When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?
from the a-non-testimonial-appendage? dept
FBI Director James Comey is still complaining about encryption but it doesn’t seem to be preventing law enforcement from accessing devices. To date, law enforcement has paid hackers to break into a phone, had an iPhone owner suddenly “remember” his password, seen a person jailed for 7 months (so far) for refusing to provide a password and, now, a law enforcement agency has used a warrant to force a suspect to unlock an iPhone using a fingerprint.
[A]uthorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple’s fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.
The mostly-unanswered question is whether this violates the Fifth Amendment by forcing a person to provide evidence against themselves. (Not that due process was at the forefront of law enforcement’s mind in this case. Or the magistrate judge’s either. Jonathan Zdziarski points out the warrant was obtained within 45 minutes of the suspect being arrested — not even enough time to bring in a lawyer.) While the law allows police to collect data from detained individuals — including fingerprints — it doesn’t say much about physically applying someone’s finger to their phone to unlock its contents.
The concern that fingerprint “passwords” would be less insulated against court orders and warrants was brought up here more than two years ago, shortly after Apple announced the new security feature. Biometric data isn’t something anyone “knows” that could be considered “testimonial.” It simply is an indicator of who you are, which courts have held isn’t covered under Fifth Amendment protections against self-incrimination.
The additional concern is that law enforcement may have also used this Fifth Amendment workaround to obtain information on a separate suspect. The LA Times article adds these details to the general murkiness:
Why authorities wanted [Paytsar] Bkhchadzhyan to unlock the phone is unclear. The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan’s boyfriend and a member of the Armenian Power gang with the moniker of “40.” Asst. U.S. Atty. Vicki Chou said the search was part of an ongoing probe. She declined further comment.
Bkhchadzhyan was arrested and pled no contest to one count of identity theft. But the US Attorney’s comment seems to imply law enforcement was looking for more than just evidence on Bkhchadzhyan when it searched the phone. If so, it raises even further questions about the constitutionality of this particular warrant, which may have forced this suspect to provide evidence against someone else.
The only prior case to raise this issue isn’t very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers “testimonial” and what is merely providing access.
In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one’s mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.
But does that line even exist? It’s difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple’s Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these “keys” in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.
It’s not like withholding passwords will work in all cases either. Those who aren’t jailed for contempt of court may instead find judges deciding that providing a password to law enforcement isn’t a “testimonial” act on its own. The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their “foregone conclusion” justifications. After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.
It’s a stretch of an argument though — considering the prosecution needs to provide evidence it knows the stuff it’s looking for resides on the devices, which is something extremely difficult to prove when the device is fully encrypted.
The limits of the Fifth Amendment’s protections against self-incrimination are far from clearly defined when it comes to encrypted devices.. This leaves the security question in the hands of each individual user. Your choice of security method depends on who you’re more worried about having access to your phone. If it’s phone thieves, then a fingerprint might do. But if it’s the government, use a password.
Filed Under: 5th amendment, encryption, fingerprint, fingerprint swipe, id, paytsar bkhchadzhyan, self-incrimination, sevak mesrobian, touch id
Comments on “When A Fingerprint IS The Password, Where Does The Fifth Amendment Come Into Play?”
The more I see where this country is headed, the more I don’t want anything more to do with digital technology of pretty much any kind. (and I say this, having been in the IT industry for the last 20 years)
I guess I have a yearning for the olden days, when the screws would just beat the info out of me with truncheons and brass knuckles.
Re: Re:
when you see you’re country that you love sliding wholeheartedly into a police state. You can either emigrate or try and weather out the decades of citizen opression and murder that tends to happen.
Re: "Foregone Conclusion"
After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.
By that logic, if a home didn’t contain evidence of criminal activity, any “reasonable” person would provide permission for warrant-less searches without hesitation.
Yeah, I don’t think so. That’s quite a stretch.
Bkhchadzhyan? How is that pronounced? What in the world is your mouth supposed to do with B-K-H-CH with no vowels between them?
Re: Re:
I’m not sure of the exact sound, but I imagine it’s a phlegmy throat noise.
Re: Re:
BYKHADZIAN
Pronounce the DZ like the J in JAM.
I’m not even Armenian but I’m pretty sure that’s it.
Re: Re: Re:
Hmmm, jam!
Laws about this
I think someone should try bringing in the Anti-Circumvention laws. Isn’t it illegal to bypass protection on a device you don’t own? If I call it “DRM” instead of encryption, do I suddenly get more rights?
Re: Laws about this
You get all the rights and each infraction gets you a gazillion bucks!
Re: Re: Laws about this
Do I get to hire a lawyer with the gazillion bucks, or does the state take it because the money may have committed a crime?
Re: Laws about this
Silly AC, CISPA doesn’t apply to the law, only to the little people like you!
duh
This is why a fingerprint *should not be* a password, it should be a userid.
Re: duh
Man I feel like I go breathless trying to explain this to people.
Re: Re: duh
I have the same problem with explaining to people why political parties are terrible.
Re: Re: Re: duh
They don’t even allow kegs any more….
Re: duh
This. Using fingerprints as passwords is insanely dumb. And yet you have even banks using it. It must be paired with a key to unlock the account/device/etc.
Re: Re: duh
To be fair, banks use it because the customers demand it.
Re: Re: Re: duh
They do?? Not that I don’t believe you, but I’ve spent years going to great lengths to avoid giving my fingerprints to banks. Including refusing checks drawn against certain ones such as Bank of America.
Re: Re: Re: duh
If I told them to jump off a bridge, would they do it?
Though honestly, if multiple random people on the internet can trick fingerprint readers with printed fingerprints, you’d have to think the FBI could do the same.
The problem is the prosecutors had an easy argument “we’ve always been able to collect fingerprints so why not now, too?!”, while defense lawyers have had weak arguments and didn’t say stuff like “but the fingerprint is not just for identification now, it’s to get access to all of our lives’ data, so clearly it’s not the same?”
Defense lawyers need to smarten up.
The line exists.
The question is if the line should exist, I think.
So long as our laws are so numerous that it’s impossible to know or follow them, so long as law enforcement can arrest people for what they imagine to be crimes, so long as prosecutory discretion allows officials to choose to convict some people and not others arbitrarily, I say the individual citizen needs all the protects it can get.
In the meantime you never want a part of your body worth more to someone than you are.
They can already get fingerprints, DNA, hair and blood...
With a warrant there is really no question of whether they can compel a fingerprint. They already have the right to book you and fingerprint you – no warrant needed. They can get warrants to force you to give up a DNA sample, blood samples, hair samples. They can get warrants to x-ray your body for drugs. They can give you laxatives and make you use an evidence collecting, nonflushing toilet. Fingerprints for a cell phone? Bah, that horse left the barn before cell phones were even invented.
So, the lesson is don’t use just biometrics for critical security. Things you can’t change and can’t insure control over are not sufficient to insure that only you or people you willingly authorize will have access.
Plausible Deniability
I do not see providing a fingerprint and different than a DNA/Blood/Stool/Whatever sample.
If you have secrets you want to keep private don’t use biometrics/physical keys/etc to protect them.
Forcing someone to give up a password is wrong. First you can’t prove they remember it and 2nd you can’t force someone to testify against themselves. Attempting to force someone to reveal knowledge that they can plausibly deny having any knowledge of is wrong.
Re: Plausible Deniability
Actually, with iPhones, fingerprints ARE plausible deniability. Simply present a print that you know won’t work until the print scanner is locked out. Then say that you’ve forgotten the password after mis-entering it a few times.
Both of these are reasonable, and they can’t prove intent here.
Of the mind
A fingerprint may not be “of the mind” and may not ultimately have protection, however the knowledge of which finger was used and the orientation of that finger is.
Come on girl, hold up your ten fingers and say “here”.
What most people keep forgetting is that your fingerprint is not constitutionally protected. By using your fingerprint to lock your cellphone, you open yourself up to being forced to unlock your cellphone. This is different than a passcode.
Re: Re:
heat up a hotplate to about 200C.
Place finger on hotplate.
(go straight to hospital – but your phone is now locked forever)
Re: Re: Re:
Dillinger tried this in efforts to obfuscate his fingerprints. (Though he used acid, not a hot-plate)
The results were temporary. They grew back.
Re: Re:
You don’t even have to be forced to provide a fingerprint. It’s reasonably easy (but not always trivially so) to unlock those phones using a latent print lifted from something you’ve touched.
Fingerprint authentication is a terrible idea on all fronts. It’s not very secure, it can’t be easily changed or revoked when desired, and you can suffer many kinds of injuries that will alter your prints.
Is it a testamonial act?
Heck yes!
By unlocking the device – no matter the method used – you are implying that you had control over or authority to use the device and by extension, what was or was not on that device.
Re: Is it a testamonial act?
The state refuses to be governed by what it’s allowed to do.
The state is only governed by what it can do.
That said, yes, a phone opened by compulsion without a specific warrant should be inadmissible for any reason.
Not that we can expect that to happen in this society.
Re: Re: Is it a testamonial act?
“The state refuses to be governed by what it’s allowed to do.
The state is only governed by what it can do.”
^ So much this. They see tech development as specifically FOR them.
Re: Re: Is it a testamonial act?
That said, yes, a phone opened by compulsion without a specific warrant should be inadmissible for any reason.
It’s a good thing they got a warrant then, isn’t it?
Re: Re: Re: Is it a testamonial act?
Ah, but the get a warrant to actually search the phone, which is a different issue from compelling an unlock.
Re: Re: Re: Is it a testamonial act?
Yeah, I betcha it’s not a specific one.
Such as a warrant to get a specific contact, not a warrant to search her email archives for something with which to incriminate her.
Re: Is it a testamonial act?
No, it isn’t a testimonial act.
The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone – they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.
If her fingerprint does in fact unlock the device – well, perhaps that’s evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it’s pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.
Demanding a password is different; complying with that means admitting that you know what the password is. The woman here doesn’t have to admit she knows anything about the phone, just like someone with their prints on a gun doesn’t have to admit they know anything about the gun. Also, with fingerprints there’s not a problem like there is with a password where the person may legitimately not know (or remember) the password – if her fingerprint doesn’t unlock the device, that’s that.
Re: Re: Is it a testamonial act?
No, it isn’t a testimonial act.
The person is NOT being asked to verify that they know how to unlock the phone. The police claim to already know how to unlock the phone – they claim it unlocks via her fingerprint. And the fact that she does indeed HAVE a fingerprint is obvious and not testimonial.
>>>I’m not addressing the matter of whether she has a fingerprint or whether she knows how to unlock the phone.
If her fingerprint does in fact unlock the device – well, perhaps that’s evidence against her, but fingerprints on a murder weapon or something would also be evidence against her, and it’s pretty well established that police can demand fingerprints (with a warrant) to check against a crime scene.
>>>Being able to unlock the device, either with a pass code or fingerprints are evidence that the person who supplied either had at least some minimal authority and control over the device. Fingerprints on a murder weapon – or anywhere at a crime scene – are a straw man fallacy for this discussion.
Demanding a password is different; complying with that means admitting that you know what the password is.
>>>Yes and no. The fingerprint acts as a password here. In either case, the means of unlocking the device is being demanded.
The woman here doesn’t have to admit she knows anything about the phone, just like someone with their prints on a gun doesn’t have to admit they know anything about the gun.
>>>Straw man fallacy again.
Also, with fingerprints there’s not a problem like there is with a password where the person may legitimately not know (or remember) the password – if her fingerprint doesn’t unlock the device, that’s that.
>>>Not knowing does not equal not remembering.
>>>Please remember here. We are talking about a woman being ordered to unlock a device. It doesn’t matter how the device is locked. It only matters that a) the device is locked; b) the cops think (or perhaps know) she has the means to unlock it; and c) the cops want the device unlocked. By unlocking the device, irrespective of how, the cops can infer that the woman had some level of control over the device; she is, in effect, saying ‘I use or can access this phone’ by unlocking for the cops or anyone else.
Re: Re: Re: Is it a testamonial act?
Re: Re: Re:2 Is it a testamonial act?
The presence of fingerprints on the murder weapon in themselves are not evidence that the person who handled the weapon committed the crime. Place the weapon at a murder scene, add the fingerprints to the weapon, and you still only place the person at the crime scene. There’s still no evidence that the person pulled the trigger OR that they intended to do so even if they did.
Here, the cops are arguing that the phone contains direct evidence – maybe pictures, maybe notes, maybe messages – that show that she was involved in the commission of crimes. They’re looking for the equivalent of a video recording or pictures of the woman pulling the trigger.
Re: Re: Re:3 Is it a testamonial act?
It absolutely is “evidence”; that’s going to be Exhibit A. It’s not “proof”, though. She can argue the gun was planted. Just like she could argue her fingerprint was planted or the content on the phone was planted.
Well, in THIS case it’s unclear – they most likely want information on her gang member boyfriend. But I admit that doesn’t matter much, since they COULD use it against her. One way they could solve this is to give her immunity, but they don’t want to do that, so it’s perfectly logical for her to assume they’d use it against her.
You seem to think that you can’t be forced to provide the means to unlock something that contains evidence against you. But under current law, you absolutely can. If the key to a strongbox is around your neck, the police can take that key from you and unlock the strongbox. If you’ve swallowed the key, they can use doctors to forcibly get it out of your body one way or another. And if your finger is the key to your smartphone, they can use that finger to unlock your it.
What they can’t make you do is admit that you know HOW to open the thing. Because that would be an actual admission. And if your fingerprint unlocks a phone, that might be evidence that you’re connected to the phone, but it’s not an admission of anything – maybe someone put your finger on the phone while you were asleep.
Crappy Workaround
As long as our rights are being “reinterpreted” by the courts, you can do this:
Use an unusual finger for your phone’s lock.
Set the “lock after x unsuccessful attempts” to 3
Then have it fall back to a password
When compelled by the court, use the wrong fingers three times. Oops, sorry, FBI. My bad. Problem solved.
Re: Crappy Workaround
Or, even better, disable the ability to unlock with a fingerprint entirely.
The thing is, your identity has never been something protected by the fifth amendment. Remember, confirming your identity already opens up a lot of potentially incriminating evidence. After all, without it they can’t grab your phone and internet histories from your providers, locate your house to search it, contact your friends/family/employer, pull up your financial records, or a whole host of other things. And despite all of this very clear potentially incriminating info that is only accessible after you are identified, you can’t refuse to identify yourself when ordered to.
And fingerprints are, while very convenient, a method of identification. There’s a reason why “something you are” is less popular as a security paradigm than “something you have” and “something you know.” It’s the only one that you don’t actually have any control over (both legally and practically).
You have laws protecting citizens rights and law agencies that ignore those same laws to harass and intimidate citizens.
So in effect you have no laws, only goons with badges and guns
“The refusal to provide a password may also work against defendants by giving prosecutors a bit more ammo for their “foregone conclusion” justifications. After all, if a locked device didn’t contain evidence of criminal activity, any “reasonable” person would have provided a password without hesitation.”
It is a serious mistake for anyone to conflate a choice with an obligation. A person is afforded the Rights recognized by our Bill of Rights first. This being the case, waving such rights cannot ever be an obligation of a citizen. To think otherwise is a fast track to a Police State that cares not a wit for the Constitution of this country.
I'm Thinking Tasker
If there’s not already, I want a Tasker (for Android) plugin that uses the fingerprint scanner to determine which finger you used to unlock the device. You’d be able to set it so that specific fingers will perform an action other than unlocking the device. My personal preference would be powering it off. Android devices (I think iOS devices do this too) require the actual PIN to be typed on powerup for decryption before accepting a fingerprint to unlock the lock screen. That way, I can have the ease-of-use of fingerprint unlock but, the safety of my PIN in case of compulsion.
Of course, one could have a fingerprint set to factory reset but, I wouldn’t want to deal with the legal consequences of a destruction of evidence charges.
Re: I'm Thinking Tasker
There’s no destruction of evidence by you unless the court specifically directs that you unlock the phone. If you just have to provide your fingers, you compliantly hold your hand out and let the police officer press the finger of their choice on the phone.
If you’re being forced to tell them, “No not that finger.”, or “Turn the finger sideways first”, then there is a 5th amendment issue.
Simple technical fix
There is a simpe technical fix for this.
Two passwords.
Password 1 – your real data is decrypted.
Password 2 – your real data is wiped and replaced by an “innocent” substitute.
Modern devices generally have enough spare space for both.
Re: Simple technical fix
The going version of this is encryption that looks like garbage in unused data sectors.
That way there’s plausible deniability that it’s actually data.
Unchangeable Password?
Why would anyone ever consider having an unchangeable password? Stupidest idea ever!
after seeing a case where it appeared to me shit was planted on someones pc I will never give up a key password ever, and there will be no auto mounting of usb devices ever again
Giving the 5th Amend the Finger
I actually wrote a post about this topic, http://consenttosearch.com/site/fingerprint-and-fifth-amendment/ The law is well established a person must provide a handwriting exemplar, voice exemplar, and other non-testimonial things to police. Now, due to technology, people enjoy swiping the finger in lieu of using a PW. I know of a couple of cases that said yes, and one that said no. There’s a case pending in the 9th Circuit now on this issue. I see it as, police cannot force you to provide the key to your house where you a stolen radio at, but they want you to use your finger to open up a secure phone so they may incriminate you with the contents? For now, I suggest the obvious – take the .05 second to enter in a PW, and do not use your finger for anything less that things you enjoy using it for, since we do not need the government to tell us where to put it!
Counsel
> Not that due process was at the forefront of law
> enforcement’s mind in this case. Or the magistrate
> judge’s either. Jonathan Zdziarski points out the warrant
> was obtained within 45 minutes of the suspect being
> arrested — not even enough time to bring in a lawyer.
WTF? Due process has *never* required the police wait to apply for a warrant (or the judge to wait to grant one) until the subject/defendant’s lawyer shows up at the warrant application hearing.
In fact, that almost *never* happens.
Incrimination
> If so, it raises even further questions about the
> constitutionality of this particular warrant, which may
> have forced this suspect to provide evidence against
> someone else.
That’s actually less of a constitutional issue. While you do have a 5th Amendment right against self-incrimination, absent something like spousal privilege– which isn’t a constitutional issue– you have *no* right whatsoever to be free from incriminating others. If you have evidence that can be used to help the government’s case against someone else, you can be compelled to provide it. Period. And nothing in the Constitution protects you from that.