Idaho judge denies warrant to compel suspect to unlock smartphone with biometrics
An Idaho court has denied a warrant asking for authorization for law enforcement to make a smartphone owner unlock their device with their fingerprint, with the decision the latest in an ongoing debate on whether or not police and security services have the right to unlock biometric security on a device like the iPhone's Face ID or Touch ID.
The introduction of biometric security on mobile devices has helped make it easier to keep documents and media safe from prying eyes, at the same time as simplifying access to the content. Law enforcement officials, which are keen to gain access to computing devices to acquire evidence, have found ways to bypass security that works within the law, but in many cases attempts to acquire warrants relating to biometrics are not granted for constitutional reasons.
In a US district court filing in Idaho concerning a sealed complaint, dated May 8, law enforcement officials obtained a warrant for the search of an individual, their vehicle, and place of residence, due to suspicious of the presence of child pornography. The warrant allowed for the seizure of computers, mobile devices, and other items if they were deemed to be evidence of a crime.
As part of the search, officers seized a Google Pixel 3 XL from the residence's bathroom, but it was locked and could be opened by solving a swipe pattern or using a fingerprint. As the suspect was arrested but declined to unlock the device, officers petitioned the court for a warrant to compel the person to unlock it, claiming that the device was owned by the suspect as they identified it was in the bathroom prior to answering the door and being arrested.
The judge declined to grant that particular warrant, citing issues with both the fourth amendment and the fifth amendment. Under the fourth, the search and seizure would be lawful if it was "reasonable," and would be unreasonable if it violated the person's constitutional rights, so the search had the potential to go ahead.
However, the fifth amendment protects against self-incrimination, which the judge believed applied as the compelled unlocking via fingerprint would determine ownership or control over the device. As it was not possible to determine ownership before unlocking, this would in effect incriminate the person via the act of unlocking.
In the end, Chief US Magistrate Judge Ronald E. Bush denied the application.
The use of biometrics and law enforcement's aims in relation to the US constitution has been an issue for some time, with judges varying between states and cases as to whether or not permit members of law enforcement the ability to abuse the biometric security process to gain access without requiring a username or password.
Passwords and passcodes can be stated as a "testimonial communication" in the eyes of a court, meaning that they can be uttered and used as evidence due to the suspect advising of the codes willfully. Biometrics, however, can be acquired through unwilling means, making their legal status less clear cut.
On May 3, a Massachusetts judge granted a warrant to unlock an iPhone with Touch ID in a case relating to gun trafficking. The time-limited warrant may not necessarily have been used successfully, as there is a limited window available to use a fingerprint before Touch ID demands a passcode is used.
A January court filing in California denied a warrant as it risked running "afoul of the Fourth and Fifth Amendments," as well as for being "overbroad" in targeting any devices at a crime scene, rather than ones owned by the suspect.
A 2016 case had a woman forced to use Touch ID on an iPhone confiscated from a property owned by an Armenian Power gang member, in prison at the time for unrelated charges. The fingers of corpses have also been used on iPhones to try and unlock them, though with limited success.
Face ID has also been the subject of warrants, including one in August 2018 where the FBI wanted to unlock an iPhone X as part of a child abuse investigation in Columbus. Face ID's security policies has also led to a warning to police form a forensic firm warning not to look at the display of an iPhone X or other Face ID-equipped device, to avoid accidentally attempting an unlock that would almost certainly fail.
The introduction of biometric security on mobile devices has helped make it easier to keep documents and media safe from prying eyes, at the same time as simplifying access to the content. Law enforcement officials, which are keen to gain access to computing devices to acquire evidence, have found ways to bypass security that works within the law, but in many cases attempts to acquire warrants relating to biometrics are not granted for constitutional reasons.
In a US district court filing in Idaho concerning a sealed complaint, dated May 8, law enforcement officials obtained a warrant for the search of an individual, their vehicle, and place of residence, due to suspicious of the presence of child pornography. The warrant allowed for the seizure of computers, mobile devices, and other items if they were deemed to be evidence of a crime.
As part of the search, officers seized a Google Pixel 3 XL from the residence's bathroom, but it was locked and could be opened by solving a swipe pattern or using a fingerprint. As the suspect was arrested but declined to unlock the device, officers petitioned the court for a warrant to compel the person to unlock it, claiming that the device was owned by the suspect as they identified it was in the bathroom prior to answering the door and being arrested.
The judge declined to grant that particular warrant, citing issues with both the fourth amendment and the fifth amendment. Under the fourth, the search and seizure would be lawful if it was "reasonable," and would be unreasonable if it violated the person's constitutional rights, so the search had the potential to go ahead.
However, the fifth amendment protects against self-incrimination, which the judge believed applied as the compelled unlocking via fingerprint would determine ownership or control over the device. As it was not possible to determine ownership before unlocking, this would in effect incriminate the person via the act of unlocking.
In the end, Chief US Magistrate Judge Ronald E. Bush denied the application.
The use of biometrics and law enforcement's aims in relation to the US constitution has been an issue for some time, with judges varying between states and cases as to whether or not permit members of law enforcement the ability to abuse the biometric security process to gain access without requiring a username or password.
Passwords and passcodes can be stated as a "testimonial communication" in the eyes of a court, meaning that they can be uttered and used as evidence due to the suspect advising of the codes willfully. Biometrics, however, can be acquired through unwilling means, making their legal status less clear cut.
On May 3, a Massachusetts judge granted a warrant to unlock an iPhone with Touch ID in a case relating to gun trafficking. The time-limited warrant may not necessarily have been used successfully, as there is a limited window available to use a fingerprint before Touch ID demands a passcode is used.
A January court filing in California denied a warrant as it risked running "afoul of the Fourth and Fifth Amendments," as well as for being "overbroad" in targeting any devices at a crime scene, rather than ones owned by the suspect.
A 2016 case had a woman forced to use Touch ID on an iPhone confiscated from a property owned by an Armenian Power gang member, in prison at the time for unrelated charges. The fingers of corpses have also been used on iPhones to try and unlock them, though with limited success.
Face ID has also been the subject of warrants, including one in August 2018 where the FBI wanted to unlock an iPhone X as part of a child abuse investigation in Columbus. Face ID's security policies has also led to a warning to police form a forensic firm warning not to look at the display of an iPhone X or other Face ID-equipped device, to avoid accidentally attempting an unlock that would almost certainly fail.
Biometric unlock refusal ruling in Idaho by Mike Wuerthele on Scribd
Comments
Though it would need system level access, having an app with a 'deadman's switch' might also work. Failure to check in with the switch (not necessarily the phone) would wipe it unless the app were accessed within a specified time frame. It could be initiated with a 'self-destruct' finger print or Siri shortcut. Getting that level of access would be the sticking point.
Having said that, I’m very glad the judge followed the law and disallowed the forcing of biometrics. As for those who use biometrics but have concerns, Apple (don’t know about Android, but I expect same) has a method to quickly disable biometric entry (rapid pressing of home button five times — same as calling emergency services), which prevents abuse of Face or Touch ID. Perhaps there is a Siri Shortcut that could be created to easily/quickly put a phone in “lost mode” before the cops (or robbers) take it from you.
Face ID and Touch ID are incredibly useful but everyone who uses them should know the disabling shortcut, at the very least.
There’s no “we can prove what you would have testified about anyway” exception to the 5th amendment.
You can’t legislate away constitutional rights, so no.
Creating a a mechanism as described above would not be obstruction of justice, just as it isn’t illegal to manufacture paper shredders. Using it after a crime was committed to knowingly conceal evidence of that crime could be.
And you too are missing my point. A biometric is effectively a password if one finger unlocks and nine other fingers wipe. It's not a great password, since there's a one in ten chance the police could unlock it, but most police would refrain from trying even with 50-50 odds, because they would be destroying evidence.
Even if you are right, I never said YOU had to do the wiping. It's the police who won't use your fingerprints if they are worried the wrong fingerprint would wipe it.
You have 7000 posts so I respect that, but I guess even 7000 doesn't make you infallible. We already have passwords for protecting phones, and there currently is no back door legislation. So adding a different password, namely which finger to unlock and which to wipe, won't make anyone change the law. And by the way, you can't refuse to give them the key to a safe deposit box (so now that's two errors from a 7000 poster). You can however refuse to give them a combination. And I think you're missing the point that search and seizure can NEVER apply to what's in your head. Is that three errors then? Off topic, may I please quote John Malkovich, "It's my HEAD, Schwartz, it's my HEAD."
No, sigh, why is everybody wrong. Courts have generally accepted that telling the government a password or encryption key is “testimony". If any court or grand jury attempts to compel you to reveal a password you will get free legal support from the EFF. Not only are you wrong about giving up passwords, but you're missing the point. It's not any US law that matters, it's what the US constitution says. The constitution is neither federal nor state law. It is "the constitution" (and states must have their own constitution but the federal one trumps theirs.) I don't care about what any judge says about any law. I don't even care what any lower court judge says about the constitution. The final words comes from the US Supreme Court, and that's all that really matters. But you aren't alone. I have the same problem explaining these things to Canadians, where we share many of the same components of your constitution, worded differently.
Of course, you must agree that all warrants and laws are irrelevant to this issue if the US constitution, as interpreted by the US Supreme Court, declares the handing over of biometrics to be against the amendment protecting citizens from unreasonable search and seizure (I mean: providing incriminating evidence). The courts have said if you are dead you no longer have that protection, so some police have tried using dead fingers on iPhones but have failed to gain access. They didn't get in trouble for doing that. But using biometrics on a living human being, that's a line that the courts seem to be prohibiting as this story indicates.
Congratulations - there is a small possibility that you are right about obstruction; I'm not sure. But even if you are right, it's very unlikely that any jury in America would convict anyone of that crime since there's no way the prosecutor could know "beyond a reasonable doubt" that there was anything inculpatory on the phone you zeroized. The jury would not convict. They would consider it prosecutorial overreach. The prosecutor couldn't prove that there was evidence on the phone unless he already had it.