You lock up your phone so other people can’t access it. But how you lock your phone is an important factor in whether law enforcement can compel you to unlock it. Apple’s year-old Face ID system is no exception. On Sunday, Forbes reported the first known example of law enforcement anywhere using a suspect’s face to unlock a phone during an investigation.
The question of whether cops can force someone to unlock their phone in the US for a search hinges on Fifth Amendment protections against self-incrimination—that no one “shall be compelled in any criminal case to be a witness against” themselves. Privacy advocates argue that this extends to the act of unlocking a phone or generally decrypting data on a device. But while that line of thinking has succeeded as a defense against having to produce a passcode, it works less reliably in the context of Touch ID or other biometrics. Something you know, like a passcode, is easier to view as testimonial—legally speaking, a statement made by a witness—than something you have, like a physical attribute.
“Big picture, a warrant is required for the search of a device except in certain circumstances at the border,” says Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. In the newly reported Face ID case, police did have a warrant to compel 28-year-old Grant Michalski of Ohio to unlock his smartphone, and Michalski has gone on to face child pornography charges.
“The next question is whether a person has a right against self-incrimination in providing the tool that law enforcement would use to search the device—a password or a fingerprint or a face,” Nojeim says. “For the issue about whether you can be compelled to provide your fingerprint or your face, so far the courts are ruling that fingerprints and faces are not testimonial, and therefore there isn’t a Fifth Amendment violation. In terms of whether compelled disclosure of a password is a violation of the Fifth Amendment, the majority of courts are saying it is.”
“You should understand that you do have the power to withhold your passwords from law enforcement.”
Which means that in Michalski’s case, the seemingly remarkable instance of unlocking a suspect’s iPhone by pointing it at his face was likely entirely straightforward for police. “It’s not at all surprising to me that this happened. In fact, it seems as though Face ID opens up less invasive ways for police officers who have authority to access data on a phone,” says Ahmed Ghappour, an associate law professor at Boston University who specializes in cybersecurity and criminal law. “There might be less intrusion and physical coercion with forcing a faceprint versus a fingerprint.”
Until a definitive court decision, though, if you’re at all concerned about compelled unlocking of your phone, you’re better off using a strong six-digit passcode than your fingerprint or face. Just don’t count on that to protect you in all situations, because there are case by case circumstances that can impact the chance of a successful Fifth Amendment defense.
A crucial caveat to Fifth Amendment protections in general is something called the “foregone conclusion” doctrine, which essentially says that if prosecutors already know a piece of information, that information is not protected by the Fifth Amendment, because it can independently be proven true. This means that testifying to confirm it is not self-incriminating. US courts have issued mixed decisions on how to interpret applying the foregone conclusion doctrine to compelling a person to produce a passcode.
Regardless of how law enforcement might get in, though, legal analysts agree on one thing: If a person’s device isn’t locked to begin with, there’s no barrier at all to getting access, legal or otherwise. So you might as well slap a passcode on there. “There’s a large number of people who don’t protect their information at all by putting a password or other protection before law enforcement or a thief could get it,” CDT’s Nojeim says. “That’s still very common, and people need to pay more attention to securing data as much as they can.”
Read the full article at Wired