Another Federal Court Says Compelled Production Of Fingerprints To Unlock A Phone Doesn't Violate The Constitution

from the must-be-going-so-dark-fingerprint-readers-won't-even-work dept

Where the Fifth Amendment ends for device owners largely seems to be determined by their favored security measure. If it's a password keeping a device encrypted, courts seem more willing to call compelled production a Fifth Amendment violation. If it's a biometric feature -- most commonly fingerprints or faces -- the courts are more likely to consider body parts non-testimonial.

There's not enough of a consensus either way to make it a clear choice, but courts seem to feel faces/fingerprints are like "keys" and passwords like "combinations" when it comes to the metaphorical lockbox that is your phone.

Adding to the case law that is "fingerprints are lockbox keys" is this decision [PDF] from a federal court in Illinois. (via FourthAmendment.com) The court says the Supreme Court says this is how it must be, even if the Supreme Court has yet to field a device encryption case.

The government wants to look in the defendant's phone for evidence of his threats against a confidential informant. There's a built-in limit to this, although it's not one of the government's making. Investigators want to apply the suspect's fingers and thumbs to the seized iPhone to unlock it. The suspect's mind is being taken out of the equation (as it were), which could result in the government getting what it wants in this request without actually getting what it wants from the man's iPhone.

In connection with the government’s motion to revoke Barrera’s bond conditions, District Judge Robert W. Gettlemen ordered that Barrera’s iPhone be turned over to Pretrial Services. The government seeks to search this iPhone, with a home button, that was taken from Barrera in order to develop evidence of his alleged threats. The iPhone has a fingerprint lock function (known as Touch ID), and the government asked this Court for a warrant to compel the defendant to place his fingers and thumbs on the iPhone home button in an attempt to unlock the phone. The government alleged in the affidavit in support of its request for a search warrant that it will select the fingers and thumbs to press on to the home button, and that the iPhone fingerprint unlock function will disable after five incorrect attempts. At that time, the iPhone function will demand a passcode to unlock the phone.

The court says any Fourth Amendment concerns are addressed by the government's warrant, which puts it on the right side of the Riley decision. With that settled, the court addressed the Fifth Amendment issues. (Emphasis in the original.)

Applying those three requirements in reverse order here, a biometric scan is certainly compelled—the government is explicitly requesting the Court’s authority to force the scan. The act may also be incriminating, as unlocking the phone may lead to the discovery of a nearly unlimited amount of potential evidence including text messages, social media posts, call logs, emails, digital calendars, photographs and videos, and location data. [...]

But if a compelled act is not testimonial, and therefore not protected by the Fifth Amendment, it cannot become protected simply because it will lead to incriminating evidence. As a result, the relevant Fifth Amendment inquiry here is whether the compelled act of scanning a subject’s fingerprint to unlock a device is a testimonial act.

The court decides it isn't a Fifth Amendment violation because the government will be choosing the five digits it will apply to the iPhone button, rather than the suspect. To complete the metaphor, the government has ten keys to choose from, but only has five attempts to pick the right key. Since the government is doing all the choosing, the suspect isn't doing anything testimonial since he isn't being asked to tell the government which of his fingers will unlock the phone.

First, the Court holds that the biometric unlock procedure is more akin to a key than a passcode combination. The Supreme Court in Doe, and later in Hubbell, has illustrated the difference between testimonial and non-testimonial physical acts via this helpful comparison, which aptly applies to an iPhone that has two different unlock features – a fingerprint and a passcode. In Doe, the Court noted that the Fifth Amendment permits the government to force an individual to surrender a key to a strongbox containing incriminating documents, but not to reveal the combination to a subject’s wall safe. Thus, using the Doe framework, this Court examines whether a biometric scan of an individual’s finger or thumb is more like a key or a combination.

A combination passcode requires a verbal statement from the possessor of the code. More importantly, compelling someone to reveal a passcode also requires an individual to communicate something against her will that resides in her mind. A key, however, is a physical object just like a finger — it requires no revelation of mental thoughts. Nor does a finger require a communication of any information held by that person, unlike a passcode. In fact, the application of a finger to the home button on a iPhone “can be done while the individual sleeps or is unconscious,” and thus does not require any revelation of information stored in a person’s mind.

But even this conclusion is not that simple. The government must show it knows the phone is owned or controlled by the suspect before it can start asking the court to give it permission to apply the person's fingers to the phone. The court doesn't address whether the government has met this evidentiary burden but rather waves it away by citing a 1988 Supreme Court decision (Doe) dealing with the production of financial records.

[T]he Court holds that the implicit inference from the biometric unlock procedure, that the individual forced to unlock had some point accessed the phone to program his or her fingerprint, is not sufficient to convert the act to testimonial. The Supreme Court considered this similar concept in Doe, when it found that requiring a petitioner to execute a consent directive that would result in the production of bank records would not have testimonial significance.

[...]

Similarly, the implicit inference that one might draw from the biometric unlock procedure — that the cell phone was at some point accessed in order to program the biometric lock feature — is no different in significance than any of the above inferences. It is of the same scale that existed in Doe, Gilbert and the other cases discussed above. The implicit inference is also not necessarily as firm as on first impression – the Touch ID feature on an iPhone permits up to five fingerprints to be programmed, thus allowing the potential for multiple users to program the feature. As a result, the Court concludes that any implicit inference that can be drawn from a biometric unlock procedure is not of testimonial significance.

This decision further muddies the federal waters, making it more likely the Supreme Court will have to address these Fifth Amendment issues in the near future. But until it's all settled, odds are passwords are better than fingerprints if your main concern is unwanted access by government employees.

Filed Under: 4th amendment, 5th amendment, biometrics, compelled production, fingerprints, passwords


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 6 Dec 2019 @ 10:56am

    Fingerprint scan a spot not on your fingertip

    Everyone assumes you have to use the tips of your fingers to create and use these kinds of locks. In reality, you can scan any part of your finger including the line under your joints. Compelling you to provide your fingerprints still wouldn't force you to unlock the phone if you take the proper steps to ensure their request will never hurt you.

    reply to this | link to this | view in chronology ]

    • icon
      Norahc (profile), 6 Dec 2019 @ 11:29am

      Re: Fingerprint scan a spot not on your fingertip

      Or you could really screw with them and set it up using a toe instead of a finger.

      reply to this | link to this | view in chronology ]

      • icon
        Anonymous Anonymous Coward (profile), 6 Dec 2019 @ 11:41am

        Re: Re: Fingerprint scan a spot not on your fingertip

        I can see you now, walking down the street, phone rings and you whip off your shoe and sock and then drop you phone to the ground and press a toe to the sensor, just to answer a spam call.

        reply to this | link to this | view in chronology ]

        • icon
          Norahc (profile), 6 Dec 2019 @ 11:47am

          Re: Re: Re: Fingerprint scan a spot not on your fingertip

          Be grateful I chose a toe instead of another body part. But in your scenario I'd just use the password to unlock the phone.

          reply to this | link to this | view in chronology ]

        • identicon
          TRX, 7 Dec 2019 @ 9:32am

          Re: Re: Re: Fingerprint scan a spot not on your fingertip

          Yeah, at least Maxwell Smart didn't have to take his sock off when he answered his shoe phone...

          reply to this | link to this | view in chronology ]

      • identicon
        nobody, 6 Dec 2019 @ 6:52pm

        Re: Re: Fingerprint scan a spot not on your fingertip

        Can confirm. Toes work (why wouldn't they?). Gave me an excuse to try out a 10 second experiment I've put off for years. Appreciate the information in the first comment too. Hadn't considered using other finger parts.

        reply to this | link to this | view in chronology ]

        • icon
          Norahc (profile), 7 Dec 2019 @ 5:51am

          Re: Re: Re: Fingerprint scan a spot not on your fingertip

          Non-standard biometrics could result interesting possibilities:

          Cops: We need a warrant to force fingerprint unlock of this suspects phone
          Judge: Warrant approved
          cops returning to court
          Cops: Fingerprints didn't work...we need suspect to tell us his password.
          Judge: If fingerprints didn't work how do you know it is even the suspect's phone?
          Cops: Because we REALLY want it to be his phone and can prove it's his once he gives us the password.
          Judge: Do you have anything at all that proves the phone is his?
          Cops: We REALLY want it to be his.

          reply to this | link to this | view in chronology ]

    • identicon
      Anon, 7 Dec 2019 @ 7:12am

      Re: Fingerprint scan a spot not on your fingertip

      My fingerprint scan on my iPhone 8 is about 50% reliable. Sometimes it works, sometimes it take 2 or more tries.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Dec 2019 @ 12:21pm

    If I were the police, I might well call the phone companies and ask the numbers they have (if any) for [accused person], then call those numbers first.

    If the phone doesn't ring, you must acquit.

    reply to this | link to this | view in chronology ]

  • identicon
    stine, 6 Dec 2019 @ 1:07pm

    what about what the court inferred

    If the fingerprint unlock isn't testimonial, then how are they going to demonstrate that the person attached to the finger that unlocked the phone is the person who previously used the phone and put all of the bad stuff on it? Is there any way that the actual guilty party (not this person) used one of this person's fingers to set 1 fingerprint for the lock, and then did the same with one of theirs?

    If the police get the phone unlocked, can they extract the valid prints from it? Or are they encrypted with a 1-way function?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Dec 2019 @ 6:01pm

      Re: what about what the court inferred

      When the government forces companies to provide these biometric security measures on every phone, then it will be unconstitutional to force us to unlock them.

      reply to this | link to this | view in chronology ]

  • icon
    zboot (profile), 6 Dec 2019 @ 1:39pm

    My Solution

    Fingerprint unlock but the phone requires me to enter the password once a day. Presumably, I can delay responding to a fingerprint request for that long a period of time. After that, the fingerprint is useless. Sadly, more people don't bother turning on this feature.

    reply to this | link to this | view in chronology ]

    • identicon
      Anon, 7 Dec 2019 @ 7:19am

      Re: My Solution

      No you can't. If they say "put your finger here" and you refuse, that's obstruction; just like refusing a breathalyzer. Just hope your lawyer is on the ball and the request for a warrant to search takes too long. (Although I assume the police can unlock the phone and promise not to search it until the warrant arrives, right? I sense another court case in the making there) The other issue is to either turn the phone complete off or hit the home button with the wrong finger(s) several times while handing it over. But be careful how you appear to do that. Again, making it impossible to unlock the phone after they ask for it -i.e. when you know it is going to become evidence - is obstruction. Having it difficult to unlock before the police want it is OK.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Dec 2019 @ 6:21am

    I still do not understand why people put all their eggs in one basket.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Dec 2019 @ 10:44am

    Governments globally are a murderous lot. Every politician who takes up a position in them who does not denounce this violence against its own people has blood on their hands. Blood they can never wash away.

    reply to this | link to this | view in chronology ]

  • identicon
    Smartassicus the Roman, 7 Dec 2019 @ 4:21pm

    "Finger"? What's That?

    reply to this | link to this | view in chronology ]

    • identicon
      Smartassicus the Roman, 7 Dec 2019 @ 4:26pm

      Re: "Finger"? What's That?

      Dammit, I <shift><entered>d again.

      I have two prints stored. One is the tip of my finger. The other isn't even a finger, but it's a good spot with a unique and persistent pattern. I actually practice quickly deleting my fingerprint and do any time I'm at/in a location where my phone might be taken. I also have a 10GB encrypted container file on my SD card that only contains one file: A JPEG of a "come back with a warrant" doormat.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Dec 2019 @ 8:16am

    I hope the supreme court says "Fingerprints are usernames, and it's not a problem to compel usernames. If you want security, use a password" and we can all move onto a more sane world where fingerprints are not considered passwords.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Dec 2019 @ 2:19pm

    That would be ludicrous if the Scotus said Fingerprints were user names. Fingerprints can't be changed like user names. No matter what the lock is, it is there so no one can just trapse in and look around and steal data. That is like a lock on your vehicle or house. It says fuck off. Get the hell out of here.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Dec 2019 @ 6:50am

    Don't need the finger...

    I wonder if anyone realizes that if they have the fingerprints from the booking, they can probably create a good enough mimic of the suspects fingers using ballistics gel. They don't need to compel the suspect to do anything beyond what they already do.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Dec 2019 @ 4:07pm

      Re: Don't need the finger...

      Once again here on Techdirt, someone has given these people ideas. No one compells you to give them any ideas. So why do that?

      reply to this | link to this | view in chronology ]

  • icon
    Wyrm (profile), 12 Dec 2019 @ 4:07pm

    Security

    But until it's all settled, odds are passwords are better than fingerprints if your main concern is unwanted access by government employees.

    Not only government.
    If a criminal wants access to your fingerprint-locked phone, he can just knock you out and press a couple of fingers on your phone. It's simpler and faster than forcing you to tell him your password. There is still a margin of error as you have more fingers than the number of allowed attempts, but the chance of success is infinitely higher than guessing a password.

    Moreover, you always have the problem that you can't change your fingerprint if they are compromised. Like if you touch anything, anywhere.

    I'm surprised fingerprints have ever been considered "security" at all. It's ok as an additional layer to a password, but it's definitely not great as a single layer of security. It's convenient when you don't really care about security, but it stops there.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.