Apple’s Fingerprint ID May Make It Easier For Cops To Search Your Phone

Apple's new fingerprint sensor. A cop's best friend?

Apple Fingerprint

Among the many new features unveiled for the iPhone 5s last week is a sensor that will allow users to lock and unlock their phones via a fingerprint rather than a password or any of the other systems that have become common for smartphones. On the surface, it seems like a great idea, and the technology that Apple will utilize for the iPhone could easily be used in other contexts as well, making payments online and other such thing more secure than a password ever could be. In one very important way, though, that same fingerprint sensor could make your phone less secure under the 4th Amendment:

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).

The privilege against self-incrimination is an important check on the government’s ability to collect evidence directly from a witness. The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding “civil or criminal, formal or informal,” where answers might tend to incriminate us. It’s a constitutional guarantee deeply rooted in English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors to force them to divulge information that could be used against them.

For the privilege to apply, however, the government must try to compel a person to make a “testimonial” statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody — not even a judge — can force the witness to give that information to the government.

But a communication is “testimonial” only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.

Take this hypothetical example coined by the Supreme Court: If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn’t be testimonial if it’s just a physical act that doesn’t reveal anything you know.

However, if the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind — and so would implicate the Fifth Amendment. (If you’ve written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.)

The important feature about PINs and passwords is that they’re generally something we know (unless we forget them, of course). These memory-based authenticators are the type of fact that benefit from strong Fifth Amendment protection should the government try to make us turn them over against our will. Indeed, last year a federal appeals court held that a man could not be forced by the government to decrypt data.

But if we move toward authentication systems based solely on physical tokens or biometrics — things we have or things we are, rather than things we remember — the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.

The distinction that the Supreme Court has made between a key and a combination has come up in other contexts, such as the issue of whether or not someone can be compelled to reveal a password necessary to decrypt the contents of a computer hard drive. Some courts have held that person’s subject to a criminal investigation cannot be compelled to reveal a password, and thus potentially incriminate themselves when the contents of the encrypted data is revealed, because to do so would be considered a testimonial act in violation of the 5th Amendment. Other courts, though, have held differently and, to date, the matter has yet to make its way far enough through the Court system to get before the Supreme Court. With Apple now taking the lead on biometric access devices, this issue is also likely to start making its way through the Courts, and there is a distinct possibility that Courts will find that there is no 5th Amendment issue raised if a person is compelled to take whatever action is needed to gain access to a given device.

In general, of course, there isn’t much Constitutional protection regarding fingerprints, in no small part because they are so ubiquitous that it’s possible police to obtain them from virtually any surface that a person has touched. Additionally, every person who is placed under arrest has their fingerprints taken for identification purposes and those prints are run against the existing databases and, eventually, any “cold cases.” If the prints turn up as a match in a given case, then that evidence is fully admissible regardless of whether or not the Defendant gave those prints voluntarily or not. Given that context, it’s not hard to see Courts treating the fingerprint needed to gain access to an iPhone much more like a key than a combination, although its likely to take several years of slogging through the Courts to decide the issue once and for all.

So, be careful with that new iPhone, you may be making things a lot easier for the police.

FILED UNDER: Law and the Courts, Policing, Science & Technology, , , , ,
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. legion says:

    The actual problem is that the law hasn’t caught up with the fact that our phones are no longer simply “things we make phone calls with”. Our email, shopping, banking, reading, and a thousand other intimate details are stored there. Those are things cops aren’t supposed to be able look through without court authorization, but if they have access to your phone, they have access to all of that info. The law _should_ treat phones – at least smart phones – as privately as they would a diary, but in this “the terrorists have already won” world we now live in, I don’t expect that to happen.

  2. Blue Shark says:

    Oh Goody…

    …More erosion of our fourth amendment rights.

  3. James Pearce says:

    From what I’ve read, this concern is a bit overblown. I’m not iPhone user, but I hear it also has a (memorized) passcode that needs to be typed in if the fingerprint function isn’t used in a few days.

    That said, if your big concern is securing your phone from the cops, you might want to rethink how you’re living your life. I’d be much more worried about thieves.

    Of course with that said, once biometric encryption is cracked….it’s cracked. For somewhat obvious reasons, resetting a password is much easier than getting another set of fingerprints.

  4. Ben Wolf says:

    The article is an exercise in ignorance: it is likely the processor on which the biometric key is stored has already been compromised, assuming Apple didn’t build the NSA a backdoor from the get-go. Don’t store any data on your iPhone and use strong encryption services that are peer-to-peer, meaning they don’t store your metadata or keys. Silent Circle is a decent one and easy to use.

    Remember: the police are not your friends.

  5. mantis says:

    But if we move toward authentication systems based solely on physical tokens or biometrics — things we have or things we are, rather than things we remember — the government could demand that we produce them without implicating anything we know.

    That’s a huge “if” right there.

    In case anyone is unaware, there is no constitutional requirement for you to use an iPhone. Likewise biometric access technology.

  6. grumpy realist says:

    There’s a reason why I’m a Luddite and am interested in obscure languages….. write your diary in Basque and using shorthand.

  7. walt moffett says:

    Maybe some one with lexis access can check deeper into this. A lot of high end business laptops have fingerprint locks and so precedent may already be set.

    OTOH, this does sound like a first world problem and not one for those who think the waffle house is fine dining.

  8. Jenos Idanian #13 says:

    I am fairly certain that this will lead to a completely off-topic rehashing of things not many people want to hear about, but there was an element of this in the Trayvon Martin case. The defense wanted to use data from Martin’s cell phone — photos and texts — that they thought could impeach his character and demonstrate that Martin was predisposed towards violence. The judge ruled that since, theoretically, someone else could have accessed Martin’s phone and put the data in question there, it could not be conclusively proven to have been placed there by Martin and therefore could not be admitted into evidence.

    (I’m going from memory here, and I need to get to bed soon. I might have some details wrong, but I think I have the gist there.)

    Had Martin had an iPhone with a fingerprint lock enabled, then the presumption would have been that Martin and no one else had access to place the texts and photos on the phone, and they would likely have been admissible. And that is, to this layman, the point here. A fingerprint lock says, with a great deal of certainty, that you and you alone had access to the device in question, and can be presumed to be solely responsible for the contents thereof. Much like a person found with a baggie of pot in your underwear — it’s damned unlikely that it got there without your knowledge and consent.

  9. Barry says:

    @Blue Shark: “More erosion of our fourth amendment rights. ”

    When the f*ck will these gaping holes in the Fourth Amendment be used against the elites?

    Oh, sorry – I must have been drunk.

  10. Barry says:

    @James Pearce: “That said, if your big concern is securing your phone from the cops, you might want to rethink how you’re living your life. I’d be much more worried about thieves.”

    These days, it seems like everybody’s a criminal for something.
    Visited the wrong website?

  11. Bob @ Youngstown says:

    @James Pearce:

    if your big concern is securing your phone from the cops, you might want to rethink how you’re living your life.

    Indeed!

  12. Barry says:

    @Ben Wolf: “The article is an exercise in ignorance: it is likely the processor on which the biometric key is stored has already been compromised, assuming Apple didn’t build the NSA a backdoor from the get-go.”

    Those might or might not be in the hands of the police (DEA, yea; local cops, no).

  13. Barry says:

    @mantis: “In case anyone is unaware, there is no constitutional requirement for you to use an iPhone. Likewise biometric access technology. ”

    The stupid, it burns!!!!!!!!!!!!!!!!!!!!

    There’s no constitutional requirement for you to [have a residence, bear arms, publicly assemble and petition the government for redress of grievances, worship, print, …..].

  14. Tony W says:

    @Jenos Idanian #13:

    Martin was predisposed towards violence

    I think those, plus recent events have adequately demonstrated who in that altercation was more predisposed to violence.

  15. grumpy realist says:

    Actually I heard a story that during the Bad Old Days of the USSR, one way dissidents managed to get messages in and out of the country was by speaking Latin on the phone. They could assume that it would take at least twenty minutes for the UGPO to round up the local Latin expert and could communicate a lot during that time.

  16. Todd says:

    Maybe a bit tangetial to this conversation, but I think it says something about people when they use words like “cops” instead of police, and/or “Obama” or “Bush” without it being preceded by the title President.

    Perhaps I’m just in a bit of a pissy mood this morning, but these are among the silly little things that sometimes bug me.

    As for the actual topic of this post … among the possibly valid reasons that I might want to password protect my phone, “keeping the cops out” wouldn’t even make the first page.

  17. mantis says:

    @Barry:

    The stupid, it burns!!!!!!!!!!!!!!!!!!!!

    Get an ointment.

    To your poorly expressed point, as I understand it, exercising all of those rights you listed comes with certain complications and requirements. And those are explicit rights unlike, say, using biometric access technology on your iPhone.

  18. Jenos Idanian #13 says:

    @Tony W: Tony, if you’re going to dishonestly quote someone, you shouldn’t try it when the original is right above your quote.

    The defense wanted to use data from Martin’s cell phone — photos and texts — that they thought could impeach his character and demonstrate that Martin was predisposed towards violence.

    I didn’t say that Martin was or was not predisposed, just that the defense wanted to argue that and wanted the cell phone photos and texts to support their argument. The point is that if Martin’s phone had been fingerprint-protected, the argument used to disallow it — that there was no convincing proof that Martin and Martin alone had access to the phone to put those texts and photos on it — would have likely gone differently.

    I said from the first sentence that I expected that at least one person would want to use my example to re-argue the Zimmerman/Martin case, and I have no intention of doing so here. But it does give a concrete example of the issues being raised by Apple’s new gimmick.

  19. Rafer Janders says:

    @grumpy realist:

    Actually I heard a story that during the Bad Old Days of the USSR, one way dissidents managed to get messages in and out of the country was by speaking Latin on the phone.

    I know of at least one case in the closing days of World War II when a German officer who couldn’t speak English and an American officer who couldn’t speak German negotiated in Latin regarding the German unit’s surrender. Thankfully both officers had had a classical education….

  20. wr says:

    @Tony W: You may have come late to this party, so allow me to explain. When Jenos says Martin was “predisposed to violence,” he means “he was black.”

  21. wr says:

    @Jenos Idanian #13: “I said from the first sentence that I expected that at least one person would want to use my example to re-argue the Zimmerman/Martin case, and I have no intention of doing so here. ”

    Nope. Since your hero started running around demonstrating that he was actually the violent nutcase with the hairtrigger mentality that you always denied he was, you’ve decided the whole subject just isn’t fun anymore.

    Which surprises me, actually. I expected you to launch into long explanations about how Zimmerman was justified in beating up and pulling a gun on his unarmed wife. But then, since she’s still alive, maybe you’re afraid of her.

  22. JohnMcC says:

    You know, upon re-reading this post with it’s interesting explanation of the difference between the ‘key’ which one can be required to surrender and the ‘combination’ that one keeps private inside one’s mind, it occurred to me that i-phone users are using their device as an extention of their minds. And guarding the contents of their tiny little computers as they would their deepest thoughts

    OK, I’m slow in catching on. It’s been a problem all my life.

    But seriously — since so much of what goes on from synapse to synapse ends up imbedded in the silicone of the device for so many people…. Is the singularity here yet?

    And again seriously — how rapidly should the law respond to those of us who choose to merge our meat-brain with our silica-brain? The term PDA was apparently first used in Jan 92. Is the law going to have to undergo planned annual updates? Seems like that would be necessary if little palm-sized computers in our pockets become virtually identical with the content of our minds for legal purposes. What’s going to happen when — as we are promised — microprocessors fill our clothing? I imagine a person charged, say, with a stabbing. A prosecuter wants to interrogate the shirt to see if in it’s memory is the act of plunging forward with arm slashing. The defence argues against because the ‘memory’ of the clothing is inseparable from the content of the accused’s mind. Is that memory, too, something to keep from the cops.

  23. Barry says:

    @mantis: “And those are explicit rights unlike, say, using biometric access technology on your iPhone. ”

    Perhaps you should have a friend read the comment you wrote, to point out the stupid.

  24. grumpy realist says:

    @JohnMcC: It’s questions like this that are why laws dealing with technology usually fail. Heck, we haven’t even figured out what to do with taxation of on-line sales, and that started eons ago.

    And let’s not even get into the entire rats nest that involve patents covering nanotechnology. THERE’S a pretty how-dee-do sitting right at the middle of our patent system. The only reason it hasn’t blown up in our face yet is no one has yet discovered the ultimate killer app making sufficient money that firms want to fight about the inconsistencies. Patent litigation attorneys, man your engines….

  25. mantis says:

    @Barry:

    Perhaps you should have a friend read the comment you wrote, to point out the stupid

    Since you are incapable of doing so, but still feel compelled to comment? Sounds like your problem, not mine.

  26. rudderpedals says:

    Some takeaways:
    – Passphrases should be long, strong like bull, and not written down.
    – Consumer biometrics remain the next new thing and will still be the next new thing in a couple of years
    – Prefer symmetric ciphers over public/private key ciphers and elliptical ciphers
    – Avoid rc4 even though it’s sweet and elegant
    – Schneier’s still the go-to person

  27. legion says:

    @James Pearce:

    That said, if your big concern is securing your phone from the cops, you might want to rethink how you’re living your life.

    Ah, but that’s the rub. Some of the more recent Snowden releases are implying that the NSA was not just doing favors for other US law enforcement orgs, or even allied countries’ intel agencies, but possibly engaging in industrial espionage as well. So if you work for a company whose competitors the NSA has decided to help out, and your phone might have some emails with trade secrets or insider info on it, that might just find its way into your competitors’ hands…

  28. Todd says:

    @JohnMcC:

    If technology was just as likely to be able to prove someone innocent as guilty, then why shouldn’t it be able to be used?

    Sometimes I think that we as a society may be confused about the purpose of some of the Amendments in the Bill of Rights. When a person who is truly guilty of a crime can use the 4th or 5th Amendements to avoid consequences, that’s a side effect, not the intent.

    While the Constitution does protect our rights against unreasonable search & seizure and self-incrimination, I think it’s a stretch to interpret that to mean that we have some sort of a Constitutional right to knowingly violate the law … as long as we don’t get caught.

    In some ways, I think that advances in technology such as those you describe above could actually make our justice system more fair. Think about it, if technology enabled us to determine guilt or innocence for most crimes with a fairly high degree of accuracy, that could theoretically become the new burden of proof to be convicted of a crime.

    Beyond a reasonable doubt has served us well for hundreds of years, but only because that’s the best we could do with what had. In our efforts to protect the rights of those who may be innocent, we willingly accept that some guilty people will not be caught. But even so, we still have too many documented cases of wrongly convicted citizens.

    If technology advanced to the point that we could be fairly certain that an innocent person would almost never be convicted, there would no longer be a need for the necessary evil of the guilty also being able to sometimes get away with their crime.

  29. Jenos Idanian #13 says:

    @wr: Here are three indisputable facts.

    1) The information contained on Trayvon Martin’s cell phone is exactly the kind of information that is being discussed here.

    2) Had Martin used a unique biometric identifier to protect his phone, the admissibility of that information would have been far more likely.

    3) You are, as always, a complete and utter idiot.

  30. Bob @ Youngstown says:

    @legion:

    Some of the more recent Snowden releases are implying that the NSA was… possibly engaging in industrial espionage as well.

    Is there any evidence of NSA engaging in industrial espionage? Or is it that theorized that NSA might have that capability?

  31. legion says:

    @Bob @ Youngstown: It’s becoming more and more apparent that the NSA does have the capability, and now it is alleged that the NSA intercepted the communications of the President of Brazil and Brazilian oil company Petrobras in order to, among other things, compromise the upcoming auction of drilling rights to oilfields off Brazil’s coast. As yet there’s no public evidence, but Brazil is taking the charges _extremely_ seriously.

  32. wr says:

    @Jenos Idanian #13: So, still worshipping at the altar of wife-beating Zimmerman, eh Jenos? I can see why: He’s brave enough to shoot an unarmed black child and beat up and threaten his wife with a gun. If only you were so fierce… but of course, it’s hard to take any action when you’re hiding behind the name of a Star Wars character.

  33. JohnMcC says:

    @Todd: Thank you for the thoughtful reply. Can’t really disagree with what you say. However it is somewhat unrealistic (IMHO) to think that the entire legal profession would politely disappear into the same hole that buggy-whip-makers pioneered And the “Law” is of course about process instead of truth/innocence/guilt.

  34. Bob @ Youngstown says:

    @legion:
    I have every reason to believe that NSA has capability, and may well have intercepted communications, however making the case that NSA took some overt action (with the intercepts) so as to interfer with an business deal requires some evidence.

    Absent some evidence (or a confession of interference) what is left is the conspiracy theory of a criminal and fugitive. The notion that the theory is advanced by media does not make it more credible

  35. Jenos Idanian #13 says:

    @wr: You are simply too stupid to be real. My comments here are completely unrelated to Zimmerman’s guilt or innocence, as anyone with two brain cells to rub together could tell. It was just an actual real-world example of the principle being discussed.

    Which excludes you. I thought you had at least those two brain cells, but I think I overestimated it.

    By at least two. Probably more.

  36. Todd says:

    @JohnMcC:

    However it is somewhat unrealistic (IMHO) to think that the entire legal profession would politely disappear into the same hole that buggy-whip-makers pioneered And the “Law” is of course about process instead of truth/innocence/guilt.

    I agree.

    Imagining a world where technology makes something possible is not the same as imaging that we humans (especially of the American variety) would actually use it in the most enlightened way.

  37. wr says:

    @Jenos Idanian #13: In other words, yup, still worshipping Zimmerman. That’s why your “example” in this thread is another rant about what a dangerous terrorist the dead innocent teenager was before the brave white guy bravely put him down, and then bravely beat up his wife and threatened her with a gun.

    You brought it up, Bucky. You can pretend you didn’t, you can pretend it was really all about something else, but this is your obsession and you can’t let it go.

  38. Jenos Idanian #13 says:

    @wr: If you can’t address the actual point I brought up, chump — that the issues raised by Apple’s fingerprint ID are quite well exemplified by the recent legal wrangling over the admissibility of the texts and photos from Trayvon Martin’s cell phone — then you really owe yourself the service of shutting up and stop demonstrating to all and sundry just how stupid and obsessed you are.

    This is NOT a place for discussing Zimmerman’s guilt or innocence, his character, or what you might have had for breakfast this morning. I brought up an actual real-life case that everyone is familiar with that had actual bearing on the topic at hand, and you can’t seem to quite grasp that.

    Tell you what, Skippy: you seem to be doing just fine arguing both sides of the “is Zimmerman a good guy or not” topic, as no one else has shown the slightest bit of interest in engaging you. So why don’t you just skip off somewhere else, have your epic rhetorical throwdown against the straw men you’ve put so much effort (but zero thought) into constructing, and then come back once you’ve sated yourself?

  39. wr says:

    @Jenos Idanian #13: “If you can’t address the actual point I brought up, chump ”

    On the day you bring up an actual point, instead of some mindless trolling designed only to annoy people so as to prove that you exist, there will be a grand hockey game in hell.

  40. Jenos Idanian #13 says:

    @wr: I’m not playing your game this time, chump. You’re playing with yourself.

    Get back to us when you actually have something to say about biometrics and legal admissibility — you know, the actual topic of the thread.

  41. legion says:

    @Bob @ Youngstown: I don’t disagree with any of that. But given that we all tend to agree that the NSA likely has the capability, and that it’s shown no hesitation in the past about using whatever capabilities it has however it sees fit (regardless of laws or morals), I personally tend not to give them the benefit of the doubt – YM obviously V.
    What I find interesting about this particular accusation is that I haven’t seen any additional details come from it. I don’t expect the NSA to admit it, but they haven’t vehemently denied it either (that I’ve yet seen). Of course, since the auctions they are alleged to have tampered with haven’t actually occurred yet, it’s impossible to detect any influence, and I suspect we’ll never learn any more about it unless someone on the corporate side starts blabbing too, but since this is the oil industry, I don’t see that happening…

  42. Jenos Idanian #13 says:

    @legion: Last week’s Dilbert touched on this. His company had accidentally deleted a bunch of data, so Dilbert hacked into the NSA and copied their copies.

  43. Bob @ Youngstown says:

    @legion:

    YM obviously V

    Sorry I don’t understand your “text language”, could you please tell me what this means.

    it’s (NSA) shown no hesitation in the past about using whatever capabilities it has however it sees fit

    Can you show us where NSA has used it’s capabilities to influence events that are clearly outside of the national security interests. Has NSA surveillence been used to catch tax cheats, or sex predators, or disability cheats, or people conspiring to commit voter fraud or political corruption, or persons committing insurance fraud.

    I’ve tried to google for some connection, but all the allegations seem to arise from an unnamed source to organizations like WND or National Enquirer.

    If NSA is interferring with business (like industrial espionage), surely someone has filed lawsuits to that effect. I can’t find any. Do you have any in mind?

  44. Jenos Idanian #13 says:

    @Bob @ Youngstown: YM obviously V

    I think that’s short for “Your mileage may vary.”

  45. Matt says:

    @Barry: With all the laws on the books right now it’s almost impossible to not be a criminal.