If you think that your smart phone is secure because you use a fingerprint based ID system, think again. A recent ruling by a Virginia Circuit Court Judge has made it clear that fingerprints are not protected under the 5th Amendment:

  • Police CAN force you to unlock your phone with your fingerprints
  • Police CAN physically place your fingers on the phone to unlock it
  • Police CANNOT force you to reveal your passcode
  • Police MIGHT be able to force you to enter the passcode without telling them

The Rise of Biometric Security

When Apple first debuted its fingerprint-based security system, Touch ID, they touted it as a simple and easy way to keep your iPhone safe. The ability to secure smart phones with passcodes had been around for years. But, according to Apple, fingerprints offered many improvements over passcodes, including ease of use and strength:

Your fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike…Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode.

Many organizations – from governments to corporations – shared Apple’s view of biometrics. And, because of that, the biometrics security industry has been seeing huge growth. Not limited to cell phones, governments and corporations are already implementing biometrics on ID cards, passports and security badges. However, fingerprint biometrics lead the way:

Among all biometrics technologies, fingerprint biometrics technology has captured majority of the market share. Ease of usage, low cost and benefits over smart card-based access control systems have fuelled the growth of fingerprint biometrics systems globally. Government projects such as national IDs, e-passports and driving license are also playing a vital role for the growth of biometrics market.

Legal Quicksand

But despite the practical applications of the technology, there are legal concerns that may make biometrics less than the ideal solution they appear to be. This was illustrated by a recent ruling by Virginia Circuit Court Judge Steven C. Fucci. His decision centered around how to handle a Touch ID secured iPhone in a case involving a man named David Baust:

… Baust, an Emergency Medical Services captain was charged back in February with attempting to strangle his girlfriend. The prosecutors proposed that video equipment found in Baust’s bedroom might have happened to capture the fight. The prosecutors further speculated that if that was the case, then the video might be on Baust’s cellphone. Thus, the prosecutors wanted the judge to force Baust to unlock his phone.

However, Baust’s lawyer argued that Baust could not be compelled to unlock the phone with his fingerprint because it violated his 5th Amendment right against self-incrimination. Judge Fucci saw it differently and ruled that “fingerprints are not protected by the Fifth Amendment.” According to Fucci, not only could you not refuse to give up your fingerprints, the police could physically put your hands on the phone and force you to unlock it.

Unfortunately, this ruling was expected. In fact, when Apple first revealed its Touch ID feature, some experts – like Marcia Hoffman – predicted this exact scenario:

While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints

Knowledge vs Physical Objects

Many people don’t see the difference between a passcode and a fingerprint. Both of them unlock your device. They perform the same function, so they must be the same thing. But, in legal terms, they are completely different.

The Fifth Amendment protects people from having to testify against themselves. However, the courts have interpreted that protection to only apply to testimonial statements. That means that the court can’t force you to divulge anything that you know. But, it also means that only knowledge is protected.

Fingerprints are totally different. In a legal context, fingerprints are treated as physical objects. They don’t exist in your mind, they exist in the physical world. They are no different than keys, rocks, and bullet casings. As such, they are not protected by the 5th Amendment, and the police can forcefully collect them.

This is the same rationale that ruled that the police can forcibly take DNA samples from you. Neither DNA nor fingerprints are considered testimonial in nature. They are physical objects, and as such, the police can take them if they want to.

Biometrics Offer Less Legal Protection

Because of this distinction, even though biometric security solutions may offer practical advantages, currently they offer less legal protection than old-fashioned passwords. That’s because passwords qualify as knowledge, not physical objects, and therefore they trigger 5th Amendment protections.

The distinction between knowledge based protection and physical object based protection is not just theoretical. It has wide ranging security implications.

Suppose you had a safe with a lock on it. Police could force you to give up the key to open it. But, if the safe was guarded with a combination lock, they could not force you to give up the combination. Likewise, if the safe were secured with a biometric lock, the police could force you to physically unlock it using your body. But if it were secured with a numeric key-pad, they could not force you to give up the unlock code.

By switching to knowledge based security, you can invoke more Constitutional protections. But that doesn’t mean that law enforcement will just give up. In fact, Law Enforcement Officers have already been looking at ways to get around Constitutional restrictions.

A Way Around the Constitution

If you ignore the spirit of the 5th Amendment, and read it with an eye to subvert it, you might be able to come up with a loophole to bypass its protections:

…one workaround for everyday cops could come in the form of a different type of legal order: one that requires the suspect not to disclose the passcode, but to enter it himself.

If a person is forced to enter their passcode themselves, they never actually reveal the passcode, and therefore never actually testify against themselves. Law enforcement could argue that even though they might be violating the spirit of the law, they would be obeying the letter. After all, the 5th Amendment only protects testimony.

Why would law enforcement officers want to violate the highest law of the land – the Constitution? That’s a great question to ponder.

But, it is still unclear whether it would be Constitutional or not. As a result, it will no doubt be the next area that will require clarification from the high courts. If law enforcement is allowed to force you to enter a password to unlock your phone, why not force you to decrypt your hard drive or unlock your bitcoin wallet?

For certain, the people don’t want it. With Apple and Google both increasing security on their platforms to avoid government spying, the trend is clear that consumers value security and want their personal data protected. Whether or not that concern is reflected in upcoming court decisions remains to be seen.

3 Responses

    • Rob Hustle

      That was a good decision, and the opinion makes me hopeful that the Supreme Court will continue to support individual rights. However, it’s just one small piece of the puzzle.

      The Fourth Amendment ruling makes sure that police must obtain a warrant prior to searching a phone, but that is a low bar to clear. Look at the FISA courts. They reject 0.03% of requests by the government. At best, the Fourth Amendment ruling is a delay tactic.

      The Fifth Amendment, however, provides another layer of security. Being legally allowed to search a phone is much different than being physically able to do it. In addition to unlocking the phone, the Fifth Amendment also deals with things like passwords and device encryption.

      Although forced decryption has for the most part been protected, it is not unanimous. Massachusetts recently ordered a man charged with real estate fraud to forcibly decrypt his laptop.

  1. Walt Griffith

    Smartphone users will need a new app. An app that will delete all of their files if the wrong finger is used, or if the finger is applied sideways. If deletion is too time consuming, the application of a strong voltage surge should fry the memories. Then the only thing that the screen will display is a “finger”.
