Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com)

Posted by EditorDavid on from the hand-over-the-evidence dept.

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"

43 of 224 comments (clear)

  1. Backlash by De_Boswachter · · Score: 2

    The harder a government tries, the faster a market for hard-to-crack devices will grow.

    1. Re:Backlash by BarbaraHudson · · Score: 2

      I have outwitted them. My fingerprint will not help them. I don't lock my phone. And it doesn't have a fingerprint reader. ha ha :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Backlash by arth1 · · Score: 4, Interesting

      People are always criticising passwords, but passwords can be kept safely in one's mind. And there is no way for the government to extract that password from you.

      One of the US presidential candidates this year disagrees, and believes in "advanced extraction techniques" or whatever the latest euphemism for torture is.

      That said, the biggest problem with biometric authentication is that once the cat is out of the box, it won't get back in. You can change your password, but you cannot change your biometrics. Once they've been copied, they're compromised for the rest of your life.
      For a fingerprint, that can be very easy to lift. A photo, or a glass, or a door handle. You don't even have to know that it's been taken.

      Another big problem is that they're not as unique as we like to think. There have been cases where people have been found in a fingerprint database that were nowhere near where "their" fingerprint was found. With several billion people, there are going to be overlaps. And because of the implicit trust in biometrics, the onus is on the suspects to prove his or her innocence against something that is treated as infallible evidence.

    3. Re:Backlash by BarbaraHudson · · Score: 2

      One place I worked at had one of those fingerprint readers on the time clock. I never used it after demonstrating that it would not read my fingerprint most of the time even with multiple tries and went back to my time sheet.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    4. Re:Backlash by rahvin112 · · Score: 2

      Fingerprints are unique, but the FBI method of mapping them is NOT. You are equating two separate things. The FBI fingerprint systems don't look at the exact fingerprint, they create a dot pattern based on the whorls in the fingerprint and then use the dot pattern for matching. Those dot patterns are not going to be truly unique because fingerprints can generate the same dot pattern and be different.

      This is a problem with the FBI computers that do the matching, NOT because fingerprints aren't unique.

  2. Duress print by Anonymous Coward · · Score: 5, Interesting

    New option: set a finger to use which will cause the device to wipe. (I can think of an appropriate digit to use).

    1. Re: Duress print by omnichad · · Score: 2

      That won't help you. Unless the "wipe" included fake usage and history, that's tampering with evidence and a crime all its own. And if your fake data doesn't match call record metadata, that will still be easy to prove as tampering.

    2. Re: Duress print by Anonymous Coward · · Score: 2, Interesting

      Then do nothing, and let them press your finger to the device. Don't even offer a specific finger, let them pick. It is not your job to inform them that doing so will wipe the device.

    3. Re: Duress print by AK+Marc · · Score: 5, Informative

      Converting the data to an unusable form would be treated like shredding, which is illegal, and well tested to be illegal, if you do so after you know the material shredded was needed for an investigation or lawsuit.

      --
      Learn to love Alaska
    4. Re: Duress print by climb_no_fear · · Score: 4, Interesting

      Converting the data to an unusable form ....

      You said it yourself: "Converting". But it was unusable before (ie., encrypted) and is still encrypted. Hence, no meaningful conversion took place.

      How about this: You could set up the system to unpack itself but with an algorithm that takes 20 years. It was locked before and now it is decrypting itself. You were asked to open it and you did.

      All good things take time...

    5. Re: Duress print by AK+Marc · · Score: 2

      So if your notes were written in code, shredding them would be legal? There's no legal argument for that. Destroying things related to an investigation is illegal, regardless of what form they were in before.

      --
      Learn to love Alaska
    6. Re: Duress print by NicBenjamin · · Score: 2

      Dude,

      Stop watching movies.

      You've just committed multiple felonies relating to obstructing an investigation. Moreover the reaction of Courts to "you can't prove that, the evidence is gone," is typically to assume the evidence was the most damning evidence possible.

    7. Re: Duress print by OrangeTide · · Score: 2

      I'm pretty sure destroying evidence has a less harsh penalty than murder or copyright infringement these days.

      --
      “Common sense is not so common.” — Voltaire
    8. Re: Duress print by cfalcon · · Score: 2

      While you may be held in contempt or face other charges if you deliberately take an action to destroy evidence, I've never heard of "beyond a reasonable doubt" being interpreted as "or, you know, if they destroyed evidence". Much of this also depends on the specifics of the case as well.

      The overall topic- that you can be compelled to use your finger to unlock a phone- isn't even new. This has already been found in older cases. It's a very solid reason to use good crypto- you can be compelled to unlock with a finger by pretty much anyone at any time, legal or not. It is inherently less secure than a password or even a PIN.

    9. Re: Duress print by NicBenjamin · · Score: 2

      Thye standard doesn't change.

      But if you destroy evidence, the cops can tell that to a Jury. Generally they have to, because it would be quite unusual to have separate trials for the destruction of evidence charge and the charge that started the investigation.

      So the Jury goes into that room, where the course of your life will be determined, and yes they are technically using the same standard as always (Reasonable Doubt). But your side has a huge credibility problem because you destroyed evidence.

      Yeah, you can win that case (Casey Anthony, for example, got convicted of impeding the investigation but nor murdering her daughter), but if you;re actually fucking innocent and/or your phone actually does not have incriminating information on it destroying it is a really bad idea.

      Fighting the Court Order in Court, using lawyers, probably makes sense; but destroying the evidence will not only give a Federal Prosecutor a free 5-year felony to pin on your ass (this one), it will also encourage the Jury to believe the Prosecutor in the main bit of the case.

    10. Re: Duress print by fnj · · Score: 2

      I'm pretty sure destroying evidence has a less harsh penalty than murder or copyright infringement these days.

      ... or insulting that verminous prick, Recep Tayyip Erdoan.

    11. Re: Duress print by AK+Marc · · Score: 2

      Nope. If I can prove you shredded something (that I think is relevant), that is the crime. Nobody is assuming anything. Proving they shredded something after being subpoenaed *is* the crime. You can't prove it's related to the crime because it's shredded. So in most cases, you don't have to prove that part, just that they did it.

      --
      Learn to love Alaska
    12. Re: Duress print by TheCarp · · Score: 3, Informative

      > if you do so after you know the material shredded was needed for an investigation or lawsuit.

      This. As a budding young sysadmin this was always one of the first things that came up as why we really need a data retention policy. The last position you want to be in when a lawsuit arrives is having just erased data with no clear policy as to why you did it.

      Its not even entirely about whats true or what can be discovered but what can be proven to the satisfaction of men, and that is always going to be a larger set. Best to have a policy and stick to it.

      --
      "I opened my eyes, and everything went dark again"
  3. Multi Layered Logins by EEPROMS · · Score: 2

    If this starts happening people will just use a multi layer logins ie a sequence of fingers prints instead of just one or a fingerprint and a pass sequence. Also regarding terrorists, they just use burner phones for no more than a day or two now and use cryptic key words that mean nothing to your average key word search engine.

    1. Re:Multi Layered Logins by m0hawk · · Score: 3, Interesting

      Or just using a long password held only in the brain. A lot less complicated than multiple layers of security, works right now and is "safe enough" for most people.

      For example, a police officer that doesn't respect your rights and asks to see the device contents without a warrant, because you were filming or were using your device in a manner they didn't like.

      One drawback is the time it takes entering a long password when you need your device quickly or need to check it often.Although, Android does have a feature so you can set 'safe areas' where your password will not be needed once the device is unlocked once.

      I have work and home set as places where I only have to enter the password about once or twice per day, no matter how many times I check the device.

      If somebody stole my phone it will automatically lock once they leave WiFi range of home or work.

      A good trade off between security and ease of use imo.

    2. Re:Multi Layered Logins by AmiMoJo · · Score: 2

      Current phones have already solved this problem. Can you set both Android and iOS to require a password/PIN after a certain amount of time, rather than just a fingerprint. You should set it to something short so that the police don't have time to get a warrant.

      Android also has a number of Dead Man's Switch apps, which will automatically wipe the phone after a certain period of inactivity. How this affects you legally depends on the jurisdiction I guess. Is failure to act to prevent the destruction of evidence a crime where you live?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Re:Fingerprinting is new? by Calydor · · Score: 2

    There is no difference in the task - but it used to be you got put in the police archive for easy identification, NOT that you gave up all your personal files to the police.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  5. Re:Fingerprinting is new? by Antique+Geekmeister · · Score: 3, Informative

    And the police fingerprints are still good enough to be used to defeat the best fingerprint scanners. There's been no noticeable improvement in the technology since the paper on defeating it was published in 2002.

                    https://cryptome.org/gummy.htm

    The crack was confirmed by MythBusters in 2011.

                    https://www.youtube.com/watch?...

    There has been no basic change in the technology. Fingerprint scanners are still trivially beaten.

  6. You've been warned: biometrics might not be secure by slimjim8094 · · Score: 4, Interesting

    See this Slashdot article from October 2014: Virginia Court: LEOs Can Force You To Provide Fingerprint To Unlock Your Phone. And that's not the first.

    (IANAL.) The idea is that forcing you to reveal something you know (passcode, etc) is testifying and thus could be self-incrimination and not constitutional, but that forcing you to provide something about yourself is totally kosher. The analogy is being compelled to give up a key or DNA vs a safe combination - the former is searchable, the latter is not. Fingerprints are routinely taken upon arrest, even if the person is released without charges. Physical descriptions or stuff on/about you is not testifying. The argument to make here is a fourth amendment one about being "secure in ones papers" - but they have a warrant so that doesn't do any good anyway.

    What it comes down to is the fifth amendment is a very important, but very circumscribed, right - not a get out of jail free card. Which shouldn't have been a surprise, really, otherwise the police would never be able to prosecute much of anything.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  7. No problem here... by FrankSchwab · · Score: 2

    They got a warrant. None of my other "persons, houses, papers, and effects" are secure against a warrant, so why should my phone be?

    You may not think that there are other situations where the State could require my cooperation to investigate my alleged crimes, and yet those situations exist commonly. Fingerprints or DNA, for example, are coerced confessions from my body to be used by the state against me - and there's a long history (sometimes sordid) of their acceptance and use. They are coerced cooperation - try not giving fingerprints or DNA and see how far you get.

    The only significant issue I see is that the coerced cooperation required to open my phone, opens a huge window into my private business that doesn't have much of a parallel pre-cellphone. But that isn't much different than a search warrant for my house - the warrant must be specific, but that doesn't mean that the police who search my house won't investigate every document, container, and closet that may (or may not) be covered by the warrant.

    --
    And the worms ate into his brain.
  8. How far according to history. by Dunbal · · Score: 2

    How far can the government go to obtain biometric markers such as fingerprints and hair?

    They can go as far as just taking you around the back of the courthouse and shooting you. Of course those governments don't tend to be popular, but it happens. It all depends how much power the people give the government, until a critical mass is reached where the government no longer needs the people and can just give itself power. Guess which phase the US is in today.

    --
    Seven puppies were harmed during the making of this post.
  9. Re:How far can the (US) government go? by Anonymous Coward · · Score: 5, Informative

    I think you have a bit of a misinterpretation of the fifth amendment.

    The explicit text related to self-incrimination is:

    "...nor shall be compelled in any criminal case to be a witness against himself; ..."

    which is generally interpreted as:

    "The Fifth Amendment protects criminal defendants from having to testify if they may incriminate themselves through the testimony. A witness may 'plead the Fifth' and not answer if the witness believes answering the question may be self-incriminatory."

    So, the fifth amendment specifically applies to testimony.

    So while you can't be compelled to provide authorities with your decryption key for instance, we have recently seen here that you can be ordered to perform the decryption itself and be held in contempt of court for not doing so.

  10. Re:Fingerprinting is new? by omnichad · · Score: 3, Insightful

    Sounds like a mistake to use your fingerprint as a password in that case, then. Not law enforcement's fault.

  11. Not Testimonial by SeattleLawGuy · · Score: 3, Interesting

    Fingerprinting is not new--not only is it required of criminal defendants as a matter of course, but many states take fingerprints for other reasons such as admission to the bar.

    The Fifth Amendment right against self-incrimination does not apply because certain information is not considered "testimonial" in nature. You are not testifying when providing a fingerprint. While this is a slightly different case because the fingerprint is being used to unlock a phone, ultimately they are still not using testimony to unlock the phone--they are using a physical characteristic of an individual. So it will still be considered non-testimonial, and the appeals court that reviews the matter will agree.

    The Fourth Amendment still protects you from a random search of your phone, but there was a warrant in this case.

    --
    Real lawyers write in C++
  12. Re:You've been warned: biometrics might not be sec by Jason+Levine · · Score: 4, Insightful

    Fingerprints are routinely taken upon arrest, even if the person is released without charges.

    I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?

    Heck, if the government has your phone, chances are they have your fingerprint on your phone (or have access to somewhere you've been that you've left your fingerprints). Even if they don't have you in custody (and thus didn't fingerprint you), they can use those fingerprints to gain access to your phone.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  13. Depends on if they can prove it's yours by raymorris · · Score: 2, Informative

    In at least one well-known case, it was held that a subpoena for the contents of a phone (protected by a password) to be used or provided depends on one factual question. The same question that applies to documents locked in an old-fashioned safe that has a combination.

    If there is a question about whether or not the phone belongs to the defendant, providing the password would be admitting ownership. That would be testimony, which is protected by the 5th.

    On the other hand, if the defendant admits it's his phone (or safe) , they have no 5th amendment right to interfere with a lawful subpoena just because unlocking the documents requires a combination that they know in their head, rather than one they wrote down.

  14. Re:Public Service Announcement by dgatwood · · Score: 5, Interesting

    The government can just wait for your prints to regrow (while you are held in custody)

    That approach won't work. The device won't take fingerprints after 48 hours. In fact, if the person simply refuses to submit to use of their fingers to unlock the device, they might get held in contempt, but after 48 hours, they can submit to the use of their fingers, and they're no longer in contempt, but it won't be of any value to the government.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  15. 9 to 1 odds of wiping the phone? by denzacar · · Score: 2

    1 finger unlocks the phone, other 9 wipe it.

    Also... Back in my teenage days I once got SOOOO drunk my pals thought it would be fun to test if I had any sensation left - by putting a lighter under my left index finger.
    Permanently altered that fingerprint due to scar tissue.

    I'm pretty sure there are various other ways one could alter one's fingerprints rather easily and quickly.
    Causing those 1 to 9 odds to suddenly look a lot more like 100%.
    Look like being the operative word.

    --
    Mit der Dummheit kämpfen Götter selbst vergebens
    1. Re:9 to 1 odds of wiping the phone? by Ihlosi · · Score: 4, Funny
      1 finger unlocks the phone, other 9 wipe it.

      Any finger wipes it, middle toe of right foot unlocks it.

    2. Re:9 to 1 odds of wiping the phone? by jafiwam · · Score: 4, Funny

      I always wondered if a dick-print could be used to unlock an iPhone.

      Never got around to it as it turns out, if you tell everybody that's what you do, nobody touches your phone anyway.

  16. Re:Fingerprinting is new? by Antique+Geekmeister · · Score: 2

    I don't know where you are, nor have hands-on access. MythBusters reprised the 2002 paper: Feel free to repeat the experiment, yourself, with a scanner, a printer, and a permanent marker to print the expanded scan, correct broken lines with a fine marker, then reduce the scan. And yes, I've done this about 3 years ago, at a data center with a laser printed paper fingerprint, moistened, on my own fingerprint. I'm not sure which model it was, but it was a useful proof of concept. The claims of "this is a 3D scanner and therefore cannot be fooled" seem to be complete nonsense.

  17. Re:You've been warned: biometrics might not be sec by tlhIngan · · Score: 2

    I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?

    And that's why Apple disables the fingerprint reader - after 3 unsuccessful attempts to use the fingerprint reader, 48 hours of no fingerprint, or on a power up.

    And people think Apple's method is "asinine" for requiring a passcode. The only reason Apple has a fingerprint reader was to make phones more secure by having more people actually USE a passcode. Because passcodes are a pain when you're having to enter them in 1000 times a day, so a good majority of users don't do that. The fingerprint reader lets you have a passcode but not have to go through the hassle of entering it thousands of times a day.

  18. Biometrics are a bad idea by rossz · · Score: 2

    The problem with biometrics are they are fixed. So once they are stolen, you are screwed. Duplicating a fingerprint is easy. Iris scans are probably simple enough to defeat given the right equipment. Even some future DNA scan could be defeated, in theory. Keep in mind, no matter what form of security is used, it has to be digitized in some way. That is a crack in security.

    --
    -- Will program for bandwidth
  19. Re:How far can the (US) government go? by borgasm · · Score: 2

    What if you made the passphrase answer a statement that you were guilty of doing something? Then, since you can't be forced to testify against yourself, you can't divulge the passphrase since it is itself self-incriminatory.

    I should have gone to law school.

  20. Thank You Slashdot! by jIyajbe · · Score: 3

    (Yes, this is a serious, non-sarcastic post.)

    Yikes, that scenario had never occurred to me. I just turned TouchID off on all my devices. Entering my (>4 character) passcode isn't really that hard.

    This sort of story is why I like Slashdot. This was interesting and useful. Thanks to the submitter and the editor.

    --
    "Don't blame the log for the fire." --Andrew Ratshin
  21. Sigh by ledow · · Score: 5, Insightful

    Fingerprints are not passwords. If you use them that way, you're an idiot.

    At best, fingerprints are shortcuts for your USERNAME. You can use them in systems like that - school library and dining hall systems are perfect, you're not interested in "security", you're just interested in determining the correct child to a certain degree of accuracy quickly.

    Your password should still be something that only you know.

    People using fingerprints for passwords are deliberately making their machines less secure.

  22. Re:How far can the (US) government go? by pellik · · Score: 2

    This case is so insidious that I really hope it gets more traction on slashdot or other media sites.
    The slashdot summary didn't do it justice, either. The court is holding someone who claims to have forgotten his password indefinitely until such a time that he produces his password.
    If the police search your house, and deep in your basement find a computer hard drive from 6 years ago that you've completely forgotten about, and have no recollection of the passphrase to unlock, do you deserve indefinite detention?

  23. Re:How far can the (US) government go? by Ihlosi · · Score: 2
    What happens if you legitimately can't decrypt a drive.

    Claim that you used OTP encryption, ask for a copy of the encrypted data, generate a key that will decrypt the encrypted data, verifiably and reproducibly, to any plaintext you chose.