Passcode vs. Touch ID: A Legal Analysis

[Ed. note: Jason Stern is a Criminal Defense Attorney in private practice in New York City]

8:34 am. A college professor receives a text message threatening to blow up the history building. The professor immediately contacts law enforcement, who trace the origin of the call to a student who lives off-campus.

When FBI agents arrive at the student’s residence, they arrest the student and seize his smartphone. In an attempt to search the device to recover evidence of the crime (and perhaps stop other related crimes), they find the smartphone is protected by fingerprint security measures.

With the suspect in handcuffs, the agent swipes the student’s finger across the phone to access his call history and messages. Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode. The FBI agent asks for his password but the student refuses to speak. How can the FBI agent access the phone? Whereas a fictional Federal Agent like Jack Bauer would simply pull out his gun, jam it in the suspect’s mouth and scream, “WHERE IS THE BOMB?”, in our example, the FBI agent would hit the proverbial brick wall.

Yes, the phone could be brought back to the lab for analysis and hacking by forensics personnel, but the suspect in this case could not be forced to disclose the password on the phone…

In the above example, per a recent Virginia Circuit Court decision, law enforcement could not legally compel self-incrimination (and thereby violate the Fifth Amendment) by forcing the student to reveal his passcode; however, they are legally allowed to take a suspect’s fingerprint following an arrest. Some would argue this example proves that a password provides better security and privacy than a fingerprint. But let’s continue the example to see why choosing a passcode over Touch ID technology.

9:41 am. During the search of the suspect’s apartment, they find a second phone under the couch. This phone also has both biometric and passcode protection. But when the FBI agent repeatedly swipes the suspect’s finger without success, it becomes clear that the phone belongs to someone else. Does the suspect have an accomplice? If so, how can the FBI unlock the device without being having access to the owner of the fingerprint?

The answer is that without knowing the identity of the owner of the phone and without the actual owner present (or at least his finger), law enforcement may never be able to access the content of a phone in this example, thus demonstrating that in some cases, biometric technology offers better protection against prying eyes, especially for a lost or stolen phone. Of course, this is assuming that the same phone locked by Touch ID doesn’t have the owner’s same fingerprint all over the glass, back of the iPhone, or case.

touchID-legal

When fingerprint scanning technology first became available for smartphones, most writers applauded the technology as a breakthrough for privacy and security (Wired’s Marcia Hoffman being the lone exception). Whereas a four-digit numerical password had a finite number of hack-able combinations (10,000 to be exact), a fingerprint was “unique”, claimed security experts. The reality of the password versus fingerprint debate is that both security measures can be flawed: A full third of passwords can be easily hacked because they are commonly chosen numerical combinations; and there is no evidence to suggest that a print from a single finger is wholly unique to the presently-available biometric security applications in our smartphones. Even the television program Mythbusters successfully debunked ‘foolproof’ biometric technology.

Touch ID and other fingerprint scanning technologies are far from perfect. The FBI and other law enforcement agencies compare, match, and classify fingerprints based upon the type of pattern (loops, whorls, and arches), the direction of the print’s pattern (radial or ulnar) and finally, the position of the epicenter of the print relative to the delta of the print.

Many people share identical patterns and directions on a single finger and the likelihood of a device (or expert) mistakenly matching similar prints is fairly high. While it’s remotely possible that two or more people share a print from a single finger, it’s infinitesimal that two individuals share an identical set of ten fingerprints (identical twins do NOT), and even more unlikely that these two individuals would find themselves operating the same smart phone (or leaving prints on the same murder weapon). This logical application of mathematical probabilities is what provides the basis for the effective use of fingerprint analysis, and not any tangible proof that no two individuals can have a matching single finger print.

For example, about 60-65% of all individual fingerprints have a loop fingerprint pattern. The most common fingerprint type is an ulnar loop (a loop that appears to originate from the pinkie side). Assuming two individuals use a finger with an ulnar loop for their fingerprint security and possess similar ridge features, it is possible that these same individuals will be able to access each other’s smartphones. After all, even law enforcement fingerprint experts testifying in court will often disagree as to fingerprint identification.

Even if each single finger print was unique and fingerprint technology in smartphones was flawless, there would still be a good reason to avoid using fingerprints as your prime security measure: Fingerprints do not have the right to remain silent.

When police make an arrest, there are constitutional protections in place to prevent the police from forcing a confession. Per the Fifth Amendment’s protection against self-incrimination, a person who has been arrested may legally refuse to speak to the police. The right to be free from self-incrimination specifically applies to knowledge that the arrested person can communicate. This type of knowledge is called testimonial content. Per the US Supreme Court, one cannot be compelled to provide testimonial content to law enforcement.

10:29. A man in a blue Prius is stopped and pulled over for running a red light. The description of the vehicle matches that of a vehicle used earlier in the day in the commission of a bank robbery and the police order the man out of the vehicle. They notice a black ski mask sitting on the back seat and a Trader Joe’s bag stuffed with cash on the floor. The police arrest him. They question him as to where the rest of the money is and who his accomplices are.

Based on the above legal analysis, he may refuse to answer those questions and choose to remain silent. Without the ability to force the suspect to answer any questions, law enforcement will be forced to rely on the collection of circumstantial evidence, such as obtaining the suspect’s fingerprints to match them against prints found at the bank to prove that the suspect was there, in an effort to make their case.

Here, the police questions about money and accomplices are analogous to questions about passcodes. However, fingerprints, by the nature of their availability and the fact that they do not constitute testimonial content, do not implicate the Fifth Amendment’s right to be free from self-incrimination.

On the other hand, the four-digit passcodes we commonly see on smartphones, while not inherently flawed, are typically easy to hack. Studies show that the 40 most popular passcode combinations make up one-third of all smartphone (and ATM) passwords. For example, 1-2-3-4 makes up about 8% of all passwords, followed by 0-0-0-0, 1-1-1-1 and other easily memorized (and hacked) passcodes. Even if the chosen passcode is not obvious, the fact remains that there are only 10,000 possible combinations. Any law enforcement agency or computer security expert would be able to easily hack the pass code via Brute Force in less than an hour.

For most smartphone owners, the decision on which security and privacy measures to implement are largely dependent on the activities they undertake on their phone. A law-abiding person who uses their smartphone as an Internet-connected device to pay bills may care greatly about security and privacy but may not be concerned with the risk of law enforcement using his or her fingerprints. A drug dealer, inside trader, or gang member operating outside the law may have a heightened sense of paranoia that requires them to implement the highest security and privacy settings. On the other hand, an innocent high school teenager who sends and receives nude selfies from other underage teens may be liable for federal and state crimes if those images were to be discovered on that device, and would want to implement similar high security measures for legal reasons and privacy concerns.

For most law-abiding smartphone users, the legal difference between the two security measures amounts to semantics, but for those seeking the highest degree of security and privacy, it should be clear that passcodes and biometrics each have their own strengths and weaknesses. A combination of the two would be recommended to individuals with legal concerns and to parents of teenagers who may be engaged in unknowing violations of the law.

1:48 pm. A five year-old polishing off her last Halloween chocolate bar grabs her daddy’s iPad and announces that she is creating a NEW password. Moments later, she hands the slightly fudgy iPad back to her father, who successfully hacks the new password (1-2-3-4) and thinks to himself: I’m just glad it wasn’t her fingerprint.

Author Jason Stern is a Criminal Defense Attorney in private practice in New York City. His interviews have appeared in The New York Times, Wall Street Journal, Good Morning America, ABC News, The Financial Times, US News & World Report, BBC, Bottom Line, and he is a frequently cited expert for Fox News in the area of law and technology, including internet privacy and security. He obtained his undergraduate degree in Criminology from the University of Maryland.

About the Author