An Idaho court has denied a warrant asking for authorization for law enforcement to make a smartphone owner unlock their device with their fingerprint, with the decision the latest in an ongoing debate on whether or not police and security services have the right to unlock biometric security on a device like the iPhone's Face ID or Touch ID.
The introduction of biometric security on mobile devices has helped make it easier to keep documents and media safe from prying eyes, at the same time as simplifying access to the content. Law enforcement officials, which are keen to gain access to computing devices to acquire evidence, have found ways to bypass security that works within the law, but in many cases attempts to acquire warrants relating to biometrics are not granted for constitutional reasons.
In a US district court filing in Idaho concerning a sealed complaint, dated May 8, law enforcement officials obtained a warrant for the search of an individual, their vehicle, and place of residence, due to suspicious of the presence of child pornography. The warrant allowed for the seizure of computers, mobile devices, and other items if they were deemed to be evidence of a crime.
As part of the search, officers seized a Google Pixel 3 XL from the residence's bathroom, but it was locked and could be opened by solving a swipe pattern or using a fingerprint. As the suspect was arrested but declined to unlock the device, officers petitioned the court for a warrant to compel the person to unlock it, claiming that the device was owned by the suspect as they identified it was in the bathroom prior to answering the door and being arrested.
The judge declined to grant that particular warrant, citing issues with both the fourth amendment and the fifth amendment. Under the fourth, the search and seizure would be lawful if it was "reasonable," and would be unreasonable if it violated the person's constitutional rights, so the search had the potential to go ahead.
However, the fifth amendment protects against self-incrimination, which the judge believed applied as the compelled unlocking via fingerprint would determine ownership or control over the device. As it was not possible to determine ownership before unlocking, this would in effect incriminate the person via the act of unlocking.
In the end, Chief US Magistrate Judge Ronald E. Bush denied the application.
The use of biometrics and law enforcement's aims in relation to the US constitution has been an issue for some time, with judges varying between states and cases as to whether or not permit members of law enforcement the ability to abuse the biometric security process to gain access without requiring a username or password.
Passwords and passcodes can be stated as a "testimonial communication" in the eyes of a court, meaning that they can be uttered and used as evidence due to the suspect advising of the codes willfully. Biometrics, however, can be acquired through unwilling means, making their legal status less clear cut.
On May 3, a Massachusetts judge granted a warrant to unlock an iPhone with Touch ID in a case relating to gun trafficking. The time-limited warrant may not necessarily have been used successfully, as there is a limited window available to use a fingerprint before Touch ID demands a passcode is used.
A January court filing in California denied a warrant as it risked running "afoul of the Fourth and Fifth Amendments," as well as for being "overbroad" in targeting any devices at a crime scene, rather than ones owned by the suspect.
A 2016 case had a woman forced to use Touch ID on an iPhone confiscated from a property owned by an Armenian Power gang member, in prison at the time for unrelated charges. The fingers of corpses have also been used on iPhones to try and unlock them, though with limited success.
Face ID has also been the subject of warrants, including one in August 2018 where the FBI wanted to unlock an iPhone X as part of a child abuse investigation in Columbus. Face ID's security policies has also led to a warning to police form a forensic firm warning not to look at the display of an iPhone X or other Face ID-equipped device, to avoid accidentally attempting an unlock that would almost certainly fail.
31 Comments
As I've said before, this whole issue becomes moot if Apple or other vendors allowed users to program one or more fingerprints to zeroize the phone upon usage. That's because only the phone's user knows which finger is the one that grants access and which finger zeroizes the phone. That's a password and no court can compel a password to be provided.
I didn't read the whole ruling. Would the ruling also potentially also apply to a Face ID biometric?
This makes me happy to live in Idaho. Also, you don't HAVE to use the biometrics. Use a 16 digit code to access your phone so they don't hold it up to your face or cut your finger off to get access. Biometrics is a complacency that can get you in trouble. I've seen people pass out at parties and other people unlock their phones with finger tips. I'm glad they are upholding the rules of personal devices. This puts confidence into the consumer's pocket. There are millions of "what if" scenarios on the need to force access, but like I said before, use a 16 digit code if your planning on doing dirt, not bio-metrics. I do like the idea of zeroing out a device if a certain digit is used as a counter measure. Ooh Rah on that one.
The judge cited a combination of 4th and 5th amendment questions; if the authorities can prove that the phone belongs to the suspect how would that affect the ruling? It seems like it should be easy to verify the ownership via service records.