Virginia judge: Police can demand a suspect unlock a phone with a fingerprint

But passcodes need not be divulged as per the Fifth Amendment, court says.

Read the whole story

 

[matsayz]

Crap.

 

[Yellowtruck]

"A Virginia Circuit Court judge ruled on Thursday that a person does not need to provide a passcode to unlock their phone for the police. The court also ruled that demanding a suspect to provide a fingerprint to unlock a phone would be constitutional."

So, its not a question of warrantless access to privacy of the data on the phone, it’s the legal method of getting to it?

Wait, let me re-read the article..

 

[Kydaria]

Wouldn't this be detrimental to biometric security used in High Security level locations and other such places as well as on mobile devices?

Cops may be overextending on this one if they compromise the security of biometrics just to avoid a warrant.

 

[bames53]

So, its not a question of warrantless access to privacy of the data on the phone, it’s the legal method of getting to it?

Well presumably they would be required to get a warrant to make you use your fingerprint to unlock the device, just as they would be required to get a warrant to make you hand over a physical key.

 

[Just Joe]

1) Buy iPhone because of the one-way encryption.
2) While you're in the pokey, realize the encryption means nothing if you used a fingerprint for the lock screen.

Solution: Buy an iPhone, don't use a fingerprint for the lock screen.

Edit: The ruling kind of makes sense, because while passcode/PIN locking requires you to divulge information by means only you have access to, your fingerprints can be taken by anyone who has physical access to them, though the ease by which that occurs depends largely on the participation of the accused.

 

[mizkitty]

I was wondering why someone would be stupid enough to record the attack on his cellphone...but you left out the part about him having video equipment set up in his bedroom where the attack occurred...

Easy on the details...

 

[Solomon Black]

Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

 

[Chemical Tribe]

Just Joe[/url]":1n26sdr3]1) Buy iPhone because of the one-way encryption.
2) While you're in the pokey, realize the encryption means nothing if you used a fingerprint for the lock screen.

Solution: Buy an iPhone, don't use a fingerprint for the lock screen.

Or quickly power it down if possible

 

[wolf_fire]

Just Joe[/url]":2s8wvj4b]1) Buy iPhone because of the one-way encryption.
2) While you're in the pokey, realize the encryption means nothing if you used a fingerprint for the lock screen.

Solution: Buy an iPhone, don't use a fingerprint for the lock screen.

Problem is other judges have ruled that passwords are also not protected under the 5th. So this one will likely go to the SCOTUS.

 

[xoa]

“A passcode, though, requires the defendant to divulge knowledge, which the law protects against.”

Very, very heartening to see this in an actual court ruling, and it's significant enough that I hope it gets confirmed up the line as well. Very strong protections of personal knowledge and information is going to become ever more critical as more and more of our lives, memories and thoughts get stored in our personal digital data stores. I believe the term "exocortex" is becoming ever more appropriate: the sheer amount of information and the personal nature of it makes it ever more like a direct adjunct to our own brains, even before automation like lifelogs enters the picture. And in turn, naturally we can expect certain authorities to grow ever hungrier to be able to dig into all of this, as it may provide information practically akin to mind reading of anyone they find suspicious or undesirable. Drawing strong boundaries around the sanctity of that is something that should happen sooner rather then later.

As far as the biometric issue, no surprises or even concerns there. I don't expect the same sort of protection on something that I quite literally leave all over the world merely by interacting with it. Touch ID and other biometric forms of security have always had a tradeoff in convenience vs security, really any multifactor security that does't include "something you know" as a factor will have that issue. I think it's also relatively trivial to solve technically should there be a demand. Even right now, merely turning off/restarting a phone will require the passcode again and can generally be done in a hurry. I think having a biometric option is still important and useful, because any security is only good to the extent that it actually gets used. Most people will not enter a 20-character passcode every time they want to turn on their phone, even a 4-digit PIN might be something they find too troublesome. Perfect shouldn't be allowed to be the enemy of good, and always-on biometric + strong passcode will be a practical improvement in security for much of the population vs weak PIN that might only sometimes be on or have a long delay set.

 

[Chmilz]

I'm still wondering on what level biometrics make for good security? Fingerprints, eyes, voice - any of that stuff can be spoofed with increasing ease. Knowledge in my brain? No so much.

If what's being protected is valuable enough, someone will cut off hands, heads, carve out eyeballs, etc to get it. There's no way, yet, to suck a code out of my head.

 

[rmcrowley2000]

The judge agreed with Baust, though he noted in his written opinion that “giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits,” the Virginian Pilot reports. “A passcode, though, requires the defendant to divulge knowledge, which the law protects against.”

Does this leave a loophole that someone could comply by providing their fingerprint n another form, such as a fingerprint scan or ink copy?

Also, for the "or an actual key" part of that quote, does that mean an office could force you to provide a kiey to your house without a warrant? That seems a bit counter intuitive....

 

[ChickenHawk]

This is the problem with the literal version of statutory interpretation - it leads to stupid results that make nonsensical distinctions.

Instead the Judge should have applied the Nuisance rule, or taken a purposeful approach - what is the "Nuisance" that was addressed by the law.

Would the people who drafted the Bill of Rights recognised "Personal Papers" to mean actual bits of paper, or the information in them. If we asked them: "Hey guys, if instead of putting it on Parchment, we had a magical box that displayed the stuff you'd normally write down, a box that displayed it when you put your thumb on it, would that be different?"

I defy anyone to tell me, with a straight face, they would have said that the magical box is different because it wasn't on bits of dead tree.

 

[abj]

Chmilz[/url]":uxhfsuho]There's no way, yet, to suck a code out of my head.

Rubber hose cryptanalysis:

 

[Akemi]

Solomon Black[/url]":3qy8ww38]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

Warrants can compel a great deal. Like DNA samples from a murder or rape suspect. I suspect that's the parallel being drawn here. That with a warrant you can be forced to give over certain physical evidence, but never compelled to testify against yourself. After all, you're required to give your fingerprints over to the cops upon arrest - never mind a warrant.

I guess this is just another nail in the coffin for biometrics.

 

[whquaint]

Solomon Black[/url]":3hl3atia]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

Police have been taking fingerprints of suspects for years. You can't refuse. Just because recent tech companies have CHOSEN to use the fingerprint for "security" does not eliminate the long-standing right of police to take your fingerprint. The usage of fingerprint to get into an iPhone is a CHOICE made by 1) Apple and 2) the user, as a substitute for a passcode. Recent choices made by Apple and the user do not change the legal treatment of the fingerprint.

 

[Talion]

abj21[/url]":1bs8rcws]

Chmilz[/url]":1bs8rcws]There's no way, yet, to suck a code out of my head.

Rubber hose cryptanalysis:

you beat me to it, that was my first though too.

 

[adipose]

abj21[/url]":350v7yam]

Chmilz[/url]":350v7yam]There's no way, yet, to suck a code out of my head.

Rubber hose cryptanalysis:

"Drug him and put his finger on his phone."

 

[Rosyna]

If you ever think you will be detained or someone will illegally gain access to your iPhone, force a reboot to delete all decryption keys from memory!

This is true whether your use TouchID or not.

 

[Astramancer]

Chmilz[/url]":uvuwqxr0]I'm still wondering on what level biometrics make for good security? Fingerprints, eyes, voice - any of that stuff can be spoofed with increasing ease. Knowledge in my brain? No so much.

If what's being protected is valuable enough, someone will cut off hands, heads, carve out eyeballs, etc to get it. There's no way, yet, to suck a code out of my head.

Repeat after me: Biometrics are not security.

Biometrics are only security if you have actual security on the biometrics reader. (and that's not even counting electronic compromises)

Biometrics are, basically, a secret knock you have with your buddy. It's secure against anyone who doesn't really care enough to break your security, or doesn't have any forethought or warning that they'll need to break your security.

 

[xoa]

wolf_fire[/url]":38p88bc2]Problem is other judges have ruled that passwords are also not protected under the 5th. So this one will likely go to the SCOTUS.

Yeah, this judge got the ruling exactly right, but now the important thing is that it become precedent all the way from the top, and I'm definitely worried about whether that'll actually happen. Law enforcement and politicians are going to argue very, very hard in favor of being granted more power here, invoking all of the typical boogiemen (The Children! The Terrorists! EVIL!) they can. Ideally Congress would act in shutting this down too but I'm not exactly holding my breath there.

Chmilz[/url]":38p88bc2]I'm still wondering on what level biometrics make for good security?

On the level of being security that gets USED. Consistently, and with better security then the sort of PIN codes a lot of people go with ("my birthday will be easy to remember!"). To some extent, security is the art of the possible.

If what's being protected is valuable enough, someone will cut off hands, heads, carve out eyeballs, etc to get it.

But for the vast, vast majority it isn't valuable enough, or at least isn't known to be. On the other hand, a random theft of opportunity, poking around by noisy acquaintances, unruly children, etc are all constant threats. Be careful about optimizing for the wrong attack scenario to the extent of harming the common attack scenario. Probability and what's at risk plays a very important role in implementing security. When a physically coercive attack is required that's massively increasing the cost of the attack and in turn the barrier to utilizing it.

There's no way, yet, to suck a code out of my head.

If you don't have a coercion code set up then this is one area where torture would likely be very effective, and in your imaginary scenario where the attacker is willing to inflict harm there's no reason to believe they wouldn't use torture as well. Are you confident in your ability to resist more then once? Because I sure am not. Only a coercion code (which I don't think any of these support, though someone could make a quick/dirty hack for some devices) or simply not having that information on the device at all would be sufficient.

 

[e2mtt]

I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

 

[bleeper]

whquaint[/url]":1ay4q88w]

Solomon Black[/url]":1ay4q88w]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

Police have been taking fingerprints of suspects for years. You can't refuse. Just because recent tech companies have CHOSEN to use the fingerprint for "security" does not eliminate the long-standing right of police to take your fingerprint. .

Odd i can't find that "right" in the Constitution.

 

[psd]

“A passcode, though, requires the defendant to divulge knowledge, which the law protects against.”

I hope the SCOTUS straightens this out because knowledge in that quoted statement means knowledge about a crime or potential crime which of course a defendant is right to invoke the 5th Amendment on. Pass codes though is clearly not that kind of knowledge.

 

[afidel]

e2mtt[/url]":9xhdync7]I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

Um, if you used such a method once in custody a judge will correctly convict you of destruction of evidence and will allow the prosecution LOTS of leeway in arguing what the likely contents of the device were (ie in this case they would likely be able to argue in front of the jury that you destroyed a video of you attacking the victim as they had reasonable suspicion that you possessed such a video and destroyed it, something they would not be able to argue if it were password protected and you simply refused to divulge the password)

 

[cmacd]

bames53[/url]":eq3tlu8p]

So, its not a question of warrantless access to privacy of the data on the phone, it’s the legal method of getting to it?

Well presumably they would be required to get a warrant to make you use your fingerprint to unlock the device, just as they would be required to get a warrant to make you hand over a physical key.

Yeah, people seem to be confusing this issue (self-incrimination) with warrantless searches. It sounds like they had a warrant for the phone, the question was whether they could compel him to unlock it using biometrics.

As seems to be the consensus in the thread, this is unsurprising.

 

[Alex777]

There's an easy solution to this possible dilemma, apart from rebooting your phone. (which then requires a passcode when it comes back up)

I have ten different fingers. They don't know which one unlocks the phone.

 

[Sasparilla]

For those wondering, with an iPhone, just turn it off - on restart it requires your PIN (make sure that's longer than the 4 character default).

Any police issues come up, turn off your phone and your finger print will be of no help getting in.

 

[Lyrrad]

So, if you can be compelled to provide a fingerprint, can you be compelled to provide the *right* fingerprint?

The TouchID sensor can only store 5 fingerprints. You get five fingerprint tries before you MUST unlock the phone with the backup passcode/word.

I assume that you don't have to tell the police that your left pinky, for example, is the only finger that will unlock the phone, right? Does that count as knowledge that they can't compel you to divulge to self-incriminate?

 

[cmacd]

I've been saying, ever since Apple introduced Touch ID (which I use & like), that we need an instant erase method.

I'd prefer an alternate fingerprint that when scanned, would erase all of the passcode fingerprints.

Think of muggings, domestic abuse, and unpleasant police encounters, where the assailant is very likely to physically overpower the victim to use their fingerprint to unlock the phone. In these situations, it would be very useful to be able to touch it once to erase the logins, and then have the reassurance that you could peacefully demonstrate that none of your fingerprints unlock the phone, no need for force.

It's true, fingerprint unlocking does just invite the use of force to unlock the phone (a properly equipped thief can just take the finger). But what you propose is no solution, really. In most cases that you'd want such a feature keeping the data safe may not be the primary concern.

As noted, with the police you now open yourself to an entirely new charge (destruction of evidence).

With a thief, abusive husband, etc. you are assuming what, that the perpatrator will just shrug and say "welp guess that's that?" You've just gone out of your way to anger somebody who already just implied a willingness to use force against you. That seems likely to end poorly.

 

[DNick]

Solomon Black[/url]":3ujwmkr6]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

It's sort of like if there's probably evidence in your safe or your locked desk drawer. They can get a warrant to compel you to unlock those, and if you don't, they'll break into them. The goal isn't to stop law enforcement from their legitimate pursuit of criminals, it's to prevent them from accessing your data in secret, without a signed warrant. If they have probable cause to get a warrant, they should have access to the data. Encryption is to prevent them from going on a fishing trip through all the world's data, to see what everyone is up to so they can decide who to go after.

 

[ChickenHawk]

bleeper[/url]":m4w5tbji]

whquaint[/url]":m4w5tbji]

Solomon Black[/url]":m4w5tbji]Am I out on a limb for thinking it ought not be permitted for the police to expect any cooperation out of you if you are a suspect?

Police have been taking fingerprints of suspects for years. You can't refuse. Just because recent tech companies have CHOSEN to use the fingerprint for "security" does not eliminate the long-standing right of police to take your fingerprint. .

Odd i can't find that "right" in the Constitution.

Not all "Rights" come from the constutition. The general power would be in the power to provide security et al.

 

[sep332]

Your passcode is a secret. Your fingerprint is not. That's why it's legal for the police to get your fingerprint. You have no right to "privacy" of your fingerprints.

 

[Solomon Black]

ChickenHawk[/url]":249jr64n]This is the problem with the literal version of statutory interpretation - it leads to stupid results that make nonsensical distinctions.

Instead the Judge should have applied the Nuisance rule, or taken a purposeful approach - what is the "Nuisance" that was addressed by the law.

Would the people who drafted the Bill of Rights recognised "Personal Papers" to mean actual bits of paper, or the information in them. If we asked them: "Hey guys, if instead of putting it on Parchment, we had a magical box that displayed the stuff you'd normally write down, a box that displayed it when you put your thumb on it, would that be different?"

I defy anyone to tell me, with a straight face, they would have said that the magical box is different because it wasn't on bits of dead tree.

Well they might... but only because you are clearly a ridiculous charalatan and being enlightened and educated men who have no congress with superstition they'll have no business with such chicanery as magical boxes.

...

Obviously I see your point but I'm not entirely joking. The Founders were capable of both farsighted wisdom and staggering moral blindspots. Speculating what they might have thought of modern technology is always going to be a bit of a leap. In a way you almost reinforce that literal interpretation by placing undue weight on the original drafters opinions as being of prime importance.

What we more of is to not justify things in guessing what people two hundred years gone would have thought, as much as addressing what if any changes in interpretations and/or actual changes in the law are required in light of modern technology.