Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Iphone Privacy The Courts Your Rights Online

Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case (9to5mac.com) 233

An anonymous reader shares a report on 9to5Mac: A second federal judge has ruled that a suspect can be compelled to unlock their iPhone using their fingerprint in order to give investigators access to data which can be used as evidence against them. The first time this ever happened in a federal case was back in May, following a District Court ruling in 2014. The legal position of forcing suspects to use their fingerprints to unlock devices won't be known with certainty until a case reaches the U.S. Supreme Court, but lower court rulings so far appear to establish a precedent which is at odds with that concerning passcodes. Most constitutional experts appear to believe that the Fifth Amendment prevents a suspect from being compelled to reveal a password or passcode, as this would amount to forced self-incrimination -- though even this isn't certain. Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission.Ars Technica has more details.
This discussion has been archived. No new comments can be posted.

Suspect Required To Unlock iPhone Using Touch ID in Second Federal Case

Comments Filter:
  • what about copying them and making there own 3d printer finger? They have the finger prints from booking right?

    • by Salgak1 ( 20136 )

      That would depend on the sensor, but I can think of several ways to try, especially with recent tech. Heck, the Mythbusters hacked a biometric lock with a photocopy a decade ago. . .

      • Current really cheap phone sensors will work with a 2D printed photocopy of the fingerprint, slightly less cheap sensors are capacitive and but should still work with a 2D print using, say, capacitive ink (would the standard magnetic toner used to print official bank cheques work here?). For the more complex sensors (I used to work at a company that manufactured this type, but don't know of any used in phones) even using the suspect's real finger wouldn't work if it happened to be cut off of the suspect...
  • by LichtSpektren ( 4201985 ) on Monday July 25, 2016 @11:05AM (#52575649)
    Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment. If it's the latter then it's just routine--he's going to leave a trace somewhere eventually.

    In either case, the moral of the story is, don't use your biometrics to lock your phone.
    • by ArmoredDragon ( 3450605 ) on Monday July 25, 2016 @11:15AM (#52575735)

      I don't think it makes a difference. It's well known that in IT security, the authentication factors are who you are, what you have, and what you know. The Constitution only protects the what you know factor. The who you are factor, which is almost entirely biometric, has almost zero protection. Why? Because all three branches of the government can compel you to identify who you are, and there is nothing in either the Constitution or any written laws saying otherwise.

      • Which is why you should reboot your phone (or power it off) if you're expecting an inspection.
      • It makes a big difference. The government may well have the legal authority to take my fingerprint, but they cannot compel me to reveal which of them or which part of one of them could unlock my device. Otherwise what's the difference between that and compelling me to indicate which combination of letters or numbers would unlike the device by using a pass code?

        I hope device manufacturers include functionality to allow one time fingerprint access before falling back to needing password or PIN access. That
        • by Anonymous Coward on Monday July 25, 2016 @11:54AM (#52576163)

          I would like to see a "duress fingerprint". Force me to use my fingerprint? Fine, I'll use my middle finger which disables all biometrics until further notice.

        • by swb ( 14022 )

          And if they compel me to provide fingerprints, not only should I not have to tell them which fingerprint may unlock the device, it should be up to them to convert my fingerprint into a useful tool to actually unlock the phone.

          Hopefully device manufacturers will include a configurable time window for the time to PIN/password fallback. It would be useful to adjust it based on usage from anywhere 0 to days, depending on what you think your exposure is.

          • And if they compel me to provide fingerprints ... it should be up to them to convert my fingerprint into a useful tool to actually unlock the phone.

            Sorry, but that's simply not a reasonable restriction. If they can compel you to provide fingerprints, they can compel you to provide them by placing your finger(s) on the scanner of the iPhone they already seized as evidence. There is no rational cause to limit fingerprint collection to ink transfers on paper, or their own imaging equipment.

            At most you could argue that the fingerprint scanner in the iPhone cannot be trusted to uniquely identify its user. That would be a difficult argument to win at the bes

      • I don't think it makes a difference either. The court probably waited too long before getting his fingerprint. If the phone had to restart for any reason, then the fingerprint won't work anymore. It will need his passcode. Both iPhones and Samsung phones require passcodes on restart.

        Back to square one. The police will probably need a court order to get his passcode now.

    • This sounds like one of those instances where the spirit rather than the letter of the law should be applied. When using a fingerprint to unlock a phone, it is clearly being used as a passcode rather than "physical evidence". FTA:

      iOS also only permits five Touch ID unlock attempts before the passcode is required, so smart criminals would either register their little finger and use up those attempts with other fingers.

      So in this case, where a judge compels a suspect to unlock his phone using his fingerprint, and he blocks the phone with 5 bogus attempts, can he be held in contempt of court? Or he could claim that the phone didn't recognize his fingers because of sweaty hands.

      • "...smart criminals would either register their little finger and use up those attempts with other fingers."

        That would be just as clear to me if it were written in German. What does that mean?

        • by Kiralan ( 765796 )
          He means that he would use his little finger for the correct finger, and fail the 5 attempts using any other finger or fingers. At that point, it would also require the PIN.
      • Which finger you use is akin to a password and you shouldn't be required to reveal it. Of course the police could be observant and notice which finger you use so it wouldn't be a very good technique.

    • Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints? TFA is not precisely clear about that. If it's the former then that's incontrovertibly a violation of the Fifth Amendment.

      Not a Fifth Amendment violation. He's not being required to testify as to anything he knows, it's just a physical characteristic. Other example would be voice exemplars - it's Constitutional to require a defendant to say "hands up, give me the money," as part of a "voice lineup," since saying that doesn't require the defendant to testify to any content or knowledge. United States v. Dionisio

      • Not a Fifth Amendment violation. He's not being required to testify as to anything he knows, it's just a physical characteristic. Other example would be voice exemplars - it's Constitutional to require a defendant to say "hands up, give me the money," as part of a "voice lineup," since saying that doesn't require the defendant to testify to any content or knowledge. United States v. Dionisio

        That's a clear 1st amendment violation.

        • Actually, it's not, since there's no way any reasonable person could believe that, by repeating the words you're being instructed to say, you're endorsing those words. While it may be "spoken," it's not "speech."

        • You are wrong. Period. People who are much more intelligent, with much more expertise, and have been communally appointed to decide (all three are important in their own way) have declared you are incorrect. You have no recourse, you are wrong.
      • Of course, if you are using a voice lock on something that opens with you saying, "Alibaba was a fool", and they try to force you to say that to the lock to open it, I doubt anyone would consider that anything other than being forced to give up your password and open your locked items.
        After all, it's not the existence of the voice/fingerprint/password/key, it's the being forced to provide it for unlocking purposes that's F'd up.
         
        • Of course, if you are using a voice lock on something that opens with you saying, "Alibaba was a fool", and they try to force you to say that to the lock to open it, I doubt anyone would consider that anything other than being forced to give up your password and open your locked items.
          After all, it's not the existence of the voice/fingerprint/password/key, it's the being forced to provide it for unlocking purposes that's F'd up.

          Depends on the circumstances. If the gov't knows the password, and there's no question that the device is yours, then you could be required to state the voice passphrase. Again, the Fifth Amendment protects you from having to testify (i.e state something you know) against yourself. It doesn't protect you from having to provide charactistics of yourself (appearance, fingerprints, DNA, voice, etc.).

    • While I can't speak to every phone and every OS, apple devices on iOS9 already have a "fix" for this: Power off your phone.

      When an iPhone is powered on, it requires that you type in the pin code or pass phrase. No biometrics here.

    • Ideally the print on one finger would unlock the phone, and the print on the other 9 would wipe it.

      Would also be useful to have a specific passcode that wipes the phone immediately as well.

    • by Anubis IV ( 1279820 ) on Monday July 25, 2016 @01:14PM (#52576813)

      If [he was compelled to put his finger on the phone], then that's incontrovertibly a violation of the Fifth Amendment.

      As someone who used to stand by that view, nowadays it strikes me as the stance of someone who values their privacy (as we all should!), but who hasn't thought through the ramifications of their stance yet.

      For instance, I'd wager you have no problem when the police swab a suspect for their DNA, nor when a passed-out drunkard is compelled to provide a blood sample in the hospital after a DUI, yet in both cases the suspect is being compelled, potentially against their will, to provide something incriminating of themselves to a machine in the police's custody that will tell the police whether the evidence from the suspect is incriminating or not. That's no different than compelling a suspect to provide their fingerprint to a phone in the police's custody that may have the ability to incriminate the suspect.

      In fact, both DNA evidence and the BAC measurement situation I described have made it through and been affirmed by the Supreme Court already (in some cases, multiple times), for the simple reason that the right against self-incrimination only extends to "testimonial" evidence (a.k.a. "communicative" evidence), not to "real" evidence...nor should it.

      I recall reading portions of the majority opinions for some of the seminal cases in this area a year or two back when researching the topic, and one of them basically stated that if we took the notion that we can't collect incriminating "real" evidence to its logical conclusion, we wouldn't even be able to compel someone to reveal enough of their physical appearance for them to be recognizable to an eyewitness, which they asserted was utterly absurd and was clearly beyond the bounds of the protections afforded by the 5th Amendment. More or less, so long as the police have a warrant and aren't trying to compel any form of demonstration of knowledge (i.e. testimony), they're within their rights.

      You've already said that you're fine with the police collecting fingerprints, which is good, since fingerprints are not testimonial/communicative in nature. But how the police collect and use them is left up to them to decide. Whether they collect them on a piece of paper, via an electronic scanner that stores them to local database, or by way of a sensor that writes them into a transient piece of memory on a mobile device makes no difference. In all three, they're simply compelling the suspect to provide a piece of evidence in their custody to a device or system in the police's custody. It's a simple transfer of physical evidence from the suspect to the police. The means may be different, but the thing being compelled is the same in all three cases.

      That the evidence can be used to incriminate the suspect does not mean their rights have been violated. And the best course of action if you don't like that fact is to stop using real evidence (e.g. keys, fingerprints, etc.) as a locking mechanism.

      • by Altrag ( 195300 )

        the best course of action if you don't like that fact is to stop using real evidence

        That's the trick though. Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

        In both cases, the access to evidence is exactly the same. Neither of us are providing testimonial information -- a passcode by itself says nothing about who you are or what you've done any more than my fingerprint does (and perhaps less since my fingerprint could potentially be matched against the crime scene.. but lets assume they've already got other copies of my print by

        • by JesseMcDonald ( 536341 ) on Monday July 25, 2016 @03:33PM (#52577781) Homepage

          Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

          The phone is not legally protected in either case. If they can find a way in, they can use the data. What is protected in the latter case is the fact that you know the passcode. If there is anything incriminating on the device then knowing the passcode which unlocks it would be tantamount to an admission of guilt. (Note that the passcode is generally not protected if they can separately prove that you have the ability to unlock the device, since at that point you would not be revealing anything incriminating.)

          The principle behind the prohibition on self-incrimination is that no one who has not already proven guilty should be placed in a catch-22 where their only options are to confess their guilt or be punished for failing to do so. Allowing records to be taken of your physical characteristics does not even amount to providing testimony, much less testifying against yourself.

        • Why is my phone not protected because I used a fingerprint while your phone is because you used a passcode?

          That's the thing: neither is protected against being searched. Your statement conflates the question of whether the police are allowed to access your phone with the question of whether the police are capable of accessing your phone. You appear to be well aware of the distinction, so your statement seemed a bit out of place in the rest of your comment, but as you suggested, in many situations, the police have the legal authority to access a device without necessarily having the means to do so.

          And while the "

    • by vux984 ( 928602 )

      Was he compelled to actually put his finger on the phone, or was he just compelled to surrender his fingerprints?

      The 5th only applies to testimony. Your finger print is not testimony.

      They can already compel you to put your finger onto a finger print scanner or inkpad to collect your fingerprint.

      It seems to me, that if we allow the government the authority to compel you to stick your finger onto anything (e.g. an inkpad) to collect your fingerprint; its not unreasonable that they have the authority to make you touch your phone too. With a warrant of course.

      The upshot really should be, a fingerprint is a good way to kee

  • I got an OTA pushed to my Note from TMobile and now the fingerprint unlock stops being the unlock after reboot or so much time goes by. It wants a password after that. So, OK judge, here's my finger. Sorry, forgot the password.

  • by supernova87a ( 532540 ) <kepler1.hotmail@com> on Monday July 25, 2016 @11:23AM (#52575819)
    A lot of people are confused by what self-incrimination means. Self-incrimination is forcing someone to testify (testimonial obligation), be a witness against their own interest/side in a criminal action, or generally be forced to say/admit anything that might be used against them unwittingly later as part of a prosecution. The right to non self-incrimination does not mean you are immune from having evidence produced that incriminates you!

    The key thing is that it is a right to not testify, or be a witness, which is the act of saying or stating something. If a person can be compelled to produce his/her fingerprints (something which in itself is not a testimonial act), then just because that unlocks something that incriminates the person does not mean they have been self-incriminated.
    • I guess that would go in the same line as forcing something to give a DNA sample to match stuff found on the victim/crime scene?
      • It is very much related, but an ongoing debate within the justice system, I would say. Things like people being compelled to have their blood drawn (for the purpose of testing blood alcohol after a DUI) or their DNA tested (but in different circumstances compared to what you suggest), are extensions of the "fingerprint" argument.

        And courts have held that these things can be compelled to be produced by (or from) a person without their consent if certain circumstances are met. But it requires a warrant
    • The key thing is that it is a right to not testify, or be a witness...

      The clear intent of the 5th Amendment can be distilled to a single, unambiguous sentence: You cannot be compelled to assist in your own prosecution.

      Collecting DNA evidence via compelled swabs, forcing a device to be unlocked, forced fingerprinting, etc. are all clear violations of the 5th Amendment. That our Judiciary has neutered our Constitutional protections over time is not a compelling counter-argument. If the framers of the Constitution could have predicted how, "paper and effects" have mutated over

  • Comment removed based on user account deletion
  • The original problem — one with actual passwords — came from the painfully perverted reading of the Fifth Amendment (I wish, ACLU et al were as liberal reading the Second!). If you have to tell police your password that could be used against you, then the password became testimony (written or verbal) and so the police could not compel you to do that under the Fifth Amendment.

    Well, fingerprints are neither said nor written, so the Fifth Amendment [wikipedia.org] does not apply. End of story — whether poli

  • Starting with iOS 9, there's an 8 hour timeout on TouchID. Longer than that, and you need to re-enter your passcode. TouchID won't work. (Source: http://www.macworld.com/articl... [macworld.com])

    And of course as others have mentioned, on power up, passcode is required once. So if there's any possibility of a police interaction, crashboot your phone (hold power & home for five seconds), or shut it down normally if you have the time. Failing that, have your attorney appeal EVERYTHING to blow the 8 hour timeout away

  • This is why biometric identification should be used as a username, never a password.
  • by wonkey_monkey ( 2592601 ) on Monday July 25, 2016 @12:05PM (#52576255) Homepage

    Bite off your fingertips and eat 'em!

  • This is consistent with previous interpretations of the law, and the reasoning is the fifth amendment only applies to the information that is stored in your brain. The fifth amendment is the only protection you have that prevents the government from being able to compel you to divulge your passwords. The important thing to take away from this is that all authentication systems that rely on biometric information can be lawfully circumvented with a court order. The only authentication system that is protected

  • ...Fingerprints, in contrast, have traditionally been viewed as 'real or physical evidence,' meaning that police are entitled to take them without permission....

    Historically, fingerprints have had value only as evidence. That is quite different than the biometric security usage that fingerprints also enjoy nowadays. Biometric security has morphed fingerprints from being only evidence to also being security passcodes.

    .
    imo, fingerprints, when used purely as evidence (i.e, as they have been used historically), should not require a search warrant.

    However, when fingerprints are used for a security purpose (i.e.are not evidence, but a security key), then they sho

  • by fche ( 36607 )

    It is unconscionable to force a criminal defendant to assist his or her own prosecution in any way whatsoever.

  • Not to use your fingerprint to unlock/decrypt anything.

    Thieves will love having to chop off fingers rather than trusting a victims claim of what their password/PIN is....

  • My fingerprint won't unlock shit. I used my DICK as the fingerprint. Would they like me to whip it out to unlock it in front of them?
  • by DCFusor ( 1763438 ) on Monday July 25, 2016 @01:02PM (#52576743) Homepage
    And this is yet another reason to think that instead of paying too much attention to "oh shiny".
    I was against them as "passwords" due to - you can't change them if you're hacked.
    I guess Apple isn't magic fairy dust after all...oh, wait.
  • And that, my friends, is why I also use my middle finger instead of my index finger as input to my phone's fingerprint scanner.! How many times does it need to fail before the phone locks you out? My phone requires a PIN code, not a fingerprint, every time it gets turned back on, and after updating software as well. Seems like a court order to "put your finger on the fingerprint scanner" would be VERY easy to make fail to actually unlock the phone, and charging with contempt of court for the phone not recog
  • By the time they get to that finger, it will require a passcode to be unlocked.

Successful and fortunate crime is called virtue. - Seneca

Working...