Face ID, Touch ID unlocks can't be compelled by law enforcement, rules federal judge
The police cannot force a person to unlock their iPhone with Face ID or Touch ID, a U.S. federal judge has ruled, a move that effectively provides users the same protection for the biometric security for their devices as previously afforded to passcodes.

In the United States, a suspect's property has the potential to be searched by law enforcement officials as part of an investigation, but some items are typically left alone. While people are protected from having to unlock their devices via a passcode, biometric security has been considered fair game for use by investigators, bypassing the passcode rules.
A January 10 filing in the United States District Court for the Northern District of California applying for a search warrant for a residence in Oakland reveals investigators wanted to look into the affairs of suspects in an alleged blackmail attempt, where they were claimed to have threatened to "distribute an embarrassing video" of the victim unless a payment was made.
As part of the warrant request, there was also a request to compel individuals present in the search to use a fingerprint reader, facial recognition, or iris recognition to unlock devices found on the property. In the filing, the court denies the request, as it "runs afoul of the Fourth and Fifth Amendments," specifically in relation to unlocking devices.
Judge Kanis Westmore deemed the request was too "overbroad" due to not being limited to any particular computers or devices owned by an individual or multiple persons. More importantly, Westmore declared the government and its agents were not allowed to use biometrics to force an unlock of a device, due to the potential for self-incrimination.
The problem is that, while a user can state a passcode as a "testimonial communication," biometrics do not count in the same way, as they can easily be acquired via unwilling means. For example, it would be feasible for Touch ID to be triggered by forcibly holding a finger to the Home button for reading, or for Face ID to be defeated by the suspect being forced to look in the TrueDepth camera's direction for a moment.
"If a person cannot be compelled to provide a passcode because it is testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device," wrote Westmore. "The undersigned finds that a biometric feature is analogous to the 20 nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial."
While this does effectively block one avenue of evidence collection for the law enforcement agents, it doesn't completely stop the investigation from going down that route. The ruling could be overturned in the future, a second narrower warrant could be requested, or the government could make a request for the data from Facebook itself.
Since the introduction of biometric security to iPhones and other smartphones, there have been reports of law enforcement agencies taking advantage of the technology to gain access to mobile devices, with the courts permitting their use in warrants.
In 2016, a woman was compelled to use her fingerprint to unlock an iPhone confiscated from a property owned by an Armenian Power gang member, one who at the time was in prison for unrelated charges. There have also been multiple instances where members of law enforcement have used fingers of corpses to attempt to access iPhones and obtain evidence, though with little success due to the amount of time that had passed since the last successful unlock.
Such actions are not limited to fingerprints. In August 2018, the FBI ordered the unlocking of an iPhone X using Face ID as part of a child abuse investigation in Columbus, Ohio. A forensic firm has also warned police to avoid looking at the screen of an iPhone X or other Face ID-secured device, or else potentially lose the ability to attempt a face-based unlock in the future.

In the United States, a suspect's property has the potential to be searched by law enforcement officials as part of an investigation, but some items are typically left alone. While people are protected from having to unlock their devices via a passcode, biometric security has been considered fair game for use by investigators, bypassing the passcode rules.
A January 10 filing in the United States District Court for the Northern District of California applying for a search warrant for a residence in Oakland reveals investigators wanted to look into the affairs of suspects in an alleged blackmail attempt, where they were claimed to have threatened to "distribute an embarrassing video" of the victim unless a payment was made.
As part of the warrant request, there was also a request to compel individuals present in the search to use a fingerprint reader, facial recognition, or iris recognition to unlock devices found on the property. In the filing, the court denies the request, as it "runs afoul of the Fourth and Fifth Amendments," specifically in relation to unlocking devices.
Judge Kanis Westmore deemed the request was too "overbroad" due to not being limited to any particular computers or devices owned by an individual or multiple persons. More importantly, Westmore declared the government and its agents were not allowed to use biometrics to force an unlock of a device, due to the potential for self-incrimination.
The problem is that, while a user can state a passcode as a "testimonial communication," biometrics do not count in the same way, as they can easily be acquired via unwilling means. For example, it would be feasible for Touch ID to be triggered by forcibly holding a finger to the Home button for reading, or for Face ID to be defeated by the suspect being forced to look in the TrueDepth camera's direction for a moment.
"If a person cannot be compelled to provide a passcode because it is testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device," wrote Westmore. "The undersigned finds that a biometric feature is analogous to the 20 nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial."
While this does effectively block one avenue of evidence collection for the law enforcement agents, it doesn't completely stop the investigation from going down that route. The ruling could be overturned in the future, a second narrower warrant could be requested, or the government could make a request for the data from Facebook itself.
Since the introduction of biometric security to iPhones and other smartphones, there have been reports of law enforcement agencies taking advantage of the technology to gain access to mobile devices, with the courts permitting their use in warrants.
In 2016, a woman was compelled to use her fingerprint to unlock an iPhone confiscated from a property owned by an Armenian Power gang member, one who at the time was in prison for unrelated charges. There have also been multiple instances where members of law enforcement have used fingers of corpses to attempt to access iPhones and obtain evidence, though with little success due to the amount of time that had passed since the last successful unlock.
Such actions are not limited to fingerprints. In August 2018, the FBI ordered the unlocking of an iPhone X using Face ID as part of a child abuse investigation in Columbus, Ohio. A forensic firm has also warned police to avoid looking at the screen of an iPhone X or other Face ID-secured device, or else potentially lose the ability to attempt a face-based unlock in the future.
4-19-70053 by on Scribd
Comments
As a practical matter, faceID expires and requires a passcode after a set time limit, so the police act quickly your phone would require a passcode anyway. I can't say I agree with Gatorguy. I want privacy and I don't want the NSA snooping on everything I do, but as I've said before, the 4th amendment prevents "unreasonable search and seizure." It is not absolute, nor is the right to privacy. If law enforcement has adequate grounds for doing so, I see nothing wrong with compelling the use of FaceID to unlock a device.
A ruling at one level can be over-ruled by the next higher until it gets to the Supreme Court, who has the final say (until something is legislated and it potentially starts over).
IMO it's not entirely unlike asking for the location records of every smartphone, laptop, or other mobile device over a 24-hour period in a 2 mile radius of a major crime scene in order to find potential suspects, and then searching a couple dozen devices that might match. Way too broad and intrusive. No one should be compelled to turn over their personal devices and ready them for inspection for such a search. There's a difference between "might" and "probable", and the courts are narrowing that re: our smartphones.
Regarding biometrics specifically: If the warrant specifies the detailed reasoning for a particular targeted search I'm not at all saying that a suspect shouldn't ever be compelled to open their device(s) if secured purely by biometrics like fingerprint or face ID as long as a judge has reviewed it and agrees. i suspect another court may see this differently and SCOTUS, if it were to go that far, would narrow the decision regarding biometrics and device encryption.
Not really accurate -- a search warrant is limited to the type of evidence being sought after. For instance if they're looking for banking papers they can't go through your medicine cabinet and throw substance abuse charges at you. Etc.
We do have rights that protect us from our government in this country. Crazy, huh?
We've already seen decisions from other federal courts which run substantively contrary to the noteworthy finding of this decision. We'll probably see conflicting decisions for a while, to include conflicting precedents from different federal circuits. But eventually the Supreme Court will likely have to decide the core issue and, at this point, I'd lay odds against the Supreme Court's decision being consistent with the one in this case.
That said, as I see it part of the problem is a fundamental mischaracterization of what encryption is. Even in this case, which I'd say reached the correct result, that fundamental mischaracterization is evinced and complicates the reasoning unnecessarily. Encryption isn't analogous to, in the physical world, locking a safe or filing cabinet or building. Decryption isn't analogous to unlocking such things. Encryption is an alteration of data - it means destroying what might otherwise exist and replacing it with something meaningfully incomprehensible. Decryption means recreating something which had, before the decryption, no longer existed.
When someone is forced to decrypt something - whether it be via biometrics or entering a passcode - they aren't unlocking something such that the government might have access to it. The government already (with a minimal amount of effort) has access to whatever actually exists. Instead, when someone is forced to decrypt something they are facilitating the recreation of something which the government thinks might be more useful than that which currently exists. It's more like forcing a suspect to recreate evidence which they had previously destroyed than it is like forcing a suspect to turn over or unlock evidence which they still have possession of. The forgone conclusion doctrine shouldn't even matter because we aren't talking about an act of production (as that term is used in this context - meaning, to turn over rather than to create), we're talking about an act of recreation.
It’s incumbent on law enforcement to collect evidence, nor take a shortcut by forcing people to self-incriminate.
And to all you “what do you have to hide” people...F$&@ off. Move to China then where they have a subjective scoring system from the government based on how submissive you are.
“I prefer dangerous freedom over peaceful slavery.” - Thomas Jefferson