Slashdot Mirror
The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com)
schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.
It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"
It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"
New option: set a finger to use which will cause the device to wipe. (I can think of an appropriate digit to use).
And the police fingerprints are still good enough to be used to defeat the best fingerprint scanners. There's been no noticeable improvement in the technology since the paper on defeating it was published in 2002.
https://cryptome.org/gummy.htm
The crack was confirmed by MythBusters in 2011.
https://www.youtube.com/watch?...
There has been no basic change in the technology. Fingerprint scanners are still trivially beaten.
See this Slashdot article from October 2014: Virginia Court: LEOs Can Force You To Provide Fingerprint To Unlock Your Phone. And that's not the first.
(IANAL.) The idea is that forcing you to reveal something you know (passcode, etc) is testifying and thus could be self-incrimination and not constitutional, but that forcing you to provide something about yourself is totally kosher. The analogy is being compelled to give up a key or DNA vs a safe combination - the former is searchable, the latter is not. Fingerprints are routinely taken upon arrest, even if the person is released without charges. Physical descriptions or stuff on/about you is not testifying. The argument to make here is a fourth amendment one about being "secure in ones papers" - but they have a warrant so that doesn't do any good anyway.
What it comes down to is the fifth amendment is a very important, but very circumscribed, right - not a get out of jail free card. Which shouldn't have been a surprise, really, otherwise the police would never be able to prosecute much of anything.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
I think you have a bit of a misinterpretation of the fifth amendment.
The explicit text related to self-incrimination is:
"...nor shall be compelled in any criminal case to be a witness against himself; ..."
which is generally interpreted as:
"The Fifth Amendment protects criminal defendants from having to testify if they may incriminate themselves through the testimony. A witness may 'plead the Fifth' and not answer if the witness believes answering the question may be self-incriminatory."
So, the fifth amendment specifically applies to testimony.
So while you can't be compelled to provide authorities with your decryption key for instance, we have recently seen here that you can be ordered to perform the decryption itself and be held in contempt of court for not doing so.
Sounds like a mistake to use your fingerprint as a password in that case, then. Not law enforcement's fault.
Fingerprinting is not new--not only is it required of criminal defendants as a matter of course, but many states take fingerprints for other reasons such as admission to the bar.
The Fifth Amendment right against self-incrimination does not apply because certain information is not considered "testimonial" in nature. You are not testifying when providing a fingerprint. While this is a slightly different case because the fingerprint is being used to unlock a phone, ultimately they are still not using testimony to unlock the phone--they are using a physical characteristic of an individual. So it will still be considered non-testimonial, and the appeals court that reviews the matter will agree.
The Fourth Amendment still protects you from a random search of your phone, but there was a warrant in this case.
Real lawyers write in C++
I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?
Heck, if the government has your phone, chances are they have your fingerprint on your phone (or have access to somewhere you've been that you've left your fingerprints). Even if they don't have you in custody (and thus didn't fingerprint you), they can use those fingerprints to gain access to your phone.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
That approach won't work. The device won't take fingerprints after 48 hours. In fact, if the person simply refuses to submit to use of their fingers to unlock the device, they might get held in contempt, but after 48 hours, they can submit to the use of their fingers, and they're no longer in contempt, but it won't be of any value to the government.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Or just using a long password held only in the brain. A lot less complicated than multiple layers of security, works right now and is "safe enough" for most people.
For example, a police officer that doesn't respect your rights and asks to see the device contents without a warrant, because you were filming or were using your device in a manner they didn't like.
One drawback is the time it takes entering a long password when you need your device quickly or need to check it often.Although, Android does have a feature so you can set 'safe areas' where your password will not be needed once the device is unlocked once.
I have work and home set as places where I only have to enter the password about once or twice per day, no matter how many times I check the device.
If somebody stole my phone it will automatically lock once they leave WiFi range of home or work.
A good trade off between security and ease of use imo.
(Yes, this is a serious, non-sarcastic post.)
Yikes, that scenario had never occurred to me. I just turned TouchID off on all my devices. Entering my (>4 character) passcode isn't really that hard.
This sort of story is why I like Slashdot. This was interesting and useful. Thanks to the submitter and the editor.
"Don't blame the log for the fire." --Andrew Ratshin
Fingerprints are not passwords. If you use them that way, you're an idiot.
At best, fingerprints are shortcuts for your USERNAME. You can use them in systems like that - school library and dining hall systems are perfect, you're not interested in "security", you're just interested in determining the correct child to a certain degree of accuracy quickly.
Your password should still be something that only you know.
People using fingerprints for passwords are deliberately making their machines less secure.
Any finger wipes it, middle toe of right foot unlocks it.
People are always criticising passwords, but passwords can be kept safely in one's mind. And there is no way for the government to extract that password from you.
One of the US presidential candidates this year disagrees, and believes in "advanced extraction techniques" or whatever the latest euphemism for torture is.
That said, the biggest problem with biometric authentication is that once the cat is out of the box, it won't get back in. You can change your password, but you cannot change your biometrics. Once they've been copied, they're compromised for the rest of your life.
For a fingerprint, that can be very easy to lift. A photo, or a glass, or a door handle. You don't even have to know that it's been taken.
Another big problem is that they're not as unique as we like to think. There have been cases where people have been found in a fingerprint database that were nowhere near where "their" fingerprint was found. With several billion people, there are going to be overlaps. And because of the implicit trust in biometrics, the onus is on the suspects to prove his or her innocence against something that is treated as infallible evidence.
I always wondered if a dick-print could be used to unlock an iPhone.
Never got around to it as it turns out, if you tell everybody that's what you do, nobody touches your phone anyway.