[Ed. note: Jason Stern is a Criminal Defense Attorney in private practice in New York City]
8:34 am. A college professor receives a text message threatening to blow up the history building. The professor immediately contacts law enforcement, who trace the origin of the call to a student who lives off-campus.
When FBI agents arrive at the student’s residence, they arrest the student and seize his smartphone. In an attempt to search the device to recover evidence of the crime (and perhaps stop other related crimes), they find the smartphone is protected by fingerprint security measures.
With the suspect in handcuffs, the agent swipes the student’s finger across the phone to access his call history and messages. Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode. The FBI agent asks for his password but the student refuses to speak. How can the FBI agent access the phone? Whereas a fictional Federal Agent like Jack Bauer would simply pull out his gun, jam it in the suspect’s mouth and scream, “WHERE IS THE BOMB?”, in our example, the FBI agent would hit the proverbial brick wall.
Yes, the phone could be brought back to the lab for analysis and hacking by forensics personnel, but the suspect in this case could not be forced to disclose the password on the phone…
In the above example, per a recent Virginia Circuit Court decision, law enforcement could not legally compel self-incrimination (and thereby violate the Fifth Amendment) by forcing the student to reveal his passcode; however, they are legally allowed to take a suspect’s fingerprint following an arrest. Some would argue this example proves that a password provides better security and privacy than a fingerprint. But let’s continue the example to see why choosing a passcode over Touch ID technology.
9:41 am. During the search of the suspect’s apartment, they find a second phone under the couch. This phone also has both biometric and passcode protection. But when the FBI agent repeatedly swipes the suspect’s finger without success, it becomes clear that the phone belongs to someone else. Does the suspect have an accomplice? If so, how can the FBI unlock the device without being having access to the owner of the fingerprint?
The answer is that without knowing the identity of the owner of the phone and without the actual owner present (or at least his finger), law enforcement may never be able to access the content of a phone in this example, thus demonstrating that in some cases, biometric technology offers better protection against prying eyes, especially for a lost or stolen phone. Of course, this is assuming that the same phone locked by Touch ID doesn’t have the owner’s same fingerprint all over the glass, back of the iPhone, or case.
When fingerprint scanning technology first became available for smartphones, most writers applauded the technology as a breakthrough for privacy and security (Wired’s Marcia Hoffman being the lone exception). Whereas a four-digit numerical password had a finite number of hack-able combinations (10,000 to be exact), a fingerprint was “unique”, claimed security experts. The reality of the password versus fingerprint debate is that both security measures can be flawed: A full third of passwords can be easily hacked because they are commonly chosen numerical combinations; and there is no evidence to suggest that a print from a single finger is wholly unique to the presently-available biometric security applications in our smartphones. Even the television program Mythbusters successfully debunked ‘foolproof’ biometric technology.
Touch ID and other fingerprint scanning technologies are far from perfect. The FBI and other law enforcement agencies compare, match, and classify fingerprints based upon the type of pattern (loops, whorls, and arches), the direction of the print’s pattern (radial or ulnar) and finally, the position of the epicenter of the print relative to the delta of the print.
Many people share identical patterns and directions on a single finger and the likelihood of a device (or expert) mistakenly matching similar prints is fairly high. While it’s remotely possible that two or more people share a print from a single finger, it’s infinitesimal that two individuals share an identical set of ten fingerprints (identical twins do NOT), and even more unlikely that these two individuals would find themselves operating the same smart phone (or leaving prints on the same murder weapon). This logical application of mathematical probabilities is what provides the basis for the effective use of fingerprint analysis, and not any tangible proof that no two individuals can have a matching single finger print.
For example, about 60-65% of all individual fingerprints have a loop fingerprint pattern. The most common fingerprint type is an ulnar loop (a loop that appears to originate from the pinkie side). Assuming two individuals use a finger with an ulnar loop for their fingerprint security and possess similar ridge features, it is possible that these same individuals will be able to access each other’s smartphones. After all, even law enforcement fingerprint experts testifying in court will often disagree as to fingerprint identification.
Even if each single finger print was unique and fingerprint technology in smartphones was flawless, there would still be a good reason to avoid using fingerprints as your prime security measure: Fingerprints do not have the right to remain silent.
When police make an arrest, there are constitutional protections in place to prevent the police from forcing a confession. Per the Fifth Amendment’s protection against self-incrimination, a person who has been arrested may legally refuse to speak to the police. The right to be free from self-incrimination specifically applies to knowledge that the arrested person can communicate. This type of knowledge is called testimonial content. Per the US Supreme Court, one cannot be compelled to provide testimonial content to law enforcement.
10:29. A man in a blue Prius is stopped and pulled over for running a red light. The description of the vehicle matches that of a vehicle used earlier in the day in the commission of a bank robbery and the police order the man out of the vehicle. They notice a black ski mask sitting on the back seat and a Trader Joe’s bag stuffed with cash on the floor. The police arrest him. They question him as to where the rest of the money is and who his accomplices are.
Based on the above legal analysis, he may refuse to answer those questions and choose to remain silent. Without the ability to force the suspect to answer any questions, law enforcement will be forced to rely on the collection of circumstantial evidence, such as obtaining the suspect’s fingerprints to match them against prints found at the bank to prove that the suspect was there, in an effort to make their case.
Here, the police questions about money and accomplices are analogous to questions about passcodes. However, fingerprints, by the nature of their availability and the fact that they do not constitute testimonial content, do not implicate the Fifth Amendment’s right to be free from self-incrimination.
On the other hand, the four-digit passcodes we commonly see on smartphones, while not inherently flawed, are typically easy to hack. Studies show that the 40 most popular passcode combinations make up one-third of all smartphone (and ATM) passwords. For example, 1-2-3-4 makes up about 8% of all passwords, followed by 0-0-0-0, 1-1-1-1 and other easily memorized (and hacked) passcodes. Even if the chosen passcode is not obvious, the fact remains that there are only 10,000 possible combinations. Any law enforcement agency or computer security expert would be able to easily hack the pass code via Brute Force in less than an hour.
For most smartphone owners, the decision on which security and privacy measures to implement are largely dependent on the activities they undertake on their phone. A law-abiding person who uses their smartphone as an Internet-connected device to pay bills may care greatly about security and privacy but may not be concerned with the risk of law enforcement using his or her fingerprints. A drug dealer, inside trader, or gang member operating outside the law may have a heightened sense of paranoia that requires them to implement the highest security and privacy settings. On the other hand, an innocent high school teenager who sends and receives nude selfies from other underage teens may be liable for federal and state crimes if those images were to be discovered on that device, and would want to implement similar high security measures for legal reasons and privacy concerns.
For most law-abiding smartphone users, the legal difference between the two security measures amounts to semantics, but for those seeking the highest degree of security and privacy, it should be clear that passcodes and biometrics each have their own strengths and weaknesses. A combination of the two would be recommended to individuals with legal concerns and to parents of teenagers who may be engaged in unknowing violations of the law.
1:48 pm. A five year-old polishing off her last Halloween chocolate bar grabs her daddy’s iPad and announces that she is creating a NEW password. Moments later, she hands the slightly fudgy iPad back to her father, who successfully hacks the new password (1-2-3-4) and thinks to himself: I’m just glad it wasn’t her fingerprint.
—
Author Jason Stern is a Criminal Defense Attorney in private practice in New York City. His interviews have appeared in The New York Times, Wall Street Journal, Good Morning America, ABC News, The Financial Times, US News & World Report, BBC, Bottom Line, and he is a frequently cited expert for Fox News in the area of law and technology, including internet privacy and security. He obtained his undergraduate degree in Criminology from the University of Maryland.
FTC: We use income earning auto affiliate links. More.
I’m just going to pop here and ask – what are the chances that location of the bomb is in fact saved on the phone?!
shut up and put your finger on the phone punk
I think something is missing from the VA court decision and could use some clarity. Yes, the court says that law enforcement can have a copy of my fingerprint. Traditionally, that is done with an ink pad and a piece of paper. Why is it fair to extrapolate that permission into one that forces me to place my finger on my own device in an act that is just as incriminating as uttering the four character password? The fact that the shape of my finger is translated into a N-character password by the phone and applied seems to be lost on the judge. The semantic distinction between a deaf/mute individual being forced to provide their passcode with gestures of their fingers and providing the code for a fingerprint via the motion of a single finger is a thin distinction, for example.
I think the judge got this wrong and it needs further refinement. I don’t think anyone will disagree with the precedent of providing an ink copy of one’s fingerprints. Forcing you to perform an action with a device against your will to extract private information can’t really be seen as anything besides a violation of one’s Fifth Amendment rights. Let the cops deal with figuring out how to get the ink copy of my fingerprint onto the scanner on my phone. I shouldn’t be required to assist in that exercise.
As a further example, suppose the phone was secured with a voice print instead of a fingerprint? Or a retina scanner? Or any other of a wide range of biometric keys that are possible? The police should be free to collect whatever physical evidence that the law allows. But forcing someone to speak so a microphone can record a voice print, or stare into a scanner so their retina can be imaged, etc. is really no different than being asked to utter a password. Since the latter is self-incrimination, why isn’t it lawful to withhold these other forms of password information under the Fifth Amendment? And why doesn’t that encompass placing my fingertip on my phone’s scanner?
Long story short its all legalese. A person can be forced to submit to a photograph and stand in a lineup and not be violative of the 5th Amendment. Why not a fingerprint? We get to carried away little things rather than focusing on the big picture, apprehending the guilty.
You raise some excellent points, but the Virginia Court decision set no new legal precedent regarding the right of the government to compel a fingerprint. Nearly 50 years ago, in Schmerber v. California, 384 U.S. 757 (1966), the US Supreme Court declared that fingerprints may be compelled as non-testimonial evidence (not invoking the fifth amendment). https://supreme.justia.com/cases/federal/us/384/757/case.html#764
An interesting analysis of the testimonial issue was undertaken by the US Supreme Court in Doe v. United States, 487 U.S. 201 (1988), in which a defendant was ordered to be compelled to sign his name on an authorization form to reveal hidden bank accounts in the Cayman Islands and Bermuda, under the premise that providing a signature was not ‘testimonial’. http://www.law.cornell.edu/supremecourt/text/487/201
Chuck’s response is spot on as the Brits say. I could have saved a lot of typing in my own response had I read this first. He has said it best.
I appreciate the points you raised. Just some additional food for thought…
For me there is some important nuance between actively and passively incriminating oneself. For instance, had the passcode been written on a piece of paper next to the phone, he might have been “passively incriminated” if the police found something. A fingerprint that is entered into a database that yields a hit for a separate crime is also “passive incrimination”.
Moving a finger across a screen or rolling a finger across an inkpad don’t require a suspect to engage his free will. Your analogy of the mute signing would require his intent and participation; the police can’t force him to sign anything with meaning in the same way they can’t move your jaw to speak words. It seems that protecting against that type of active participation is the intent of the law. Things that are in plain sight, be they fingers, fingerprints, passcodes written down, or a bag of cash on the backseat, may all be forms of “incrimination”, but they incriminate passively. Since a person doesn’t have to “do” but rather only let something be “done to” him, it doesn’t seem that they could accurately be deemed “self-incrimination”.
Not a lawyer, just playing with semantics and hoping to add to the discussion.
This Ruling is an abuse of judicial power (legislating from the bench.) I’m certain the intent & spirit of the law is to prevent self-incriminating of all form/shape/manner. That’s why pillow-talk is also inadmissible.
Therefore, using “my finger” against my will to access “my personal information” against my will is wholly wrong, because it gives them access to stuff protected by the constitution “personal property.”
When is someone going to take this manner to a higher court. I cannot imagine sane justices to uphold this ludicrous ruling.
BIG GOVERNMENT LOOKING FOR LOOPHOLES TO HARASS CITIZENS.
Screw you.
This is not legislating from the bench.
Judges do not create legislation.
I dare you to show me one piece of legislation created by a judge.
You need a lesson in American government and spend less time with the tin-foil-hat Tea Party.
Thanks for your comment. The job of the Supreme Court is to interpret the US Constitution. There is no higher judicial authority than the US Supreme Court and nearly 50 years ago, in Schmerber v. California, 384 U.S. 757 (1966), they declared that fingerprints may be compelled as non-testimonial evidence (not in violation of the fifth amendment). https://supreme.justia.com/cases/federal/us/384/757/case.html#764
Obtaining a finger print as non-testimonial evidence and unlocking a password protected device with that finger print are two very different matters entirely.
It’s not the finger print that’s important here, it’s the action of unlocking the phone. The unlocking is the self incriminating part and needs clarification. If a password can be kept confidential, then the police (or anyone) should not be legally able to use your fingerprint to unlock a phone (or similar device). Take your finger print as non-testimonoial evidence, yes, unlocking phones no.
Who robs a bank with a prius?
Definitely the best comment this thread will see today! I figured that a Prius is a good vehicle for bank robberies because it is relatively silent, you won’t have to stop to refuel, and as you pointed out, unlikely to be stopped as a suspected getaway vehicle. The blue though, was a poor choice.
“The blue though, was a poor choice.”
Really? I thought they only came in blue!
I find it offensive that the article is built around this ridiculous premise of the imminent bomb explosion. It taints the whole article to have such an obvious attempt to paint having personal security, a “bad thing” underlying all his arguments.
Obviously, it’s a step backwards for the intrusive police state to not be able to sneak into every nook and cranny of the private lives of individuals, but it’s nothing new and the trade-offs are well worth it. Those of us that have been around a while lived through long eras when police and the military did not have the powers they have today and the world survived just fine.
Over the years, the powers of the police state have grown and grown and grown to the point where privacy and anonymity is all but impossible today. One tiny step for personal privacy is not going to change much overall, and to immediately start thinking of terrorists and bombs and try to use that as a justification for this sort of nonsense is offensive and stupid.
I appreciate your comments, but many people would disagree with your statement that the trade-offs (sacrificing personal liberties for the illusion of safety) are “well worth it.”
Touch ID don’t just record fingerprint pattern. It map the depth of fingerprint, pores (so if you’re sweaty, TouchID could shut you out), and the distance with the edge of fingerprint.
So, the chance your finger can unlock others phone drop from 60%-65% to almost zero. (Human pores are consider as random characteristics)
I know the author is a lawyer, but at least ask some engineers first.
(P.S. I always thought FBI will just use Patriot Act and some pressure on your finger to break Touch ID. Or let you use your iPhone to call your lawyer, but take your phone once it’s unlocked. So when you see FBI, use the wrong finger tap on TouchID five times. )
“So when you see FBI, use the wrong finger tap on TouchID five times” nice I did know this…
I did not know this that is…
Thanks for your comments, especially about the potential abuse of the Patriot Act to break iPhone security. Please provide any engineering references to support your claim that Touch ID measures “depth” or “pores” so that I can review same for accuracy. I don’t see how depth can be measured by a finger pressed against glass any more than a copy machine can provide a measure of depth, but I’m eager to read more.
http://support.apple.com/en-us/HT5949 – It outlines it on their site “It categorizes your fingerprint as one of three basic types—arch, loop, or whorl. It also maps out individual details in the ridges that are smaller than the human eye can see and even inspects minor variations in ridge direction caused by pores and edge structures.” Not necessarily depth per say, but variations in ridge direction caused by pores.
If you get pulled over then restart your phone. It needs a password after being reset.
Thank god for smartphones, since apparently law enforcement couldn’t solve any crimes before smartphones and unprecedented access to people’s lives through technology. It was IMPOSSIBLE.
At least that seems to be their tired line nowadays.
No, that’s not it at all. People who commit crimes tend to keep evidence of the crime on their smartphones. A person, generally will not admit their involvement in a crime. This requires the police prove their case with evidence. What better evidence is there when it is found on the suspect own phone. Lawyers can’t attack the police credibility unless they are alleging the police put the evidence on the person phone. Evidence on a phone eliminate a lot of police headaches. A suspect says he was not at the scene of a crime but the cellular navigation data says the phone was there. The suspect says he didn’t commit the crime but text messages indicate he was texting a co-conspirator about where he was going to hide the loot. Are you suggesting all this evidence be ignored.
fwiw — the mythbusters episode that was quoted was from 2006. While I understand that TouchID is not perfect, it is far from the same technology used almost a decade ago…
The ideas in this article are total nonsense. First off, why are we so concerned with how the authorities will get into a criminal’s phone? Secondly, how is the police going to force your print onto the phone without illegal excessive force if you don’t want them to? If they are going to forcibly do this, why couldn’t they just the same forcibly get your passcode out of you by putting your arm or finger in a painful armbar or finger twist, etc. Physical force is physical force, forcing open a clenched fist is no different.
You raise some valid points and the example used in the article was not necessarily how the government may compel a fingerprint. Typically, a fingerprint is obtained by a combination of authority, fear and intimidation. Legally, the only way a fingerprint may be compelled is by court order; the refusal to submit thereto would subject the detained individual to incarceration until he or she submitted to the fingerprinting.
The best thing to do is have touch ID on with a complex password. Then if you get pulled over for any reason completely Power off the phone. When an iPhone is powered on from being off it requires the complex password to be entered. I have nothing to hide, but I don’t need any one going through my phone without my permission for any reason. Its a principle kind of thing.
Wow your ignorance of how technology works is staggering.
Firstly, you don’t ‘swipe’ the finger under Apple touch ID (by far the largest biometric security provider). Secondly – part of the point in biometrics are that it’s quicker than a code.
Once you use your finger you no longer need a code.
I suggest you stay away from tech blogs while you are this clueless.
Sorry, just saw your comment. I wrote something similar. Yep, this guy has no idea what he’s talking about.
Please feel free to substitute the verb ‘scan’ at your own discretion. My Star-Tac requires a swipe.
But touch id switches to demanding a passcode after three finger press failures. Police would be able to use finger or passcode – which ever they can get hold of.
‘Swipe’ vs ‘Press’ is trivial to legal issues ( isn’t Samsung S5 a swipe?)
It asks for a passcode, but you can still use touch ID to unlock it.
Patrick: you can, but after a total of five tries it will accept ONLY the passcode.
“Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode.” This doesn’t happen with Touch ID though. It’s either or.
Thanks for catching that. I apologize for the lack of clarity — there was some debate about whether all information contained in the article be solely Apple-based or inclusive of other devices. In the future, we anticipate Apple and other manufacturers offering multiple layers of security options.
Jason, I don’t know if you are familiar with UK law on this?
Under the Regulation of Investigatory Powers Act 2000 a suspect can be served with a notice requiring them to disclose the password for a device, hard drive etc. Failure to do so is an offence. Max penalty is two years imprisonment (5 years if the case is national security or child porn).
There are defences such as not knowing the password, burden of proof is on the prosecution.
This is used and there have been successful prosecutions/jail time.
(In reality a phone with a 4 digit PIN will be accessed very quickly with or without the PIN)
Thanks for providing us with information about how the UK deals with these issues. Please feel free to link to any authoritative sites for further reading. Cheers!
Here is the law …
http://www.legislation.gov.uk/ukpga/2000/23/part/III
Here is a typical case …
http://www.bbc.co.uk/news/uk-england-11479831
Thanks for posting this piece.
Certainly an interesting debate that won’t be fully played out for years .. and then new technology will create new issues.
So here’s my issue with the whole legal fingerprint thing. I believe that it is legal for the police to take your fingerprint. They already do that when they take you to the station. But I think it is ILLEGAL to take someones fingerprint and use it to unlock their phone or any fingerprint locked device. The same runs for iris scans and any other biometrical locked device.
How can forcibly taking someones fingerprint and unlocking their phone to generate incriminating evidence be legal?
“However, fingerprints, by the nature of their availability and the fact that they do not constitute testimonial content, do not implicate the Fifth Amendment’s right to be free from self-incrimination.”
Disagreed. the nature of their availability shouldn’t come into play.
Secondly, you should qualify “do not constitute testimonial content”, with “UP UNTIL NOW”.
With fingerprints now a means of access to content (just like a passcode), I’m willing to bet that sooner rather than later that the combination of a fingerprint PLUS biometric access constitutes “content”. i.e., the information contained in the pattern of my fingerprint is akin to a passcode as information obtained from the suspect.
Case law attempts to distinguish between compelling testimonial content “what’s inside your mind” versus physical content (e.g. blood, fingerprints, hair and handwriting samples) and this has remained relatively consistent over the past fifty years. The actual use of a fingerprint or passcode to search a phone would typically require a warrant, absent exigent circumstances (hence, the bomb scenario).
law changes. But not, obviously, as quickly as technology.
Under warrant, would the owner of a combination safe be required to give the combination? Or does a warrant invalidate the 5th Amendment?
“Any law enforcement agency or computer security expert would be able to easily hack the pass code via Brute Force in less than an hour.”
After 6 failed passcode attempts… iPhone is Disabled, try again after 1 minute
After 1 failed passcode attempts… iPhone is Disabled, try again after 5 minutes
After 1 failed passcode attempts… iPhone is Disabled, try again after 15 minutes
After 1 failed passcode attempts… iPhone is Disabled, try again after 60 minutes
Your brute force is rate limited to 9 guess in the first hour.
I was operating under the assumption that law enforcement and security experts have more sophisticated means of hacking or decrypting passwords than you or me, but I may be mistaken.
So many misinformed, ignorant, and paranoid comments here.
People are providing knee-jerk responses based on the belief law enforcement act as bogey man, wanting to nefariously swipe all of your embarrassing data.
Law enforcement is not interested in your dick pics, Chive photos, emails to mistresses, or whatever else your innocent life you have led that has shielded you from the very real crimes of:
Serious drug offenses, human trafficking, sex crimes, money laundering, hate crimes, gang activity, robberies, burglaries, murders, financial crimes, and other serious criminal activity.
It may seem hyperbole to tech-heads when law enforcement mention the possibility of terrorist activity, but I can assure you this is, especially home-grown terrorism. a serious concern to all American law enforcement entities.
So while we surf sites like 9to5mac.com on our iMacs or iDevices, from our comfy chairs, sipping on our excellent pumpkin spice lattes, from a climate controlled-environment in lives that are rarely touched by badness or outright evil, you should believe that there is a very real concern to suspects’ data being “too secure”.
As long as the right to search is legal, and a judge has approved a warrant or subpoena, and its scope and purpose, law enforcement have and require the need/right/duty to search.
Just think, the next victim could be you, your child, parents, significant, other, friends, or other supposed innocents…you would want law enforcement to move heaven and earth to get you answers…
The possibly incorrect assumption here is that evidence gotten by forcing a suspect to place their finger on the home button of an iPhone would be admissible. Yes, you are allowed to take the fingerprints of the suspect in order t positively identify him or her and, yes, you might be able to use that to gain access to the iPhone and its content as documented bt various hackers. Even further, you might use the info gained to avert some impending evil deed but what about bringing this perp to justice? The permission to take fingerprints for the purpose of identification may not extend to other purposes. This is a far reach for law enforcement. Th perp will likely walk.
Quote: “Any law enforcement agency or computer security expert would be able to easily hack the pass code via Brute Force in less than an hour.” -end quote.
Just go to Settings->Touch ID & Code”, deactivate simple code. Then change your old “0-0-0-0” (bad habit PIN to something like “The blue sheep is in the red barn before 23:30!” This will take the security expert a significant longer time to Brute Force, by then your lawyer should be present…
I’d rather tick the ‘Erase data’, ‘Erase all data on this iPhone after 10 failed passcode attempts. button.
How prophetic this article was in light of the ongoing Apple vs. Government battle.