Slashdot Mirror
Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules (forbes.com)
A California judge has ruled that American cops can't force people to unlock a mobile phone with their face or finger. The ruling goes further to protect people's private lives from government searches than any before and is being hailed as a potentially landmark decision. From a report: Previously, U.S. judges had ruled that police were allowed to force unlock devices like Apple's iPhone with biometrics, such as fingerprints, faces or irises. That was despite the fact feds weren't permitted to force a suspect to divulge a passcode. But according to a ruling uncovered by Forbes, all logins are equal. The order came from the U.S. District Court for the Northern District of California in the denial of a search warrant for an unspecified property in Oakland. The warrant was filed as part of an investigation into a Facebook extortion crime, in which a victim was asked to pay up or have an "embarassing" video of them publicly released. The cops had some suspects in mind and wanted to raid their property. In doing so, the feds also wanted to open up any phone on the premises via facial recognition, a fingerprint or an iris.
obligatory: https://www.xkcd.com/538/
If I'm not misunderstanding, the police can still search the phone, if they can find a way in. This seems to say they can't force you to put your finger on your phone, but it doesn't sound like they can't try to figure out the code on phones they are able to bring into evidence. Unless I'm mistaken, that still seems like they can take your phone, run your prints... and I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.
If the police put you under surveillance, it's likely they will see you unlock your phone at least a few times.
If they can catch you doing it from different angles, they can probably figure out what the passcode is.
Once they do that, execute the warrant, seize the phone, unlock the phone, then declare victory.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Now let's find a sane judge who will stand with the constitution and declare Civil Asset Forfeiture to be unconstitutional as it most certainly is.
Yep and then in both of these cases the evidence will be thrown out of court. The point isn't to stop the police from being physically able to do something, it's to take away the incentive. If using the fingerprints they gathered when they booked you to unlock your phone results in the whole case being thrown out of court for lack of admissible evidence, and a civil counter-suit quickly filed by the person who was arrested, the police are going to stop doing that. Quickly. As someone once said on this board, it's the Judicial version of "Judge Hulk SMASH."
Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
I seriously doubt this is going to survive appeal. Providing your fingers and face, for fingerprints and lineups respectively, is already considered non-testimonial and well accepted. That providing these to unlock a phone is objectively the same as a passcode is irrelevant, a physical key such as a dongle would have the same purpose and it seems to be established that you could be compelled to hand it over to the police. In fact it seems in this case that the law is specifically unconcerned with the objective, and only concerned about the means.
This does invalidate an earlier comment I made concerning using 3D sculpting to fool face recognition, I guess the government might need to look into it now. If this leads to a ridiculous chain where you cannot be compelled to look at your phone to unlock it, but you can be compelled to have your face 3D scanned so that a copy can be made and used to unlock your phone, then I will be disappointed but not surprised.
Using a biometric system allows me to keep a 15+ character passcode on my phone without meaningfully impacting my day. It means my phone is immune to casual (or even some non-casual) break-ins, but is still very useful and accessible to me. (Particularly now that I have an iPhone XR; it never FEELS locked to me because the transition is so seamless.)
If someone swipes my phone or I lose it, I have no fear that my data will be taken. If someone has kidnapped me and threatens me, they'll have my data whether it's protected by a password or biometrics.
I'm FAR more worried about persistent data tracking around the web and the amount of data that filters through google and facebook than my biometrics being the weak point in my security.
Ultimately, all security is a tradeoff between security and convenience. My phone is a device that I want to be convenient, and that means I trade a tiny bit of security for it.
Biometrics are trash from every angle.
They're incredibly fuzzy, which leads them to being easy to fool. Users can't reset their biometrics when they're compromised. And the biometrics can be used to identify an individual. You can either use a shitty biometric device that records the data directly, or compromise a trusted one to do so, thus letting you go from the "secure" element to the user. OR you can identify a suspected user (or as they tried to do in this case, a swath of them) and then force them to use biometrics to generate a hash and determine if it's a match or not.
Passwords win out always.
True security requires two of the following..
1. Something that I am (biometrics)
2. Something that I know (password)
3. Something that I have (A physical login token)
You can do three and be a bit more secure if you like.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
he will get ... my grocery list.
I keep that in the secure locker. I don't want my health insurer to know how much crappy food I eat.