Suspect must use finger to unlock phone, as debate shifts over device privacy

4 Comments

Credit: Apple via 9-to-5 mac

Not long ago, police could search a cell phone whenever they liked. The Supreme Court, however, put a stop to that this summer with a 9-0 ruling that requires cops to get a warrant before they can access the trove of evidence — contacts, photos, videos and more — that now resides in every person’s pocket.

For police, though, that warrant rule is now one of two obstacles standing in the way of a search. The other is the new prevalence of passcodes, which most people use to lock their phones, and which are harder to get around than ever before thanks to expanded encryption. The result is a new controversy over when cell phone users must assist the police.

It goes like this: the Fourth, the Fifth

Recent legal battles over cell phone searches have focused (correctly) on the Fourth Amendment, which is how the U.S. Constitution protects people against unreasonable search and seizure — specifically, by requiring cops to get a warrant for performing most type of searches. In light of the Supreme Court’s recent ruling, however, that question has been largely put to rest.

Now the debate is turning instead to the Fifth Amendment, which protects suspects from having to testify against themselves. While the historical right to “plead the Fifth” is well understood (it prevented soldiers from getting a confession by beating someone up), its role when it comes to cell phones is less obvious.

But as it turns out, it’s the Fifth Amendment that’s central to answering the question of whether cops, provided they have a valid warrant, can force a suspect to unlock a phone — and whether the act of unlocking is an illegal form of coerced evidence.

A court ruling in Virginia directly addressed that question last week, and the answer is unusual: if the phone has a “touch-to-unlock” feature, suspects must use their finger or thumb to unlock the device (or otherwise provide a fingerprint that will let police do so) but, thanks to the Firth Amendment, they can’t be compelled to turn over the phone’s passcode too.

For now, the effect of the ruling will be limited since only a handful of newer cell phone models, such as the iPhone 6 and the Galaxy S 5, have the touch ID feature. But it could soon have broad implications at a time when device makers of all stripes are moving to biometric authentication systems.

News of the ruling was first published last week by the Virginia Pilot, but now the ruling itself is now available. The decision, and related commentary by legal bloggers, provides more details about the distinction between the two types of unlocking, and how it relates to the larger debate over encryption.

What is “extortion of information?”

The Virginia court case is about videos on a man’s cell phone that allegedly show him beating and having sex with [RAPING?] a woman. The police used a warrant to seize the phone but could not view the videos since the cell phone was locked by a US constitutionpasscode, and the man refused to unlock it.

In ordering the man to provide a thumbprint, the court said giving a print was no different than other physical acts that police routinely require:

“Even though the act may provide incriminating evidence, a criminal suspect may be compelled to put on a shirt, to provide a blood sample or handwriting exemplar, or to make a recording of his voice,” wrote the court, citing a Supreme Court case from 2000 (my emphasis).

It turns out, though, that such actions are legally distinct from those that force a suspect to “disclose the contents of his own mind” by, for instance, telling the police a secret password. Requiring such disclosure, the court noted, amounts to “extortion of information” that basically requires a person to testify against himself in violation of the Fifth Amendment.

The Virginia man will have to provide a fingerprint or go to jail for contempt of court, but will not have to have to tell the police the passcode.

Legal scholars so far have applauded this decision and the distinction it draws between physical actions and “contents of [the] mind.” But for future police investigations, the “fingerprint versus passcode” code could just make things more complicated than ever.

Power of passcodes

The “fingerprint” rule appears to give the police the upper hand when it comes to unlocking phones, but that’s hardly the case. As Ars Technica notes, a suspect who sees the police approach could simply hit “reset” on the device, an action that requires the phone to be then unlocked by a passcode rather than a fingerprint. Worse, from a police perspective, is that some phones also require the passcode if a phone hasn’t been unlocked within 48 hours — which means that, in some cases, it may be too late to access the phone even if the cops have a print.

All of this suggests that, even as fingerprint-enabled devices become the norm, the old password-protected rules are likely to provide a bulwark for civil liberties all the same. And those protections are set to be even stronger in light of Apple and Google’s recent decision to encrypt devices in such a way that even the companies themselves can’t comply with a court order to unlock them.

This raises the question of what police will do if more and more mobile phones become impossible to access. Leaving aside Cellebrite and other secret cracking tools reportedly used by the likes of the FBI, one workaround for everyday cops could come in the form of a different type of legal order: one that requires the suspect not to disclose the passcode, but to enter it himself.

According to law professor Orin Kerr, writing for the Volokh Conspiracy, this gets around the Fifth Amendment problem:

Because the passcode itself could be incriminating, the smart way to limit the Fifth Amendment problem is for the government to ask for an order compelling the target to enter in the passcode rather than to divulge it to the police. That way, the government gets the unlocked phone but never gets the passcode. If the defendant has to enter in the passcode rather than tell it to the police, the testimonial aspect of complying would only be admitting knowledge of the passcode, which would very likely be a foregone conclusion in a case where the phone is used heavily by that person.

This “solution” will likely prove appealing to the law enforcement community, but it’s unclear if everyone will accept it. A primary obstacle is that “compelling the target to enter in the password” appears akin to the sort of forced decryption that courts have already likened to illegal self-incrimination. Indeed, civil libertarians like the EFF’s Marcia Hoffman appear to suggest that Kerr’s prosed work-around would be unconstitutional.

Likewise, Kerr’s suggestion is hard to reconcile with other court decisions, cited by the Virginia ruling, that draw a distinction between requiring a suspect to turn over a key (legal) versus opening a wall safe (a Fifth Amendment violation). How is entering the combination for a passcode different from that for a wall safe?

For now, it’s worth keeping in mind that the decision from Virginia is just a state court ruling that carries no larger precedent. But the dilemma it explores makes clear that the legal debate over cell phone privacy is far from over — and that it has merely shifted one line further down the U.S. Constitution.

Fingerprint Unlock Ruling

4 Comments

Chuck Bond

All that is needed to eliminate this question of the sanctity of fingerprint secured phones (and to prevent clever 7 year old children from applying their sleeping parents finger to the Touch ID), is a slight addition to the iOS button logistics. From a locked phone, make a quick two or three presses on volume buttons reset Touch ID to a “just powered on” condition. This will require the passcode to be entered rendering the fingerprint question moot,

Joe Belkin

Two things. On an iPhone, after you tap on the home button to activate it, if you hold your finger on the Touch ID it unlocks the phone BUT if you press again, it launches the code typescreen so it seems difficult for a cop to force you to touch the home button but NOT press it twice – so you can refuse to type in your code then AND/OR if you have 10 FAILS ERASES THIS PHONE active, then you just need to attempt to access it incorrectly 10 times – whether via the wrong fimger or a bad passcode typing. So if you really know what you are doing, you’re covered.

stuartlynne

The decision also apparently does not address the fact that only the phones owner knows WHICH finger(s) will work. So the court is still requiring disclosure of some information or knowledge only known to the suspect.

This is important because use of the incorrect finger print will (after a small number of tries, e.g. 5 for iPhone) disable the use of finger prints to unlock.

So while the court could compel the use of a finger, only the suspect knows which finger. And that then requires his special knowledge.

Jeff John Roberts

That’s an interesting point, stuartlynne. I wonder if that would actually work in practice — a suspect thwarting the order by applying the wrong fingers — and what the fall out would be (would that be contempt? Or would, as you suggest, a demand for the “right” finger cross over into the “internal mind”?)

Comments are closed.