Slashdot Mirror

← Back to Stories (view on slashdot.org)

Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules (forbes.com)

Posted by msmash on from the landmark-ruling dept.

A California judge has ruled that American cops can't force people to unlock a mobile phone with their face or finger. The ruling goes further to protect people's private lives from government searches than any before and is being hailed as a potentially landmark decision. From a report: Previously, U.S. judges had ruled that police were allowed to force unlock devices like Apple's iPhone with biometrics, such as fingerprints, faces or irises. That was despite the fact feds weren't permitted to force a suspect to divulge a passcode. But according to a ruling uncovered by Forbes, all logins are equal. The order came from the U.S. District Court for the Northern District of California in the denial of a search warrant for an unspecified property in Oakland. The warrant was filed as part of an investigation into a Facebook extortion crime, in which a victim was asked to pay up or have an "embarassing" video of them publicly released. The cops had some suspects in mind and wanted to raid their property. In doing so, the feds also wanted to open up any phone on the premises via facial recognition, a fingerprint or an iris.

21 of 172 comments (clear)

  1. I can't imagine... by cayenne8 · · Score: 2, Insightful
    ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today.

    I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:I can't imagine... by Anonymous Coward · · Score: 2, Interesting

      Because I don't want to type in a password every time I look at my phone. I don't keep anything in the general storage that I don't want someone else to see.

      If you don't care about the data behind the biometric lock, and the data you do care about is behind a different lock, why use biometrics at all? I am seriously asking here and genuinely am curious why.

    2. Re:I can't imagine... by Dixie_Flatline · · Score: 3

      Using a biometric system allows me to keep a 15+ character passcode on my phone without meaningfully impacting my day. It means my phone is immune to casual (or even some non-casual) break-ins, but is still very useful and accessible to me. (Particularly now that I have an iPhone XR; it never FEELS locked to me because the transition is so seamless.)

      If someone swipes my phone or I lose it, I have no fear that my data will be taken. If someone has kidnapped me and threatens me, they'll have my data whether it's protected by a password or biometrics.

      I'm FAR more worried about persistent data tracking around the web and the amount of data that filters through google and facebook than my biometrics being the weak point in my security.

      Ultimately, all security is a tradeoff between security and convenience. My phone is a device that I want to be convenient, and that means I trade a tiny bit of security for it.

    3. Re:I can't imagine... by sexconker · · Score: 3, Insightful

      Biometrics are trash from every angle.

      They're incredibly fuzzy, which leads them to being easy to fool. Users can't reset their biometrics when they're compromised. And the biometrics can be used to identify an individual. You can either use a shitty biometric device that records the data directly, or compromise a trusted one to do so, thus letting you go from the "secure" element to the user. OR you can identify a suspected user (or as they tried to do in this case, a swath of them) and then force them to use biometrics to generate a hash and determine if it's a match or not.

      Passwords win out always.

    4. Re:I can't imagine... by bobbied · · Score: 4, Informative

      True security requires two of the following..

      1. Something that I am (biometrics)

      2. Something that I know (password)

      3. Something that I have (A physical login token)

      You can do three and be a bit more secure if you like.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    5. Re: I can't imagine... by Zero__Kelvin · · Score: 2

      Well personally *I* can't imagine why you can't imagine it. The vast portion of people aren't worried about APTs. Well over 99% of the time there is no danger that someone is going to try to gather your biometrics in order to access your phone, and even less chance when you factor in likelihood of success. In almost every case the threat is a thief, a family member, an unscrupulous or "prankster" co-worker, or someone else who lacks the time, access to your person, and / or skill set to break bion biometric based protections. Couple that with the fact that it is far more easy and quick to use your finger to afford "one touch" authorization and you'd have to be ignorant and / or a fool to think it isn't a highly effective tool that maps well to the security landscape.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:I can't imagine... by Pascoea · · Score: 4, Funny

      he will get ... my grocery list.

      I keep that in the secure locker. I don't want my health insurer to know how much crappy food I eat.

    7. Re:I can't imagine... by Kjella · · Score: 2

      ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today. I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

      It's good enough if it's simply lost. It's a lot easier to shoulder surf a PIN than to create a convincing enough replica of my fingerprint. If you really want access to my phone just rob me, I'll tell you the PIN as it's not worth dying over. There's no need for shears and gory scenarios and it'll unlock the phone forever and after reboots too so it's better than my finger. I suppose I could be dead or incapacitated, but why go to drugs, battery or murder if a simple threat will get you all you want? So the only people who'd have an easier time with biometrics are those where it makes a legal difference and they play by the rules.

      If it's at the border or a traffic stop or knock on the door or anything like that you have plenty time to disable it - it's just five quick taps. So basically it's just a surprise arrest, either on the streets or SWAT rushing in. As I'm already assuming it's cops following rules I suppose that could happen by a case of mistaken identity, but they wouldn't find much incriminating and they wouldn't do much else nasty with it. Basically, the Venn diagram between where the security is significantly weaker and the threats that are of any real concern to me has no overlap.

      --
      Live today, because you never know what tomorrow brings
  2. Tony Soprano could by OffTheLip · · Score: 4, Funny

    obligatory: https://www.xkcd.com/538/

  3. Does it really matter in the long run? by Riceballsan · · Score: 3, Interesting

    If I'm not misunderstanding, the police can still search the phone, if they can find a way in. This seems to say they can't force you to put your finger on your phone, but it doesn't sound like they can't try to figure out the code on phones they are able to bring into evidence. Unless I'm mistaken, that still seems like they can take your phone, run your prints... and I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.

    1. Re:Does it really matter in the long run? by cayenne8 · · Score: 2

      Unless I'm mistaken, that still seems like they can take your phone, run your prints... and I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.

      Well, that still won't do them any good, if you do NOT use a biometric passcode, such as a fingerprint.

      They can try your prints all day long if you set a nice, complex passcode you have to type in.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Does it really matter in the long run? by dissy · · Score: 2

      If I'm not misunderstanding, the police can still search the phone, if they can find a way in.

      From the second link above to the document by the judge, it seems the issue is the police requested a warrant for the phones of the two suspects, and it was both granted and forcing them to unlock the phones is fine.
      But the cops also requested a warrant to force every person also found in those homes that had nothing to do with the case nor were suspects, and the judge said no to both the warrant and said the cops can't force the unrelated people to do anything.

      Which to anyone with common sense this is how it *should* work.
      If the cops can't be bothered or have no reason for asking for a warrant they shouldn't be allowed to violate those peoples rights.
      If the cops ask a judge for a warrant and the judge agrees with it, they can force them.

      So this issue is mainly about illegal warrantless searches being reaffirmed as illegal.

  4. Re:Can't force but... by sunking2 · · Score: 2

    Or use the finger prints that they had no choice but to have taken when they booked you.

  5. Re:what if you had an I want my lawyer = auto wipe by artemis67 · · Score: 2

    I like to play survival video games. And I like to put traps in and around my bases.

    9 times out of 10, the person who ends up getting killed by my traps is me.

    This would not be a good solution for me.

  6. How to crack a password w/o a $5 hammer by davidwr · · Score: 3, Informative

    If the police put you under surveillance, it's likely they will see you unlock your phone at least a few times.

    If they can catch you doing it from different angles, they can probably figure out what the passcode is.

    Once they do that, execute the warrant, seize the phone, unlock the phone, then declare victory.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. Now by RickyShade · · Score: 3, Interesting

    Now let's find a sane judge who will stand with the constitution and declare Civil Asset Forfeiture to be unconstitutional as it most certainly is.

  8. Re:Can't force but... by captaindomon · · Score: 4, Insightful

    Yep and then in both of these cases the evidence will be thrown out of court. The point isn't to stop the police from being physically able to do something, it's to take away the incentive. If using the fingerprints they gathered when they booked you to unlock your phone results in the whole case being thrown out of court for lack of admissible evidence, and a civil counter-suit quickly filed by the person who was arrested, the police are going to stop doing that. Quickly. As someone once said on this board, it's the Judicial version of "Judge Hulk SMASH."

    --
    Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
  9. Not likely to make its way through appeals by Headw1nd · · Score: 5, Insightful

    I seriously doubt this is going to survive appeal. Providing your fingers and face, for fingerprints and lineups respectively, is already considered non-testimonial and well accepted. That providing these to unlock a phone is objectively the same as a passcode is irrelevant, a physical key such as a dongle would have the same purpose and it seems to be established that you could be compelled to hand it over to the police. In fact it seems in this case that the law is specifically unconcerned with the objective, and only concerned about the means.

    This does invalidate an earlier comment I made concerning using 3D sculpting to fool face recognition, I guess the government might need to look into it now. If this leads to a ridiculous chain where you cannot be compelled to look at your phone to unlock it, but you can be compelled to have your face 3D scanned so that a copy can be made and used to unlock your phone, then I will be disappointed but not surprised.

  10. Re:Can't force but... by fustakrakich · · Score: 2

    Yep and then in both of these cases the evidence will be thrown out of court.

    Cops will just say you gave it up voluntarily. Then it's your word against theirs (unless the phone recorded it). Happy hunting for your lost rights.

    civil counter-suit quickly filed by the person

    Uh huh, Yeah, we all got plenty of money for that.

    --
    “He’s not deformed, he’s just drunk!”
  11. Re:Can't force but... by sexconker · · Score: 2, Informative

    Cops will just lie. Best case they force you to unlock it, find out what you're doing, then get at that from some other angle, such as an "anonymous tip". Parallel construction.

    If you're not lucky, they'll beat you and force you to unlock it, then it's your word against 3 seasoned cops saying you unlocked the device voluntarily then reached for one of the cops's gun.

  12. Why not do both ? by nehumanuscrede · · Score: 2

    Instead of the either / or aspect, why not the option to require both a biometric AND a passcode / pin ?
    If the biometric AND the pin / passcode match you get access. If either fail, you don't.

    What problems would arise from such a setup ?