Ninth Circuit: 5th Amendment Doesn’t Cover Compelled Production Of Fingerprints To Unlock A Phone
from the passcodes-ftw dept
As case law continues to be developed, it continues to look as though the best way to hold onto your Fifth Amendment rights is to secure your devices with a passcode.
There’s no solid consensus at this point, and the Supreme Court has yet to set precedent, but unless law enforcement really screws up while linking an arrestee to a seized device, most courts appear to feel that producing a fingerprint to unlock a phone is pretty much the same thing as producing a fingerprint when being booked. It’s “non-testimonial” — a biometric marker that not only can be used to identify you, but used against you to give law enforcement easy access to an encrypted device.
That’s the decision the Ninth Circuit Appeals Court has reached. The decision [PDF] handed down earlier this month says the Constitution simply does not apply here.
The panel held that the CHP officers did not violate Payne’s Fifth Amendment privilege against self-incrimination when they compelled him to unlock his cell phone using his fingerprint. Payne established that the communication at issue was compelled and incriminating. The panel held, however, that the compelled use of a biometric to unlock an electronic device was not testimonial because it required no cognitive exertion, placing it in the same category as a blood draw or a fingerprint taken at booking, and merely provided the CHP with access to a source of potential information. Accordingly, the Fifth Amendment did not apply.
Now, there are a couple of details to this case that may make this a little less open-and-shut than it initially appears. The defendant, Jeremy Payne, was a parolee subject to certain search conditions, which limited his Fourth Amendment protections. A special search condition required Payne to surrender any electronic devices and their passcodes when asked by law enforcement. It did not, however, require him to unlock them using a biometric identifier.
However, the court said it’s pretty much the same thing in this case: he was required to unlock devices, which meant the compelled application of his fingerprint to the phone when stopped by CHP officers followed the spirit of the search conditions, if not the actual letter. It also held that this warrantless search of Payne’s phone during a traffic stop did not violate the Riley decision because — at least according to the Ninth Circuit — Riley’s warrant requirement does not apply to parole searches.
Given this, there’s still a chance the Ninth Circuit could decide compelled production of biometric markers does violate the Fifth Amendment in other cases where parole search conditions aren’t involved. But it would take a very specific set of details to obtain this ruling and, like this one, the ruling would not generally apply to compelled fingerprint production, since it’s clear the court here feels it’s no different than compelling fingerprint production during the booking process.
If Payne decides to appeal this, the Supreme Court could decide to set precedent on this issue. But even if this is appealed, it seems unlikely the nation’s top court would find this set of details broad enough to feel comfortable establishing precedent that could possibly affect all Americans, not just those subject to special search conditions while on parole.
So, while this decision certainly doesn’t work out for Jeremy Payne, it’s narrow enough that compelled production of fingerprints is still a question open enough it may be reconsidered by this same court at some point in the future. But from what we’ve seen so far while following this issue, the best way to retain your Fifth Amendment rights is to secure devices with passwords/passcodes rather than some part of your body.
Filed Under: 5th amendment, 9th circuit, compelled production, fingerprints, jeremy payne
Comments on “Ninth Circuit: 5th Amendment Doesn’t Cover Compelled Production Of Fingerprints To Unlock A Phone”
My bank is going to start requiring biometrics to use their mobile banking app.
I just will not use it, a d only use the website after they start requiring biometrics on the mobile app.
It had been known for a long time you can be compelled to unlock your phone if you have a biomteric unlock.
Biometrics are fine as account IDs.
Biometrics should never be used as account passwords.
Re: Different passwords everywhere!
If someone steals your (non-biometric) password, they have access to the accounts you’ve created that use that password.
If someone steals your biometric password, well, you’re screwed in ever using that biometric again.
Of course, if they steal your biometric (as in “Greetings, Warden Smithers!”), you’ve got worse problems to worry about. Honestly, don’t tempt people to go this route.
And as the subject line says, it’s difficult to have different passwords if they’re based on the same biometric.
Re: Biometrics as IDs
The problem is, I don’t think Apple or Android allows biometrics to be used alongside a password. It’s one or the other to sign in, not both.
My devices have the capability for bio, all disabled. I just live with being annoyed when my phone, allegedly smart-unlocked because I’m at home, requires me to (randomly, I assume) sign in for the fifth time in as many minutes.
Re: Re:
Same here. You can easily get my biometrics from my fingerprint or thumbprint after knocking me out (for example), but it’s a much harder task to get my passcode from my brain when I’m unconscious.
Re:
No. Biometrics are NOT fine as IDs, which is why I’ve banned their use company-wide. They’re immutable (absent surgery and similar actions) and immutable IDs are a worst practice in security.
If your phone supports it, you should also turn on “booby trap” mode where if they try to brute force it the phone will wipe itself and reset after too many failed attempts
Also your phone cannot be set up again without your Google password. Your phone becomes nothing more an expensive paperweight on a cops desk.
Using this mode does not break the law anywhere in Canada, Mexico, or the USA
Re:
Of course: Circumstances may result in you being compelled to provide your google account credentials to the same extent you could be compelled to unlock your phone with a password.
However, boobytrapping your phone is of limited value. It will stop the low tech crook… er cops, but not the high tech ones. The high tech ones image your phone, and can revert to a stored image to continue cracking. This is why you don’t rely on just a 6 or 8 digit password.
Re: Re:
There’s quite a lot of value in things that stop the low-tech crooks. Depending on who you are, that may be all that you need (or a risk you’re willing to accept).
Re: Re:
This also wipes the phone before resetting so anything that was there is GONE and cannot be recovered. This booby trap mode also does a secure wipe so what was there is gone for good and can never be recovered
I think the problem facing us is that fingerprints have a long history as an identifier, but up until the advent of biometric authentication (eg. unlocking a phone with a fingerprint) they didn’t establish ownership of whatever they appeared on. That took additional work by the police to establish, eg. that not only were the defendant’s fingerprints on the murder weapon but that either there were no other (even unidentifiable) fingerprints on it or nobody but the defendant could have had access to the murder weapon at the time of the crime. Biometric authentication changes this. Since only the owner of the phone could have set it to unlock using the fingerprint in question, the mere fact that the phone unlocks when presented with the suspect’s fingerprint establishes that the suspect owns the phone and the information residing on it and it establishes that the suspect placed the information there (since you’d need the phone unlocked to put anything on it and only the suspect could have unlocked it). Moreover, the police couldn’t have shown those things based on any other source since all other methods of identifying the phone don’t establish that the suspect had access to it when the data was placed on it (even if you establish that the IMEI and IMSI belong to the suspect’s account, he could have lost or damaged the phone before that and you can’t prove otherwise just from that).
I’m afraid the only way to attack the forced production of fingerprints is going to be to find an example of physical objects whose mere possession is taken as identifying the suspect as the owner of whatever they open and that the courts have ruled the suspect can’t be compelled to produce.
A warrant should be required for all smartphone searches.
It really is weird how security features are only one-way. For instance, how it’s legal to DRM content so it can’t be copied / distributed legally, but it’s illegal to remove or bypass DRM in order to copy / distribute content for legal purposes.
Similarly, police can engage in searches so long as they aren’t blocked by some kind of security device. I’d equate poking through someone’s unlocked phone with walking through the unlocked front door of their house: A law enforcement officer shouldn’t be allowed to do that without explicit opt-in consent from the owner.
So if an officer finds a phone, and pokes around past the lock screen, evidence from that phone should be inadmissible in any case. Should be.
Once a warrant is in place, fifth amendment protections should apply to all capacities to open a security system. We know law enforcement can sometimes bypass passwords (and currently, they do often without a warrant). When it comes to biometrics, if the owner doesn’t want to unlock the phone, they should not be compelled on same grounds of compelled confession, since the point of the fifth amendment is to protect people from self incrimination.
But then law enforcement in the United States is not about serving the public or enforcing the law.
Re:
Bypassing passwords is what booby trap mode is made to prevent from hapoening
Too many failed password attempts and your phone gets totally wiped and then reset.
What was there is gone and can never recovered meaning anything in the way of evidence they might want is toast
If your has booby trap mode, use it.
This is so they cannot muscle you into any plea agreement
With malware and stuff like that people have been burned for what they did not know was there
That is why my online radio station had a policy of wiping and reinstalling on any station owned devices before international travel
We did not break any laws in any country doing this before travelling
Re: Re:
We’re questioning the behavior of cops at the source and examining the extents of our Constitutional rights. We’re not asking for advice on how to defeat the attempts of law enforcement to access our devices, which you are happy to give endlessly for some reason.
Re: Re: Re:
I am out giving information
Information is first amendment protected speech
One clown in Usenet newsgroups thought otherwise 16 years ago when I posted information on how people living in Australia could avoid a US connecting city going between Australia and Cuba saying what flights to take
This guy was some Cuban exile who did not like my giving out that information
This was advice on how USA/Australia dual nationals (and there are more of them than you think) could travel to Cuba on their Australian passports and avoid the US travel ban going through either Tahiti or South America
That information was first amendment protected speechb in the United States and not criminally prosecutable in the United States
Information is protected by the first amendment
Re: Re: Re:
Best I can figure they’re either getting paid to say the same tripe over and over(and over) again or it’s a particularly strange obsession of theirs that drives them to do so.
The law against bypassing from only applies to those who distribute them.
That is why the “commercial or private financial gain” requirement isvin there
That is the end user is not committing a crime and why, 20 years ago, I was not committing any crime by recording drm protected tracks to cassettes to play in my car
.
Because I was not distributing them I was not committing any crime
Recording tracks onto cassettes to play in my car was not for any kind of “financial gain” and therefore dud not meet the requirements fur felony prosecution
Re:
Re:
Are you a nonprofit library, archive, or educational institution gaining access to commercially available copyrighted works solely in order to make a good faith determination of whether to acquire copies of such works? No? Then no DMCA exception for you, crime inducing troll.
Re: Re:
The “commercial or private financual gain” requirement is why personal use is legal and why I did not commit any crime plgggung a tape recorder intot computer and recording tracks onto cassettes fur use in the car
Since it was not for “commercial or private financial gain” the criminal statutrs did not apply
Congress put that in there so that it would not make so many criminals the jails could not hold them all
I will admit that cracks are harder since the websites fall under the commercial or financial gain requirement by selling ads
Gotta pay for that server somehow
Another reason such have disappeared is the proliferation of ad blockers, a necessary evil these days.
Banming ad blockers is not enforceable as the vendors of business level filtering software are not in.thr United States and are therefore not subject to American laws.
I have to find some way to bypass the anti piracy protection on the mp3 player app that pings the developer’s server because of jamming going on
Because of some states banning abortion travel I can say at least one clinic is using jamnets because when I drive in the general area where the clinic is my cellular data connection quits
With the fact that some states might make pregnant submit to ankle bracelet tracking clinics are already on it
The clinics are breaking no laws in California using those jammers for that purpose.
Until either Congress scotus tells the states to knock it off I will just have to live with clinics deploying jammers to jam tracking devices like ankle bracelets
There is nothing I can do about it since abortion clinics are breaking any law in California using those jammer
I just have to plany route to avoid where abortion clinics are so in do not get jammed as there is no law in California against jamming data.
While I am am pro life as they come I do not believe thatvstatea have the right to ban travel to a state or country where it is legal
Re: Re: Re:
The carve out specifically names types of institutions, meaning the exemption doesn’t extend to individuals, actually. But trust a crime inducing troll like you to not get that, so I will repeat: the limited exemptions in the DMCA do not apply to individuals, so there is no ‘personal use’ exemption, dipshit.
Google = Evil
Relying on Google (password or whatever) for any type of security is the height of folly. The only thing Google can be trusted to do is to give any and all information they have about anyone and everyone to any law enforcement agency whenever they ask for it.
Google’s prime directive is omnipresent surveillance of everyone and everything they do, and as long as they keep TPTB happy by providing them with an end-run around the 4th Amendment, Google will not only be allowed to continue this practice, but will be encouraged and enabled to continue and expand their surveillance and reporting activities.
Re:
If either bobby trap mode wipes your phone or you do a “hard” reset, the phone will not let you set it up again until you log back on to your Google account
Booby trap mode or hard reset bricks your phone until you log into your Google account again