Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case (9to5mac.com)

← Back to Stories (view on slashdot.org)

Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case (9to5mac.com)

Posted by msmash on Monday July 25, 2016 @04:00AM from the that-escalated-quickly dept.

An anonymous reader shares a report on 9to5Mac: A second federal judge has ruled that a suspect can be compelled to unlock their iPhone using their fingerprint in order to give investigators access to data which can be used as evidence against them. The first time this ever happened in a federal case was back in May, following a District Court ruling in 2014. The legal position of forcing suspects to use their fingerprints to unlock devices won't be known with certainty until a case reaches the U.S. Supreme Court, but lower court rulings so far appear to establish a precedent which is at odds with that concerning passcodes. Most constitutional experts appear to believe that the Fifth Amendment prevents a suspect from being compelled to reveal a password or passcode, as this would amount to forced self-incrimination -- though even this isn't certain. Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission.Ars Technica has more details.

32 of 233 comments (clear)

Min score:

Reason:

Sort:

TFA is not terribly clear... by LichtSpektren · 2016-07-25 04:05 · Score: 5, Insightful

Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment. If it's the latter then it's just routine--he's going to leave a trace somewhere eventually.

In either case, the moral of the story is, don't use your biometrics to lock your phone.
1. Re: TFA is not terribly clear... by ArmoredDragon · 2016-07-25 04:15 · Score: 5, Insightful
  
  I don't think it makes a difference. It's well known that in IT security, the authentication factors are who you are, what you have, and what you know. The Constitution only protects the what you know factor. The who you are factor, which is almost entirely biometric, has almost zero protection. Why? Because all three branches of the government can compel you to identify who you are, and there is nothing in either the Constitution or any written laws saying otherwise.
2. Re:TFA is not terribly clear... by willoughby · 2016-07-25 04:24 · Score: 2
  
  "...smart criminals would either register their little finger and use up those attempts with other fingers."
  That would be just as clear to me if it were written in German. What does that mean?
3. Re: TFA is not terribly clear... by DougOtto · 2016-07-25 04:26 · Score: 2
  
  Which is why you should reboot your phone (or power it off) if you're expecting an inspection.
  
  --
  Solving Unix problems since 1989...
4. Re: TFA is not terribly clear... by alvinrod · 2016-07-25 04:27 · Score: 2
  
  It makes a big difference. The government may well have the legal authority to take my fingerprint, but they cannot compel me to reveal which of them or which part of one of them could unlock my device. Otherwise what's the difference between that and compelling me to indicate which combination of letters or numbers would unlike the device by using a pass code?
  
  I hope device manufacturers include functionality to allow one time fingerprint access before falling back to needing password or PIN access. That way, even if law enforcement does have access to your prints, it would not guarantee them access to your device.
5. Re:TFA is not terribly clear... by jratcliffe · 2016-07-25 04:27 · Score: 2
  
  Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment.
  
  Not a Fifth Amendment violation. He's not being required to testify as to anything he knows, it's just a physical characteristic. Other example would be voice exemplars - it's Constitutional to require a defendant to say "hands up, give me the money," as part of a "voice lineup," since saying that doesn't require the defendant to testify to any content or knowledge. United States v. Dionisio
6. Re:TFA is not terribly clear... by jxander · 2016-07-25 04:38 · Score: 2
  
  While I can't speak to every phone and every OS, apple devices on iOS9 already have a "fix" for this: Power off your phone.
  When an iPhone is powered on, it requires that you type in the pin code or pass phrase. No biometrics here.
  
  --
  This signature is false.
7. Re:TFA is not terribly clear... by Kiralan · 2016-07-25 04:42 · Score: 2
  
  He means that he would use his little finger for the correct finger, and fail the 5 attempts using any other finger or fingers. At that point, it would also require the PIN.
  
  --
  V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
8. Re:TFA is not terribly clear... by Aaden42 · 2016-07-25 04:46 · Score: 4, Insightful
  
  There's (not a lot of...) case law that suggests a truly deadman switch that erases a device isn't considered destroying evidence. If you *do* something actively that triggers it, that's destruction and you can be charged. If by doing nothing, the device is erased, that's okay. You're also not under any obligation to mention such a thing exists.
  So for example if you set something up to wipe the device if you sent a magic text message, that would be a problem. Something that wipes if you don't touch it for a week is generally considered legal. It generally goes with the idea that you can be held to consequences for your *actions*, but there's a higher bar to hold you accountable for your *inactions*.
9. Re: TFA is not terribly clear... by Anonymous Coward · 2016-07-25 04:54 · Score: 5, Interesting
  
  I would like to see a "duress fingerprint". Force me to use my fingerprint? Fine, I'll use my middle finger which disables all biometrics until further notice.
10. Re:TFA is not terribly clear... by fustakrakich · 2016-07-25 05:06 · Score: 2
  
  Given the choice between destruction of evidence or facing much more serious prison time on trumped up charges (even if you plead out). Picking the lesser charge is the way to go. I don't see any point on philosophizing on the matter when simple math will do.
  
  --
  “He’s not deformed, he’s just drunk!”
11. Re:TFA is not terribly clear... by naughtynaughty · 2016-07-25 05:10 · Score: 4, Interesting
  
  Routinely destroying evidence to avoid implicating yourself could be a crime. However, having an automatic data retention policy likely would not be a crime. If you routinely back up your data to encrypted storage, a good practice, and then automatically delete old data you are being prudent, not a criminal. Just don't sit around with your partners in crime discussing how to thwart law enforcement by using data retention policies.
  Intent matters. And intent is difficult to prove if there isn't any hard evidence and your actions have a legitimate purpose.
12. Re:TFA is not terribly clear... by TroII · 2016-07-25 05:12 · Score: 3, Informative
  
  No, the moral of the story is don't use your fingerprint as a password.
  
  --
  "If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
13. Re:TFA is not terribly clear... by Curunir_wolf · 2016-07-25 05:15 · Score: 3, Insightful
  
  If you routinely destroy evidence to avoid implicating yourself in a crime, I think the intent is pretty clear.
  But that's perfectly legal. That is, you're destroying documents or files (something routinely done everywhere, all the time), which is not currently "evidence". If you think you're under investigation, or have some reason to believe you might be investigated, then you are not allowed to destroy or tamper with any evidence. But, if you're in the habit of routinely wiping your devices and files, it would be difficult or impossible to prove that in some specific incident you knowingly did it to tamper with evidence.
  So routinely wiping your data is a good strategy.
  
  --
  "Somebody has to do something. It's just incredibly pathetic it has to be us."
  --- Jerry Garcia
14. Re:TFA is not terribly clear... by rahvin112 · 2016-07-25 05:28 · Score: 3, Informative
  
  They aren't stupid, they bit copy (dd) the device when it's seized. Now a local police agency might not do this but anything involving the fed's is going to be copied the second they get their hands on the data, even if it's encrypted. This is directly to prevent challenges on data integrity and to prevent dead man switches.
15. Re:TFA is not terribly clear... by Jhon · 2016-07-25 05:30 · Score: 2
  
  "Exactly. I am very disappointed that people think it's okay to compel anyone to assist in any way one's own prosecution,"
  I knew the wording of this would toss up responses like yours.
  This is no different than an order to produce blood/cheek swab or even passwords. The accused have the right to remain silent -- they do not have the right to ignore lawful search warrants. If you really want to keep information that the law cannot touch then either memorize it or have a trusted spouse memorize it.
16. Re:TFA is not terribly clear... by gurps_npc · 2016-07-25 05:47 · Score: 2
  
  Works better if you put a false flag photo in there. Something that you can legitimately claim is the reason why you had the security in the first place.
  A picture of a naked woman that is not your wife works well. Just bad enough to hide, not bad enough to get you in real legal trouble.
  
  --
  excitingthingstodo.blogspot.com
17. Re:TFA is not terribly clear... by Anubis+IV · 2016-07-25 06:14 · Score: 4, Interesting
  
  If [he was compelled to put his finger on the phone], then that's incontrovertibly a violation of the Fifth Amendment.
  As someone who used to stand by that view, nowadays it strikes me as the stance of someone who values their privacy (as we all should!), but who hasn't thought through the ramifications of their stance yet.
  For instance, I'd wager you have no problem when the police swab a suspect for their DNA, nor when a passed-out drunkard is compelled to provide a blood sample in the hospital after a DUI, yet in both cases the suspect is being compelled, potentially against their will, to provide something incriminating of themselves to a machine in the police's custody that will tell the police whether the evidence from the suspect is incriminating or not. That's no different than compelling a suspect to provide their fingerprint to a phone in the police's custody that may have the ability to incriminate the suspect.
  In fact, both DNA evidence and the BAC measurement situation I described have made it through and been affirmed by the Supreme Court already (in some cases, multiple times), for the simple reason that the right against self-incrimination only extends to "testimonial" evidence (a.k.a. "communicative" evidence), not to "real" evidence...nor should it.
  I recall reading portions of the majority opinions for some of the seminal cases in this area a year or two back when researching the topic, and one of them basically stated that if we took the notion that we can't collect incriminating "real" evidence to its logical conclusion, we wouldn't even be able to compel someone to reveal enough of their physical appearance for them to be recognizable to an eyewitness, which they asserted was utterly absurd and was clearly beyond the bounds of the protections afforded by the 5th Amendment. More or less, so long as the police have a warrant and aren't trying to compel any form of demonstration of knowledge (i.e. testimony), they're within their rights.
  You've already said that you're fine with the police collecting fingerprints, which is good, since fingerprints are not testimonial/communicative in nature. But how the police collect and use them is left up to them to decide. Whether they collect them on a piece of paper, via an electronic scanner that stores them to local database, or by way of a sensor that writes them into a transient piece of memory on a mobile device makes no difference. In all three, they're simply compelling the suspect to provide a piece of evidence in their custody to a device or system in the police's custody. It's a simple transfer of physical evidence from the suspect to the police. The means may be different, but the thing being compelled is the same in all three cases.
  That the evidence can be used to incriminate the suspect does not mean their rights have been violated. And the best course of action if you don't like that fact is to stop using real evidence (e.g. keys, fingerprints, etc.) as a locking mechanism.
18. Re:TFA is not terribly clear... by Etcetera · 2016-07-25 06:39 · Score: 3, Informative
  
  Or, more specifically, obstruction of justice.
  If you refuse to give a legible fingerprint when your fingerprints are being taken at the jail, for example by trying to move your fingers back and forth so the ink smudges, the bailiff or other police official will just hold you down until they can get a valid read. You have no right to prevent that from being done.
  If you do the same thing, but in a way that surreptitiously destroys the evidence on the phone in the process (knowledge of the switch, and your awareness that you're using the wrong finger to do it), you're destroying evidence. That's not just contempt, that's obstruction of justice .. and a nice federal jail sentence.
  
  --
  Hire a Linux system administrator, systems engineer,
19. Re:TFA is not terribly clear... by JesseMcDonald · 2016-07-25 08:33 · Score: 3, Informative
  
  Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?
  The phone is not legally protected in either case. If they can find a way in, they can use the data. What is protected in the latter case is the fact that you know the passcode. If there is anything incriminating on the device then knowing the passcode which unlocks it would be tantamount to an admission of guilt. (Note that the passcode is generally not protected if they can separately prove that you have the ability to unlock the device, since at that point you would not be revealing anything incriminating.)
  The principle behind the prohibition on self-incrimination is that no one who has not already proven guilty should be placed in a catch-22 where their only options are to confess their guilt or be punished for failing to do so. Allowing records to be taken of your physical characteristics does not even amount to providing testimony, much less testifying against yourself.
  
  --
  "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Re:Fingerprint unlock stop working after that long by OrangeTide · 2016-07-25 04:15 · Score: 2

I guess you'll be held in contempt of court until you remember the password. Duration: indefinite.

--
“Common sense is not so common.” — Voltaire
Re:More Federal Stupidity by Archangel+Michael · 2016-07-25 04:17 · Score: 4, Informative

If you're not doing illegal stuff on your phone, you don't have to worry.
That works, until the government decides that your particular activity is a threat to government and makes it illegal. So no, you're incorrect, you should worry about what your government can do to you.
My particular solution would be to have a deadman's switch that erases the phone when using any finger but the one correct one. Or better yet, disable the Finger Prints from your phone, and use a proper PIN, which they cannot force you to divulge.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Forcing you to aid in a search by sjbe · 2016-07-25 04:22 · Score: 3, Insightful

your fingerprints aren't a testimony against yourself. Read the damn thing. "nor shall be compelled in any criminal case to be a witness against himself."
Your fingerprints absolutely can be evidence against you. That's not even a question. The police have a long established right to take your fingerprints when you are arrested and to compare them with gathered evidence.
That said I have a hard time reconciling this with the right against self incrimination in the Constitution. In principle I feel a biometric pass code should be legally no different than a memorized one. Either way you are being forced to potentially incriminate yourself. But I suspect that the legal system will rule that they are different and so if you want your phone to be secure against search and seizure you must avoid biometric pass codes unfortunately. The problem here is that they are not comparing your fingerprints against evidence they have found. They are in effect forcing you to open a lock on their behalf. I don't have a problem with them having the right to search but I don't see why the target of the investigation should be forced to aid in that search. If they can break down a door to do a search (with a warrant) then have that right but I don't see why I should have to hand over the key to the house so to speak.
1. Re:Forcing you to aid in a search by Curunir_wolf · 2016-07-25 05:51 · Score: 4, Informative
  
  your fingerprints aren't a testimony against yourself. Read the damn thing. "nor shall be compelled in any criminal case to be a witness against himself."
  Your fingerprints absolutely can be evidence against you. That's not even a question. The police have a long established right to take your fingerprints when you are arrested and to compare them with gathered evidence.
  That said I have a hard time reconciling this with the right against self incrimination in the Constitution. In principle I feel a biometric pass code should be legally no different than a memorized one. Either way you are being forced to potentially incriminate yourself. But I suspect that the legal system will rule that they are different and so if you want your phone to be secure against search and seizure you must avoid biometric pass codes unfortunately. The problem here is that they are not comparing your fingerprints against evidence they have found. They are in effect forcing you to open a lock on their behalf. I don't have a problem with them having the right to search but I don't see why the target of the investigation should be forced to aid in that search. If they can break down a door to do a search (with a warrant) then have that right but I don't see why I should have to hand over the key to the house so to speak.
  Courts have long held that you are required (once a proper warrant has been issued) to provide keys to any lock (such as a safe) that is the subject of search or evidence. However, you cannot be compelled to provide the combination of a safe that is secured that way. So they're using the same principle. Your fingerprint is something that you HAVE, so you can be required to provide it. A combination or password is something that you KNOW, and you're allowed to keep your mental secrets secret.
  
  --
  "Somebody has to do something. It's just incredibly pathetic it has to be us."
  --- Jerry Garcia
confusion about self-incrimination by supernova87a · 2016-07-25 04:23 · Score: 4, Insightful

A lot of people are confused by what self-incrimination means. Self-incrimination is forcing someone to testify (testimonial obligation), be a witness against their own interest/side in a criminal action, or generally be forced to say/admit anything that might be used against them unwittingly later as part of a prosecution. The right to non self-incrimination does not mean you are immune from having evidence produced that incriminates you!

The key thing is that it is a right to not testify, or be a witness, which is the act of saying or stating something. If a person can be compelled to produce his/her fingerprints (something which in itself is not a testimonial act), then just because that unlocks something that incriminates the person does not mean they have been self-incriminated.
Nothing to hide != nothing to fear by sjbe · 2016-07-25 04:30 · Score: 5, Insightful

Moral of the story is Don't leave evidence on your phone. Or anywhere else for that matter.
Idiotic statement. Sometimes what isn't actually evidence of anything can be used against you. Just because you have nothing to hide does NOT mean you have nothing to fear.
If you need an explanation why watch this video.
Re:Fingerprint might not work by bobbied · 2016-07-25 04:38 · Score: 2

Destruction of evidence is a crime (current political figures aside) which will get you sent to jail.
May I suggest that it's a stupid idea to knowingly destroy evidence if you are the subject of a criminal investigation (or a civil lawsuit for that matter)? Now I guess if you know you are guilty, it might be worth the risk to you, but in general it's going to be a bad idea..

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Backwards by sled.kutch · 2016-07-25 05:03 · Score: 2

This is why biometric identification should be used as a username, never a password.
Quick! by wonkey_monkey · 2016-07-25 05:05 · Score: 2

Bite off your fingertips and eat 'em!

--
systemd is Roko's Basilisk.
Re:Fingerprint might not work by flink · 2016-07-25 05:06 · Score: 3, Insightful

Destruction of evidence is a crime (current political figures aside) which will get you sent to jail.
May I suggest that it's a stupid idea to knowingly destroy evidence if you are the subject of a criminal investigation (or a civil lawsuit for that matter)? Now I guess if you know you are guilty, it might be worth the risk to you, but in general it's going to be a bad idea..
But you are under no obligation to indicate which finger correctly unlocks the phone. As long as you comply with the court order "place index finger on fingerprint sensor", you don't have to tell them that doing so will erase the phone.
Re:what about copying them and makeing there own by prograsm · 2016-07-25 05:17 · Score: 2

Current really cheap phone sensors will work with a 2D printed photocopy of the fingerprint, slightly less cheap sensors are capacitive and but should still work with a 2D print using, say, capacitive ink (would the standard magnetic toner used to print official bank cheques work here?). For the more complex sensors (I used to work at a company that manufactured this type, but don't know of any used in phones) even using the suspect's real finger wouldn't work if it happened to be cut off of the suspect... we were reading the EM field of the flowing blood capillaries behind the fingerprint itself. This is common with more security oriented sensors, and while we were able to shrink them enough to operate fine in a phone, they aren't the sub $5 cost that most phone sensors seem to have budgeted. Summing up: A capacitive 3D print should work, but overkill. 2D prints will definitely work, but capacitant sensors makes that less trivial than it used to be. Good sensors are tough as hell to spoof because EM is tougher than optical to replicate in fingerprint format.
Biometrics are just stupid by DCFusor · 2016-07-25 06:02 · Score: 2

And this is yet another reason to think that instead of paying too much attention to "oh shiny".
I was against them as "passwords" due to - you can't change them if you're hacked.
I guess Apple isn't magic fairy dust after all...oh, wait.

--
Why guess when you can know? Measure!