Apple’s iPhone Fingerprint ID Means You’re Screwed
6 Comments
blog.simplejustice.us
Biometrics seems like such a cool way to control access, so when Apple offered fingerprint ID in place of a PIN to access its iPhone, what hipster could resist? Of course, David Baust in Virginia Beach may well wish he had gotten a droid instead.
A Circuit Court judge has ruled that a criminal defendant can be compelled to give up his fingerprint, but not his pass code, to allow police to open and search his cellphone.
The question of whether a phone’s pass code is constitutionally protected surfaced in the case of David Baust, an Emergency Medical Services captain charged in February with trying to strangle his girlfriend.
While the Supreme Court has held that police must obtain a warrant to search a cellphone, the question now becomes whether a warrant is sufficient to compel a person to provide the police with access to his cellphone. This is where it gets trickier, and far more technical.
Judge Steven C. Frucci ruled this week that giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits. A pass code, though, requires the defendant to divulge knowledge, which the law protects against, according to Frucci’s written opinion.
The critical distinction comes from the Fifth Amendment, the right not to bear witness against oneself. If access to the cellphone requires the defendant to give up information, it violates the “act of production” privilege. His fingerprints, on the other hand, are just another physical thing that he can be forced to provide.
It’s unclear in Baust’s case whether his phone is locked by fingerprints or PIN or both, as the argument relates to the hypothetical demands that can be made of him in complying with the warrant. There is no clue whether he actually won or lost, as far as being forced to provide access to his phone, but the point of the opinion is well made: a defendant cannot be forced to provide his pass code. His fingerprint, not so private.
This point was made by Marcia Hoffman, who anticipated that biometrics would open the door to collateral testimonial problems down the road.
There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).
While there’s a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one’s focusing on the legal effects of moving from PINs to fingerprints.
I know, the lawyer keep harping on lawyerish stuff when the techno-lovers only want to talk about the cooliosity of every new shiny toy. Why are lawyers so mean?
Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).
This seems to be the recurring battle between tech advancement and law (ugh), always mired in the past century or more. There is an easy answer, which is to except biometrics from the things which we can be compelled to provide to the government upon a court order, except that there is no rational basis to create such an exception. Bear in mind, the only thing that protects a person from being compelled to spew out his PIN is the “act of production” privilege. We should be thankful we have that going for us, or the fingerprint issue would be moot as the government could get access to everything.
There is, of course, a technical means of defeating the warrant, which is to use both biometric as well as PIN (or anything that requires that the information come from a person’s mind rather than body). But that really undermines the whole point of biometrics, and takes the shine right off your iPhone.
Nor is this solely an iPhone issue, but a biometrics one, even if Apple has been at the forefront of bringing this tech to the public. On the one hand, the argument that each snowflake is special, and therefore our biometrics provide a fool-proof means of ascertaining identity (provided the reader actually works, but let’s not go there as it makes technophiles sad) favors biometrics.
On the other hand, much as it may stop hackers, who adore those of you whose password is “password” because who can remember that crap anyway, it won’t stop a judge from ordering a defendant to stick his finger where he doesn’t want it to be. The takeaway isn’t so much to favor one means over the other, or that a smart person anticipating that law enforcement may one day want to see all the cool stuff on your iPhone, but that every methodology has its unintended consequences and pitfalls. Of course, by the time this becomes painfully obvious, it’s usually too late. |
