You can be compelled to provide fingerprints based on a warrant; I'm unsurprised (and not particularly bothered) that you can be compelled to use them on your own device. If you care about security, don't use a fingerprint alone; at most, only use it as a second factor for two-factor authentication. More generally, don't use anything that removes your ability to make a choice under duress, in whichever direction you see fit, based on what you're protecting and what you're being threatened with.
I find the ongoing case of someone being jailed indefinitely for refusing to supply a passphrase far more concerning than someone being compelled to supply a fingerprint.
The person who is being held indefinitely for not giving up his password is really frightening. They should either let him go or charge him with contempt of course/obstruction and issue time served!
Even if you /know/ you don't have anything illegal on any of my encrypted devices, it's better to take a contempt of court charge than give up a password...because of what they might /find/ or possible things unrelated to an investigation that they can link to a crime (or what they can then plant).
Contempt is a terrifying charge, because under current law, you can be jailed indefinitely for the same contempt charge for as long as you refuse to cooperate with whatever the court thinks you should cooperate with. There's no upper bound there. So that wouldn't solve the problem.
Contempt is a weird power in general, especially when it's used for reasons like "disrespecting the judge." If I am disrespectful to the governor of my state, or if I'm disrespectful to a police officer, or if I'm disrespectful to a fireman or a bailiff or a legislator or a district attorney or a teacher or the President, that is a thing that I can legally do. But for some reason it's not outrageous for a judge to send me to jail because I showed them insufficient respect.
"Contempt of court" isn't supposed to refer to contempt of the judge, though. It's supposed to refer to contempt for the mechanism of a trial: not respecting the time or the (legally-required) duties of anyone there, basically making it impossible to go on with the work of the court system. A lawyer attempting to "filibuster" a jury into agreeing with them, for example, would be in contempt of court for wasting the jurors' time.
The "contempt of court" charge basically serves as a court-private time-out box to send people to whenever they can't handle being in court, until they learn to stop, erm, "blocking the cooperative event queue from pumping messages."
It's not that the charge has to be indefinite—but it has to be capable of sticking as long as the trial's progress is halted. The charge should definitely cease to apply if the trial manages to resume through some other route—and especially if it manages to conclude.
Remember, "contempt of court" isn't about malfeasance, either. Experts who lie on the stand are not in contempt. Lawyers who introduce non-cross-examined evidence are not in contempt. Random audience members getting up and saying things during court are not in contempt. It's only when one of these things causes the trial mechanism to grind to a halt, and then the person refuses to yield to let the trial resume, that they are in contempt. It's a process-control mechanism, and in that respect, it's quite necessary.
(That's not to say it can't be abused—especially in smaller courts in non-jury trials. But it has a well-defined good usage, and can't really be redefined without losing that usage.)
But for some reason it's not outrageous for a judge to send me to jail because I showed them insufficient respect.
The rights of protest and speech cannot be the same in courts, even to the same degree as a place like congress or the offices of the executive. (And in those last two cases, the right of speech is also curtailed.) Otherwise, the courts wouldn't be able to function, particularly in the case of an adversarial court system.
As an analogy, years ago I was part of a small alliance in Eve that consistently won battles. But as we were winning, the server would crash and the devs would come in and roll-back the damage we had done.
The courts have a hard enough time as it is functioning. I am involved in a case against an assailant, and I learned that it's very typical for defense attorneys to purposely drag out cases to maximize victim fatigue. The defense attorney somehow has surgery scheduled on the hearing dates. A legal system is very complicated. It's likely to have more loopholes than a software system has bugs. And it's probably a lot harder and more time consuming to fix those.
How else can the court enforce that it is the final decision on disputes other than this? It is unfair, but seems like the logical place for unfairness to reside in such a system.
> How else can the court enforce that it is the final decision on disputes other than this? It is unfair, but seems like the logical place for unfairness to reside in such a system.
Why would there need to be any place for unfairness to reside in a system?
Contempt in this case would be impossible after a couple days, when the iPhone will refuse to accept the fingerprint and instead require the passphrase. She is no longer capable of fulfilling the court's demand (use your fingerprint to unlock the phone) at that point.
You know how you can "sudo" and type your password (if you have an account with sudo privileges) and then for a few minutes afterward you don't have to type your password when you use sudo?
Think of Touch ID like that: the passcode is still the thing that unlocks the phone, but once it's been entered you can use Touch ID for a little while, in much the same way that sudo can remember you've recently proved yourself to it. After 48 hours, after a certain number of failed Touch ID attempts, or after any restart of the phone, though, Touch ID stops being available and the phone goes back to only being unlockable via the passcode (Touch ID will only become available after the next time the passcode is entered).
You don't have to leave the phone untouched for 48 hours. Even if you touch it you still need the passcode every 48 hours. TouchID only works for 48 hours past the last passcode login.
Just as a point of reference, Android has a feature by which you can register locations at which a PIN is not required. I've registered my home (which is not super secure, since GPS resolution means it works anywhere in my apartment building), and I have to input the PIN every morning because the interval resets every 4 hours.
basch what happens is, at a minimum, the iPhone requires your PIN or passcode every 48 hours to unlock. In between, you can use your finger as many times as you want. So the 48 hour timer should fire as soon as immediately after someone gets posession of your phone, but no more than 48 hours afterward.
Contempt is only supposed to be for when someone's action brings the mechanism of a trial to a halt. Refusing to do an action that the court thinks it's allowed to compel you to do is an example.
Say she waits two days. The phone won't be unlocked with a fingerprint now; it requires a passcode, and the court can't compel someone to provide a passcode in the same way that it can compel them to provide fingerprints.
Contempt wouldn't be a valid charge anymore, at that point. If the judge won't recognize that, the prisoner/suspect could appeal.
The above is my understanding of the theory of how it works. Maybe I'm wrong. Maybe it works differently in practice.
Probably a ridiculous thought experiment, but I know folks have done similar things before, what if she cut off her thumb and disposed of it in such a way that it was irretrievable? Or something less permanent like dipping her thumb in acid to destroy the fingerprint surface - which would take weeks to heal. Would would the court do then?
It sounds to me like fingerprint authentication is not something a criminal should use if they don't want to get caught. Apparently a passcode is protected under the Fifth Amendment but not a fingerprint. [1]
But it's ridiculous really. All that a criminal needs to do is restart their phone to prevent their fingerprint from being used. And there are good reasons for doing so other than to escape incrimination! And that can be done from the lock screen... Imagine the criminal held down the power off button for three seconds then swiped, is that a crime? Perhaps that falls under spoliation of evidence, but then again how is not giving a passcode not considered spoliation?
Apple should require a user configurable timeout for requiring of a passcode. I'm sure it normally takes more than two hours to interview and charge someone.
> what if she cut off her thumb and disposed of it in such a way that it was irretrievable?
A contempt charge wouldn't hold any more (probably), but there's probably another charge that would apply, like spoliation of evidence [sorry, realized that you mentioned that charge further down in your comment].
> It sounds to me like fingerprint authentication is not something a criminal should use if they don't want to get caught.
True.
> Imagine the criminal held down the power off button for three seconds then swiped, is that a crime?
It's also not normally a crime for her to mutilate her thumb or for me to wave a knife around if I believe I'm alone and don't intend to harm anyone. Motive and context matter.
> but then again how is not giving a passcode not considered spoliation?
The act of making the fingerprint unusable would be the spoliation, I suppose. Not giving the passcode would be protected under the 5th.
>what if she cut off her thumb and disposed of it in such a way that it was irretrievable? Or something less permanent like dipping her thumb in acid to destroy the fingerprint surface
Sounds like intent to harm oneself, which gets one locked up in the loony bin until one demonstrates oneself to be of sound mind.
That's a problem for me. Charge and prosecute them or let them go. Indefinite detention without a fair and speedy trial is unquestionably unconstitutional.
The contempt power is in the Judiciary Act of 1789, so it's hard to say that the founding generation would have considered it unconstitutional.
Moreover, what exactly would she be tried for? Do we need a trial to establish that she has in fact continued to disobey the judge's order to unlock the phone?
Yes, we probably would need a trial in that instance.
The courts really don't get to hold someone indefinitely without charging them with something.
Contempt is generally used as a quick and dirty hack for someone disobeying the procedures of the court. Not providing a fingerprint to unlock evidence is WAY beyond that scope and probably should require a hearing and trial.
Now, she could be detained while that hearing is proceeding, but that's different that just being jailed for contempt.
She was arrested based on probable cause that she had committed identity theft. The search warrant is the process by which evidence needed to support formal charges.
If that order is lawful, then it probably has a chargeable crime behind it. If it doesn't, then there should be limit.
Compelling someone to open a phone with a fingerprint is far from settled law. It should be litigated properly as part of the trial rather than with a "contempt" charge.
In this instance, it is the court that is attempting to end run an unsettled area of the law using "contempt".
Well imagine a criminal is holding a piece of your property or even a person and not revealing where that is. Do you think it's reasonable to hold them for 30 days and then let them go and say "ah well I guess you can return that/them if you want cuz you did your time."
You can be charged with both. I hope you never have to deal with someone who flaunts the courts in your face. You'll be glad the system works the way it does, if anyone bothers to enforce the law.
So do you think it's reasonable that contempt of court can carry a life sentence without even being convicted by a jury of your peers? Is contempt of court a worse crime than assault or manslaughter?
You have the right to not divulge information from your mind that would incriminate yourself. In the US this is called the 5th amendment.
There's no jury because it's regarding acts that occurred in court, so it's simply not meaningful to have a jury decide the facts of the case when they happened right in front of the judge, who does not need anyone to figure out the veracity of what they just personally witnessed.
The alternative is that people have a right to stop the courts from functioning. Our interests in not having courts that can be easily thwarted probably does outweigh our interests in any single conviction.
It's only forever if you refuse to comply for that long. It is coercive. The justice system does not, because it cannot, ask you to comply. It forces you to comply and it does not take no for an answer or it would not function.
As GP said, that's not true in general. Immunity is offered when the prosecution believes your testimony will result in further arrests or in prevention of future crimes. That circumstance is exceedingly rare outside of episodes of "24".
They can't be charged with contempt over that. Compelling them to do so is forcing them to self-incriminate themselves.
Self incrimination protections are there for a good reason. If the person is on trial, then they haven't pleaded guilty - they say they haven't done what they are accused of. If they are in fact innocent, if the court decided to enforce them into provide this information and jailed them for contempt, it would literally be indefinite because they are innocent and cannot provide information on what they don't know!
I guess that's why a key or fingerprint is allowed - it is definitely something that can be used one way or the other. If they key doesn't work, it doesn't work. Same with a fingerprint.
But a passcode - it is not definitive. The defendant may say they don't know it as someone changed it on them. They then type in a wrong code: how are you going to disprove that?
Would you mind terribly quoting the law that requires me to submit to the physical act of unlocking my phone? Since it's not a two-factor system, it is equivalent to a passphrase, which (IIRC) has been upheld to be a form of testimony, and therefore the fifth amendment SHOULD allow the suspect to refuse to "utter their fingerprint", so to speak.
In any case, if the fingerprint isn't the same "testimony" as a passphrase, the suspect is not in violation of the law after 48 hours has elapsed, since "uttering their fingerprint" (as I'm choosing to style it) after 48 hours wouldn't unlock the phone any more anyway.
Providing a fingerprint isn't considered testimony, and the law doesn't currently make an exception for a fingerprint used as the equivalent of a passphrase. The fifth amendment protects knowledge, but not physical constructs like a fingerprint or DNA swab[1].
So, you can be compelled to provide a fingerprint, and the use that the fingerprint is put to is outside the scope of 5th amendment protections.
It's gonna get really interesting if/when neuroscience advances to the point where we can just read a passcode out of someone's brainwaves. I don't see any legal difference between the fingerprint case and the brain-scan case (both are measuring a physical aspect of the person) but it's going to completely bypass the fifth amendment.
Merriam-Webster defines "testimony" as "something that someone says especially in a court of law while formally promising to tell the truth." The Supreme Court has interpreted this very broadly, to include anything that requires accessing information from the mind. That's why some courts have held that passwords are testimonial. But to read it to include touching your thumb to a fingerprint sensor obliterates any meaning the word has.
The reason the courts find the production of passwords to be testimonial is that they are used to access potentially incriminating evidence the specific existence of which the prosecution is not already aware of.
Further, the Supreme Court Justice Clarence Thomas (with Scalia joining) said that the 5th amendment applies to, "compelled production not just of incriminating testimony, but of any incriminating evidence." https://www.law.cornell.edu/supct/html/99-166.ZC.html
The courts' definition of "witness" is what's relevant in addition to "testimony". Is your smartphone a privileged "witness"? I would think that to be the ultimate decision that needs to be made by the Supreme Court, and one that may in fact hinge on what person is next appointed to the Supreme Court.
You've described the state of the law as it is, but surely that doesn't address the issue of the law as it should be. I think that it is possible to be an intelligent but non-technical person and (EDIT: forgot the word 'not') realise that, all technical issues aside, the "something you know" and "something you have" parts of a password are on completely different legal footing; and I think that it is reasonable even for a technical person to wonder whether it should be so.
EDIT: I know that complaints about downvotes are not welcome, and it's quite possible that I'm wrong in what I say, but I'd like to be told how rather than just downvoted! My comment was meant to be a constructive contribution.
EDIT 2: Wow, these many replies help a lot! Thanks!
"Something you have" isn't part of a password, its an alternative, non-password factor; passwords are always "something you know".
There is a trend to use biometrics in place of passwords, which is a convenience feature which compromises security, even though it is often misrepresented as a security feature. (Using biometrics as a second factor helps security, but there is a big difference between "and" and "or" security measures.)
I agree with the comments below: a fingerprint is a username, not a password. I don't have a problem with compelling the provision of identification given an appropriate warrant; I do have a problem with compelling the provision of information held only in someone's head, with or without a warrant.
But it's not being used as a username, it's being used as a password. (Or rather, a username and a password.)
It's hacking to bypass even a trivial password, so similarly it should be unreasonable to compel disclosure of even a trivial password...
They don't need your usename - your phone assumes it's you and only asks for the password... The fingerprint that they're seeking is not a username, it's a crappy password.
"You've described the state of the law as it is, but surely that doesn't address the issue of the law as it should be."
Fingerprints and other things like them are 100% non-testimonial. The fifth amendment does not cover non-testimonial evidence (because it only covers being a witness against yourself).
This has been law since the amendment was enacted, was the purpose of it, etc.
So I suspect if you want the law to be something else, your problem isn't even with the courts or judges, it's with the founders :)
Not true. There is an adage that the government can force you to produce the key to a lock, but not the combination to a safe.
It just so happens that, today, the government can compel you to perform a physical gesture that, by proxy, happens to be used as a key on a device that normally accepts a combination. If it's been 48 hours since your finger was last applied to the Touch ID sensor on an iPhone, that "key" doesn't work any more. So, until the fingerprint is accepted by the courts as a "combination" (effectively, that's how the "common man" sees it, and which the courts treat as testimony-by-proxy) rather than a physical gesture (not testimony at all, and currently easily compelled), the only defense one has (if using Touch ID) is to stall for 48 hours.
> but I'd like to be told how rather than just downvoted!
It's probably in the tone of your comment, which (though it isn't the case) implies that there's something wrong with the laws.
I'd edit and rephrase in your position, especially since your criticism isn't of the law but is rather of the education of users. To your point: if users of devices could be educated in-device about the security of different identification and authentication schemes, the user could take better ownership of the security of said user's device.
> It's probably in the tone of your comment, which (though it isn't the case) implies that there's something wrong with the laws.
Rather than endorsing or decrying the law, I meant only to suggest that a simple, factual description of the state of the law, while non-controversial, also doesn't address the question of whether the law is appropriate. I am not at all sure that it is; but I am also a naïf in these matters, which is why I appreciate the many users who responded to my request for clarification.
> I'd edit and rephrase in your position, especially since your criticism isn't of the law but is rather of the education of users. To your point: if users of devices could be educated in-device about the security of different identification and authentication schemes, the user could take better ownership of the security of said user's device.
Indeed, I think that the point you make (and generously attribute to me) is a good one orthogonal to any questions of the law; whether the law is good or bad in any particular sense, it is as it is, and will be so enforced, and users should be educated as far as possible about this when choosing whether and how to secure their devices.
> Courts are not (and should not be) interested in "the law as it should be." They are to interpret the law as it is written.
I agree, but then neither are we the courts; and it is precisely the role of the commons to discuss the law as it should be, so that the legislative branch can, hopefully, enshrine that communal wisdom in the law as it is.
The OP states their opinion a couple of times, so surely that doesn't address the issue of the law as it should be. isn't a very good reply to what they said.
Thank you for the explanation. Aside from saying once that he was not bothered by this state of things, I took the poster to be mainly explaining the consequences of the law (don't act as if your fingerprint is as secure as your password) rather than specifically endorsing it.
I definitely wasn't just giving the current state of the law; I was offering the opinion that out of the pile of problems we do have with government overreach, surveillance, and lack of understanding of technology, this case seems perfectly reasonable and not worth worrying about.
I'm not bothered by the compelled production of a fingerprint, given the due process of a warrant; I don't see any obvious reason why someone should expect otherwise from the law, nor any right or reasonable expectation this violates, and I don't think the law needs to change in that area.
(I do see other issues associated with fingerprints, such as the retention of fingerprints from non-criminals cleared of all charges, but I don't see an issue that applies to this case.)
I am bothered by (attempted) compelled production of a passphrase. And I see those as significantly different cases.
You can be compelled to provide fingerprints based on a warrant; I'm unsurprised (and not particularly bothered) that you can be compelled to use them on your own device.
I thought that fingerprints were to be provided to:
1) establish biometric proof of identity
2) establish the presence of a person in a particular place
3) establish a person handled a particular object
Or does the law establish that the authorities can use fingerprints for evidence in any fashion? Could they use a scan of a fingerprint to etch a fake-fingerprint latex sheet to open your locked device?
I'm not sure where you're getting this list from. But, I think that #3 would be relevant in this case, as the person would have needed to handle the device to register their fingerprint.
Sorry, I guess I just read your phrasing to have more authoritative intent than you were going for. As I (also not a lawyer) understand it, there's nothing in particular that limits how intermediate/circumstantial pieces of evidence can be used/combined to find more evidence as long as each piece of evidence in the chain was acquired legally.
Providing a fingerprint (identification) is different from imprinting your finger to unlock a device. It's been upheld in the past that passwords/passphrases used to unlock encrypted content are considered to be testimony (because it leads to the acquisition and collection of possibly protected "testimony"), and thus protected by the fifth amendment.
In my opinion, there is no reason to see imprinting your finger on a sensor used to unlock your phone as anything other than an equivalent form of "testimony", and it should enjoy fifth amendment protection. I don't think it will be long before this exact definition finds its way to the U.S. Supreme Court.
Passwords have been interpreted to be testimonial because they require someone to tell authorities information in their mind. That is already a huge stretch of the 5th amendment. The purpose of the 5th amendment is not to prevent the collection of evidence. It is to mitigate the dangers of coerced confessions, which allow people to be easily convicted without evidence. It was never intended to be a general-purpose limitation on being compelled to cooperate in you own prosecution.
> Passwords have been interpreted to be testimonial because they require someone to tell authorities information in their mind.
That's not true. They've been interpreted to be testimonial because they are a part of a chain of events that results in the production of incriminating evidence that the prosecution isn't otherwise independently aware of. If the prosecution can't say "he has plans for the bomb on his laptop, I saw a photo of a detonator before he closed the lid", they can't force you to disclose the password to go looking for it.
On what basis? spdustin cites United States v. Hubbell elsewhere in this thread, but I don't think that case establishes that a defendant cannot be compelled to do anything that would be "part of a chain of events that results in the production of incriminating evidence that the prosecution isn't otherwise independently aware of."
Hubbell suggests that "being forced to surrender the key to a strongbox" does not violate the Fifth Amendment. Under spdustin's generalization, the strongbox hypothetical would violate the Fifth Amendment.
Hubbell is based on the idea that providing documents responsive to a subpoena is itself a testimonial act, because it is "necessary for [the Defendant] to make extensive use of 'the contents of his own mind' in identifying the hundreds of documents responsive to the requests on the subpoena." I don't see how the purely physical act of unlocking the phone is similar.
Honestly, given the circuit splits that exist here i think neither of us is going to convince the other. So i'll simply retract my "right", and move on :)
My understanding is that the "testimony" would be in the text of the password: compelling someone to reveal the password could be self-incriminating if _the password itself_ led them to additional evidence (e.g. a password of "I hid the revolver in the Conservatory"). [1]
I can't think of a case involving a fingerprint where there's a similar risk since the fingerprint is arbitrary data.
The case law thus far has stated that compelling the decryption of a data storage device really hinges on this: What evidence is known by the prosecution to exist? In several cases, when the defendant makes known that incriminating evidence exists, or when the prosecution is independently aware of the existence of incriminating evidence (they saw the screen before you locked it, and testified that what they saw was evidence of a crime), the defendant was rightfully forced to decrypt the storage device.
However, when the prosecution has no specific knowledge that the evidence they seek exists, US courts have ruled that the defendant cannot be compelled to decrypt the storage device, since doing so would be forcing the defendant to reveal that incriminating evidence actually exists.
Applying your fingerprint to an iPhone is an act that, without argument, decrypts data on an encrypted storage media, as the act of applying your finger to the sensor instructs the device to retrieve the actual cryptographic information necessary (your passcode/passphrase, plus other hardware-specific data) to access the cleartext of the data.
The more and more I think about this, the more confidant I am that a fingerprint, while "something you have", forces you to disclose, by proxy, "something you know" to your phone.
I guess the question then is twofold: If you have a combination safe that may contain incriminatory evidence, and a safety deposit box that contains only the combination to your safe, can the courts compel you to give them the key to the safety deposit box? And if so, should they be able to?
The issue there is that if you aren't really being plausibly deniable (using the fake login), then the court will realise this. For instance, if they know you were using that laptop 1 day ago, but the timestamps on the instance you unlock are all from 2 months ago, they may deduce you are pulling this stunt.
> You can be compelled to provide fingerprints based on a warrant; I'm unsurprised (and not particularly bothered) that you can be compelled to use them on your own device.
Always remember: your fingerprint is identification. You can be forced to identify yourself to law enforcement. Do not make it your password. Your password is something you know, not something you are.
I wholeheartedly agree. This is the same to all biometric data(fingerprints, retina scans). They should only be used to identification NOT AUTHENTICATION!
If you turn off your iPhone, you can't use it again without entering your password, and you would have to do that consciously. On the other hand, your phone could otherwise be unlocked with just your fingerprint.
"iPhone requires your passcode after restarting" vs "Touch ID requires your passcode when iPhone restarts"
Also, if Touch ID is disabled then putting a finger on the sensor does nothing, but if it's enabled it shows the passcode screen with the above message
Edit: with Touch ID enabled, if you slide to the lock screen without touching the sensor, it says "iPhone requires your passcode after restarting" but the title says "Touch ID or Enter Passcode"
And risk being charged with obstruction. Like perjury, it's naturally difficult to prove, but one should be aware of the risks before moving down that course.
No, I mean, disable Touch ID before any potential situation where the phone might be seized for any reason, not after a judge had ordered you to unlock the phone with a thumbprint.
The moment you believe the phone is going to be seized by law enforcement and you act accordingly to make it more difficult or impossible to retrieve data from it, you are guilty of spoliation / tampering of evidence. This is the same set of laws that makes it illegal to shred papers before law enforcement can get to them. Locking or erasing your phone is simply the digital equivalent.
Couldn't you also apply this argument to everything? The client turned on full disk encryption 5 years before this arrest because he wanted to make it difficult for anybody (including law enforcement) to read the content of the disk.
I think you could just argue that you didn't want the disturbed and/or wanted to save some battery.
> Couldn't you also apply this argument to everything? The client turned on full disk encryption 5 years before this arrest because he wanted to make it difficult for anybody (including law enforcement) to read the content of the disk.
No. The difference is that the action is taken to obstruct a specific investigation. Generally protecting information without regard to a specific investigation is not obstruction. Same as shredding papers years before they become relevant to an investigation is also not obstruction.
> I think you could just argue that you didn't want the disturbed and/or wanted to save some battery.
Like perjury, proving obstruction may be difficult. That doesn't make it any less illegal.
> The court's ruling noted that FBI forensic examiners were unable to get past TrueCrypt's encryption (and therefore were unable to access the data) unless Doe either decrypted the drives or gave the FBI the password, and the court then ruled that Doe's Fifth Amendment right to remain silent legally prevented the Government from making him or her do so.
So it seems like the law is a bit ambiguous on this front.
I think the idea of using fingerprints, retina scans, face recognition, etc. as an access token is a fascinating instance of how culture influences technology.
These things are very poor candidates for access control because you need fuzzy statistical/ML/AI/CV recognition techniques (which means you have to worry about false positives and false negatives), and it's basically impossible to re-issue credentials in case of a compromise (changing someone's fingerprints or facial characteristics would require performing plastic surgery on the user!)
But because of movies and TV, everyone "knows" that in the future we're supposed to have our technology unlocked by our fingerprints, so that's what drives people to buy and vendors to implement, regardless of how absurdly impractical it is if you actually stop to think about it for five seconds.
> But because of movies and TV, everyone "knows" that in the future we're supposed to have our technology unlocked by our fingerprints, so that's what drives people to buy and vendors to implement
I, for one, would love fingerprint unlock on my phone. And it's not for any crazy sci-fi expectation -- I just don't see any other method of unlocking my phone which could be as quick and convenient as that. Facial unlock is another possibility, but what concerns me about that is how easily someone could produce a picture of my face.
I don't think it makes that point well at all. It says that (kinda) but doesn't support the idea with any form of reasoning. In fact, it's a relatively minor point and not really the main point of the video at all.
If you had access to my phone you could learn a great many things about me (most of them banal) but there are many many many thoughts in my head that don't exist on my phone in any form.
Continued nerd insistence of your point is little more than fetishization of technology. There's a reason Obama used that word at sxsw. It connotes a level of obsession and overfocus that is, quite frankly, pretty creepy.
While it would not be cost-free against law enforcement (as they could charge with contempt/destruction of evidence and so on) I hope as this sort of thing happens more often it pushes Apple to respond with a native coercion code system rather then requiring a jailbreak. Security has been improving at a nice clip in the last 5 years after significant stagnation, and bringing coercion codes to the general public seems like the next straight forward, logical improvement. Apple seems to already have the basic system level infrastructure in place since they store and register each of the five fingerprints separately and fire off appropriate different system events, which is why a jailbroken device can have an imperfect but reasonably effective one. Apple though could make it more user friendly, and have it be not just for Touch ID but also using a PIN.
While law enforcement gets the most press, this is and growing threat from non-state actors as well as mobile devices become ever larger gateways to the public's private lives and finances. Apple would do everyone a service by blazing the trail here and sooner (iOS 10) rather then later.
This... makes sense. You can be compelled to produce your fingerprints, or a physical key, or really anything physical with a warrant. It's the issue of producing KNOWLEDGE from your mind alone that is really the issue most of us care about, or at least, it's a newer issue.
Maybe, but you get five tries before you get locked out, so even if your lawyer pleaded successfully with that, the judge could reasonably order that you try with, say, all the fingers of your right hand, or maybe both thumbs and index fingers, without forcing you to disclose that knowledge.
Yes, you are locked out after 5 incorrect prints. At that point, you need to use your passcode to unlock your phone.
That said, even if they guess that you're most likely to use your thumb, there is still a chance you can't unlock the device, especially on pre-6S devices, since the sensor is a lot more finnicky.
Chance. It'll stop accepting them after 5 attempts according to other posters in this thread. Combine that with the fact you don't know if it read properly or not you really don't have good odds that you'll succeed.
Touch ID is disabled when an iPhone initially powers on. So, if you want to prevent law enforcement compelling you to decrypt using your fingerprint, hold down the power button and then slide right to power off the phone. Now they need your password.
This, and other comments to the effect of purposely messing up your fingerprint to force PIN/password entry, are all technically effective. However, if you perform any of these actions after an encounter with law enforcement or the legal system has already started, it strikes me that your actions could be interpreted as destruction of evidence. IANAL, though.
Even using a PIN over a fingerprint is enough to piss off the FBI by making it more difficult to get in. If you're unlocking your iDevice with Touch ID only, you should consider your device insecure against even undetermined law enforcement.
It would be obstruction, not destruction. The evidence still exists, but you took steps to prevent law enforcement access to it. Destruction would be some sort of kill signal to the phone when they ask you to unlock it.
Your comment is purposefully obtuse and meaningless. Obstruction via exercising your 4th amendment right in the US is legal, because that's what being a right means. Refusing to comply with a court order to unlock your phone is still illegal.
PIN Code is also required when you fail to authenticate with Touch ID five times. So one could use the wrong finger a few times and that would solve the problem ;).
There should also be a timer that puts the phones into require-password mode. So after a few hours they'll need more than a fingerprint.
Maybe you should also have the option of setting up a "coercion fingerprint(s)", which if used to authenticate would put the phone into require-passcode mode. Then, if the court compels you to unlock your phone with your fingerprint, you can put yourself back into 5th amendment territory.
Actually, in that last case, you might already be protected. If 9 if your fingers will force your phone to require a passcode, and only one will unlock it. Could the courts/police force you to disclose which finger is the one that unlocks? I'd imagine you could put them in a situation where they have to chose which finger you use (or manipulate your hand themselves) to perform the unlock action, and in that case they'd only have a 1/10 chance of actually getting what they want.
I shut off my device before every security checkpoint (i.e., airports) or whenever I get pulled over. Only takes a 5 seconds - inconvenience is worth it.
This was a search warrant issued at the time of her arrest (within less than an hour according to the article). The woman subsequently pled 'no contest' to the charges and unlocked her phone.
In short, this doesn't mean this is a settled issue - none of this has been tested in court.
Legal niceties take much longer than this. Once 48hrs is passed your fingerprint is useless to unlock the phone. At that point there is nothing they can do since they cannot demand you give them the code. A finger is part of your body, the passcode is only in your head.
In general, one of the only reasons you won't be forced to type in your password is if the act of proving you have the password is somehow incriminating (IE there is a dispute over ownership, etc).
Hold the phone (heh): Touch ID is disabled after 24 hours, how in the world did they get a warrant to do this within that time frame? It says in the article that the phone was seized on Feb. 25.
The warrant was issued when she was arrested - it would not be at all unusual for police to get warrants for things discovered during an arrest, nor would it be unusual for them to be prepared to request one.
Curious, what would happen if you purposefully damage your fingerprint? Say by forcing a burn on your finger using a stove top or car cigarette lighter.
That's a pretty painful option compared to just handling rough objects. I've rendered touchID almost entirely ineffective just by grip taping a skateboard.
The answer to your question though is that, at least on the phone's side, it would require your passcode to login
Well, that would hurt, and you would have to permanently damage the entire fingerprint-- as only a small section of the scanned print is really needed to make a match.
IANAL: but I would imagine a sour faced judge could call it contempt or maybe destruction of evidence depending on the circumstances?
The purpose of the right against self-incrimination is to prevent forced confessions and torture. With that in mind, it makes sense to draw a line between compelling someone to provide their fingerprint or DNA and forcing someone to divulge something they know. When the state has the right to make someone talk, how does it go about it? Also, it's impossible to know whether someone actually knows the passcode to a device, so someone could end up imprisoned indefinitely just for forgetting a password.
Once they can read minds, what then? And this isn't just science fiction; I've read reports that a persons inner monologue is soon to be accessible because when you talk in your head, it causes ever so slight commands to be sent to the voice box, which in turn reacts slightly. Not enough to produce sound or even be noticeable to a person, but which technology is being developed to pick up on.
A judge can have you force fed, put into a straitjacket and spitguard, or have people put their fingers up your asshole and vagina. The idea that they can't get you to touch a piece of plastic is absurd. I'd be surprised if they wouldn't sedate you in order to do it. As someone who has been anally probed by the state, I find it pleasantly surprising that they even think they need a warrant to force you to put your finger wherever they want.
Do passwords really need to be simplified? Do we invariably have to envision the future as a place where we wave our arms around beams of light and gently touch secret symbols to make things work? Isn't that just a juvenile fantasy of being a magician? Was Excalibur the first touch ID?
Edit: the question is a legal trap to kept from being held in contempt. After 2 or 3 scans, the device demands a password. By asking which finger, they have a 20% chance of getting right finger.
No, they have 5 tries, and most people use at least 2 fingers (I use 3) so you can unlock it with both hands.
Furthermore, most people use at least their thumb. So if the judge said use your left and right thumb, the chance of succeeding would be a lot higher (statistically speaking). If you use, let's say, your pinky finger, the chance of a judge guessing the right fingerprint is even lower because he will try out the most obvious choices before that.
I think what's interesting is they're forcing her to verify that it is in fact her phone or that she had access to it. Now, in the case of a phone it likely wouldn't be hard to prove that other ways, but what if it was an otherwise unidentifiable device? It would force her to effectively testify she owned it when the police might otherwise not be able to prove that.
Mine won't accept my right thumb after a day or so. (other fingers seem to be ok though) Probably due to diabetes and the way my medical condition causes clubbing of the fingers (I just re-add that thumb over and over)
If she ate a bunch of salt and swelled up a bit, it might have the same affect. Providing the finger scan isn't the same as promising it unlocks.
This doesn't seem that remarkable. It's one thing if you have the combination to a safe and won't give it up; the police will have to get into the safe some other way. On the other hand, if it locks with a physical key which you happen to keep on your belt, I doubt any court would think twice before ordering you to hand it over.
The Constitutional right to not incriminate oneself was originally intended to prevent the government from engaging in Star Chamber-style interrogations, i. e. using physical force to extract information from a person. This case frankly doesn't seem any different from such forcible extraction.
Don't the cops already have her fingerprints? This is partly why biometric authentication is useless. You're supposed to change passwords frequently. How do you change your fingerprints? Who chooses a password the cops already know, and anyone else who knows you has access to?
As with most duress mechanisms, one would have to judge whether using it was better or worse than not -- I suppose ideally one would have two, one of which simply reenabled the passcode and would have some deniability (this is effectively already possible by using a nonstandard finger, unless LE has witnessed previous successful unlocks and can identify the finger which should be used), and one which initiated a wipe of the phone.
For me, the ongoing question that needs to be addressed by the court is this: Is the content of your smartphone considered to be documentary evidence (something you have) or testimony (something you know). I know I'm mixing definitions of the something you have/know combination, but it's a difference without a distinction, IMHO.
I tell my phone, either directly or indirectly, all sorts of things that I would not otherwise document. Locations I've visited, for example. That's something that, unless I've been surveilled, only I know. By unlocking the phone, have I allowed access to documentary evidence, or have I allowed access to an extension of my mind?
Is a smartphone a privileged companion? Like an attorney, or a doctor, or a partner? The spousal communications privilege in the US protects the personal conversations I have with my wife from being disclosed via compelled testimony. If she tells me that she committed a crime, or vice-versa, the recipient of that communication cannot be compelled to testify against the utterer.
Further, spousal testimonial privilege means that she could not be compelled to describe her observations if they may incriminate me.
We have similar affordances in the US for communications with legal counsel, or with medical personnel.
I'm going to go one step further and say that 95% of you, dear readers, tell or otherwise provide secrets to your phone that, if you somehow had to communicate to an actual person, you'd only be willing to tell your spouse, your doctor or your lawyer. To me, that makes my smartphone a privileged confidant. And because it routinely collects information that I do not directly provide it, even though I'm capable of observing and remembering it myself, it acts like (and I treat it like) an extension of my mind. An augmentation that increases the capacity of my own brain's memory.
I'm not in the habit of committing crimes, though I (like most of you) have committed some infractions in the past (speeding, "TP-ing" a house, a bounced check - ahh, the indiscretions of youth). But the knowledge in my head and the communications I have with privileged recipients may, if taken out of context, be used as documentary evidence supporting any number of charges against me.
For example, the fact that I went to Home Depot four times in one week over a year ago could support the charge that I had assembled some device that was later used in a violent crime. That's a scary place to be, isn't it? To know that you did nothing wrong, and yet the vague memories you have of visiting Home Depot last year have potentially been documented more thoroughly by your phone. Is the common man supposed to assume that a smartphone they bought just so their kids can FaceTime with their grandmother 1,500 miles away is silently surveilling them, and can be forced to disclose all manner of information about them?
It's a new world, and the laws of the land are old. Legislation moves at a snails pace already, but compared to the rapidity of technological advancement, the law moves like the pitch drop experiment.
I don't think you understand the legal justification behind the 5th amendment. It has nothing to do with the contents of your mind being private. It is a protection against forced confessions via torture.
A long time ago it used to be common to torture people until the admitted to committing a crime that they did not commit just to stop getting tortured. By making this sort of testimony inadmissible it removes the incentive to torture.
The various restrictions against law enforcement whether it be the 5th amendment or anything else all exist for specific reasons. They aren't just there to make law enforcement's job harder and as a general privacy protections. Extending these rules beyond the justification for their existence (as you attempt to do in your comment) isn't supported by legal precedent.
From a legislative perspective, that's the outcome I'd most want: people's private smartphones are privileged, full stop. Otherwise, it becomes yet another thing we have to worry about.
I find the ongoing case of someone being jailed indefinitely for refusing to supply a passphrase far more concerning than someone being compelled to supply a fingerprint.