MENU

Reason.com

Free Minds & Free Markets

DOJ Uses Vague Court Request to Try to Demand People Unlock Any Fingerprint-Locked Phones

Amid debate over encryption access, feds try to just sneak right through.

FingerprintCredit: CPOA / photo on flickrFun fact about fingerprint lock "Touch ID" system on iPhones or iPads: If its owner hasn't unlocked his or her device in the past 48 hours, it reverts back to a passcode system. This means if a phone gets, for example, seized by authorities of some sort and locked away, there's a window through which they can physically make its owner unlock it before they have to get a numerical passcode.

That may explain why, in a federal warrant uncovered by Forbes' Thomas Fox-Brewster, the Department of Justice attempted to get a judge's permission to attempt to force people to unlock any Touch ID-locked phones at the scene of the search itself.

This was a search of a home in Lancaster, California, last May, and while Fox-Brewster wasn't able to get his hands on the warrant itself, he was able to track down a very particular and concerning request. The Department of Justice wanted:

"authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant."

To simplify, the Department of Justice wanted to force anybody on scene with a fingerprint-locked phone or tablet to open it then and right there so they could review the contents.

There's two issues here: One, can authorities force somebody to provide a thumbprint to unlock a phone; two, even if they can, can the authorities just demand access to every device connected to a search scene without any proof it's connected to any crime?

For the first question, so far judges have been inclined to allow authorities to provide a thumbprint and do not believe this violates Fifth Amendment protections against self-incrimination. At least that's how things stand so far.

As for the second question, based on the vagueness of the memo, legal scholars were not impressed:

"They want the ability to get a warrant on the assumption that they will learn more after they have a warrant," said Marina Medvin of Medvin Law. "Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted."

Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: "It's not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.

But we don't know exactly what was in the warrant so we don't know how specific the request was. Forbes tracked down the recipients of the warrant to determine that it was indeed served, but they wouldn't say much other than to say that nobody there had been accused of involvement in a crime.

Assuming they're telling the truth, the Justice Department's behavior is even more of a concern, because they used the vaguest possible justifications to try to access private data on devices that may have had absolutely no connection with any sort of crime. And we don't know how many times the Department of Justice (or another law enforcement agency) has attempted this method. Or even whether they succeeded. But it does make it clear that the federal government is going to quietly do whatever they can to get around private data security unless they're told otherwise by judges.

Read the memo over at Forbes here.

Photo Credit: Credit: CPOA / photo on flickr

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Mr. Dyslexic||

    WHAT THE FUCK!?

  • Jayburd||

    Frilly pink things make my things get hot.

  • Bubba Jones||

    Yes, as soon as the flash bang goes off, be sure to frantically stick your hands in your pocket and pull out something the same 2D size as a J-Frame.

    No, thanks.

  • Uncle Jay||

    RE: DOJ Uses Vague Court Request to Try to Demand People Unlock Any Fingerprint-Locked Phones
    Amid debate over encryption access, feds try to just sneak right through.

    Hey, the government is doing this for their own good...and for the good of the politically connected.
    The State would never do anything that would that infringe on the rights of the little people.
    US history has shown that time and again.
    You just need a little faith in those enslaving us all.

  • Hugh Akston||

    So what happens if you withhold your thumb in spite of this order?

  • Jayburd||

    Men in black cut it off.

  • Diane Reynolds (Paul.)||

    I wonder if for those of us who (unfortunately) have our fingerprints in a government database, if there's a Mission-Impossible-ey way of using that file fingerprint to unlock the phone.

    I suppose some sort of scotch tape and/or glue would be involved.

  • BYODB||

    Yeah, it's a pretty shitty finger print scanner so it should be possible with even a small amount of white devilry.

    I've been thinking about this for a while since I bought a phone that can do this (Android). On one hand, it's invaluable while driving when I want to change the song on Pandora. On the other, it's a pretty simple matter to be physically overpowered and forced to open your device.

    I'll have to find the setting mentioned above where the devices requires a passcode on boot. That sounds like the best blend.

  • Bubba Jones||

    You can skip a song without unlocking the phone.

  • ||

    I suppose some sort of scotch tape and/or glue would be involved.

    As far back as 2002, I can recall fingerprints being scanned in, lithographically printed onto diy-PCBs, and then cast in gelatin or latex for an 80+% success rate at < $10 and ~30 min. worth of work.

    Apparently, even handing someone a gummy bear was sufficient for a decent success rate. My understanding is that, subsequently, detection of actual finger artifacts other than the prints has gotten more robust in high-end devices. However, the lithography and more optical based methods of cracking the phone can/should still be able to overcome sufficiently advanced recognition.

  • ||

    Haven't the police/government been lifting peoples' fingerprints on the assumption of finding more information about them for at least a century?

    Not that I agree with the practice, just wondering why we expect this one to go any differently or, even if it does, why the cops still can't detain everyone for 24 hrs. and/or lift the prints off of public property the old fashioned way.

  • ||

    Because a "lifted" fingerprint can't be used to unlock a phone, AFAIK. This is requiring people to potentially incriminate themselves. Including people who just happen to be at an address where a warrant is executed. Remember that warrants are not always issued for the correct addresses. Etc, etc.

  • ||

    My understanding that even with the best readers and sophisticated/learned anti-spoofing algorithms, you either routinely lock your legitimate users out of their devices or incur a successful spoof rate in the 20-30% range from even relatively simplistic (e.g. gelatin-based) spoofing methods.

  • Crusty Juggler||

    Assuming they're telling the truth

    Ha!

  • Pro Libertate||

    Are they in the law enforcement business, anymore? I thought they were a PAC now.

  • Diane Reynolds (Paul.)||

    Look, I appreciate you being back more than anyone, but if you're going to be back, be back, 'cause I can't take the emotional rollercoaster any more.

  • Pro Libertate||

    Too busy for a full return. Besides, the Urkobold forbids it.

  • Diane Reynolds (Paul.)||

    I wouldn't know because I don't have the golden ticket.

  • Jake Stone||

    Really really simple, people. Don't break any laws, don't associate with unsavory characters, and then when they search your phone/tablet/laptop/house you can breathe easy.

    What's so hard to understand about that?

  • JWM||

    Were you being sarcastic Jake Stone?

    Right-the old stupid-"well if you haven't done anything wrong, you don't have anything to hide" argument.

    Please, privacy is a human right and one of those inalienable rights referred to in the Constitution.

    Or as Bill Burr and others have said-"when I go to the bathroom, everybody knows what I'm doing in there, but, I still close the door."

    So yea, my wife and I use the fingerprint id on our phones. And if we're every arrested or worse "detained" they're not getting any passwords from us.

  • Longtobefree||

    If you live in the wonderful land of America, and have any level of personal cleanliness as part of your makeup, and kitchen facilities with food, I know that you have bomb making material present in your dwelling. So you have broken the law and have a lot to fear. If you have small food storage bags and a stapler, or (God forbid) a razor/pocketknife, you have drug paraphernalia sufficient to be arrested for dealing. So you have broken the law and have a lot to fear. To say nothing of having actual cash; you know, the stuff only criminals use for business, that needs to be forfeit to the local constabulary, because it is related to the crimes listed above. So you have broken the law and have a lot to fear. Now quit resisting.

  • kbolino||

    Also, don't be an attorney, a client of an attorney, a wife, a husband, a doctor, a patient of a doctor, a trustee, a fiduciary, ...

  • Jake Stone||

    Oh sure, more libertarians who want to smoke weed at their house. Put down the bong hipsters and you'll be fine. Geez

  • Juice||

    Fun fact about fingerprint lock "Touch ID" system on iPhones or iPads: If its owner hasn't unlocked his or her device in the past 48 hours, it reverts back to a passcode system.

    So...basically defeating its entire purpose.

  • Griffin3||

    On android, there should be a firmware variation that let's you unlock with one fingerprint, and wipes the phone when given another fingerprint, while still presenting the home screen. Winter coding project, anyone?

  • Mike!||

    You don't have to use your fingerprint, you can use a knuckle or just about any other part of your body. Some dude even demonstrated it works with a nipple. If asked to unlock, simply claim it doesn't work or you don't use it in the first place.

  • ||

    There's an old trick/axiom that people only look so far as what they're looking for. If you generate a human corpse, bury it unusually deep and below an animal corpse. Dogs and officers both will only dig so far as to find the animal corpse and go on about their business.

    Passcode the whole device and keep a cache of obviously adult porn under the fingerprint reader's lock while storing the passwords to the Swiss Bank Accounts that keep your child sex trafficking prostitution network afloat encrypted and under password on your SD card (or, you know, not on your person at all).

  • Longtobefree||

    Use the duress code to "unlock" the phone when coerced by any level of "authority". You know, the one that does a factory reset and then reassigns the code to four random digits.
    Unless you actually believe this part: "and falls within the scope of the warrant."
    Since they cannot possibly now there is a fingerprint enabled device on the premises, no device can fall within the scope of the warrant.

  • Bubba Jones||

    Hmmm. I have a duress code on my house alarm. Don't see one on the iPhone... searching...

  • np||

    I have been saying that biometric security poses a danger to the user. Of course people would think you're a tinfoil nutter for saying that. Nonetheless this law enforcement action demonstrates what is known in the industry as rubber-hose cryptanalysis. And unlike passwords, you cant change your fingerprint or iris. Biometrics is essentially a way the state can travk people and provides a backdoor through your body

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online