The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com)
schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.
It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"
The harder a government tries, the faster a market for hard-to-crack devices will grow.
I've got a finger for you!
New option: set a finger to use which will cause the device to wipe. (I can think of an appropriate digit to use).
Since when was it uncommon for someone allegedly involved (directly or otherwise) to be fingerprinted? So they made someone do it to a phone instead of an ink pad this time. What's the task difference here?
Smell my finger! Now pull it. Wouldn't matter anyway. My phone demands a password every XX hours no matter what.
I would assume not so far as to deny someone's 5th-amendment privilege to decline to self-incriminate. But IANAL.
If it weren't for deadlines, nothing would be late.
If this starts happening people will just use multi-layer logins, i.e. a sequence of fingerprints instead of just one, or a fingerprint and a pass sequence. Also regarding terrorists, they just use burner phones for no more than a day or two now and use cryptic key words that mean nothing to your average key word search engine.
This is a PSA completely unrelated to the article and for educational purposes only.
You can painlessly sand off your fingerprints in about 3 minutes. What are they going to do if you literally do not have fingerprints? Okay so you can't unlock your phone normally either then anyway but I think Slashdot people are smart enough to not use pathetic attempts at biometrics.
If you're a government worker, you need to turn in your fingerprints every year anyway. I'm not sure if the government has the capability to pull my fingerprint records and be able to spoof the fingerprint sensor on my iPhone. Not that I have anything sensitive on iPhone.
So I guess I am screwed. But there is hope for everyone else.
Ugh.
Self Defense - A Human Right www.a-human-right.com
See this Slashdot article from October 2014: Virginia Court: LEOs Can Force You To Provide Fingerprint To Unlock Your Phone. And that's not the first.
(IANAL.) The idea is that forcing you to reveal something you know (passcode, etc) is testifying and thus could be self-incrimination and not constitutional, but that forcing you to provide something about yourself is totally kosher. The analogy is being compelled to give up a key or DNA vs a safe combination - the former is searchable, the latter is not. Fingerprints are routinely taken upon arrest, even if the person is released without charges. Physical descriptions or stuff on/about you is not testifying. The argument to make here is a fourth amendment one about being "secure in ones papers" - but they have a warrant so that doesn't do any good anyway.
What it comes down to is the fifth amendment is a very important, but very circumscribed, right - not a get out of jail free card. Which shouldn't have been a surprise, really, otherwise the police would never be able to prosecute much of anything.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
They got a warrant. None of my other "persons, houses, papers, and effects" are secure against a warrant, so why should my phone be?
You may not think that there are other situations where the State could require my cooperation to investigate my alleged crimes, and yet those situations exist commonly. Fingerprints or DNA, for example, are coerced confessions from my body to be used by the state against me - and there's a long history (sometimes sordid) of their acceptance and use. They are coerced cooperation - try not giving fingerprints or DNA and see how far you get.
The only significant issue I see is that the coerced cooperation required to open my phone, opens a huge window into my private business that doesn't have much of a parallel pre-cellphone. But that isn't much different than a search warrant for my house - the warrant must be specific, but that doesn't mean that the police who search my house won't investigate every document, container, and closet that may (or may not) be covered by the warrant.
And the worms ate into his brain.
don't remember password, type wrong 3 times (adjustable) - oh, sorry, device wipes... have to be quick though with typing...
No finger print sensing BS.
> How far can the government go to obtain biometric markers such as fingerprints and hair?
They can go as far as just taking you around the back of the courthouse and shooting you. Of course those governments don't tend to be popular, but it happens. It all depends how much power the people give the government, until a critical mass is reached where the government no longer needs the people and can just give itself power. Guess which phase the US is in today.
Seven puppies were harmed during the making of this post.
The government can compel you to give over certain things that you possess, and the use of fingerprints is so old that there is no question that they can do with that pretty much what they want.
What is protected is your right not to give testimony against yourself. A password is covered. A fingerprint is not. Facial recognition would not be covered either. Remember that before using those whiz-bang new features.
Law enforcement is always so much easier when you can force suspects to "confess". Only now, instead of beating people with a rubber hose, they can force someone's finger onto a part of a screen. Once the phone is open they can "find evidence" of whatever crime they want to accuse you of. After all, the FBI crime labs are routinely caught falsifying/manufacturing evidence in order to get convictions against people they don't like.
"Might" not be? You can't replace your fingerprint, meaning it's up for grabs to the least secured database it happens to be on and once it's out it's not secure anymore.
Fingerprints and other non replaceable biometrics as a substitute for a password is insecure and always will be. Convenience it may be but obviously don't use it for anything actually important.
... because the "key," analogy fails.
When police knock on our door with a warrant, the warrant specifies what they are looking for.
Recall the example of overreach in the case where an individual is suspected of stealing a TV and LEO looks in desk drawers and cubbyholes.
Officers are not allowed to toss your house, looking for a TV.
A smart device contains information that is private to other, unknown, persons.
I may have photos of you. I may have emails from you. I may have text messages from you, and I may have your phone number.
Hell, I could have a list of passwords to all my banking stuff on there.
--
Citizens should have a place to store shit without LEO getting its fucking hands on it.
If it's not a smart device, then where is it?
It little behooves the best of us to comment on the rest of us.
I want the finger prints of this old fart whom lives in my house, being pressed in a joint if the bastard doesn't remind which magic kit he bought for me the first time we dated with him at the mall.
Fingerprinting is not new--not only is it required of criminal defendants as a matter of course, but many states take fingerprints for other reasons such as admission to the bar.
The Fifth Amendment right against self-incrimination does not apply because certain information is not considered "testimonial" in nature. You are not testifying when providing a fingerprint. While this is a slightly different case because the fingerprint is being used to unlock a phone, ultimately they are still not using testimony to unlock the phone--they are using a physical characteristic of an individual. So it will still be considered non-testimonial, and the appeals court that reviews the matter will agree.
The Fourth Amendment still protects you from a random search of your phone, but there was a warrant in this case.
Real lawyers write in C++
Biometrics can be used safely to identify you, not to authorize you.
Small but important difference.
Why go all the trouble to get a warrant etc, when reading out publicly available hi-res photographs from surveillance cameras showing the finger of the target would be more than enough to print a fine replica of the fingerprint on a 3D printer, to be applied / pressed on the fingerprint sensor by some FBI agent at a later time? C'mon, image data processing has come a long way to read your fingerprints from most photos with a decent enough lighting and resolution. Transferring that to the sensor is trivial from here.
cpghost at Cordula's Web.
> Convenience it may be but obviously don't use it for anything actually important.
But you should totally use Apple pay and connect your bank accounts and credit cards to that phone. What could possibly go wrong?
By the time they have convinced me to press my finger to the fingerprint sensor of my phone, they will find a nicely encrypted storage.
"Trump!!", the new Godwin.
Since you cannot rely on each scan being exactly identical to the previous one, can you even use it to encrypt anything?
How is this check done in hardware? Would it be possible to simply override the hardware and send the "these fingerprints match" signal?
seems like a good reason to use some other form of unlock than fingerprints
because you pussies will let them.
Honestly, fingerprint dusting is so easy that I'm surprised it's so supposedly "secure". I mean, the phone is covered with fingerprints. Dust for them and construct fakes and voila, there's your phone. Which is why we should all push for Iris scanners on our phones instead.
I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?
Heck, if the government has your phone, chances are they have your fingerprint on your phone (or have access to somewhere you've been that you've left your fingerprints). Even if they don't have you in custody (and thus didn't fingerprint you), they can use those fingerprints to gain access to your phone.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
...since the terrorist phone case and how easy it would be to force someone to unlock a bio-locked phone. What I'd like to see is Apple/whatever Android phones have that level of biometrics to either require a passcode or self-destruct if the wrong registered print is used to try and unlock it.
> the warrant specifies what they are looking for.
There's no law which prevents them from seeing things they aren't looking for. Yeah, your phone may contain nudie pics. Your house may also contain nudie pics. That doesn't mean police can't get a warrant to search a house, or that such a warrant would be improper, given probable cause.
Any of the items you mentioned which may be on a phone may also be in a house or a car. With a warrant, properly obtained, authorities can rightfully search a house, car, or phone.
In at least one well-known case, it was held that a subpoena for the contents of a phone (protected by a password) to be used or provided depends on one factual question. The same question that applies to documents locked in an old-fashioned safe that has a combination.
If there is a question about whether or not the phone belongs to the defendant, providing the password would be admitting ownership. That would be testimony, which is protected by the 5th.
On the other hand, if the defendant admits it's his phone (or safe) , they have no 5th amendment right to interfere with a lawful subpoena just because unlocking the documents requires a combination that they know in their head, rather than one they wrote down.
Note to self,
If I ever want to secure my phone and its privacy, do not use the fingerprint. Only use a pin code.
And if I am using android, attempt to find a 3rd party software to securely communicate and store information as that functionality is not yet built into the device yet.
Unfortunately the government is unwilling to do their jobs in this regard so we must secure it even from them.
Can't an app be made that simply does not store any of this history and evidence on the phone ? It's not as if I can't get information from a distant server when I want it most of the time. The phone could otherwise hold music and other innocuous content.
Nullius in verba
Remember this?
Apple's got a security feature where the phone verifies all components of the fingerprint-security system installed on the thing today are the ones that were installed yesterday since iOS9, much to the chagrin of the poor fuckers who got some part of the system repaired by non-Apple shops prior to iOS9. They fixed that on 9.3, but I doubt hacking the system is actually non-trivial.
On the other hand, to get a warrant all you need is a) a limited area to search (such as a phone), b) a reason to search it (aka: "probable cause"), and c) a LEO to swear that b) is true to a Judge via "oath or affirmation."
For the iPhone power up or 48 hours of lock screen requires a 6 digit passcode not a finger print.
And the lesson, kiddies, is never rely on ONLY biometrics to secure anything.
> For the iPhone power up or 48 hours of lock screen requires a 6 digit passcode not a finger print.
Or strong alphanumeric password with possibly many many bits of entropy - like mine. Does their TouchID precedent allow for forcing you to produce your password? I thought at least that was protected under the 5th amendment?
Make sure everyone's vote counts: Verified Voting
Good thing we don't use our fingers to hold the phone. Hold it, we do. As a starting point: https://srlabs.de/spoofing-fingerprints/
It's almost as bad as leaving the combo for the gun safe lock next on the gun safe.
... devices can evaluate the state of mind of the person using whatever pass code is required to ordinarily access it, and then failing to allow such access if what would otherwise be the correct pass is provided while under any kind of duress?
File under 'M' for 'Manic ranting'
Other than consumer level gadgets, they just have never been proven to be even remotely secure. It's Hollywood stuff, like facial scanners. I'm not saying you can't improve those to the point they are very secure, but none of the login gadgets are secure or worth it. The most secure is probably the USB keys, but I think nothing beats a strong password in one place.. the users brain. One point of failure, less vectors of attack, simple and proven to be about as good as it gets. These login methods have potential as 2 factor logins with a secondary 2 factor in case the technology fails, like picture/voice/fingerprint with a pin backup, but picture/voice and fingerprint are all easy to beat, so you've just opened a backdoor to your device.. there isn't much point. It's added complexity and added code right where you don't want it - in the authentication process. As insecure as phones already are, they don't need added login backdoors with massive vulnerabilities.
If your fingerprint does anything more than let you answer a call or read a text message, you're doing it wrong.
Fingerprints are not secure, unless you always wear gloves you're leaving the key to unlock your phone on the phone itself.
"Grab them by the pussy" -- President of the United States of America
1 finger unlocks the phone, other 9 wipe it.
Also... Back in my teenage days I once got SOOOO drunk my pals thought it would be fun to test if I had any sensation left - by putting a lighter under my left index finger.
Permanently altered that fingerprint due to scar tissue.
I'm pretty sure there are various other ways one could alter one's fingerprints rather easily and quickly.
Causing those 1 to 9 odds to suddenly look a lot more like 100%.
Look like being the operative word.
Mit der Dummheit kämpfen Götter selbst vergebens
Aside from the fact that your fingerprint could be used to unlock your device easier than getting you to reveal a password, there is also the possibility the device (as manufactured, or if compromised) could report that it is in fact you using it, due to your fingerprint. Anyone might know your password, but the fingerprint can place you at the location of the phone (which is already tracking your location).
Welcome to contempt of court. Enjoy your indefinite stay in jail until the judge lets you out.
Only the State obtains its revenue by coercion. - Murray Rothbard
And that's why Apple disables the fingerprint reader - after 3 unsuccessful attempts to use the fingerprint reader, 48 hours of no fingerprint, or on a power up.
And people think Apple's method is "asinine" for requiring a passcode. The only reason Apple has a fingerprint reader was to make phones more secure by having more people actually USE a passcode. Because passcodes are a pain when you're having to enter them in 1000 times a day, so a good majority of users don't do that. The fingerprint reader lets you have a passcode but not have to go through the hassle of entering it thousands of times a day.
So the next step will be to have distress fingers, i.e. if I use my left thumb, the phone will lock up and I need to enter my code, TouchID will not work by itself anymore.
Problem solved. Apple, you listening? Wait, you don't have to. Any expert in security knows about canaries and distress signals, so you're probably working on it already, right?
Assorted stuff I do sometimes: Lemuria.org
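Added example, not part of the thread and not Apple's code: a toy model of the lockout rules the two comments above describe (passcode required after power-up, after 48 hours, or after 3 failed scans) together with the proposed distress finger. Finger labels stand in for real template matching, the 48-hour window is assumed to run from the last successful unlock, and the class, method and finger names are hypothetical.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_SCANS = 3            # figure quoted in the comment above
BIOMETRIC_WINDOW_S = 48 * 3600  # 48 hours, as quoted in the comment above


@dataclass
class UnlockPolicy:
    """Decides when a fingerprint alone may unlock the device (illustrative model)."""
    passcode: str
    enrolled: frozenset                # finger labels that unlock (constructed stand-in)
    duress: frozenset = frozenset()    # hypothetical "distress fingers"
    failed_scans: int = 0
    passcode_since_boot: bool = False
    biometrics_disabled: bool = False
    last_unlock: Optional[float] = None

    def reboot(self) -> None:
        # After power-up the passcode must be entered before any scan counts.
        self.passcode_since_boot = False
        self.last_unlock = None

    def biometric_allowed(self, now: float) -> bool:
        return (
            self.passcode_since_boot
            and not self.biometrics_disabled
            and self.failed_scans < MAX_FAILED_SCANS
            and self.last_unlock is not None
            and now - self.last_unlock < BIOMETRIC_WINDOW_S
        )

    def try_finger(self, finger: str, now: float) -> str:
        if not self.biometric_allowed(now):
            return "passcode_required"
        if finger in self.duress:
            # Distress finger: never unlocks, and turns the sensor off until
            # the passcode is entered. Same answer as any other lockout.
            self.biometrics_disabled = True
            return "passcode_required"
        if finger in self.enrolled:
            self.failed_scans = 0
            self.last_unlock = now
            return "unlocked"
        self.failed_scans += 1
        if self.failed_scans >= MAX_FAILED_SCANS:
            return "passcode_required"
        return "rejected"

    def try_passcode(self, code: str, now: float) -> bool:
        # Constant-time comparison; a correct passcode re-arms the sensor.
        if not hmac.compare_digest(code.encode(), self.passcode.encode()):
            return False
        self.passcode_since_boot = True
        self.biometrics_disabled = False
        self.failed_scans = 0
        self.last_unlock = now
        return True


def run_scenario() -> list:
    """Walk one constructed timeline and return the outcome of each step."""
    p = UnlockPolicy("493817", frozenset({"right_index"}), frozenset({"left_thumb"}))
    out = [p.try_finger("right_index", 0)]           # fresh boot
    out.append(p.try_passcode("493817", 0))
    out.append(p.try_finger("right_index", 10))
    out.append(p.try_finger("left_thumb", 20))       # distress finger
    out.append(p.try_finger("right_index", 30))      # sensor now off
    return out


if __name__ == "__main__":
    print(run_scenario())
```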
The problem with biometrics is that they are fixed. So once they are stolen, you are screwed. Duplicating a fingerprint is easy. Iris scans are probably simple enough to defeat given the right equipment. Even some future DNA scan could be defeated, in theory. Keep in mind, no matter what form of security is used, it has to be digitized in some way. That is a crack in security.
-- Will program for bandwidth
(Yes, this is a serious, non-sarcastic post.)
Yikes, that scenario had never occurred to me. I just turned TouchID off on all my devices. Entering my (>4 character) passcode isn't really that hard.
This sort of story is why I like Slashdot. This was interesting and useful. Thanks to the submitter and the editor.
"Don't blame the log for the fire." --Andrew Ratshin
I always thought Randall should do a followup to this XKCD comic with "hold him down and swipe his finger on his phone to unlock it."
Fingerprints are not passwords. If you use them that way, you're an idiot.
At best, fingerprints are shortcuts for your USERNAME. You can use them in systems like that - school library and dining hall systems are perfect, you're not interested in "security", you're just interested in determining the correct child to a certain degree of accuracy quickly.
Your password should still be something that only you know.
People using fingerprints for passwords are deliberately making their machines less secure.
So,
1) as others have said, a real criminal/drug dealer/terrorist etc will just use a throwaway phone. Any 'data' on this phone is throwaway and 'they' know this and use random 'code words' or what ever for the day/event. - To make things easy they will use 1234 as the code to show they have nothing to hide and await REAL evidence etc.
2) Apps will appear (if not already) to 'clear' the phone on a daily basis automatically (not hard). So, when you use your finger, passcode, eye, it's no big deal, the 'data' will be nothing more than a text or phone call (if any on that day) which the phone companies already log.
3) Back to basics: We are at a point now that, actual criminals won't/don't store anything ON the phone anymore, they will just use random 'cloud' services on the device which is just like a dumb terminal etc and or code words for 'texting' so the phone will never have anything other than a few holiday pics and music. For ordinary paranoid people, Apps will become popular to use my second point when people want to just clear things up on an automatic regular basis and there are NO laws saying you can't automatically clean your own phone every 24 hours with an app. So there won't be anything of value to see.. because people come to terms that you clearly can't and never should trust a phone.
The only reason I use a pin code on my phone is to stop a thief knowing my boring private texts/Facebook/pics and stuff is at least out of their reach.
Oh and videos for a long time can stream this data to a cloud, lots of apps around now, so if the cop wants to 'delete it', he/she can't as it's already uploaded, sorry about that. There are apps that do both let it be 'deleted' but hide the fact it was uploaded somewhere lol.
The US Government wants to force people of interest to use their fingerprints to unlock phones
FTFY. Fixed the stupid capitalisation too.
systemd is Roko's Basilisk.
(IANAL. Either) The courts had indicated in a dissent that they may oppose forcing someone to turn over the combination to a safe. They set no precedent, and made no ruling to uphold that statement. Furthermore, the court is different now.
So, then wouldn't Apple's software signing key be technically obtainable through a warrant? Clearly it would, but I don't think you'd find a judge willing to sacrifice the security of everyone with an iPhone for any cause. Despite the hysteria that they are all corrupt despots.
If it ain't broke, don't fix it.
So maybe a new form of magic? A wand that gives a biometric verification of the wand holder and communicates with the device in a really obscure protocol with encryption levels approaching 1024 bit AES or better?
And/Or, on a failure to verify, maybe the sudden generation of calls to the FBI office, the CIA office and congressmen/senators. And lawyers. And streaming recordings of sound in the area...
In Delaware, I had to give my fingerprints (and palm) to the government in order to get my CCDW permit. I had to pay them for this too.
SBI
I thought that TouchID could be bypassed by a fake finger with a fingerprint printed on it. (Source: YouTube) Making someone unlock a phone with their own finger seems like an unnecessary step.
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
blahblah blah my fingerprints are secure. Quick, hide your fingers. Oh no the bad guys cut one off and used it to access terrorist data on Akhmed's iPhone. Oh shit they used Jello to transfer the prints then advanced hacking techniques to access the encrypted data. blah
blind fuckers.
I recently got fingerprinted for the license to carry permit and the attendant mentioned to me that my prints are very shallow and were hard to properly scan them. She said that it's normal, after a lifetime of accumulating damage from dealing with domestic chemicals and handling hot pans. I had no idea that this could happen. That also explained why I gave up on using the fingerprint to unlock my phone, since it took several unsuccessful attempts before I'd finally type in the backup password. Which means that the only finger I have to give for this idea is the middle one.
Tell that to this guy https://nakedsecurity.sophos.c...
Only the State obtains its revenue by coercion. - Murray Rothbard
Any act on your part that causes proof to appear is testimony, but bad court rulings are twisting meanings. You are the only person who knows the finger you may have used in a fingerprint passcode, therefore, divulging that information is no different than providing the code to a combination lock, which you have no obligation to do; the differences are only in the potential and actual lengths of the combination.
> There's no law which prevents them from seeing things they aren't looking for. Yeah, your phone may contain nudie pics. Your house may also contain nudie pics. That doesn't mean police can't get a warrant to search a house, or that such a warrant would be improper, given probable cause.
> Any of the items you mentioned which may be on a phone may also be in a house or a car. With a warrant, properly obtained, authorities can rightfully search a house, car, or phone.
In the US there are limits that LEOs must abide by. The case in point made by the gp revolves around looking inside desk drawers when searching for a stolen TV. Anything in plain sight is fair game. Anything found in a place that could reasonably be expected to possibly hold the item being searched for is fair game. Everything else is off limits. It's not reasonable to expect that someone hid a 32" TV in a 3"x12"x12" desk drawer. If the drawer were open and the bag of weed was plainly visible then it becomes fair game. If the LEO smells marijuana he could request a new warrant to search for marijuana, then the closed drawer of the desk would be fair game because it could reasonably be expected to contain a stash of weed.
This limit should also extend to your phone. If they are searching your phone for communications to confirm that you spoke with someone, then the warrant should be restricted to the call logs on the phone. If pictures are within a password protected application, then a warrant for call logs would not give LEOs the right to demand that you unlock that application. Unfortunately all of this would require that the judges granting the warrants understand the technology and understand when LEOs were being overly broad with their warrant request. The judge could then require the LEO to limit the "places to be searched" on the phone to just the relevant sections. Defense attorneys will have to successfully challenge the warrant in court as being overly broad and get evidence excluded though before anyone will tighten up the warrant requests.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
> This limit should also extend to your phone. If they are searching your phone for communications to confirm that you spoke with someone, then the warrant should be restricted to the call logs on the phone
And perhaps a search of communications (again based on good probable cause, with a proper warrant) would also include text messages, Snapchat, Facebook, etc I suppose? It's interesting because unlike a TV, which can't fit in a drawer (though the remote can), communications can fit in many applications.
This is why the advice is: If you think you're about to get arrested, shut your phone off. With an iPhone, upon first boot, it requires the passcode; the fingerprints won't work. The latest precedent that I know of (late 2015) is that you can be compelled to provide your fingerprints, but not your passwords.
And this is why I have not and probably will not ever activate my fingerprint recognition on my iPhone. The other reason is that compared to a well-selected pass code, the security is worse with fingerprints!
Simple solution: use your pinky finger as your unlock finger. By the time the authorities figure out that your index finger isn't working, you will have exceeded the iPhone try limit, and be forced back to using the passcode.
This is a gross violation of the 4th Amendment right to be secure in our papers and effects. Worse, our computational devices are more intimate and part of us than mere paper could ever be. As they become ever more extensions of our brain, forcing access may fairly be compared to directly wiring your brain to testify against you. Enough with these petty tyrants!