Virginia judge: Police can demand a suspect unlock a phone with a fingerprint

But passcodes need not be divulged as per the Fifth Amendment, court says.

Read the whole story

 

[cmacd]

DNick[/url]":3eka8yzc]

Solomon Black[/url]":3eka8yzc]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

It's sort of like if there's probably evidence in your safe or your locked desk drawer. They can get a warrant to compel you to unlock those, and if you don't, they'll break into them. The goal isn't to stop law enforcement from their legitimate pursuit of criminals, it's to prevent them from accessing your data in secret, without a signed warrant. If they have probable cause to get a warrant, they should have access to the data. Encryption is to prevent them from going on a fishing trip through all the world's data, to see what everyone is up to so they can decide who to go after.

Can anybody refresh me as to the argument on passwords versus safes? As I recall, the issue was that the police can always just open the safe (through tools) with or without your assistance, given time. But that forcing you to give a password (assuming encryption that is not feasible to crack) amounts to testimony, because by giving the password (as with the combo to a safe) you are admitting to, at the very least, access to the data (if not ownership).

Whereas a fingerprint is just a fingerprint. It's a fact. It also amounts to an admission of access/ownership, but because there's no demonstrated knowledge or testimony involved they can compel it.

 

[jameskatt2]

To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

 

[cmacd]

jameskatt2[/url]":3ndjwni5]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

 

[GILDude]

DyDx[/url]":114kcyu8]This judge is an idiot. Can't wait to see this overturned in the future. There's absolutely no rational basis to conclude that forcing a suspect to give up a passcode is in violation of the 5th but it's OK to force them to permit access via biometrics. That's moronic! There IS NO DIFFERENCE.

I see a difference. The fingerprint is "what you are". The passcode is "what you know". In security terms, those are different things. In real terms they are different too. One of them is knowledge. The other is the shape of some ridges on your finger. Similar to how you cannot tell the police that they cannot measure your height, apparently you can't reserve your fingerprint either. I don't know that I 100% buy into the decision but it isn't moronic and there IS a difference.

 

[Midnitte]

To me it seems like an arbitrary difference, both are technically "passcodes" (I.e. a set of information use to unlock a device).

What if I use a printout of someone else's (or artificial) fingerprint as a pass code? If the definition for by "divulging information", wouldn't being forced to hand over my fingerprints be "divulging information" since they aren't likely to know which particular finger I chose as my unlock?

 

[Boreas]

The tech giants have a lot of truly brilliant lawyers in their employ, most of them in IP. If they're not currently hiring people to contemplate the legal implications of such innovations ahead of time, they should be. Like it or not, this is a pretty commonsense reading of the law, and the law obviously can't move at the same speed as engineering. It seems more and more like user privacy is an after-thought, and that problems are addressed only after something goes wrong--at which point, we collectively tend to blame the ordinary end-users, rather than the inventors.

 

[e2mtt]

cmacd[/url]":19k3csch]

I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

It's true, fingerprint unlocking does just invite the use of force to unlock the phone (a properly equipped thief can just take the finger). But what you propose is no solution, really. In most cases that you'd want such a feature keeping the data safe may not be the primary concern.

As noted, with the police you now open yourself to an entirely new charge (destruction of evidence).

With a thief, abusive husband, etc. you are assuming what, that the perpatrator will just shrug and say "welp guess that's that?" You've just gone out of your way to anger somebody who already just implied a willingness to use force against you. That seems likely to end poorly.

There's no destruction of evidence... Just the removal of the physical bypass to the encryption. All of the other details stay the same. Warrant still compels unlock, with contempt if you refuse.

With the thief or abuser, at least you'd have the choice.

 

[Kydaria]

cmacd[/url]":3vvqarrz]

jameskatt2[/url]":3vvqarrz]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

It is if you use both at the same time.

Choose Fingerprint only: Get convenience at the expense of some security.
Choose 2FA Fingerprint: Get increased security against .govs at the expense of convenience.

Wouldn't be hard for Apple to add 2FA option to TouchID.

 

[cmacd]

DyDx[/url]":29z92476]This judge is an idiot. Can't wait to see this overturned in the future. There's absolutely no rational basis to conclude that forcing a suspect to give up a passcode is in violation of the 5th but it's OK to force them to permit access via biometrics. That's moronic! There IS NO DIFFERENCE.

Not sure if it's worth the effort, but I'll take a crack at this.

The fifth amendment protects against self-incrimination, not against being incriminated. If you want your data to be secure, lock it with something other than a physical characteristic of your body. Knowledge of a password can be denied, but your fingerprint is your fingerprint. You can't deny that, it's not ambiguous, aside from some fairly remote mathematical probabilities.

 

[Akemi]

cmacd[/url]":1fe4wrwp]

I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

It's true, fingerprint unlocking does just invite the use of force to unlock the phone (a properly equipped thief can just take the finger). But what you propose is no solution, really. In most cases that you'd want such a feature keeping the data safe may not be the primary concern.

As noted, with the police you now open yourself to an entirely new charge (destruction of evidence).

With a thief, abusive husband, etc. you are assuming what, that the perpatrator will just shrug and say "welp guess that's that?" You've just gone out of your way to anger somebody who already just implied a willingness to use force against you. That seems likely to end poorly.

The alarm system on my home has a fake code that when entered silently calls police. Say, if someone ambushed me entering my home, held a gun to my head, and demanded I turn off the alarm. Entering this code would deactivate only the audible alarm sound.

 

[DyDx]

sep332[/url]":qe3ty7j6]Your passcode is a secret. Your fingerprint is not. That's why it's legal for the police to get your fingerprint. You have no right to "privacy" of your fingerprints.

I'm shocked you are all seemingly on board with this.

This is a violation of the 5th Amendment -- there's no other way around it. While your fingerprint is a 'fact,' police should not be allowed to compel you to provide it if doing so will provide them evidence that incriminates you. That's the entire point of the 5th Amendment, damnit.

Can they use the fingerprint they've collected via stamp or digital means to make a fake 'finger' to open it? Sure, just like they could use physical means to open a safe or lock box or locked desk drawer. But forcing a suspect to provide it crosses a line.

I realize it's a small difference, but it's an important one IMO.

 

[cmacd]

Kydaria[/url]":27lbfwd0]

cmacd[/url]":27lbfwd0]

jameskatt2[/url]":27lbfwd0]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

It is if you use both at the same time.

Choose Fingerprint only: Get convenience at the expense of some security.
Choose 2FA Fingerprint: Get increased security against .govs at the expense of convenience.

Wouldn't be hard for Apple to add 2FA option to TouchID.

How is your security against governments significantly increased?

If they're accessing your data remotely, I can't imagine it'd significantly bump the barriers to decryption. If they're trying to get specific access to a device in your presence, it can be compelled.

 

[Solomon Black]

DNick[/url]"rpowyty]

Solomon Black[/url]"rpowyty]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

It's sort of like if there's probably evidence in your safe or your locked desk drawer. They can get a warrant to compel you to unlock those, and if you don't, they'll break into them. The goal isn't to stop law enforcement from their legitimate pursuit of criminals, it's to prevent them from accessing your data in secret, without a signed warrant. If they have probable cause to get a warrant, they should have access to the data. Encryption is to prevent them from going on a fishing trip through all the world's data, to see what everyone is up to so they can decide who to go after.

And for me I'll say that I should (even if I don't nessecarily in the law right now) have the right to tell the cops they're free to execute that warrant by cracking my safe (if they can) but they should not be able to compel me through force of law meaning I get charged with some penalty for not complying AND they still crack my safe.

Now if I'm refusing to cooperate I can't sue them for damage to my safe either since I had the chance to open it in the context of a search warrant and did not.

 

[alexclst]

Does the Find my iPhone remote locking disable unlock by Touch ID? If not, something makes me think that we may see that as a new feature in iOS 8.2 or 8.3, or 9.0 as a response to this ruling. That way, even if your phone was taken by police, but before they could get you to unlock it, you could remotely make it not accept Touch ID unlock, so that it is then still using a password (because, who actually uses the simple passcode on devices with Touch ID anyway) to actually unlock.

 

[Kydaria]

cmacd[/url]":1e8ya8kr]

Kydaria[/url]":1e8ya8kr]

cmacd[/url]":1e8ya8kr]

jameskatt2[/url]":1e8ya8kr]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

It is if you use both at the same time.

Choose Fingerprint only: Get convenience at the expense of some security.
Choose 2FA Fingerprint: Get increased security against .govs at the expense of convenience.

Wouldn't be hard for Apple to add 2FA option to TouchID.

How is your security against governments significantly increased?

If they're accessing your data remotely, I can't imagine it'd significantly bump the barriers to decryption. If they're trying to get specific access to a device in your presence, it can be compelled.

On top of the biometric security that they can demand you provide without a warrant, there is the password which they need to use a warrant to get past.

Unless I have been misreading the article. Legalese is a devilishly tricky language.

 

[cmacd]

DyDx[/url]":1txfkchl]

sep332[/url]":1txfkchl]Your passcode is a secret. Your fingerprint is not. That's why it's legal for the police to get your fingerprint. You have no right to "privacy" of your fingerprints.

I'm shocked you are all seemingly on board with this.

This is a violation of the 5th Amendment -- there's no other way around it. While your fingerprint is a 'fact,' police should not be allowed to compel you to provide it if doing so will provide them evidence that incriminates you. That's the entire point of the 5th Amendment, damnit.

That's not the point of the 5th amendment at all. The point of the 5th was to prevent the government from compelling you to witness against yourself, particularly because such confessions were often coerced (through torture or other means).

It has nothing to do with the actual collection of legitimate evidence. Giving up your fingerprint incriminates you if you left it at the scene of a crime as well. Giving up your DNA incriminates you if you left semen. And so on. But your biometrics are facts that the police and prosecutors are allowed access to for investigation.

If you're uncomfortable with this, don't use use an immutable physical characteristic of yourself to lock your data.

EDIT: Also, note that the government (from the sound of it) has a warrant allowing them to look at the data on the phone. This is merely about granting access. If it was password-protected, you can claim not to know it. You can't claim your finger is not your finger. So, again, don't use your finger to lock it.

 

[sep332]

DyDx[/url]":femqks2h]

sep332[/url]":femqks2h]Your passcode is a secret. Your fingerprint is not. That's why it's legal for the police to get your fingerprint. You have no right to "privacy" of your fingerprints.

I'm shocked you are all seemingly on board with this.

This is a violation of the 5th Amendment -- there's no other way around it. While your fingerprint is a 'fact,' police should not be allowed to compel you to provide it if doing so will provide them evidence that incriminates you. That's the entire point of the 5th Amendment, damnit.

Can they use the fingerprint they've collected via stamp or digital means to make a fake 'finger' to open it? Sure, just like they could use physical means to open a safe or lock box or locked desk drawer. But forcing a suspect to provide it crosses a line.

I realize it's a small difference, but it's an important one IMO.

What if you get one of those phones that unlocks when it sees your face? http://www.androidcentral.com/how-set-f ... evo-4g-lte If the cops are already taking your mugshot and fingerprinting you, they can use your face or your fingerprint to unlock your phone.

 

[e2mtt]

afidel[/url]":e7tvueys]

e2mtt[/url]":e7tvueys]I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

Um, if you used such a method once in custody a judge will correctly convict you of destruction of evidence and will allow the prosecution LOTS of leeway in arguing what the likely contents of the device were (ie in this case they would likely be able to argue in front of the jury that you destroyed a video of you attacking the victim as they had reasonable suspicion that you possessed such a video and destroyed it, something they would not be able to argue if it were password protected and you simply refused to divulge the password)

In my example, I assume you would want to wipe the fingerprints at the first sign of an altercation that might result in a physical attempt to force unlock the phone, not in custody & survaliance.

Furthermore, if you are familiar with Touch ID, the full passcode must be used after a reboot or 48 hrs disuse, so this mechanism only accelerates this, it doesn't destruct the data or destroy evidence.

 

[Meailda]

wolf_fire[/url]":3t4mgj6h]And this would be why we need actual computer *science* in education rather than 'keyboarding' and learning how to click on icons in Word.

The judge doesn't know there's no difference in accessing an encoded archive, from a practical standpoint, between a fingerprint and a password/passcode. Both should be under the 5th Amendment as the end result is the same.

That's not correct. The difference is that the fingerprint doesn't correspond to a password in the security world, the fingerprint corresponds to a token (Think RSA token or google hitting your cell phone with the code to get in) It is the something you have part of "Something you have and something you know".

 

[cmacd]

Kydaria[/url]":3ow37o5g]

cmacd[/url]":3ow37o5g]

Kydaria[/url]":3ow37o5g]

cmacd[/url]":3ow37o5g]

jameskatt2[/url]":3ow37o5g]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

It is if you use both at the same time.

Choose Fingerprint only: Get convenience at the expense of some security.
Choose 2FA Fingerprint: Get increased security against .govs at the expense of convenience.

Wouldn't be hard for Apple to add 2FA option to TouchID.

How is your security against governments significantly increased?

If they're accessing your data remotely, I can't imagine it'd significantly bump the barriers to decryption. If they're trying to get specific access to a device in your presence, it can be compelled.

On top of the biometric security that they can demand you provide without a warrant, there is the password which they need to use a warrant to get past.

Unless I have been misreading the article. Legalese is a devilishly tricky language.

From my reading of the article, a warrant is required for access via biometrics.

The court has said that the password can't be compelled even with a warrant. Because it'd be a fifth amendment violation (access to the data would be a fourth amendment issue).

 

[CatOne41]

What I wonder:

Touch ID is quite good, but it's not 100% good. If I'm just out of the shower or finishing up a bike ride and my fingers are "humid," sometimes Touch ID complains.

How are law enforcement to know which finger you use? If you don't manage to get the phone turned off before they request this, why not just use the wrong finger 3 times? If they don't know for sure which finger it is, it's an odds game, and Touch ID will lock you out after 5 failed attempts. After which point they can't compel you to enter your passcode.

 

[jeromeyers2]

What you need is the ability to set many passwords, or use many fingerprints, each with a different meaning or unlock level. Or fingerprints that require gestures on screen afterwards that have no cue.

I like this approach for logins, etc. A single username with many passwords that unlock different permission levels for the "session" or whatever.

EDIT: Maybe use your toes. That would probably throw their assumptions for a loop.

EDIT2: Best for flip flop wearers.

 

[talz13]

How might this apply to "trusted bluetooth devices"?

http://www.androidcentral.com/trusted-b ... ng-forward

If the phone remains unlocked when in proximity to the device (a headset, a BT enabled ring, etc.), the lock is disabled and requires no "testimony" to open.

If the police do not know that you have a trusted bluetooth link set up with your ring, will they know to bring your phone nearby, or take your ring with the phone to keep it unlocked? And if not, would you have to divulge that information?

 

[nononsense]

Law enforcement is already complaining about encryption being enabled by default on new phones. They really aren't going to like the reaction to this.

Apple has shown they are receptive to consumers concerns about privacy. All they need to do is add a 'boss mode' fingerprint. If you use the designated finger to unlock your phone it just reboots or requires a password.

No data is erased so no evidence has been destroyed. Simple and effective.

I wonder which finger I would pick to give the police?

 

[Kydaria]

cmacd[/url]":u1a6kz5a]

Kydaria[/url]":u1a6kz5a]

cmacd[/url]":u1a6kz5a]

Kydaria[/url]":u1a6kz5a]

cmacd[/url]":u1a6kz5a]

jameskatt2[/url]":u1a6kz5a]To prevent this gross use of police powers, one can simply require BOTH your fingerprint AND your passcode to unlock the iPhone.

This TWO-FACTOR way of protection not only is BETTER, but also PROTECTS the consumer from violations of their FIFTH AMENDMENT RIGHTS.

What's the point of that then? Why bother with the fingerprint? The entire point of the fingerprint is convenience vice having to enter a passcode. It's not really added security.

It is if you use both at the same time.

Choose Fingerprint only: Get convenience at the expense of some security.
Choose 2FA Fingerprint: Get increased security against .govs at the expense of convenience.

Wouldn't be hard for Apple to add 2FA option to TouchID.

How is your security against governments significantly increased?

If they're accessing your data remotely, I can't imagine it'd significantly bump the barriers to decryption. If they're trying to get specific access to a device in your presence, it can be compelled.

On top of the biometric security that they can demand you provide without a warrant, there is the password which they need to use a warrant to get past.

Unless I have been misreading the article. Legalese is a devilishly tricky language.

From my reading of the article, a warrant is required for access via biometrics.

The court has said that the password can't be compelled even with a warrant. Because it'd be a fifth amendment violation (access to the data would be a fourth amendment issue).

If that is the case then this isn't so bad. Thanks for the clarification.

So if passwords cannot be compelled even with a warrant then having a 2FA option for TouchID would shore up the limitations of biometrics would it not? Then again the existence of biometric security along with a password might provide enough proof to the court that the device does belong to the suspect and therefore must know the password.

 

[jeromeyers2]

nononsense[/url]":2n1y05n7]Law enforcement is already complaining about encryption being enabled by default on new phones. They really aren't going to like the reaction to this.

Apple has shown they are receptive to consumers concerns about privacy. All they need to do is add a 'boss mode' fingerprint. If you use the designated finger to unlock your phone it just reboots or requires a password.

No data is erased so no evidence has been destroyed. Simple and effective.

I wonder which finger I would pick to give the police?

Regular unlock mode: Pointer Finger
Police unlock mode: Middle Finger
Naughty unlock mode: Big toe

 

[mewmew]

bleeper[/url]":2uycd5wp]

whquaint[/url]":2uycd5wp]

Solomon Black[/url]":2uycd5wp]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

Police have been taking fingerprints of suspects for years. You can't refuse. Just because recent tech companies have CHOSEN to use the fingerprint for "security" does not eliminate the long-standing right of police to take your fingerprint. .

Odd i can't find that "right" in the Constitution.

It's right next to your "right" to privacy.

i.e., it's assumed to derive from other rights, such as legally recognized and accepted police practices, and is not explicitly written.

 

[BioTurboNick]

CatOne41[/url]":2fay4mj4]What I wonder:

Touch ID is quite good, but it's not 100% good. If I'm just out of the shower or finishing up a bike ride and my fingers are "humid," sometimes Touch ID complains.

How are law enforcement to know which finger you use? If you don't manage to get the phone turned off before they request this, why not just use the wrong finger 3 times? If they don't know for sure which finger it is, it's an odds game, and Touch ID will lock you out after 5 failed attempts. After which point they can't compel you to enter your passcode.

I would think this would be the issue. They can tell you to put your right index finger on the TouchID sensor, and you would have to do it, but I don't think you would have to volunteer the correct finger. Of course, that seems like a distinction that will easily get lost along the way.

But this all has to do with self-incrimination. If they have established through other means that you already own and used the device, then providing your finger or passcode is no longer self-incrimination.

 

[Kydaria]

nononsense[/url]":3pbdowz4]Law enforcement is already complaining about encryption being enabled by default on new phones. They really aren't going to like the reaction to this.

Apple has shown they are receptive to consumers concerns about privacy. All they need to do is add a 'boss mode' fingerprint. If you use the designated finger to unlock your phone it just reboots or requires a password.

No data is erased so no evidence has been destroyed. Simple and effective.

I wonder which finger I would pick to give the police?

Technically data IS erased when you reboot your phone, when TouchID is enabled the encryption keys to unlock the iPhone are wrapped in another key that only TouchID can unlock which then can unlock the system. That key is what is destroyed when any of the conditions that force a passcode entry instead of TouchID occur.

 

[Theala Sildorian]

Alex777[/url]":fizwhyln]There's an easy solution to this possible dilemma, apart from rebooting your phone. (which then requires a passcode when it comes back up)

I have ten different fingers. They don't know which one unlocks the phone.

If the law requires you to supply your fingerprint to comply with a warrant, it doesn't matter which finger is the right one.

 

[Eddy Current]

I'm going to put a suggestion in the "Suggested Features" box for the next version of Android.

You have a passcode, and you also have the option of setting up a "Self Destruct Code".

If the cops enter your self destruct code when trying to unlock your phone, it deletes all the data/texts/call data from the past 7 days (or some time frame that you select).

 

[Theala Sildorian]

CatOne41[/url]":3d985o5s]What I wonder:

Touch ID is quite good, but it's not 100% good. If I'm just out of the shower or finishing up a bike ride and my fingers are "humid," sometimes Touch ID complains.

How are law enforcement to know which finger you use? If you don't manage to get the phone turned off before they request this, why not just use the wrong finger 3 times? If they don't know for sure which finger it is, it's an odds game, and Touch ID will lock you out after 5 failed attempts. After which point they can't compel you to enter your passcode.

If it is lawful for the police to compel you, then doing that would get you convicted of obstruction of justice.

 

[ewelch]

The judge used twisted logic (twisted until it's the opposite) when he says the fingerprint is like DNA. It's not like DNA when it's used as a password. It's a password! And I have a right to not be forced into self-incrimination.

Until the law comes to its senses, whenever I am approached by a police officer, I will shut my phone down so that it requires a passcode.

Just because I have nothing incriminating on my phone doesn't mean I have to let them look.

 

[SavedByTechnology]

xoa[/url]":3aa9ogbi]

abj21[/url]":3aa9ogbi]

Chmilz[/url]":3aa9ogbi]There's no way, yet, to suck a code out of my head.

Rubber hose cryptanalysis:

This is a comic, it's a joke. It's not meant to be a serious commentary on security, and while someone who understands the topic can get a mild laugh it gets massively over posted where it doesn't belong. "What would actually happen" would be more along the lines of:

• "Oh wait, our target lives hundreds of miles away, guess this crypto has defeated us after all."
• "This information isn't worth the risk of drugging and assaulting somebody."
• "We wanted to get this information anonymously, directly attacking the target will tip our hand and ruin its value."
• "Doing that would destroy our case in court."
• "I'm here to drug and hit yo-BAMBAMBAMBLARGH" (a lot of private citizens are massively armed).

Etc etc. If the first panel is a "crypto nerd" then the latter is a "crime movie fetishist" who is having a bit of trouble separating fantasy from reality. Security is about increasing the energy cost of attack beyond the means of an attacker or the value of information, anything that does so increases security. A laptop with uncrackable (any decent) encryption is much more secure then one where they can simply grab everything in plain text rapidly without the target ever even knowing it.

Yes, it is a joke...and it's funny. Laugh once in a while, it does the body good.

 

[glennmaximilian42]

I had the exact same thought! Knowledge of the correct finger seems to fit under the so-called logic of the judge. They couldn't physically force you to use the right fingers presumably either.

Lyrrad[/url]":2hjaepsx]So, if you can be compelled to provide a fingerprint, can you be compelled to provide the *right* fingerprint?

The TouchID sensor can only store 5 fingerprints. You get five fingerprint tries before you MUST unlock the phone with the backup passcode/word.

I assume that you don't have to tell the police that your left pinky, for example, is the only finger that will unlock the phone, right? Does that count as knowledge that they can't compel you to divulge to self-incriminate?

 

[TheShark]

Chmilz[/url]":39rrgh9y]I'm still wondering on what level biometrics make for good security? Fingerprints, eyes, voice - any of that stuff can be spoofed with increasing ease. Knowledge in my brain? No so much.

If what's being protected is valuable enough, someone will cut off hands, heads, carve out eyeballs, etc to get it. There's no way, yet, to suck a code out of my head.

Oh I'm willing to bet that once someone starts cutting off your hands and carving out your eyeballs that code is going to come out of your head pretty quick. Personally I plan to divulge any secret codes I know before my eyeballs get carved out.

 

[YetAnotherAnonymousAppellation]

Solution 1: create a lock app that uses one fingerprint to unlock and a different one to wipe memory.

Solution 2: create an app that detects when the phone is shaken in a particular pattern and wipe the memory.

Solution 3: don't take your phone with you if you're going to be evil.

 

[bames53]

Chmilz[/url]":11ky54gs]I'm still wondering on what level biometrics make for good security? Fingerprints, eyes, voice - any of that stuff can be spoofed with increasing ease. Knowledge in my brain? No so much.

If what's being protected is valuable enough, someone will cut off hands, heads, carve out eyeballs, etc to get it. There's no way, yet, to suck a code out of my head.

Well, actually...

http://newscenter.berkeley.edu/2011/09/22/brain-movies/

 

[mewmew]

maximilian42[/url]":19ld97zh]I had the exact same thought! Knowledge of the correct finger seems to fit under the so-called logic of the judge. They couldn't physically force you to use the right fingers presumably either.

Lyrrad[/url]":19ld97zh]So, if you can be compelled to provide a fingerprint, can you be compelled to provide the *right* fingerprint?

The TouchID sensor can only store 5 fingerprints. You get five fingerprint tries before you MUST unlock the phone with the backup passcode/word.

I assume that you don't have to tell the police that your left pinky, for example, is the only finger that will unlock the phone, right? Does that count as knowledge that they can't compel you to divulge to self-incriminate?

I would think that it's not as specific as "provide your left index finger". More likely it will simply cover the general legality of using a warrant to compel you to unlock your fingerprint-locked phone.

 

[TheShark]

CatOne41[/url]":2dsq2rnv]What I wonder:

Touch ID is quite good, but it's not 100% good. If I'm just out of the shower or finishing up a bike ride and my fingers are "humid," sometimes Touch ID complains.

How are law enforcement to know which finger you use? If you don't manage to get the phone turned off before they request this, why not just use the wrong finger 3 times? If they don't know for sure which finger it is, it's an odds game, and Touch ID will lock you out after 5 failed attempts. After which point they can't compel you to enter your passcode.

Exactly. My phone regularly refuses my print if I've just showered, washed dishes, etc. It's certainly plausible or even probable that somebody under the stress of interrogation is going to be sweaty enough that the TouchID isn't going to work even if they want it to. And like you said it locks you out pretty fast. Try with the wrong finger a few times till it locks out then shrug. "Sorry. I tried."