Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case

An anonymous reader shares a report on 9to5Mac: A second federal judge has ruled that a suspect can be compelled to unlock their iPhone using their fingerprint in order to give investigators access to data which can be used as evidence against them. The first time this ever happened in a federal case was back in May, following a District Court ruling in 2014. The legal position of forcing suspects to use their fingerprints to unlock devices won't be known with certainty until a case reaches the U.S. Supreme Court, but lower court rulings so far appear to establish a precedent which is at odds with that concerning passcodes. Most constitutional experts appear to believe that the Fifth Amendment prevents a suspect from being compelled to reveal a password or passcode, as this would amount to forced self-incrimination -- though even this isn't certain. Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission.Ars Technica has more details.

what about copying them and makeing there own

[Joe_Dragon]

what about copying them and making there own 3d printer finger? They have the finger prints from booking right?

Re:what about copying them and makeing there own

[Salgak1]

That would depend on the sensor, but I can think of several ways to try, especially with recent tech. Heck, the Mythbusters hacked a biometric lock with a photocopy a decade ago. . .

Re: what about copying them and makeing there own

Wow, why are angry children always so disconnected from the real world?

You harp on about Muslim immigration then say you want to elect the only pro Muslim immigration candidate in th US. At least make some sense before you rant. Write it down first and read it, check it doesn't make you look like a downs syndrome child before you post.

Re:what about copying them and makeing there own

[prograsm]

Current really cheap phone sensors will work with a 2D printed photocopy of the fingerprint, slightly less cheap sensors are capacitive and but should still work with a 2D print using, say, capacitive ink (would the standard magnetic toner used to print official bank cheques work here?). For the more complex sensors (I used to work at a company that manufactured this type, but don't know of any used in phones) even using the suspect's real finger wouldn't work if it happened to be cut off of the suspect... we were reading the EM field of the flowing blood capillaries behind the fingerprint itself. This is common with more security oriented sensors, and while we were able to shrink them enough to operate fine in a phone, they aren't the sub $5 cost that most phone sensors seem to have budgeted. Summing up: A capacitive 3D print should work, but overkill. 2D prints will definitely work, but capacitant sensors makes that less trivial than it used to be. Good sensors are tough as hell to spoof because EM is tougher than optical to replicate in fingerprint format.

Re: what about copying them and makeing there own

[piojo]

Your post is a fantastic example. Your writing is not illegal, but if it ever became publicly tied to you, you'd never be able to find a decent job again.

TFA is not terribly clear...

[LichtSpektren]

Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment. If it's the latter then it's just routine--he's going to leave a trace somewhere eventually.

In either case, the moral of the story is, don't use your biometrics to lock your phone.

Re:TFA is not terribly clear...

Moral of the story is Don't leave evidence on your phone. Or anywhere else for that matter.

Re: TFA is not terribly clear...

[ArmoredDragon]

I don't think it makes a difference. It's well known that in IT security, the authentication factors are who you are, what you have, and what you know. The Constitution only protects the what you know factor. The who you are factor, which is almost entirely biometric, has almost zero protection. Why? Because all three branches of the government can compel you to identify who you are, and there is nothing in either the Constitution or any written laws saying otherwise.

Re:TFA is not terribly clear...

An app that automatically wipes the phone after a certain amount of time with no successful unlocks, say 5 days, would be awesome. Problem solved.

Re:TFA is not terribly clear...

[JaredOfEuropa]

This sounds like one of those instances where the spirit rather than the letter of the law should be applied. When using a fingerprint to unlock a phone, it is clearly being used as a passcode rather than "physical evidence". FTA:

iOS also only permits five Touch ID unlock attempts before the passcode is required, so smart criminals would either register their little finger and use up those attempts with other fingers.

So in this case, where a judge compels a suspect to unlock his phone using his fingerprint, and he blocks the phone with 5 bogus attempts, can he be held in contempt of court? Or he could claim that the phone didn't recognize his fingers because of sweaty hands.

Re:TFA is not terribly clear...

iPhone can be set to do that at 10 failed unlocks.

Re:TFA is not terribly clear...

[willoughby]

"...smart criminals would either register their little finger and use up those attempts with other fingers."

That would be just as clear to me if it were written in German. What does that mean?

Re: TFA is not terribly clear...

[DougOtto]

Which is why you should reboot your phone (or power it off) if you're expecting an inspection.

Re:TFA is not terribly clear...

[bobbied]

(Current political stories not withstanding..) Can you say destruction of evidence is a crime? IF you have such a setup, I'm pretty sure you need to discuss it with your lawyer (you DO have one RIGHT?) who is likely going tell you to disclose this fact to authorities. Better yet, just don't let incriminating stuff end up on your phone if you choose to step over onto the wrong side of the line unlike most stupid criminals.

Re: TFA is not terribly clear...

[alvinrod]

It makes a big difference. The government may well have the legal authority to take my fingerprint, but they cannot compel me to reveal which of them or which part of one of them could unlock my device. Otherwise what's the difference between that and compelling me to indicate which combination of letters or numbers would unlike the device by using a pass code?

I hope device manufacturers include functionality to allow one time fingerprint access before falling back to needing password or PIN access. That way, even if law enforcement does have access to your prints, it would not guarantee them access to your device.

Re:TFA is not terribly clear...

[jratcliffe]

Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment.

Not a Fifth Amendment violation. He's not being required to testify as to anything he knows, it's just a physical characteristic. Other example would be voice exemplars - it's Constitutional to require a defendant to say "hands up, give me the money," as part of a "voice lineup," since saying that doesn't require the defendant to testify to any content or knowledge. United States v. Dionisio

Re:TFA is not terribly clear...

There's a finite number of failed attempts that once recorded will put the phone in a "password only" state. "Accidentally" using the fingerprint reader incorrectly could be used as a method preventing this thuggish practice.

Guten Nacht

Re:TFA is not terribly clear...

[fustakrakich]

Exactly. I am very disappointed that people think it's okay to compel anyone to assist in any way one's own prosecution, so, to get around that issue and avoid the philosophical bullshit, a panic button or a preset timer would be very nice. Something that actually fries the chip inside, just to be sure. The worst they can charge you with then is destruction of evidence, which might be a hell of a lot better than the original indictment.

Re:TFA is not terribly clear...

[jxander]

While I can't speak to every phone and every OS, apple devices on iOS9 already have a "fix" for this: Power off your phone.

When an iPhone is powered on, it requires that you type in the pin code or pass phrase. No biometrics here.

Re:TFA is not terribly clear...

[Kiralan]

He means that he would use his little finger for the correct finger, and fail the 5 attempts using any other finger or fingers. At that point, it would also require the PIN.

Re:TFA is not terribly clear...

[Aaden42]

There's (not a lot of...) case law that suggests a truly deadman switch that erases a device isn't considered destroying evidence. If you *do* something actively that triggers it, that's destruction and you can be charged. If by doing nothing, the device is erased, that's okay. You're also not under any obligation to mention such a thing exists.

So for example if you set something up to wipe the device if you sent a magic text message, that would be a problem. Something that wipes if you don't touch it for a week is generally considered legal. It generally goes with the idea that you can be held to consequences for your *actions*, but there's a higher bar to hold you accountable for your *inactions*.

Re:TFA is not terribly clear...

[bhcompy]

Not necessary. Android and iOS both require passcode unlocks after reboots. Android requires it after 48hr of disuse. Just need to tweak the scenarios where passcodes are required to overcome this privacy hurdle

Re: TFA is not terribly clear...

Scheduled destruction of data shouldn't be construed as destruction of evidence. Let's say your company has a 30-day email retention policy. On day 30 the FBI decides there might be evidence in an email, and takes an hour to get a warrant and deliver it to you. You get an IT person to pull up the file, but let's say the email was deleted and HDD overwritten 10 seconds prior.

You scheduled the destruction before it was evidence.

I think there would be plenty of similar examples with scheduled shredding of files, or running a trash compactor, or operation of a sump pump, etc.

Re: TFA is not terribly clear...

I would like to see a "duress fingerprint". Force me to use my fingerprint? Fine, I'll use my middle finger which disables all biometrics until further notice.

Re:TFA is not terribly clear...

[sexconker]

Not a Fifth Amendment violation. He's not being required to testify as to anything he knows, it's just a physical characteristic. Other example would be voice exemplars - it's Constitutional to require a defendant to say "hands up, give me the money," as part of a "voice lineup," since saying that doesn't require the defendant to testify to any content or knowledge. United States v. Dionisio

That's a clear 1st amendment violation.

Re:TFA is not terribly clear...

[bobbied]

Do you happen to have any case law on that? I'd love to see the precedence on that idea because somehow it looks like a distinction without a difference to me. If you routinely destroy evidence to avoid implicating yourself in a crime, I think the intent is pretty clear. That you automated the process, might not be a good thing when heading to trial because that's going to be used against you to show intent to cover up what you where doing, which may actually be worse than the "evidence" you got rid of.

Re: TFA is not terribly clear...

It depends on the size of the company, who the shareholders are, how well connected the CEO or board are... The law must take those important factors into consideration.

Re: TFA is not terribly clear...

^^^^^^ def need this.

Re:TFA is not terribly clear...

[fustakrakich]

Given the choice between destruction of evidence or facing much more serious prison time on trumped up charges (even if you plead out). Picking the lesser charge is the way to go. I don't see any point on philosophizing on the matter when simple math will do.

Re:TFA is not terribly clear...

There's a finite number of failed attempts that once recorded will put the phone in a "password only" state. "Accidentally" using the fingerprint reader incorrectly could be used as a method preventing this thuggish practice.

Guten Nacht

Not really.

If the court holds that they have the authority to compel you to unlock the device with your finger than the'd call deliberately choosing the wrong finger 5 times "contempt of court".

It'd be difficult to prove you did it deliberately in the mathematical sense, but pretty easy to convince a jury that you did which is the standard for prove in court.

Re: TFA is not terribly clear...

[swb]

And if they compel me to provide fingerprints, not only should I not have to tell them which fingerprint may unlock the device, it should be up to them to convert my fingerprint into a useful tool to actually unlock the phone.

Hopefully device manufacturers will include a configurable time window for the time to PIN/password fallback. It would be useful to adjust it based on usage from anywhere 0 to days, depending on what you think your exposure is.

Re:TFA is not terribly clear...

[naughtynaughty]

Routinely destroying evidence to avoid implicating yourself could be a crime. However, having an automatic data retention policy likely would not be a crime. If you routinely back up your data to encrypted storage, a good practice, and then automatically delete old data you are being prudent, not a criminal. Just don't sit around with your partners in crime discussing how to thwart law enforcement by using data retention policies.

Intent matters. And intent is difficult to prove if there isn't any hard evidence and your actions have a legitimate purpose.

Re:TFA is not terribly clear...

[TroII]

No, the moral of the story is don't use your fingerprint as a password.

Re:TFA is not terribly clear...

[JosephDoeden]

The moral is that testimony is not actually the same as giving a fingerprint, even though it's yours and you own it. It's unlikely the Supreme Court will be able to rule that the 5th Amendment protects us from any information release all the time. I think they will be forced to differentiate between testimony on court and general society requirements, like being able to identify yourself. If a password is protected by the 5th amendment under such simplistic reasons as we currently use, then fingerprints should be to. We are not going to give up fingerprints use after all these years. It's a difficult position for the government and for citizens that want a functional justice system, which ultimately means most. Many people might say the government cannot compel you to answer questions, but that's just not a practical model. Our interpretation of the Constitution as a document of procedural justice and essentially how to live cannot be so idealistic that it can only exist inside out own minds. The laws have to be realistically enforceable within the bounds of natural law aka reality and the end result has to be we are all better off together under these rules, otherwise the civil mangement experiment that is US democracy is failing. If we stand too arrogantly behind a rigid interpretation of our Constitution, it will harm society because many of the provisions which bypass the general interpretation of the 5th Amendment are required to manage the millions of people we have in society today. That all being said, I see no legal reason why anyone can be compelled to give up identifying information of any kind. however, that is not a realistic stance I can take as citizen with practical management requirements of keeping relative order of 330+ million free will biological automatons. We can't have people refusing to produce a driver's license because they are protected by the 5th amendment. Identifying people is how we determine their integrity. If people can too easily refuse that it will cost us a lot more money in managing those millions of people. From a bureaucratic viewpoint, the 5th amendment is dangerously ambiguous. If it were interpreted wrong it could easily undermine governments ability to enforce the law. I don't think this is all that big of a problem. If police really want the cell phone, they will grab people while they are on calls before they can lock them or they will wiretap enough that they don't need them. What isn't going to happen is we aren't going to spend millions of dollars investigating real violent organized criminals and then letting them go because we couldn't get into their stupid cell phones. Somewhere, something will give before that becomes the new normal. People who want digital security need to come to this realization. You don't fight this battle out in the public. You cannot expect to sustain a strategy of using technology to supercede government. The suggests to me you have not taken the time to consider what government really is. You can't escape it. It can effectively change the reality you live in. Government is like your bios or OS. You can't outsmart it because you are actually operating within it. Any gains you make are short term and unsustainable because the OS adjusts to your actions and in 30 years if your actions change the OS adjusts to those actions too. Government is a dynamic management OS for humans and it can actually change rapidly if enough of those bits get together with a unified goal. On the other hand it's self healing and resists change. It will tend to gravitate back to a center no matter how hard you manage to exploit it.. this is because it generally represents the majority well enough. The problem most of you have is that your personal opinions are not ALL the majority and it's actually democracy and other people's conflicting opinions you hate. That is represented in government, but it's not the system that creates racism or a police state. It's the people. So, the stance that we cannot legally compel people to give us this information is just n

Re:TFA is not terribly clear...

[Curunir_wolf]

If you routinely destroy evidence to avoid implicating yourself in a crime, I think the intent is pretty clear.

But that's perfectly legal. That is, you're destroying documents or files (something routinely done everywhere, all the time), which is not currently "evidence". If you think you're under investigation, or have some reason to believe you might be investigated, then you are not allowed to destroy or tamper with any evidence. But, if you're in the habit of routinely wiping your devices and files, it would be difficult or impossible to prove that in some specific incident you knowingly did it to tamper with evidence.

So routinely wiping your data is a good strategy.

Re:TFA is not terribly clear...

[naughtynaughty]

Which finger you use is akin to a password and you shouldn't be required to reveal it. Of course the police could be observant and notice which finger you use so it wouldn't be a very good technique.

Re:TFA is not terribly clear...

[rahvin112]

They aren't stupid, they bit copy (dd) the device when it's seized. Now a local police agency might not do this but anything involving the fed's is going to be copied the second they get their hands on the data, even if it's encrypted. This is directly to prevent challenges on data integrity and to prevent dead man switches.

Re:TFA is not terribly clear...

[Jhon]

"Exactly. I am very disappointed that people think it's okay to compel anyone to assist in any way one's own prosecution,"

I knew the wording of this would toss up responses like yours.

This is no different than an order to produce blood/cheek swab or even passwords. The accused have the right to remain silent -- they do not have the right to ignore lawful search warrants. If you really want to keep information that the law cannot touch then either memorize it or have a trusted spouse memorize it.

Re:TFA is not terribly clear...

[cfalcon]

Whenever this gets brought up on the "social" media, it gets downvoted or otherwise silenced. The convenience of the fingerprint seems to blind people to the fact that it is fundamentally terrible at security. A password or passphrase is the way to go.

I mean, if a bad guy has access to you and your phone, he doesn't need your permission or even your life to unlock a phone with the fingerprint. The fact that it is also more secure against governments should not be surprising, because it is more secure to use a password against ANY adversary.

Re:TFA is not terribly clear...

[Grishnakh]

What you need is software in the phone that detects how you swipe your finger over the sensor. So, if you down-swipe, it unlocks the phone and works fine. But if you up-swipe, then it erases the phone and then unlocks it.

To avoid you getting prosecuted for destruction of evidence, the software needs to "wipe" the device back to an innocuous-looking state: delete all the photos, contacts, texts, etc., except for a few pre-selected harmless cat photos, and the only contacts and calls and texts left are ones to your mom.

Re:TFA is not terribly clear...

[gurps_npc]

Works better if you put a false flag photo in there. Something that you can legitimately claim is the reason why you had the security in the first place.

A picture of a naked woman that is not your wife works well. Just bad enough to hide, not bad enough to get you in real legal trouble.

Re:TFA is not terribly clear...

[Kernel+Kurtz]

Ideally the print on one finger would unlock the phone, and the print on the other 9 would wipe it.

Would also be useful to have a specific passcode that wipes the phone immediately as well.

Re:TFA is not terribly clear...

[jratcliffe]

Actually, it's not, since there's no way any reasonable person could believe that, by repeating the words you're being instructed to say, you're endorsing those words. While it may be "spoken," it's not "speech."

Re:TFA is not terribly clear...

[plague911]

You are wrong. Period. People who are much more intelligent, with much more expertise, and have been communally appointed to decide (all three are important in their own way) have declared you are incorrect. You have no recourse, you are wrong.

Re:TFA is not terribly clear...

[Anubis+IV]

If [he was compelled to put his finger on the phone], then that's incontrovertibly a violation of the Fifth Amendment.

As someone who used to stand by that view, nowadays it strikes me as the stance of someone who values their privacy (as we all should!), but who hasn't thought through the ramifications of their stance yet.

For instance, I'd wager you have no problem when the police swab a suspect for their DNA, nor when a passed-out drunkard is compelled to provide a blood sample in the hospital after a DUI, yet in both cases the suspect is being compelled, potentially against their will, to provide something incriminating of themselves to a machine in the police's custody that will tell the police whether the evidence from the suspect is incriminating or not. That's no different than compelling a suspect to provide their fingerprint to a phone in the police's custody that may have the ability to incriminate the suspect.

In fact, both DNA evidence and the BAC measurement situation I described have made it through and been affirmed by the Supreme Court already (in some cases, multiple times), for the simple reason that the right against self-incrimination only extends to "testimonial" evidence (a.k.a. "communicative" evidence), not to "real" evidence...nor should it.

I recall reading portions of the majority opinions for some of the seminal cases in this area a year or two back when researching the topic, and one of them basically stated that if we took the notion that we can't collect incriminating "real" evidence to its logical conclusion, we wouldn't even be able to compel someone to reveal enough of their physical appearance for them to be recognizable to an eyewitness, which they asserted was utterly absurd and was clearly beyond the bounds of the protections afforded by the 5th Amendment. More or less, so long as the police have a warrant and aren't trying to compel any form of demonstration of knowledge (i.e. testimony), they're within their rights.

You've already said that you're fine with the police collecting fingerprints, which is good, since fingerprints are not testimonial/communicative in nature. But how the police collect and use them is left up to them to decide. Whether they collect them on a piece of paper, via an electronic scanner that stores them to local database, or by way of a sensor that writes them into a transient piece of memory on a mobile device makes no difference. In all three, they're simply compelling the suspect to provide a piece of evidence in their custody to a device or system in the police's custody. It's a simple transfer of physical evidence from the suspect to the police. The means may be different, but the thing being compelled is the same in all three cases.

That the evidence can be used to incriminate the suspect does not mean their rights have been violated. And the best course of action if you don't like that fact is to stop using real evidence (e.g. keys, fingerprints, etc.) as a locking mechanism.

Re:TFA is not terribly clear...

[fustakrakich]

This is no different than an order to produce blood/cheek swab or even passwords.

No, it's way different. With the burnt chip there is no evidence. That is the intention, and is what I would do to protect myself. I can have a backup buried elsewhere behind a "secret panel". There is no reason to grant the state undue advantage, they can go suck on it. The law is far too fickle to give blind obedience. Leave the armchair philosophy at home please.

Re:TFA is not terribly clear...

[Jawnn]

Exactly. I am very disappointed that people think it's okay to compel anyone to assist in any way one's own prosecution,

So... you would hold that opening the door when the police inform you that they have a warrant to search your premises for evidence of a crime is somehow different from unlocking your phone in the face of the same kind of legal request. Fine. Please tell us. In what way is it different?

Re:TFA is not terribly clear...

[meerling]

Of course if they're fishing for proof because they only have suspicions, I would think they'd find it very hard to convict you of something they have no proof of.
(I wouldn't put it past them to try, after all, they have before, but that's an uphill battle even for them.)

Re:TFA is not terribly clear...

[meerling]

Of course, if you are using a voice lock on something that opens with you saying, "Alibaba was a fool", and they try to force you to say that to the lock to open it, I doubt anyone would consider that anything other than being forced to give up your password and open your locked items.
After all, it's not the existence of the voice/fingerprint/password/key, it's the being forced to provide it for unlocking purposes that's F'd up.

Re:TFA is not terribly clear...

[Etcetera]

Or, more specifically, obstruction of justice.

If you refuse to give a legible fingerprint when your fingerprints are being taken at the jail, for example by trying to move your fingers back and forth so the ink smudges, the bailiff or other police official will just hold you down until they can get a valid read. You have no right to prevent that from being done.

If you do the same thing, but in a way that surreptitiously destroys the evidence on the phone in the process (knowledge of the switch, and your awareness that you're using the wrong finger to do it), you're destroying evidence. That's not just contempt, that's obstruction of justice .. and a nice federal jail sentence.

Re:TFA is not terribly clear...

[jratcliffe]

Of course, if you are using a voice lock on something that opens with you saying, "Alibaba was a fool", and they try to force you to say that to the lock to open it, I doubt anyone would consider that anything other than being forced to give up your password and open your locked items.
After all, it's not the existence of the voice/fingerprint/password/key, it's the being forced to provide it for unlocking purposes that's F'd up.

Depends on the circumstances. If the gov't knows the password, and there's no question that the device is yours, then you could be required to state the voice passphrase. Again, the Fifth Amendment protects you from having to testify (i.e state something you know) against yourself. It doesn't protect you from having to provide charactistics of yourself (appearance, fingerprints, DNA, voice, etc.).

Re:TFA is not terribly clear...

[flargleblarg]

No, the moral of the story is don't use your fingerprint as a password.

My voice is my password.

Re:TFA is not terribly clear...

[vux984]

Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints?

The 5th only applies to testimony. Your finger print is not testimony.

They can already compel you to put your finger onto a finger print scanner or inkpad to collect your fingerprint.

It seems to me, that if we allow the government the authority to compel you to stick your finger onto anything (e.g. an inkpad) to collect your fingerprint; its not unreasonable that they have the authority to make you touch your phone too. With a warrant of course.

The upshot really should be, a fingerprint is a good way to keep random theives, children, and coworkers out of your phone. Not the government. Use a proper password for stuff you don't want the government to see.

Re:TFA is not terribly clear...

[fustakrakich]

I can destroy the phone without having to think twice. I doubt very much I would blow up my house for the same purpose. The cops can do that. And no, I will never invite an on duty cop into my house, even with the warrant. They can talk through the screen door, which they will have to open themselves if they want in. The minute you invite them, the warrant issue is moot and they can tear the whole place up and shoot the dog, and probably you if you even flinch. The trust is gone until we reform our system and demand adequate oversight. It's not really an argument anymore.

Re:TFA is not terribly clear...

[Altrag]

the best course of action if you don't like that fact is to stop using real evidence

That's the trick though. Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

In both cases, the access to evidence is exactly the same. Neither of us are providing testimonial information -- a passcode by itself says nothing about who you are or what you've done any more than my fingerprint does (and perhaps less since my fingerprint could potentially be matched against the crime scene.. but lets assume they've already got other copies of my print by the time they get to trying to unlock my phone!)

Honestly all of these laws are kind of bogus in the digital age. The fact of the matter is that if you refused police entry to your house or other place of interest, they picked up a ram and knocked the door in and had their way with your documents belongings (hopefully with right of warrant or they'd be breaking the fourth!)

In the digital world though, the police have no recourse. If you refuse to give up your password, and assuming its strong enough to prevent brute forcing, the police are left with no recourse whatsoever. Whether that's good or bad is up for debate of course. (My personal opinion is that they should be allowed to compel you no matter what type of lock you use -- As long as they get a warrant, same as when they enter your home to search for physical evidence. Not that my opinion matters in the grand scheme of things.)

But whichever side of the equation you fall on, the underlying problem is that its still different from a physical entry and trying to rely on laws created 200 years before anyone even dreams of these kind of devices to give us more than vague direction is a bit foolhardy.

And I mean you see it all the time already. Your digital devices are considered physical evidence when the cops want to stop you from taking the fifth, but non-physical evidence when they want to confiscate so that it doesn't fall under the fourth. How does that work out? Its like the cops coming into your home and making photocopies of all your documents and then saying its not a fourth amendment violation because they didn't technically "search" (blindly copying everything) nor "seize" (just making copies) the originals. Yeah that doesn't work out so well for them.. and yet its no less of a valid digital vs analog analogy than many of the ones they actually use to justify their doings.

Of course, half the lawmakers today seem to have no more knowledge of digital devices than the founders did so I'm not sure I'd really trust them to make fair laws at this point even if they did realize that the old laws aren't completely applicable.. but that's a whole other issue in its own right.

Re:TFA is not terribly clear...

I would like to know what "compelling" means in this context anyway. Was the suspect physically forced? What if the suspect refuses such a court order? Will he be imprisoned for the rest of his life? Or executed?

Re:TFA is not terribly clear...

[Altrag]

Its different in one major way: If you fail to open the door, they can (and will) just break it down.

If you fail to unlock your phone on the other hand, the police are kind of screwed.

Sure they can beg Apple or Google for unlock abilities, but that's literally not possible for those companies to provide -- they intentionally do not retain the encryption keys in order to reduce their liability in cases like this.

The whole Apple fiasco a while ago wasn't them giving up the encryption key. What they did was provide a version of the OS that didn't lock the phone after too many failed attempts. The cops still had to brute force the passcode (which luckily for them is only 10,000 possibilities.) If that guy had used a full password or other strong lock instead of a regular 4 digit passcode, the cops would have had no recourse at all.

Re:TFA is not terribly clear...

[WormholeFiend]

So all you have to do is lead the police to believe they can use your finger print, try all ten fingers, then boom no more data?

Re: TFA is not terribly clear...

Great idea! I believe shutting down the phone when duress fingerprint is read should be sufficient.

Re: TFA is not terribly clear...

I am married to my smartphone, I should be fine.

Re: TFA is not terribly clear...

Very clever. In some countries this is Perverting the course of justice. Maximum is life imprisonment.
Obstruction of justice with up to 20 years of prison in the US.

Re:TFA is not terribly clear...

[MooseTick]

Making an image of a random phone is not always possible nowadays. There is no hard drive to remove and make a forensic copy. That was the very issue with the iPhone case a few months back. If you have a way, I'm sure you could make millions at the next RSA event.

Re: TFA is not terribly clear...

[JesseMcDonald]

And if they compel me to provide fingerprints ... it should be up to them to convert my fingerprint into a useful tool to actually unlock the phone.

Sorry, but that's simply not a reasonable restriction. If they can compel you to provide fingerprints, they can compel you to provide them by placing your finger(s) on the scanner of the iPhone they already seized as evidence. There is no rational cause to limit fingerprint collection to ink transfers on paper, or their own imaging equipment.

At most you could argue that the fingerprint scanner in the iPhone cannot be trusted to uniquely identify its user. That would be a difficult argument to win at the best of times, however, and they may just want access to the data—either because they already know that it's your device or because they expect to be able to prove as much from the contents once it's unlocked.

A reasonable case could be made for limiting the number of times one can be required to provide one's fingerprints. Two or three times per finger would probably be sufficient; much more than that would be unduly burdensome. If they want to brute-force a system requiring both a password or PIN and a fingerprint simultaneously they'll need to come up with something more imaginative than making the suspect put their finger on the scanner repeatedly for the hours/years/centuries/eons it would take to stumble onto the right code.

Re: TFA is not terribly clear...

Actually, the Constitution is a document saying what the government CAN do, not what it can't. If it's not on the list, the government cannot do it.

Lord help us, though.

AC

Re:TFA is not terribly clear...

[hawguy]

They aren't stupid, they bit copy (dd) the device when it's seized. Now a local police agency might not do this but anything involving the fed's is going to be copied the second they get their hands on the data, even if it's encrypted. This is directly to prevent challenges on data integrity and to prevent dead man switches.

Ideally, whenever the phone wipes itself and destroys its copy of the master encryption key to the phone's storage, then the only way to get the data is to use brute force the 128 bit random key. Even if you have a perfect copy of the data, without the key that's locked up in the phone's security processor, your copy is useless.

Re: TFA is not terribly clear...

[stephanruby]

I don't think it makes a difference either. The court probably waited too long before getting his fingerprint. If the phone had to restart for any reason, then the fingerprint won't work anymore. It will need his passcode. Both iPhones and Samsung phones require passcodes on restart.

Back to square one. The police will probably need a court order to get his passcode now.

Re:TFA is not terribly clear...

[JesseMcDonald]

Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

The phone is not legally protected in either case. If they can find a way in, they can use the data. What is protected in the latter case is the fact that you know the passcode. If there is anything incriminating on the device then knowing the passcode which unlocks it would be tantamount to an admission of guilt. (Note that the passcode is generally not protected if they can separately prove that you have the ability to unlock the device, since at that point you would not be revealing anything incriminating.)

The principle behind the prohibition on self-incrimination is that no one who has not already proven guilty should be placed in a catch-22 where their only options are to confess their guilt or be punished for failing to do so. Allowing records to be taken of your physical characteristics does not even amount to providing testimony, much less testifying against yourself.

Re:TFA is not terribly clear...

[Anubis+IV]

Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

That's the thing: neither is protected against being searched. Your statement conflates the question of whether the police are allowed to access your phone with the question of whether the police are capable of accessing your phone. You appear to be well aware of the distinction, so your statement seemed a bit out of place in the rest of your comment, but as you suggested, in many situations, the police have the legal authority to access a device without necessarily having the means to do so.

And while the "access to the evidence is exactly the same" between a fingerprint and passcode (i.e. both would give the police access to evidence that a warrant says they are entitled to collect), you're incorrect about a passcode not being testimonial in nature. A passcode communicates the fact that you had an awareness of your access, for the simple reason that if you lacked that knowledge, you wouldn't be capable of supplying the requested passcode in the first place. In contrast, a fingerprint demonstrates access, but not necessarily an awareness or knowledge of that access (though they obviously often go hand-in-hand).

As you said, it may be necessary for the legal system to be updated to deal with the modern era, but I don't share your perspective that the police should be able to compel passcodes from individuals, since it's impossible to prove the negative statement that you never had an awareness of the passcode to begin with. If a courier carrying a package containing a laptop with an encrypted drive was compelled to provide the passcode, what recourse would they ever have against being jailed, despite having never known the passcode or done anything wrong? Could we just start planting encrypted drives on our enemies, anonymously tipping the police off that the drives contain something illegal, and then watch as our enemies face jail time for refusing to provide the passcodes? Obviously that's not a tenable situation.

In the meantime, while we work out those issues, we're left with what we have. Using a passcode doesn't provide you with any sort of legal protection against search and seizure, since that's a separate 4th Amendment issue, but it may provide practical protection against a search, simply on account of it cutting off the police's ability to rely on physical evidence to gain access to the device.

Re:TFA is not terribly clear...

[boristdog]

Moral of the story is not to have a password.

If you have a phone cops cannot unlock, a reasonable jurist can assume that no one could have put any incriminating evidence on it to frame you, even if they could have.

If you have a phone anyone can use (no password) and you are separated from it at any time, you can bring up a very good reasonable doubt in court.

So just hang on to your phone and have no password. Don't put it on the table at restaurants, don't let it leave your person except at home, then you don't need a password. If it gets confiscated by cops, you have a very big out.

Re:TFA is not terribly clear...

[viperidaenz]

Are they not allowed to use a phone to collect fingerprints?

Re:TFA is not terribly clear...

[viperidaenz]

How about a voice unlock?
You have the right to remain silent.

Re: TFA is not terribly clear...

[viperidaenz]

You forgot the most important factor: political campaign contributions.

Re:TFA is not terribly clear...

This is no different than an order to produce blood/cheek swab or even passwords.

So... then you agree with fustakrakich? Because a person should never be required to produce any of that, nor should the police be allowed to take any of it by force. In my opinion, the level of evidence required to justify forcibly taking a DNA/blood sample from someone, is enough to convict that person without obtaining the DNA/blood sample. Anything less is just a fishing expedition. "We don't actually know which of these 100 people committed the crime, but if we draw blood from them all, then we'll know for sure." No, sorry, but fuck that.

The accused have the right to remain silent -- they do not have the right to ignore lawful search warrants.

But I'm not ignoring it, I'm enforcing it. I do not have to assist them in their search.

Now then, if you meant an order to turn over documents... well, I'd still say they cannot compel you to unlock your phone, just as they cannot compel you to teach them the made-up language that you used when writing in your diary.

Re:TFA is not terribly clear...

[bobbied]

That's mostly true, however, as soon as you have reason to believe your prudent step of automated data deletion MIGHT be deleting something that is likely to be considered evidence in some kind of litigation, you had better turn it off. Letting it run can (and will likely) be construed as destruction of evidence.

So... IF you get served, get a threating letter ostensibly from a lawyer or have somebody threaten a civil suit in private, you BETTER turn off the automation until you know for sure. If you catch even a rumor of a criminal investigation, you better do the same. PLUS you had better have a documented process for both what's getting deleted when and how that gets adjusted during legal proceedings AND PROOF you actually follow it. Anything short of that is going to be a legal problem...

Re:TFA is not terribly clear...

[dcollins]

"For instance, I'd wager you have no problem when the police swab a suspect for their DNA, nor when a passed-out drunkard is compelled to provide a blood sample in the hospital after a DUI..."

Certainly in my case I absolutely have a problem, and always have, with any of things happening without a warrant. The Fourth Amendment seems very clear: "The right of the people to be secure in their persons...", listing the person him- or herself as having a right to security first and foremost before any other item.

Yes, this has passed SCOTUS muster, but it boggles the mind how it could be read in any other way. Certainly I would vote against any such warrantless personal evidence gathering if I had a voice in the matter.

Re:TFA is not terribly clear...

[bobbied]

I'm not arguing the routine clean up of data. By all means, do that. But I am saying that you CANNOT allow your automated clean up processes to delete ANYTHING that you have even an inkling *might* be evidence in a legal proceeding (civil or criminal). So the instant the police call you in and start asking questions about something, you'd better turn that automation off. Or if you get a letter threatening legal action, you had better turn that automation off or make sure it's not deleting stuff that's related. Companies do this all the time, but they have DOCUMENTED processes and usually proof they followed their process, to use as a defense in court.

If they have any inkling that you did this automation thing to hide incriminating evidence, it doesn't matter if it was routine or not. So if you are a criminal and know it, but insist on collecting evidence you need to destroy, what difference does it make? Do what you want and let you lawyer fight it out in court. Just know that it could land you a longer stay...

Re:TFA is not terribly clear...

[Jhon]

"But I'm not ignoring it, I'm enforcing it. I do not have to assist them in their search."

I think you are confusing "unreasonable search and seizure" with "any search and seizure". Swiping a finger is non-intrusive. Swabbing a cheek is non-intrusive. Maryland V King is a fairly recent example.

Re: TFA is not terribly clear...

I actually use my penis to unlock my phone.

Re: TFA is not terribly clear...

Can a person be required not only to provide a key to a physical lock, but to personally insert and turn the key?

Re: TFA is not terribly clear...

[mattventura]

Better yet, some kind of heart rate monitoring when you touch your finger to it. If your heart is racing due to an emergency, remember that the phone still lets you make emergency calls even when it is locked.

Re:TFA is not terribly clear...

[Anubis+IV]

Yes, obviously there are 4th Amendment considerations (that I intentionally glossed over), but those are a separate topic and are not particularly relevant to the situation we're discussing given that warrants were issued. Moreover, warrants were also issued in both of the cases I described, but I purposefully left mention of them out of my comment so that I could focus on the 5th Amendment questions that are of significantly more interest to the case at hand.

When it comes to 4th Amendment matters, the case being discussed here isn't particularly interesting, so I see little point in getting bogged down in a discussion about warrants.

Re: TFA is not terribly clear...

[Kjella]

Probably a bad idea. Any active action to prevent the police from gaining access would probably be considered obstruction of justice, any non-police duress won't stop there. It would also prove the phone in question is programmed to respond to your fingerprints, which by itself is evidence. Perhaps it's your teenage kid's phone that he forgot and you're bringing it to him, possession is not proof of access.

If you do want a panic button and is willing to deal with the consequences it should simply irrecoverably wipe the device. Either way offer only passive resistance. If they have to do paperwork and time runs out, tough. If they try the wrong fingers and run out of attempts, tough. Configure your device any way you want up front but don't help, don't obstruct. But if you're seriously worried I'd just turn it off and use a PIN.

Re: TFA is not terribly clear...

Locally, in oregon, sheriff palmer is having to defend an FOI email denial. Appartently every email sent or received on this address is immeadiately deleted. This sounds relevant to the discussion in some way.

Re:TFA is not terribly clear...

[Dixie_Flatline]

Moreover, after 12 (or 24? I think it's 12) hours of being locked, the timer resets, and you're forced to enter the passcode anyway. If the police have had your phone, and it's been locked longer than 12 hours, they're out of luck.

Re:TFA is not terribly clear...

[david_thornley]

Having your iPhone set up to delete itself after ten failed logins is the sort of nice unequivocal policy that companies use, and as a policy it provides protection against other potential intruders. You'd have to deliberately fail to login ten times to do anything really wrong, and that will take a long time because of lockouts. Therefore, according to a pseudonymous guy on the Internet who will assure you he's not a lawyer, it should be fine.

Re:TFA is not terribly clear...

[david_thornley]

Sure, they can do that. On an iPhone, anyway, what they'll get is the contents encrypted with a random 256-bit key using encryption that is pretty much universally considered uncrackable. In other words, it's secure from anything short of a Kardashev Type III civilization with ultra-efficient quantum computers, and if one of them wants to get me they will anyway.

The key is held in a separate piece or area of silicon, and can only be extracted from it with extremely exacting physical analysis of the chip, which is likely to destroy the key permanently. The Secure Enclave is perfectly capable of erasing the key, and then nothing is recoverable. It handles the verification of the PIN itself. There's got to be ways to breach the security, but Apple is trying to remove them.

Re:TFA is not terribly clear...

[david_thornley]

In the US, you can be compelled to provide physical evidence and do certain things, such as allow a cheek swab or have your finger pressed to a sensor. Whether the courts can compel the use of a password isn't really settled. It seems that it's allowed if it decrypts something already known to exist, and it's certainly not legal to compel someone to give up the password to a phone if it isn't known that the person has used the password. (Example: a phone is found at a crime scene. If I demonstrate that I can unlock it, I'm incriminating myself by tying myself to an object at the scene.)

Re:TFA is not terribly clear...

[david_thornley]

The Apple fiasco was actually the FBI trying to compel Apple to produce that modified OS (after thoroughly muffing the evidence collection), and Apple argued that it couldn't be compelled to cooperate in that way. The FBI's dropping of the legal action suggests to me that Apple would have won. The FBI claimed that it had found another way to read it.

The technique the FBI tried to get Apple to do would work on an iPhone 5 or earlier, and not on any phone Apple currently sells.

Re:TFA is not terribly clear...

[david_thornley]

The choice for most people is not between more or less security, it's between some security and no security. People use the fingerprint unlock, including those who wouldn't stand for entering a PIN each time. An actual passphrase would be really awkward to type on the device, and almost nobody would ever use it. (It's still an option, I believe, but just having the phone wipe itself on ten failed logins and having a four-digit PIN means an intruder has only a 1% chance of getting through.)

Re:TFA is not terribly clear...

[david_thornley]

What the Fifth does here is prevent the government from compelling you to turn over a password or PIN or whatever if knowing you can unlock the phone will have any value as evidence. If they know a certain phone is involved in a crime, and they don't already know it's yours, then compelling you to unlock it would be compelling you to admit your phone was involved in a crime, and that's self-incrimination. (If you've got a passphrase that's a confession on some device, they can't force you to reveal the passphrase. If it's found legal to compel you to provide a password, they can force you to type it in yourself.)

Re:TFA is not terribly clear...

[fustakrakich]

I don't consider the law. I am only talking about being compelled to do anything at all. There is no reason to allow the state, or anybody else to do that.

Re:TFA is not terribly clear...

[Agripa]

That's mostly true, however, as soon as you have reason to believe your prudent step of automated data deletion MIGHT be deleting something that is likely to be considered evidence in some kind of litigation, you had better turn it off. Letting it run can (and will likely) be construed as destruction of evidence.

Storage space is not infinite so how does that work if your backup onto media organized as a circular buffer? After being notified that you must retain all data, new data cannot be stored and gets lost. If the new data is backed up, then old data is overwritten. Heads they win and tails you lose?

Re:TFA is not terribly clear...

[Agripa]

They aren't stupid, they bit copy (dd) the device when it's seized. Now a local police agency might not do this but anything involving the fed's is going to be copied the second they get their hands on the data, even if it's encrypted. This is directly to prevent challenges on data integrity and to prevent dead man switches.

It is a good thing then that there is no way to overcome this by storing the encryption key in such a way that it will be destroyed (or at least plausibly destroyed) in the act of seizing it.

Implementing a dead man switch for an encryption key is much easier then doing the same for volumes of data.

Re:TFA is not terribly clear...

[david_thornley]

There are good reasons to allow the state to gather evidence, provided of course there are legal safeguards. You may think the reasons not to are more compelling, but there are real advantages for law enforcement, and hence the general public, in being able to get DNA, fingerprints, etc.

Re:TFA is not terribly clear...

[fustakrakich]

When the public fails to properly oversee the state, and considers it infallible in terms of self defense (I would like to know if they believe self defense even exists when faced with a trigger happy cop), I don't hold much value for their opinion. But they are the ones pointing the gun, so I'm sure they hold much less value for mine. They already won the war.

Re:TFA is not terribly clear...

[bobbied]

You cannot let evidence get destroyed. If you know, or should know, or even if you should have had an inkling that data that could be subject to discovery request is being destroyed and you don't stop it, it will go badly for you at trial. I suggest you go out and buy more storage space in your hypothetical. Think of it this way.. If you knew that there was a box of evidence headed to the paper shredder because it was in the closet with the rest of the "to be shredded" boxes and you didn't go find that box, they'd come after you for letting evidence get destroyed. A disk drive or backup tape is no different.

You see, the opposing lawyers will argue that you knew evidence was being shredded and did nothing to stop it, so you allowed damming evidence to get destroyed, KNOWINGLY. Which, they will argue, means you knew you where guilty and where trying to cover it up. So do what you want, but any competent lawyer will tell you that you'd better do everything in your power to preserve data once you become aware of a legal action that might involve said data. Now if you are a criminal, then you are going to do what you want anyway and why are we having this conversation?

Re:TFA is not terribly clear...

[jgoemat]

Providing a passcode is testimony because by it's nature it proves you know the password and have access to the device. The government must prove that you have access to that device. That can also get you into a catch-22 because what if you don't know the password, and what if the device isn't yours? Touching your finger to a sensor is something they can do to any suspect, guilty or innocent. The fact that your finger is the one that unlocks the phone does prove that you have access to it, but that is not forcing you to incriminate yourself anymore than giving a DNA sample or your fingerprints "incriminate" you if they match the evidence the police already have. You might as well argue against letting eye-witnesses see you in a lineup because that would incriminate you.

It seems that many people don't understand the purpose of the right against self incrimination. Hundreds of years ago it was common to force people to confess to crimes even using torture and that was the primary means of getting a conviction. The police would (hopefully) figure out who they think probably committed a crime and just browbeat or torture them until they confessed. You shouldn't have to answer any questions that relate to knowledge that may provide evidence against you. There is no protection against harmlessly making you do something to allow evidence to be interpreted, such as standing in a line-up, getting your fingerprints, getting a dna sample, getting dental impressions to match to bite marks, getting hair samples, getting your blood for blood type testing, etc. That would include placing your finger on a sensor.

Re:TFA is not terribly clear...

[david_thornley]

You're missing my point. I'm claiming that there are good reasons to allow law enforcement to do certain things, since law enforcement on that level generally is good for the majority of the people. You claimed there are no good reasons. I believe there are excellent reasons to stop law enforcement from doing some things they are doing now, but that wasn't your claim.

The public never properly oversees the State. That's wishful thinking on the order of a Communist or Libertarian utopia. When the public gets sufficiently upset about certain things the State does, it forces things to be done about them. They aren't necessarily very good things, but they will happen.

Few abuses of the public can be considered "already won". We're seeing changes that will result in reduced police violence and increased penalties for police officers who are too egregious in their use of violence. I don't know how far these are going to go. Also, "the public" is not a unified hive mind. There are people (including some I generally respect) who support the police and dislike Black Lives Matter, and there are people who think the police need immediate reform and that certain officers should be convicted and sent to prison for a long time.

Re:TFA is not terribly clear...

[fustakrakich]

There are people (including some I generally respect) who support the police and dislike Black Lives Matter, and there are people who think the police need immediate reform and that certain officers should be convicted and sent to prison for a long time.

To me it's not up to opinion. That latter group needs to go on the "attack". I mean, how bad does it have to get before corrective measures are taken? How many innocents must remain locked up while we wait for the 51% to "discuss" the matter? And most of the time it's the former group that washes them down to the point of meaninglessness. So, as far as I am concerned, let's just create and use the technical means of protecting ourselves. For the phone issue, a panic button to fry the chip is the best way to go. We have to be able to *burn the tapes*, just like they do. Then we don't have to waste time discussing it. Of course, I am fairly certain the sate would prohibit such protective devices in our phones, leaving us holding the bag until we can someday 3D print our own.

Re:TFA is not terribly clear...

[david_thornley]

You can use an iPhone. Have the fingerprint sensor turned off, use a 6-digit PIN, and have wipe-after-ten-tries selected. A 4-digit PIN allows a 1% chance at guessing the PIN, which may or may not be satisfactory for you. There may well be Androids with that attention to security, but I don't know for certain, not following Android phones all that closely.

Fingerprints aren't witnesses.

your fingerprints aren't a testimony against yourself. Read the damn thing. "nor shall be compelled in any criminal case to be a witness against himself."

Re:Fingerprints aren't witnesses.

[Calydor]

Would a key to the safe in which you keep your secret accounting be self-incrimination?

Re:Fingerprints aren't witnesses.

[nate_in_ME]

If they found that key on their own, no....if they forced you to provide the location of the key, yes. (I'm assuming in this case that they already have you in custody, so the whole "we know this key is in your pocket, give it to us" doesn't apply)

Re:Fingerprints aren't witnesses.

[bobbied]

That may be true, but in this case the issue is about unlawful searches of your personal papers...

However, with a judge's consent, authorities CAN search for evidence within your personal effects (papers, phones, computers what ever) and all it usually takes to get a Search Warrant is probable cause, and they had that. So in this case, I see no constitutional problem. If they have a search warrant, unlock the stupid phone and save yourself all the trouble. It's like opening the safe in your house.... If they have a warrant, just open it for them... Don't like that? Fine, just go directly to jail then..

Re:Fingerprints aren't witnesses.

[jratcliffe]

Yup, because that's something (the location) that you know, not something that you are.

Fingerprint might not work

My fingerprint only works for a set period of time. Then it demands a password instead. What if the fingerprint doesn't work for the police, then what?

Re:Fingerprint might not work

[Archangel+Michael]

What if only one out of your nine fingers actually unlocked the phone, and the other nine deleted everything as a kill switch?

Re:Fingerprint might not work

[v1]

I have the same question, I know that if I don't unlock my phone with my finger for several days (usually over the weekend) or if it powers down due to exhausted battery. it will require my entering my passcode. Unless they have a way to trick the phone into thinking no time has passed, I don't see what good a fingerpint will do them? The secure enclave will have dumped the fingerprint-tied key by that point and will require the regular passcode.

Re:Fingerprint might not work

[Tourney3p0]

What if the courts subpoenaed your financial statements from last year, and instead you lit them on fire in front of the police? Nothing good. That's what would happen.

Re:Fingerprint might not work

What if one finger set the nukes off, and the other 9 piloted the get away space shuttle?

Re:Fingerprint might not work

[bobbied]

Destruction of evidence is a crime (current political figures aside) which will get you sent to jail.

May I suggest that it's a stupid idea to knowingly destroy evidence if you are the subject of a criminal investigation (or a civil lawsuit for that matter)? Now I guess if you know you are guilty, it might be worth the risk to you, but in general it's going to be a bad idea..

Re:Fingerprint might not work

That's a bad example, they can print new financial statements. You're a moron. You need to think before you speak.

Re:Fingerprint might not work

[Tourney3p0]

Ah, okay. I guess there wouldn't be any negative repercussions at all then. No destroying evidence charges. No contempt.. no parallels at all, really. Thanks for the enlightenment!

Re:Fingerprint might not work

[flink]

Destruction of evidence is a crime (current political figures aside) which will get you sent to jail.

May I suggest that it's a stupid idea to knowingly destroy evidence if you are the subject of a criminal investigation (or a civil lawsuit for that matter)? Now I guess if you know you are guilty, it might be worth the risk to you, but in general it's going to be a bad idea..

But you are under no obligation to indicate which finger correctly unlocks the phone. As long as you comply with the court order "place index finger on fingerprint sensor", you don't have to tell them that doing so will erase the phone.

Re:Fingerprint might not work

[Archangel+Michael]

Nope. Refuse to tell which finger unlocks the phone. They cannot COMPEL testimony, and that is what that would be. They have one in ten shot of getting it right.

Re:Fingerprint might not work

[Archangel+Michael]

BINGO!

Refuse to testify against yourself, comply with orders to place "finger" (you didn't say which one) on the reader. Place finger on reader and ... ooops.

Re:Fingerprint might not work

[Golddess]

Hell, don't even tell them that 9 of your 10 fingers will delete data. And don't offer a finger. Let them grab your hand, single out a finger, and swipe it over the reader on your phone.

Personally, I'd configure it such that none of my fingers unlocks the phone, they should all delete data. But only after.. I don't know, lets say 3... successful reads of my fingerprint. That way I don't accidentally erase my data myself.

Re:Fingerprint might not work

Bad example. More like you and the bank have some sort of agreement where they have 10 addresses on file for you, and a request to send financial statements to 9 of those addresses results in the immediate shredding of all financial documents pertaining to you.

"But what if..."

Irrelevant. It isn't supposed to be a perfect analogy. It's merely intended to demonstrate the flaws in yours. Which is that you are not the one destroying the documents, it's the police destroying the documents, through a lack of understanding of the process for retrieving the documents.

Re:Fingerprint might not work

Screw that. I unlock my phone with one of my toes. It's damn hard to answer a call but I can give the Feds my fingerprints all day.

Re:Fingerprint might not work

[bobbied]

But you ARE obligated to disclose what the court orders you too. You are risking a criminal contempt charge which gets you put in jail at the pleasure of the judge, no bail hearing, no trial, no passing go or collecting $200....

IF the order says "index finger" then so be it. However, if you have not been forthcoming about what might happen here (i.e. you mislead them into ordering you to use your index finger) then you are withholding evidence at best, and willfully destroying it at worst, neither of which will go well for you at trial.

Enjoy your time in the Big House... But if it's worth it to risk destroy evidence, have at it. I just suggest you get a lawyer and discuss it with them before you go out and do something unnecessarily stupid to yourself.

Re:Fingerprint might not work

However, if you have not been forthcoming about what might happen here (i.e. you mislead them into ordering you to use your index finger) then you are withholding evidence at best, and willfully destroying it at worst, neither of which will go well for you at trial.

You're clearly not from the US. In the US, you have no obligation whatsoever to be forthcoming in criminal proceedings against yourself. There is such thing here as a defendant "withholding evidence" in his own trial. Willfully destroying evidence is illegal, but allowing the prosecution to be mislead or disadvantaged through inaction is not.

Re:Fingerprint might not work

[david_thornley]

If you do have a duress finger, you could try not telling them. You can't legally prevent them from holding your fingers to the sensor, but I don't know that they can compel you to say which one. (If there's any doubt that the phone is yours, they probably can't.) However, there are people who, unlike me, have actually studied law and who can answer these sorts of questions much better than I can. Before relying on anything I may have said in a criminal case, ask one of those guys first.

Re:Fingerprint might not work

[bobbied]

I'm not a lawyer, I don't play one on TV and I didn't stay at a Holiday Inn Express.... BUT, I have been sued and a party to a couple of legal actions over my 5 decades, so I have some experience, but I'm no expert.

Please note that I almost ALWAYS say something along the lines of "consult YOUR lawyer" in posts that deal with legal questions. The law isn't really *that* difficult to understand if you *think* about it. I found that once you understood the principles underlying the whole, what the rules are actually make pretty good sense. Rules of evidence, in general are not that difficult to understand.

I do know that if you are ordered by the court to unlock your device, you are obliged to do so. I also know you are obliged to make sure you don't destroy potential evidence and cannot take steps to hide evidence from being found. Failing to follow any of these rules leaves you at risk of being sanctioned (punished) by the court. In criminal trials, you can plead the 5th and refuse to testify or assist law enforcement by answering their questions, but you cannot hide or destroy evidence or be misleading in the statements you DO choose to make. In civil court, the rules are a bit different because you are not being tried for a crime, you have less 5th amendment protection and generally MUST produce evidence requested and answer the questions asked by the other side truthfully and completely.

So don't think you will get away with destruction of evidence by claiming the court ordered you to do something.... You won't. But please ask your lawyer, though I'm pretty sure they will agree with me.

Re:Fingerprint might not work

[david_thornley]

In a criminal case, last I looked it appeared questionable whether you're required to provide unlocking information for a device in some circumstances. You can't be required to do that if providing that information is potentially incriminating in itself, and you can be required to provide a password if it shelters stuff that is already known to be on your device (the first case, I believe, was the guy who showed some of his child pornography to a customs agent). As you point out, the civil rules are different.

What I don't know, because I don't think it's settled, is how much information I need to provide if accused of a crime. Assume there's a phone with a duress fingerprint that is connected with a crime, and it isn't clear that I know how to unlock it. I don't have to volunteer a thing about unlocking the phone, since that would mean incriminating myself. If the police require me to put a finger on the sensor, I have to comply, whether it's the unlocking or duress finger, and what will happen will happen. Any warning or refusal to use the duress finger would incriminate me. I don't know the rules if the phone is known to be mine, but I suspect I'd get into serious trouble if I didn't warn about the duress fingerprint.

Fingerprints are protected in Europe

In Europe, we understand that, in this context, a fingerprint is equivalent to a password and deserves to be protected as such. You dumb fat Americans really should extend the same protections to fingerprints in this context.

Re:Fingerprints are protected in Europe

[Archangel+Michael]

We "fat dumb Americans" are about to elect one of the two biggest mistakes we have ever made, because we have devolved into arguing over emotional labels and not actual character and qualifications. That, the our court system is rigged against the electorate, since we can vote on laws and have them overturned by one (or more) person(s) in a black robe.

Re: Fingerprints are protected in Europe

Yes, Americans really are quite stupid, aren't they? I'm glad our laws here in Europe are so much better. Yay Europe! Fuck the USA and Canada!

Re:Fingerprints are protected in Europe

[bobbied]

Why? Given investigators apparently have a Search Warrant blessed by a judge, the whole affair has been subject to judicial review and meets the constitutional standards set forth in our bill of rights. It's not like jack booted thugs just physically forced somebody to unlock a phone, they have a court order. At this point, it's a stupid idea to resist, just unlock the phone.

Unless, of course, you know you are guilty and the prenatally for non-compliance is less than the crimes you know the phone will implicate you for... In which case, you are playing a loosing hand anyway. But for most of us, the smart thing to do is unlock the stupid phone at this point.

Re:Fingerprints are protected in Europe

[Curunir_wolf]

In Europe, we understand that, in this context, a fingerprint is equivalent to a password and deserves to be protected as such. You dumb fat Americans really should extend the same protections to fingerprints in this context.

Europeans don't know the difference between something you have and something you know. No wonder Great Britain wants out.

Re: Fingerprints are protected in Europe

Three, not two. FTFY

Fingerprint unlock stop working after that long

[magarity]

I got an OTA pushed to my Note from TMobile and now the fingerprint unlock stops being the unlock after reboot or so much time goes by. It wants a password after that. So, OK judge, here's my finger. Sorry, forgot the password.

Re:Fingerprint unlock stop working after that long

[OrangeTide]

I guess you'll be held in contempt of court until you remember the password. Duration: indefinite.

Reboot your iPhone

[charles05663]

My iPhone 5S requires a password on reboot. Just reboot you iPhone before the cops can grab it.

I do not use finger print readers, period.

Your finger print is a physical fact, so is your DNA (non-invasive gathered). So giving it freely to others to use to track you, like unlock your phone, or to a website to find your history is stupid.

Do not do it. Do not use cloud stored facts, since a third party has it now.

Re:I do not use finger print readers, period.

[bobbied]

In almost ALL cases, defying a court order is even more stupid... Even if there is incriminating evidence on the thing you unlock it. I'm sure your lawyer (and you better have one by this point) will tell you the same thing.

Re: I do not use finger print readers, period.

You missed the point. Do not use finger readers period. Do not set it up on your phone or laptop. If you are forced to get a sample when setting up the phone initially, use your big toe or your kids toe. Always use passwords!!! Better than finger prints when comes to courts.

Re:More Federal Stupidity

[Archangel+Michael]

If you're not doing illegal stuff on your phone, you don't have to worry.

That works, until the government decides that your particular activity is a threat to government and makes it illegal. So no, you're incorrect, you should worry about what your government can do to you.

My particular solution would be to have a deadman's switch that erases the phone when using any finger but the one correct one. Or better yet, disable the Finger Prints from your phone, and use a proper PIN, which they cannot force you to divulge.

Passwords are better in this case

Since you can't be compelled to give up a password, the thing to do when crossing borders is to ensure you have full disk encryption on and power off the device when going through...

I know my Android phone has this and when powering back on it requires the password to decrypt. Since you can't be compelled to provide a password, this seems like the best thing to do to protect your privacy...

Forcing you to aid in a search

[sjbe]

your fingerprints aren't a testimony against yourself. Read the damn thing. "nor shall be compelled in any criminal case to be a witness against himself."

Your fingerprints absolutely can be evidence against you. That's not even a question. The police have a long established right to take your fingerprints when you are arrested and to compare them with gathered evidence.

That said I have a hard time reconciling this with the right against self incrimination in the Constitution. In principle I feel a biometric pass code should be legally no different than a memorized one. Either way you are being forced to potentially incriminate yourself. But I suspect that the legal system will rule that they are different and so if you want your phone to be secure against search and seizure you must avoid biometric pass codes unfortunately. The problem here is that they are not comparing your fingerprints against evidence they have found. They are in effect forcing you to open a lock on their behalf. I don't have a problem with them having the right to search but I don't see why the target of the investigation should be forced to aid in that search. If they can break down a door to do a search (with a warrant) then have that right but I don't see why I should have to hand over the key to the house so to speak.

Re:Forcing you to aid in a search

[Curunir_wolf]

your fingerprints aren't a testimony against yourself. Read the damn thing. "nor shall be compelled in any criminal case to be a witness against himself."

Your fingerprints absolutely can be evidence against you. That's not even a question. The police have a long established right to take your fingerprints when you are arrested and to compare them with gathered evidence.

That said I have a hard time reconciling this with the right against self incrimination in the Constitution. In principle I feel a biometric pass code should be legally no different than a memorized one. Either way you are being forced to potentially incriminate yourself. But I suspect that the legal system will rule that they are different and so if you want your phone to be secure against search and seizure you must avoid biometric pass codes unfortunately. The problem here is that they are not comparing your fingerprints against evidence they have found. They are in effect forcing you to open a lock on their behalf. I don't have a problem with them having the right to search but I don't see why the target of the investigation should be forced to aid in that search. If they can break down a door to do a search (with a warrant) then have that right but I don't see why I should have to hand over the key to the house so to speak.

Courts have long held that you are required (once a proper warrant has been issued) to provide keys to any lock (such as a safe) that is the subject of search or evidence. However, you cannot be compelled to provide the combination of a safe that is secured that way. So they're using the same principle. Your fingerprint is something that you HAVE, so you can be required to provide it. A combination or password is something that you KNOW, and you're allowed to keep your mental secrets secret.

Re:Forcing you to aid in a search

[spire3661]

The difference is your fingerprints are physical items that exist in the real world. The entire point of the 5th Amendment is protection for whats in your head, nothing else. Its a check on the State's power to compel you to provide something it cannot prove is real. Your fingerprints are real, thus they can compel you. The simplest solution is to not rely on biometrics, they suck as security devices.

Re:Forcing you to aid in a search

Can't you just say one or a combination of the following:

a) You don't remember what finger you used
b) You used someone else's finger
c) Let them "have" your hand but use the wrong fingers or make them guess what finger is correct
d) Use the correct finger but do it incorrectly such that the device won't unlock
e) say you never properly set a fingerprint id
f) Or, and this is actually true for me, I pick my fingers and the fingerprint id doesn't work because my prints are not exactly the same for very long (and they were in a not-natural state when the passcode was set so it would be impossible to compel me to not pick at my fingers to gain access)

Or in other words - how can a court compel this when the court doesn't even know what they are compelling. Seems to me the easiest thing to do is say you never properly authenticated any of your fingers and thus are unable to comply. If they force you to try all your fingers - just do it wrong. We all know how finicky these devices are and it would seem easy to purposely incorrectly authenticate or damage your print enough to cause a failure.

Re:Forcing you to aid in a search

[Curunir_wolf]

Can't you just say one or a combination of the following:

a) You don't remember what finger you used b) You used someone else's finger c) Let them "have" your hand but use the wrong fingers or make them guess what finger is correct d) Use the correct finger but do it incorrectly such that the device won't unlock e) say you never properly set a fingerprint id f) Or, and this is actually true for me, I pick my fingers and the fingerprint id doesn't work because my prints are not exactly the same for very long (and they were in a not-natural state when the passcode was set so it would be impossible to compel me to not pick at my fingers to gain access)

Or in other words - how can a court compel this when the court doesn't even know what they are compelling. Seems to me the easiest thing to do is say you never properly authenticated any of your fingers and thus are unable to comply. If they force you to try all your fingers - just do it wrong. We all know how finicky these devices are and it would seem easy to purposely incorrectly authenticate or damage your print enough to cause a failure.

1. a) Could get you charged for lying to investigators, which is a crime
2. b) See a
3. c) Or just ask "which finger" - They have a 50% chance of selecting the right one before the iPhone reverts to passwords
4. d) They'll just keep trying, but again only get 5 tries
5. e) See a
6. f) This is the best advice - use a password, not your fingerprint.

7. There's a youtube video of a girl trying to get into her boyfriends phone while he's asleep. She tries one hand, then the other, then other fingers, and finally gives up and leaves. The guy then wakes up, takes off his shoe and unlocks his phone with his toe. Hilarious!

   So just use your toe. They'll never figure that one out.

Re:Forcing you to aid in a search

[rastos1]

Your fingerprints absolutely can be evidence against you. That's not even a question.

(IANAL, ...) The fingerprint is usually used as a means to identify the person - the fingerprint itself is the evidence. Here it is used as means to gain access to the evidence - i.e. it is not itself used in the role of the evidence.

Re:Forcing you to aid in a search

Courts have long held that you are required (once a proper warrant has been issued) to provide keys to any lock (such as a safe) that is the subject of search or evidence. However, you cannot be compelled to provide the combination of a safe that is secured that way.

Given the 5th amendment, it at first appears reasonable that the government cannot compel you to reveal a combination, even though they can compel you to provide a key. However, if you dig a little deeper, there's often little meaningful difference between these cases.

If the police know the location of the key and have a warrant, they'll just go take it. There's no compelling involved, so there's no 5th amendment issue. This case is pretty cut and dry, but if the police don't know the location of the key it gets much more interesting.

Maybe you hide the key under a rock in your neighbor's yard. Perhaps key was on your old keychain, and you legitimately can't remember where it is. Or you might keep the key in another safe that's guarded by a combination. Without accessing the data in your mind, the government has no way of knowing where the key is, or if it even exists. Should the government be able to compel you to provide the key in these circumstances? What should your punishment be if you (legitimately or otherwise) can't provide the key?

Regardless of where you stand on the issues of privacy, it's pretty clear that we don't have a good distinction between these cases. Why should the choice of securing your safe with a combination or a key mean the difference between conviction and acquittal?

Re:Forcing you to aid in a search

>I feel a biometric pass code should be legally no different than a memorized one.

Designing a button that can read fingerprints was developed as a convenience & a saleable demonstration of oh-so-shiny tech.
If you want true obscurity use a memorized password and accept the two second inconvenience. Oh the horror with such yesteryear technology!

Re:Forcing you to aid in a search

Courts have long held that you are required (once a proper warrant has been issued) to provide keys to any lock (such as a safe) that is the subject of search or evidence.

Courts in the USA have long held that unethical practice of law is acceptable under many circumstances. That's the status quo, and an incontestable point for any honest person that has studied the US legal system in detail. Every major area of US law is contaminated with legal ethics problems, something that has been pointed out on many occasions on this forum.

Worse, lawyers are allowed to contribute 'campaign donations', and do so actively in huge amounts. The judges we end up with, selected by politicians who receive those campaign contributions, do little or nothing to fix the many ethics problems in the US legal system. There are major ethics problems all the way up to the Supreme Court.

It's the same issue that led to the continuation of slavery for so long, or to allowing the Jim Crow rules that discriminated on the basis of race. Both of those have been corrected, but the underlying ethics problems that allowed those cancers to happen are still present. Only a few symptoms of the disease have been treated, topically, without changing anything underneath.

All this was anticipated by some of the folks who objected to the original Constitution. The Bill of Rights was created, and made open-ended, specifically to deal with that objection. It gets violated routinely, with a wide variety of propaganda being created to give the impression that the government or the lawyers or other entities have the right to do that: they don't.

If something is long held by judges, that's not a reason to consider it ethical, moral, or even legal. The status quo in US law is an unethical one.

No person should be compelled to assist the government in ANY way in an investigation involving them, whether or not a warrant is present, whether or not Congress is asking the questions, whether or not a pardon or immunity is given, whether or not it happens in the Continental USA or in some other location such as a military base overseas. If they need a key, then they can get a locksmith.

confusion about self-incrimination

[supernova87a]

A lot of people are confused by what self-incrimination means. Self-incrimination is forcing someone to testify (testimonial obligation), be a witness against their own interest/side in a criminal action, or generally be forced to say/admit anything that might be used against them unwittingly later as part of a prosecution. The right to non self-incrimination does not mean you are immune from having evidence produced that incriminates you!

The key thing is that it is a right to not testify, or be a witness, which is the act of saying or stating something. If a person can be compelled to produce his/her fingerprints (something which in itself is not a testimonial act), then just because that unlocks something that incriminates the person does not mean they have been self-incriminated.

Re: confusion about self-incrimination

I agree, in that case I feel your finger is a key made out of meat, not testimony. It is interesting that you already can be compelled to provide fingerprints for booking but if you put it on a touch sensor it potentially becomes testimony in some peoples opinion.

Re:confusion about self-incrimination

That's kind of reductionist: the fifth amendment actually says no person "‘shall be compelled in any criminal case to be a witness against himself". In Schmerber v. California the Supreme Court held that intrusions into the human body require a warrant, overriding the right to privacy with a judicial review - the same as invading a home.

While in a an earlier, non-electronic age limiting the definition to only spoken testimony may have covered everything the advent of hard encryption changes the game. In the particular case here, it's a thumbprint for access - but can the government compel you say a password aloud that will open a device, especially in that having that password proves you had access to incriminating documents.

In short, this is not cut and dried and what happens in this case is going to shape how society, encryption, and devices work for years to come. I just wish we had a full nine-seat Court to work on it.

Re:confusion about self-incrimination

[JosephDoeden]

I expect password refusal once ordered by court to not fall under the 5th eventually. Encryption is most likely to be used by criminals for protecting themselves from court review than citizens looking at porn. What happens when corporations say.. well.. we are people too and our entire IT structure pleads the 5th?

Re:confusion about self-incrimination

[supernova87a]

but can the government compel you say a password aloud that will open a device, especially in that having that password proves you had access to incriminating documents

No, and it's a good point. Currently I don't believe that in any US jurisdiction a person can be forced to reveal a password (knowledge that would implicate him/her) in some action. That is different (or has been treated as different) from objective physical evidence that generally does not have a bias for or against a person (until it is linked to some other evidence that does incriminate the person in an criminal matter).

Re:confusion about self-incrimination

[supernova87a]

I actually think it might go the opposite way. I think passwords will be absolutely continue to be regarded as testimonial (and indicative that someone has intent in creating a password, and it is thus a compulsion to testify against onesself if forced to reveal it). Fingerprints, if they become widespread security measures, could conceivable also become regarded as very intentional acts when implemented, to the point that a court *might* believe that it shows that someone has the intention of keeping something private, which is due protection against search without enough evidence to warrant it.

Re:confusion about self-incrimination

[gnasher719]

I think that is what has actually happened in court cases: If the police doesn't have actual evidence that you know the password, then giving the password is quite obviously proof that you know it. And if the fact that you know the password is incriminating evidence, then giving the password is self incriminating.

On the other hand, if the police has evidence that the computer or phone is yours, and that you have repeatedly used the password to unlock it, then giving the password is not self incriminating.

Re:confusion about self-incrimination

By that logic a person can be forced to write down their password. After all, "just because that unlocks something that incriminates the person does not mean they have been self-incriminated."

Re:confusion about self-incrimination

[Anubis+IV]

In the particular case here, it's a thumbprint for access - but can the government compel you say a password aloud that will open a device, especially in that having that password proves you had access to incriminating documents.

The distinction here would be that a password not only demonstrates that you had access, which is a simple matter of fact that can be established using physical evidence, but also that you had knowledge, which is testimonial in nature and can be used to incriminate you, meaning that they cannot request it. In contrast, a fingerprint merely demonstrates that you had access. The fact that that your access may help establish other incriminating evidence against you is secondary.

Re:confusion about self-incrimination

[StormReaver]

The key thing is that it is a right to not testify, or be a witness...

The clear intent of the 5th Amendment can be distilled to a single, unambiguous sentence: You cannot be compelled to assist in your own prosecution.

Collecting DNA evidence via compelled swabs, forcing a device to be unlocked, forced fingerprinting, etc. are all clear violations of the 5th Amendment. That our Judiciary has neutered our Constitutional protections over time is not a compelling counter-argument. If the framers of the Constitution could have predicted how, "paper and effects" have mutated over time, I am 100% certain they would have included all of the above in the explicit protections that they enumerated.

Re:confusion about self-incrimination

[supernova87a]

Sorry, your interpretation of the 5th Amendment is not correct, or at least is quite different from what our judicial system thinks of it.

The wording is not "you may not be compelled to assist in your own prosecution", which is quite a broadly interpretable word, "assist". You clearly have taken that idea and turned it into being protected against anything that contributes to your prosecution. That is just incorrect.

The law says that you cannot be compelled as a witness against your own prosecution. A witness is someone who testifies, and who has testimonial privileges. A fingerprint, or cheek swab, or blood draw -- none of these fall into the realm of testifying as a witness according to the law.

Re:confusion about self-incrimination

[david_thornley]

You're confusing the Fourth and the Fifth. The Fourth shields you from unreasonable search and seizure and provides certain criteria for warrants. It doesn't stop the government from doing anything, provided they have probable cause and go through the formalities. The Fifth is absolute: the government cannot require you to say or type anything incriminating, no matter what. (If you are ordered to say or type something specific, that's not incriminating.) Exactly what that means in relation to passwords is not yet fully clarified in US law, but it's definite that you can't be compelled to divulge a password if there's any reasonable case to be made that it provides evidence. If they know the phone's yours, that's unsettled. If they know the phone is possibly evidence, and they don't know it's yours, then divulging the password is admitting that you're connected with the phone.

Re:confusion about self-incrimination

[david_thornley]

Taking cheek swabs, forced fingerprinting, etc., are all things the police do to you. They will happen if the court orders, whether you agree or not. Since they can take your fingerprints no matter whether you're innocent or guilty, the act itself doesn't incriminate you. You can be compelled to do all sorts of things, as long as they aren't under your initiative, but if there's any decision you make then the fact that you can make that decision has evidentiary value and you may not be compelled. If you're ordered to enter a password, and there's any doubt you know it, and the phone has some connection to something illegal, then entering a password reveals that you know the password, and that may not be compelled.

"Papers and effects" have nothing to do with the Fifth. The Fourth doesn't prevent the police from doing any searches or seizures, as long as they have probable cause and go through the right formalities. They can conduct reasonable searches and seizures at their own discretion, and can seek warrants for all others.

If forced to choose between yes and no...

[michaelcole]

... how can it not be a case of the 5th amendment protections? If forced to choose between using the correct finger, or using a finger that will lock the phone, how can this not be a case of self-incrimination? This seems like extreme legal antics to ignore the fact this person has been accused of a crime, without sufficient evidence to prosecute on it's own merits.

biometrics have always been shit.

[nimbius]

ever since lenovo/ibm started adding finger swipes to their laptops, biometrics have been handily dismissed as entirely insecure. iphone thumbreaders have been bypassed with 3d printings of the deceased's fingers. and even simple scans and printouts of thumbs and fingers have been more than enough to render the technology ineffective.

the solution is complex passphrases, hardened keystores, and challenge limits. if you cant guess the password in 3 attempts, you now have to wait $N amount of time. if you cant guess it in $X attempts, the device destroys its private keys.

fingerprint id insecure by nature

fingerprint id insecure by nature, because your fingerprint likely covers your device, your glasses and everything else you touch.

Re:fingerprint id insecure by nature

Would orientation of the fingerprint be a factor? e.g. - I unlock with my forefinger pointed toward the bottom of the phone, rather than the top.

Re:fingerprint id insecure by nature

There should be an option for a "complex bio-metric" unlock method which would allow you for example the use of two fingers to unlock in a particular order. Since the order in which the registered fingers is knowledge they can't compel you to unlock the device since it would be self-incrimination.

What exactly is the problem?

[mi]

The original problem — one with actual passwords — came from the painfully perverted reading of the Fifth Amendment (I wish, ACLU et al were as liberal reading the Second!). If you have to tell police your password that could be used against you, then the password became testimony (written or verbal) and so the police could not compel you to do that under the Fifth Amendment.

Well, fingerprints are neither said nor written, so the Fifth Amendment does not apply. End of story — whether police can look at your smart phone's contents is now controlled by the Fourth... If the judge issues a warrant, you have to open up...

Re:What exactly is the problem?

The original problem — one with actual passwords — came from the painfully perverted reading of the Fifth Amendment (I wish, ACLU et al were as liberal reading the Second!). If you have to tell police your password that could be used against you, then the password became testimony (written or verbal) and so the police could not compel you to do that under the Fifth Amendment.

Well, fingerprints are neither said nor written, so the Fifth Amendment does not apply. End of story — whether police can look at your smart phone's contents is now controlled by the Fourth... If the judge issues a warrant, you have to open up...

Except I don't think that's actually how the 4th amendment works.

You don't have to open the door to your house for example. The police instead have the right to break in likely damaging your property to execute the search, You still don't actually have to assist them in any way (you juts can't actively impede them).

Similarly you should not have to unlock the device. If the cops want to search it and they have a warrant they can break into it on their own. If they can't figure out how to spoof a fingerprint they're idiots, and if they need to know what finger to use well... telling them would be testimony wouldn't it?

Re:What exactly is the problem?

[mi]

You don't have to open the door to your house for example.

I doubt, that's the case, but IANAL. All of the "layman" guides out there emphasize, that you don't have to open your house unless police have a warrant, which would seem to imply, that, when they do have it, you must open.

The police instead have the right to break in likely damaging your property to execute the search

Or they can go back to the judge, who issued the warrant, and complain, And the judge may then find you in contempt — which is exactly, what happened in this case...

Also, quite obviously, if you think police are justified in applying violence, they'd also be able to forcefully apply the suspect's fingerprint to his phone — it would, of course, be far less painful and damaging to him, than the forced entry, which you've already allowed, and other aspects of a resisted arrest, that is sure to follow.

Nothing to hide != nothing to fear

[sjbe]

Moral of the story is Don't leave evidence on your phone. Or anywhere else for that matter.

Idiotic statement. Sometimes what isn't actually evidence of anything can be used against you. Just because you have nothing to hide does NOT mean you have nothing to fear.

If you need an explanation why watch this video.

physical - knowledge

It means: transform Touch ID from a physical request to a knowledge request (thinking that would get the same protection as a password).

You have to give them a fingerprint ... but do you have to give them your knowledge of which fingerprint will unlock a device?

Ah, traditions ...

[PinkyGigglebrain]

"Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,'"

I wonder it these judges would also consider the practice of strapping a male baby to a board and cutting off part of it's penis without anesthesia to be acceptable because it is "tradition"

I can think of many other "traditions" that need to be reconsidered in light of modern times.

Re:Ah, traditions ...

No, it's because the male version in the USA is always the removal of a tiny piece of skin under sterile medical conditions with almost zero actual consequences except cleanliness (with the only people saying otherwise being true crackpots who make pseudoscientific arguments citing scientific-sounding statements to attemtp to sound like they have any authority whatsoever when even basic bio, much less medical, students can spy them from 1000 miles as deluded idiots) whereas the female equivalent throughout much of the world tends to be the removal of the parts equivalent to the entire end of the male penis.

Tiny skin piece != gspot/glans-like parts.

The female equivalent is, in effect, remove the "sexual" part of "sexual organ", the male version is "all done, he'll feel better in a few days."

Re:Ah, traditions ...

In western circumcision, they're not cutting off a part of the penis in the sense you write this: a lot of millenial fucktards and their more-fucktard parents bought bullshit about this by pseudo-experts, but it's just a bit of skin.

In the female equivalent in non-western cultures, it actually is part of their sexual organs--it tends, in fact, to be the "sexual" (stimulus) part of the organ. It's like cutting-off the head/glans of a male penis rather than...the bit of skin (that leads to lower STD infection, which is not bullshit, as much as the propagandists might cry "BUT BUT BUT BUT PROBLEMS!!!")

Now the propagandists went shrilly crying that "OMG, in males it's removing NERVE ENDINGS!!!"

BUT SO DOES CUTTING YOUR ****ING FINGER.

They're ENDINGS and NOT the nerves--the nerve ENDINGS grow back.

End rant against fucking idiot.

Return to scene

I think we should also require suspects to return to the crime scene and handle all the evidence with ink on their fingers.

What if?

You don't use your finger?
Nose? Penis ( men only )? Left Big Toe ( sandals hipsters...)?
Lower palm?

All viable alternatives, usually, and if no one knows what part you use, they may have to manipulate the 'member' quite a bit
to find the magic spot...

Re:What if?

[Locke2005]

You have 10 fingers. Use any finger except for the obvious one (right index finger), and you can pretty much guarantee the fingerprint scan will fail. Of course, you have to have the foresight to not use the obvious finger to program the fingerprint scanner BEFORE the court demands you unlock the phone, so this helps actual criminals a lot more than innocent civilians, but still... I need to redo my fingerprint scanner data.

Destruction of evidence

[sjbe]

Can you say destruction of evidence is a crime?

There are many circumstances where it is a crime to destroy evidence.

Re:DNS sample

[JcMorin]

I guess that would go in the same line as forcing something to give a DNA sample to match stuff found on the victim/crime scene?

Power off, reboot, or stall

[Aaden42]

Starting with iOS 9, there's an 8 hour timeout on TouchID. Longer than that, and you need to re-enter your passcode. TouchID won't work. (Source: http://www.macworld.com/articl...)

And of course as others have mentioned, on power up, passcode is required once. So if there's any possibility of a police interaction, crashboot your phone (hold power & home for five seconds), or shut it down normally if you have the time. Failing that, have your attorney appeal EVERYTHING to blow the 8 hour timeout away.

Also, FFS run the latest version of iOS, since this and other protections (some of which have worked in the San Bernardino case) aren't present in older releases.

Re:Power off, reboot, or stall

[david_thornley]

The crashboot might be construed as obstruction of justice, since it's an intentional act that you do once you know that what you've got is likely to be evidence. If you worry about it, set your iPhone to wipe after ten failed login attempts and disable the fingerprint activation (or whatever the equivalent is for your phone) ahead of time. They can't complain about that.

I am from Alabama,

And it's a lot like all the other states ( just 20 years late in adopting any trends... fashion, education, etc )
Yes, we use cell phones, and biometrics exist here.
Not as much animal husbandry as in the past... The women don't want ugly babies/stepkids....
Less inbreeding thanks to porn.

As for incriminating evidence or secrets - can't the android OS be made dual-booting? Fingerprint selection?
Add an optional second micro card that is visible to only one OS....

Backwards

[sled.kutch]

This is why biometric identification should be used as a username, never a password.

Re:Backwards

[mrun4982]

Exactly. I'd never use a fingerprint as a password.

Quick!

[wonkey_monkey]

Bite off your fingertips and eat 'em!

Re: Fingerprint unlock stop working after that lon

No 4 & 5 protect. Get fbi to pay another $1m to break in. If it comes from your mind it is not a fact.

Firth amendment doesn't apply to biometrics

[nbritton]

This is consistent with previous interpretations of the law, and the reasoning is the fifth amendment only applies to the information that is stored in your brain. The fifth amendment is the only protection you have that prevents the government from being able to compel you to divulge your passwords. The important thing to take away from this is that all authentication systems that rely on biometric information can be lawfully circumvented with a court order. The only authentication system that is protected under the fifth amendment is a token stored in your mind.

Re:DNS sample

[supernova87a]

It is very much related, but an ongoing debate within the justice system, I would say. Things like people being compelled to have their blood drawn (for the purpose of testing blood alcohol after a DUI) or their DNA tested (but in different circumstances compared to what you suggest), are extensions of the "fingerprint" argument.

And courts have held that these things can be compelled to be produced by (or from) a person without their consent if certain circumstances are met. But it requires a warrant -- it can't just be done by the police because they feel they need to.

In some states, if you're under suspicion of a felony DUI charge, the police can seek a warrant to have your blood drawn/tested for alcohol. Regarding DNA, for example, in California, if you are a suspect for a felony, you can be forced by the court to have your blood/DNA tested. In all 50 states, someone who has been convicted of a felony can have his/her blood/DNA required to be drawn.

Evidence vs searching

[QuietLagoon]

...Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission....

Historically, fingerprints have had value only as evidence. That is quite different than the biometric security usage that fingerprints also enjoy nowadays. Biometric security has morphed fingerprints from being only evidence to also being security passcodes.

.
imo, fingerprints, when used purely as evidence (i.e, as they have been used historically), should not require a search warrant.

However, when fingerprints are used for a security purpose (i.e.are not evidence, but a security key), then they should be treated as being part of a search that the security key enables.

It will be interesting to see how the Supreme Court eventually rules on this.

evil

[fche]

It is unconscionable to force a criminal defendant to assist his or her own prosecution in any way whatsoever.

Re:Better idea (but unpopular)

[Curunir_wolf]

Don't break the law. If you don't like the law, work to get it changed.

Unpossible. There are so many laws that can be interpreted in so many ways, if an agent wants to pin something on you, they WILL find something. It has been widely reported that the average American commits 3 felonies a day, without even knowing it.

Yet another reason

[MitchDev]

Not to use your fingerprint to unlock/decrypt anything.

Thieves will love having to chop off fingers rather than trusting a victims claim of what their password/PIN is....

Idea

Couldn't you, like, set it to be a password lock, then make your password a phrase that would be self-incriminating? Wouldn't you be unable to be forced to give the passcode as the passcode itself is incriminating?

Re:Idea

[david_thornley]

You can't be compelled to divulge a password that's incriminating in itself. Assuming it's legal to compel your cooperation anyway, it's legal to compel you to enter it yourself.

iOS auto-lock timeout: passcode after 8 hours

Which is why you should reboot your phone (or power it off) if you're expecting an inspection.

With recent version of iOS, if you haven't unlocked your phone via Touch ID in the last 8 (?) hours, it asks you for your password/phrase. Your finger print won't work:

http://www.macworld.com/article/3072181/ios/new-touch-id-rules-why-you-have-to-enter-your-passcode-when-you-wake-up.html

I often have to type something in if I sleep in. I thought it was imagining things, but Apple actually reduced the time down from 48 hours.

So while you're right in that a reboot will do the same thing, if the iDevice has been sitting around for a while (and is running iOS 9+), then the passcode will kick in automatically.

Joke's on them...

[wardrich86]

My fingerprint won't unlock shit. I used my DICK as the fingerprint. Would they like me to whip it out to unlock it in front of them?

Biometrics are just stupid

[DCFusor]

And this is yet another reason to think that instead of paying too much attention to "oh shiny".
I was against them as "passwords" due to - you can't change them if you're hacked.
I guess Apple isn't magic fairy dust after all...oh, wait.

Can an entire corporate IT plead the 5th?

[JosephDoeden]

Corporations are people.. if they can keep terabytes and beyond of data encrypted and just have their IT guy plead the 5th. Why would they not all do that?

Stupid.

iPhone users are not smart enough to have anything important.

Pretty easy to circumvent court order

[Locke2005]

And that, my friends, is why I also use my middle finger instead of my index finger as input to my phone's fingerprint scanner.! How many times does it need to fail before the phone locks you out? My phone requires a PIN code, not a fingerprint, every time it gets turned back on, and after updating software as well. Seems like a court order to "put your finger on the fingerprint scanner" would be VERY easy to make fail to actually unlock the phone, and charging with contempt of court for the phone not recognizing your fingerprint seems pretty shaky to me.

Use your pinky

[StikyPad]

By the time they get to that finger, it will require a passcode to be unlocked.

Re:More Federal Stupidity

I thought everyone switched to passcode instead of PIN a while ago when we realized that iPhone will happily boot (properly signed) tampered firmware that can brute force PINs.

Still a race...

...to beat the 8 hour timeout which requires the PIN again. And of course if you care about this, all your email is cert-encrypted with its own PIN. But I digress.

So it's ok for us to chop judges fingers off then?

[WillAffleckUW]

Seems fair to me.

Time to update Elliot Spitzer

[knorthern+knight]

THEN...
"Never write when you can talk. Never talk when you can nod.
And never put anything in an e-mail."

NOW...
"Never write when you can talk. Never talk when you can nod.
And never put anything in an e-mail, or on your smartphone."

A good reason not to use fingerprint unlocking

[jonwil]

Is there any good reason to even use Touch ID or other fingerprint unlocks instead of just using a password or passcode?

Re:A good reason not to use fingerprint unlocking

[ejasons]

Is there any good reason to even use Touch ID or other fingerprint unlocks instead of just using a password or passcode?

Less chance of someone seeing you typing in your passcode.

When I used to use a passcode, I had the phone lock after an hour of not having been used. With the fingerprint sensor, it locks immediately when it goes to sleep, and then requires the code after not having been used for 8 hours. I'm comfortable with this, and consider it an improvement...

Unlocking

Simple solution for iPhones....simply power off the phone completely if you think you'll be compelled to give up its contents. They can compel fingerprints, but they cannot compel passwords. Once powered off, it cannot be turned back on with a fingerprint....only a password.

Use a toeprint?

Would that be stupid or clever?

Re: Fingerprint unlock stop working after that lon

The 4th and 5th amendment issues and the limitations of an All Writs are still not settled, so expect to sit in jail without a trial if you refuse to comply with the instructions from a judge to release your passwords. If an FBI agent or prosecuting attorney demand your password, you can tell them to go pound sand if you want. They have to convince a judge to order you before you really have to do anything. (IANAL)

Glad to hear it

[hackel]

There's no excuse for not using suspects fingerprints in this way, so long as they have legally obtained a search warrant. It's certainly no different than breaking a lock to enter someone's home. I believe this is mostly going to affect poorly educated criminals like drug dealers, petty thieves, and such. Anyone with half a brain would not rely on a simple phone lock to encrypt their data in the first place. It's so trivial to do, those who don't really must be the worst, most obnoxious criminals out there.

Chick & the Egg...

[Marful]

How exactly does the DA have a case if he doesn't have any evidence, or requires the evidence on the phone to further carrying the case?

What if you....

....damage your fingerpad right after they take away your phone? By the time your fingerpad heals, the time limit will have passed.

In other news

[easyTree]

"Authorities" required to demonstrate the legitimate source of their authority.

Re:More Federal Stupidity

[idji]

yep, you are "racist". you like certain ethnic groups and hate others, and say some ethnic groups are subhuman - meaning you are not only racist, you are a racial supremist and hence ignore facts about human genetics, including the fact that there is only one human race - we probably killed the remaining human races 10's of thousands of years ago.

It's taken a while for me to grok this

[rickb928]

But isn't the government's stand that this is, essentially, discovery, which can be compelled in civil cases...?

So is there criminal discovery in states or federally that would compel a defendant or suspect to surrender incriminating evidence, and how does that not run afoul of the Fifth Amendment?

Re:More Federal Stupidity

[david_thornley]

Passcodes are inconvenient for objects that are part of our daily lives. However, Apple did plug that firmware hole in the 5S and later phones. There have got to be vulnerabilities still, because there always are, but Apple's closing them as they find out about them.

Why is this even being pursued?

[ramriot]

I may be later to this post but I seem to remember, backed up by this page clipping from Apple (https://support.apple.com/en-us/HT204587)
"To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation:
After restarting your device
When more than 48 hours have elapsed from the last time you unlocked your device
To enter the Touch ID & Passcode setting"
Therefore, this is not this whole case moot, since 48 hours has most certainly expired since the phone was taken as evidence, thus the fingerprint is not a valid unlock and the legally protected passcode is back in play.