Biometrics: Giving the Government the Finger

A federal court has ruled that suspects can’t be forced to provide a biometric key to unlock their digital devices during an investigation.

When two individuals were involved in a Facebook sextortion case, threatening to release an embarrassing video if the victim did not pay up, the federal court had no problem issuing a search warrant permitting the seizure of the suspects’ phones, computers and other digital devices. But the court balked when the government asked for a warrant permitting them to “compel any person present at the time of the search to press a finger (including a thumb) or utilize other biometric features such as facial or iris recognition, for the purposes of unlocking the digital devices found in order to permit a search of the contents [of the digital devices] as authorized by the warrant.”

First, kudos to the cops for recognizing the Oxford English Dictionary distinction between a “thumb” and a “finger.” Two points for thoroughness.

But can the government compel someone to produce a biometric to unlock a device when the government has established probable cause to believe that the device contains information about a crime? Until now, courts have mostly focused on the “testimonial” nature of what the suspect is being compelled to produce. The new ruling changes that and focuses instead on the effect of the compelled act. As Ricky Ricardo might say, “Let me ‘splain.”

The Fifth Amendment’s guarantee against self-incrimination is a testimonial privilege. The words say, “No person shall … be compelled in any criminal case to be a witness against himself …” Typically this has meant that, while you can force a person to produce evidence that is incriminating to them (with a few caveats), you can’t force them to “be a witness” against themselves—that is, to testify. So the contents of the cell phone, iPad, laptop or computer are not protected from compelled production (although the physical act of producing the machine might be protected). Courts weighing in on compelled decryption of encrypted devices under the Fifth Amendment typically have focused on whether the act of decryption (or alternatively, the act or producing unencrypted files or the act of providing the decryption key, PIN, password or biometric) constitutes making the suspect be “a witness” against themselves. For parochial and historical reasons, courts have distinguished between being forced to say something (“The password is … swordfish …”) being forced to do something (“One of two things will be on that contract, your brains or your signature …”) such as provide a voice exemplar, and just being forced to—well, to exist.

It’s the difference between being forced to state the password, tell someone where the key is or physically unlock a door—all of which might be considered “testifying”—and being forced to provide a fingerprint or faceprint, which, like being forced to provide a blood or alcohol sample, would not be.

The San Francisco court where the case was heard first observed that the warrant called for anyone at the scene to provide their finger- or faceprint irrespective of whether there was probable cause to believe that they had participated in the sextortion matter, or irrespective of whether there was probable cause to believe that a device their face or finger would unlock contained anything covered by the warrant. The court found no probable cause to support such a “being there” warrant. That makes sense, except for the Cinderella problem: When the cops seize a locked device, they can’t tell if anything on it is covered by the warrant until they unlock it, and they can’t unlock it until they have the biometric. If the device has evidence and a suspect’s’ face unlocks it, then there is probable cause linking the suspect to the evidence—the glass slipper fits. If you need probable cause to test the fit, then the prince would need to know that the slipper belonged to Cinderella before he could try the slipper on. OK, dead horse (mouse?) beaten.

It’s not as big a problem in this particular case because the police had already identified two suspects at the apartment. Thus, the court explained, they could not search phones of other persons simply because they were present while the cops searched the phones of the suspects. On the other hand, the warrant was silent on whether the cops could seize phones, hold them up to the two suspects faces, and only examine them if the suspects’ faces unlocked the phones. Using biometrics to identify what is covered by the warrant: Is that any different than taking fingerprints off any phones and computers in the apartment, and using those fingerprints to identify whose computer/phone that is?

In deciding that compelled production of a biometric is “testimonial,” the court noted that a biometric is the “functional equivalent” of a passcode and that “it follows … that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.” The court went on to note here as in at least one other case that “requiring someone to affix their finger or thumb to a digital device is fundamentally different than requiring a suspect to submit to fingerprinting.” The compelled production of such biometrics admits ownership, possession, use and control of the contents of the device—things the government otherwise might not be able to establish without compulsion.

The court also rejected the government’s contention that compelling those present to give a biometric is no big deal because it could get the contents of the phone from other sources without a biometric, such as from Facebook, Apple, Google, etc. Therefore, finding the incriminating files was, to the government’s mind, a “foregone conclusion.” Not so fast, said the court: A phone, a computer or an electronic device is a different kettle of fish, likely to have a wealth of information that the government would not have ready access to. The fingerprint or face scan doesn’t just unlock a file or a device; it unlocks that person’s entire world.

Ultimately, the Supreme Court will have to weigh in on what the government will need to do to get a suspect’s assistance in decrypting or unlocking their own devices. Until then, we can expect these cases to be decided on a case-by-case basis. Or the cops could try to spoof the facial recognition device with a nice 3D mask.

Featured eBook
Container Security: Securing from Within

Container Security: Securing from Within

Containers increase speed, simplify operations, improve development efficiency and bring a slew of other benefits, making them a top choice for agile deployment infrastructure. Everything from web apps, services, data stores, command line apps, desktop apps and other Linux programs can easily be packaged within containers. However, issues regarding their security have grown. Unsecured containers ... Read More
Security Boulevard
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 25 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 30 posts and counting.See all posts by mark