Apple’s Fingerprint ID May Make It Easier For Cops To Search Your Phone
Among the many new features unveiled for the iPhone 5s last week is a sensor that will allow users to lock and unlock their phones via a fingerprint rather than a password or any of the other systems that have become common for smartphones. On the surface, it seems like a great idea, and the technology that Apple will utilize for the iPhone could easily be used in other contexts as well, making payments online and other such thing more secure than a password ever could be. In one very important way, though, that same fingerprint sensor could make your phone less secure under the 4th Amendment:
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).
The privilege against self-incrimination is an important check on the government’s ability to collect evidence directly from a witness. The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding “civil or criminal, formal or informal,” where answers might tend to incriminate us. It’s a constitutional guarantee deeply rooted in English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors to force them to divulge information that could be used against them.
For the privilege to apply, however, the government must try to compel a person to make a “testimonial” statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody — not even a judge — can force the witness to give that information to the government.
But a communication is “testimonial” only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.
Take this hypothetical example coined by the Supreme Court: If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn’t be testimonial if it’s just a physical act that doesn’t reveal anything you know.
However, if the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind — and so would implicate the Fifth Amendment. (If you’ve written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.)
The important feature about PINs and passwords is that they’re generally something we know (unless we forget them, of course). These memory-based authenticators are the type of fact that benefit from strong Fifth Amendment protection should the government try to make us turn them over against our will. Indeed, last year a federal appeals court held that a man could not be forced by the government to decrypt data.
But if we move toward authentication systems based solely on physical tokens or biometrics — things we have or things we are, rather than things we remember — the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.
The distinction that the Supreme Court has made between a key and a combination has come up in other contexts, such as the issue of whether or not someone can be compelled to reveal a password necessary to decrypt the contents of a computer hard drive. Some courts have held that person’s subject to a criminal investigation cannot be compelled to reveal a password, and thus potentially incriminate themselves when the contents of the encrypted data is revealed, because to do so would be considered a testimonial act in violation of the 5th Amendment. Other courts, though, have held differently and, to date, the matter has yet to make its way far enough through the Court system to get before the Supreme Court. With Apple now taking the lead on biometric access devices, this issue is also likely to start making its way through the Courts, and there is a distinct possibility that Courts will find that there is no 5th Amendment issue raised if a person is compelled to take whatever action is needed to gain access to a given device.
In general, of course, there isn’t much Constitutional protection regarding fingerprints, in no small part because they are so ubiquitous that it’s possible police to obtain them from virtually any surface that a person has touched. Additionally, every person who is placed under arrest has their fingerprints taken for identification purposes and those prints are run against the existing databases and, eventually, any “cold cases.” If the prints turn up as a match in a given case, then that evidence is fully admissible regardless of whether or not the Defendant gave those prints voluntarily or not. Given that context, it’s not hard to see Courts treating the fingerprint needed to gain access to an iPhone much more like a key than a combination, although its likely to take several years of slogging through the Courts to decide the issue once and for all.
So, be careful with that new iPhone, you may be making things a lot easier for the police.