to this | view in chronology ]

  • icon
    Aaron Walkhouse (profile), 2 Oct 2018 @ 5:42pm

    I've got a pair of "Clark Kent" glasses…

    …so if I have to put them on to activate a phone I have
    effectively disarmed Big Brother yet again; particularly
    because I carry dissimilar reading glasses by necessity. ‌‌‌‌ ; ]

    reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 2 Oct 2018 @ 9:25pm

    Submission versus consent

    First, Michalski apparently consented to the search by using his face to unlock the phone. If this was as voluntary as it appears, it pretty much eliminates a Constitutional challenge.

    Was it truly consent? Or just submission to authority?

    When held at gunpoint by a mugger and one voluntarily gives over one's money, that does not imply consent.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 3 Oct 2018 @ 6:07am

      Re: Submission versus consent

      Nonsense, what possible coercive element could there be in an FBI investigator showing up at your house and telling you to do something?

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 3 Oct 2018 @ 3:06am

    How is this still a thing?

    A physical feature like a face, eye or fingerprint should only ever be used as a form of user name, never as a password. At most presenting a face to the camera should identify which account on it the person is requesting access to, it should not unlock the account/device itself.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Oct 2018 @ 7:26am

      Re: How is this still a thing?

      Exactly. Everyone should be using 2 factor authentication which is something you have (face, fingerprint, retina, user name) and something you know (password).

      reply to this | link to this | view in chronology ]

  • identicon
    Digitari, 3 Oct 2018 @ 9:44am

    #changepassword

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Close

Email This

This feature is only available to registered users. Register or sign in to use it.