from the physical-features-and-the-5th-Amendment-don't-mix dept
Based on (admittedly scattershot) case law, the best protection for your phone (and constitutional rights) seems to depend on whatever device owners feel is the most persistent (or dangerous) threat.
If you, a regular phone owner, feel the worst thing that could happen to you is the theft of your phone, then using biometric features to lock/unlock your device is probably the most secure option. It means thieves have to have access to both you and your phone if they hope to access far more sensitive data. And it makes even more sense if you’re one of the, oh, I don’t know… ~250 million Americans who occasionally reuse passwords. This prevents phone thieves from using a seemingly endless number of data breaches to find a way into your phone.
But if you feel law enforcement agencies are the more worrisome threat, it makes more sense to use a passcode. Why? Because courts have been far more willing to call the compelled production of passcodes the equivalent of testifying against yourself, resulting the rejection of warrant requests and the suppression of evidence.
And it’s not just criminals who may feel the cops are the worst. Activists, journalists, lawyers, security researchers… these are all people who may not want interloping cops to easily access the contents of their devices simply by mashing their faces, retinas, or fingerprints into their lockscreens.
So, since courts have decided (with rare exceptions) that utilizing biometric features is “non-testimonial,” that’s the option law enforcement officers will try to use first. As some courts see it, you get fingerprinted when you’re arrested, so applying a finger to a phone doesn’t seem to be enough of a stretch to bring the Constitution into it.
But to this point, the (compelled) deployment of biometric features has been used to unlock devices. In this case, first reported by Thomas Brewster for Forbes, the FBI went deeper: it secured a warrant allowing it to use a suspect’s face to unlock his Wickr account.
In November last year, an undercover agent with the FBI was inside a group on Amazon-owned messaging app Wickr, with a name referencing young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the U.S. government, journalists and activists for private communications. Encryption makes it almost impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could start piecing together who was sharing the material.
As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face. The FBI has previously forced users to unlock an iPhone with Face ID, but this search warrant, obtained by Forbes, represents the first known public record of a U.S. law enforcement agency getting a judge’s permission to unlock an encrypted messaging app with someone’s biometrics.
As Brewster states, this is the first time biometric features have been used (via judicial compulsion) to unlock an encrypted service, rather than a device. No doubt this will be challenged by the suspect’s lawyer. And, speaking of lawyers, the FBI really wanted this to go another way, but was apparently inconvenienced by someone willing to protect their arrestee’s rights.
Just in case it’s not perfectly clear, law enforcement agencies will do everything they can to bypass a suspect’s rights and often only seem to be deterred by the arrival of someone who definitely knows the law better than they do. I mean, it’s right there in the affidavit [PDF]:
By the time it was made known to the FBI that facial recognition was needed to access the locked application Wickr, TERRY had asked for an attorney.
Therefore, the United States seeks this additional search warrant seeking TERRY’ s biometric facial recognition is requested to complete the search of TERRY’s Apple iPhone, 11.
It looks like the FBI only decided to seek a warrant because the suspect had requested legal counsel. It’s unlikely seeking a warrant was in the cards before the suspect asked for an attorney. The FBI had plenty of options up to that point: using a 302 report to create an FBI-centric narrative, lying to the suspect about evidence, co-defendants (or whatever), endless begging for consent, or simply pretending there was no unambiguous assertions of rights. It was only the presence of the lawyer that forced the FBI to acknowledge the Constitution existed, even if its response was to roll the dice on Fifth Amendment jurisprudence.
This dice roll worked. But it’s sure to be challenged. There’s not enough settled law to say the FBI was in the right, even with a warrant. What’s on the line is the Fifth Amendment itself. And if passcodes can’t be compelled, then biometric features should be similarly protected, since they both accomplish the same thing: the production of evidence the government hopes to use against the people whose compliance it has managed to compel.