Massachusetts Judge Says ATF Can Apply A Suspect's Fingerprints To Unlock An IPhone

from the five-finger-Fifth-Amendment-discount dept

It looks like a passcode still beats a fingerprint when it comes to securing your info. Maybe not from criminals, but definitely from the government. Lisa Vaas of Naked Security reports the ATF has received permission from a federal judge to apply a suspect's fingerprints to a phone to unlock it.

[T]he document, issued on 18 April, Massachusetts federal district judge Judith Dein gave agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) the right to press a suspect’s fingers on any iPhone found in his apartment in Cambridge that law enforcement believes that he’s used, in order to unlock the devices with iPhone Touch ID.

The warrant [PDF] authorizes ATF agents to "press the fingers (including the thumbs)" of suspect Robert Brito-Pina to the "Touch ID sensor of any Apple cellular phone" recovered during the search. Brito-Pina is suspected of buying and selling weapons -- neither of which are permissible given his felon status. The ATF apparently believes evidence of this will be found on Pina's iPhone.

There doesn't appear to be any limit on how many fingers the ATF can use to unlock the phone. The warrant says only that officers will decide which fingers to apply. Presumably, that means all of them (including thumbs), since there's no language limiting officers to a certain number of finger applications. The only thing preventing every finger from being applied during the search is the iPhone itself, which will require a passcode after five wrong fingerprint applications.

The phone's nexus is established pretty thoroughly in the warrant application, which much of the sting operation using an arrestee-turned-informant being carried out via text messages. The government moved to unseal the warrant five days after applying for it, suggesting it has already executed this warrant.

The weird thing about the warrant application, which thoroughly details the sting operation and the ATF's surveillance of the suspect, is it appears the swearing agent isn't actually sure Pina owns an iPhone.

Given the popularity of Apple brand devices, I believe it is likely that I will find Apple brand devices such as an Apple iPhone at the Target Location.

And, despite authorizing the agents to only use Pina's finger to unlock any recovered iPhones, the warrant still contains boilerplate stating agents may demand fingerprint applications from anyone at the searched residence.

In some cases, it may not be possible to know with certainty who is the user of a given device, such as if the device is found in a common area of a premises without any identifying information on the exterior of the device. Thus, it will likely be necessary for law enforcement to have the ability to require any occupant of the Target Location to press their finger(s) against the Touch ID sensor of the locked Apple device(s) found during the search of the Subject Premises in order to attempt to identify the device's user(s) and unlock the device(s) via Touch ID.

This case likely won't budge the needle on the Fifth Amendment question. At least, not yet. If Pina wants the evidence gleaned from the iPhone suppressed (assuming there is an iPhone), there may be further discussion of this crucial issue in the future. Most judicial decisions on the use of biometrics to unlock devices have sided with government, asserting that faces and fingerprints are "non-testimonial," even if they're the gateway to plenty of evidence that will be used against the defendant. But there have been a few judges who've taken contrary stances, so the issue is far from settled.

Filed Under: 4th amendment, 5th amendment, atf, fingerprints, massachusetts, search, unlock


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 3 May 2019 @ 9:36am

    Fishing expedition, they brought the bait, but the wrong hook

    If the text messages came from and ATF informant, then they already have both parts of the conversation, are they looking for other conversations?

    If the Iphone belongs to someone else, why is Robert Brito-Pina being charged? If the Iphone belongs to someone else, how can they assert that Robert Brito-Pina used it?

    Makes one wonder what that Federal Judge was thinking. Presumably the warrant was sufficiently detailed as to what they were looking for, but the nexus between the stated defendant and phone seems very tenuous.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 May 2019 @ 9:38am

    This just reinforces the assertion that you should never use biometrics for securing your devices. Stick with passwords/passcodes.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 May 2019 @ 11:34am

      Re:

      Who but a criminal would use a passcode instead of biometrics? Just like those deviants that encrypt thier e-mail, I say.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 3 May 2019 @ 9:50am

    Is it normal to be able to include anyone at a target residence to be part of a warrant even if they are not a suspect?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 May 2019 @ 10:19am

    Wouldn't it be nice if you could configure your phone to perform different actions in response to different fingerprints?
    Right index finger: insta-brick.
    Left thumb: set the volume to max and play an audio clip featuring an air raid siren and a voice screaming "Hijacking in progress! Hijacking in progress!"

    reply to this | link to this | view in chronology ]

    • identicon
      Baron von Robber, 3 May 2019 @ 10:24am

      Re:

      Or better yet, something like TrueCrypt.
      Enter one code, you get a dummy version of your phone.
      Enter another, you get your real version of your phone.

      And then maybe a third code, phone = brick.

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 3 May 2019 @ 12:22pm

        Plausible deniability

        The nice thing about having a dummy partition is that it provides plausible deniability, in case a court forces a person to unlock their phone for law enforcement.

        Or law enforcement decides to use the $5 wrench approach.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 May 2019 @ 11:10am

      Re:

      Or better yet, don't use bio-metrics to lock your phone. Use a strong pass-code and don't worry about the malleable laws used to circumvent your right to privacy.

      reply to this | link to this | view in chronology ]

      • icon
        Bamboo Harvester (profile), 3 May 2019 @ 12:23pm

        Re: Re:

        Better yet, don't discuss or text incriminating evidence on your phone.

        Even better, don't CARRY what is THE best tracking and spying device ever created.

        As I've told my wife repeatedly, Facebook will survive half a day without her input.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Hero, 3 May 2019 @ 11:56am

    I am a resident of The People's Republic of Cambridge in Massachusetts Oblast.

    I thought we were supposed to be hippy-commies. This is the reason why people jokingly refer to Cambridge, MA as The People's Republic of Cambridge.

    This ruling doesn't sound very hippy-commie to me. I'd like to sit down and chat with this judge at one of our many artisan coffee shops or one of our organic, vegan delis.

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 3 May 2019 @ 12:34pm

      The People's Republic of Cambridge

      China is unapologetically the People's Republic of China

      North Korea is, unsarcastically the Democratic People's Republic of Korea or DPRK

      Congo is the Democratic Republic of the Congo

      East Germany when it was behind the iron curtain was the German Democratic Republic

      What were you guys thinking?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Hero, 3 May 2019 @ 12:52pm

        Re: The People's Republic of Cambridge

        That's why I dubbed us hippy-commies.

        We were the first city/town in MA to ban plastic bags for all retail establishments that provide a bag to a customer. They actually call it BYOB: bring your own bag.

        Though I've never been to North Korea, my guess is that Cambridge has a different vibe than the DPRK. Do the citizens of DPRK have two Whole Foods within a mile from their homes?

        I certainly did not come up with the nickname of The People's Republic of Cambridge. I'm only responsible for the "Massachusetts Oblast" I stuck at the end for fun.

        I don't even see this ruling as a loophole or run-around the 5th Amendment. I see it as a gross violation of it.

        reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 3 May 2019 @ 5:27pm

          Hippy-commies

          Being an old and self-identified San Franciscan. Cambridge sounds delightful. I now live two hours away in the basin and one of the things I most miss are the non-franchise cafés.

          I was just noting that nations that call themselves people's republics include the worst offenders of crimes against humanity. It was an attempt at humor.

          reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 3 May 2019 @ 12:26pm

    Does the iPhone software compensate for obtuse angles?

    If you unlock your phone with your left thumb at 90°, will the iPhone still unlock if you try it straight up?

    Given the five-tries limit, utilizing an obtuse angle as well as a fingerprint might improve the odds.

    reply to this | link to this | view in chronology ]

    • icon
      Cynyr (profile), 4 May 2019 @ 8:59pm

      Re: Does the iPhone software compensate for obtuse angles?

      If it's anything like the finger print reader on my android phone, then yes it will compensate for any angle you use.

      reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 3 May 2019 @ 12:29pm

    General non-specific warrants

    It's disconcerting, and lowers confidence in the DoJ being actually interested in justice when they have warrants to seize all phones at a venue for any of them to be unlocked.

    Phones belonging to non-suspects should have to require separate warrants.

    At least that's how I ascertain it should work according to Law and Order or Dragnet. Otherwise it looks like law enforcement is fishing for warm bodies to fill private prisons and property to loot via forfeiture.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 May 2019 @ 1:25pm

    At least this action by the ATF requires a warrant. As many international travelers are now painfully aware of, border police and airport customs have been doing it without a search warrant, as we all should know the Constitution does not apply at (or near) the border. And using a passcode is hardly any better, as they can detain you or prevent you from ever getting into the country (even US citizens) essentially forever if you refuse to give up your laptop or iphone password.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 3 May 2019 @ 2:04pm

    From the top then...

    Biometrics can be used as account names.

    Biometrics should never be used as account passwords.

    reply to this | link to this | view in chronology ]

  • identicon
    bobob, 3 May 2019 @ 5:04pm

    The whole fingerprint id concept was just marketing bullshit. I'm not sure why anyone thought that fingerprint id was some sort of security panacea. People will buy into anything that let's them think they are technically sophisticated, no matter how stupid it is.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 May 2019 @ 7:17am

      Re:

      They saw it in a movie?

      reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 4 May 2019 @ 7:42am

      Re:

      It's no panacea, but it has improved my security. Before I had a fingerprint scanner, I didn't have any security on my phone. In the many years I'd had a cell phone I had not once lost it or left it anywhere or had it outside my control when not at home. So entering a passcode every time I wanted to use it was just not worth the trouble. A fingerprint scanner is a very convenient way to add some level of security. And if I have time to turn the phone off, a password will be required on startup.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 May 2019 @ 11:21pm

    This shows the distinction of "testimonial" evidence versus "tangible" evidence.

    A fingerprint, DNA is tangible. A password is testimonial, meaning that a 5th amendment defense can be raised.

    The government is fully dedicated towards destroying this 5th amendment right.

    reply to this | link to this | view in chronology ]

  • identicon
    Dr evil, 5 May 2019 @ 7:17am

    Da truth

    The gub'ment is WRONG on the fingerprint passcode thing. If they knew that his personal phone was locked with the finger print of someone else, can they compell the OTHER person to unlock it? :-P

    reply to this | link to this | view in chronology ]

  • icon
    True (profile), 6 May 2019 @ 9:16am

    Limits

    Is't there like a 12 hour time limit from last finger print unlock before pass code becomes mandatory? I know after a reboot its mandatory also after so many bad fingers.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.