
Cops can force your finger onto an iPhone to see if it unlocks, says judge - kofejnik
https://www.theregister.co.uk/2019/04/24/judge_forced_fingertoiphone_unlock/
======
hprotagonist
Not that this is a good solution, but it is a semi-practical countermeasure:
mashing the power button 5 times on an iPhone disables all biometrics
immediately, starts an audible siren countdown, and calls 911 if not
dismissed. Holding power + volume up for a few seconds disables biometrics
silently. I long ago enabled the "10 failed logins in a row deletes the phone"
toggle.

edit: There are two ways to disable biometrics for post-iPhoneX models, which
are described above. Pre iPhoneX, there is no panic-mode-with-a-siren, but 5
clicks of the power button will disable biometrics.

I routinely do this before I go through the TSA complimentary-preflight-massage
line, when I'm within about 50 miles of the Mexico border, and
whenever I'm pulled over at a traffic stop.

And I'm not even doing anything particularly interesting.

At least this case involved An Actual Warrant. It's not the best, but it's a
whole lot better than the no-warrant scenario.

~~~
athenot
> I long ago enabled the "10 failed logins in a row deletes the phone" toggle.

Unfortunately this is not advisable if you have small children. A relative of
mine saw her phone get wiped after letting my toddler fiddle with it for a few
minutes.

~~~
RandallBrown
This happened to a coworker of mine once. The feature was turned on by our IT
department after he set up his work email on the device so he didn't really
know about it.

He came to work one day pretty upset about Apple's "Delete your iPad when your
kid plays with it" feature.

~~~
mieseratte
> The feature was turned on by our IT department after he set up his work
> email on the device so he didn't really know about it.

Perhaps don't let children fiddle with your work devices? That just sounds
like an accident waiting to happen.

~~~
athenot
I have a strict policy to not let my kids play with phones. (Books and toys
are plenty fine.) And I don't let my phone hang around and used as a passive
toy (in locked mode) either. Yet more than once my phone has been "found" and
the max password attempt has been triggered. It happens really easily despite
my efforts.

Now in the grand scheme of things, this is just an annoyance as I can restore
the phone from up-to-date backups. If someone is concerned enough, they could
also toggle the wipe feature on/off based on their travels and live with the
risk of an accidental wipe knowing that things can be restored.

~~~
derekp7
This can happen from carrying it in your pocket. Moisture (sweat) from your
leg can cause random inputs on the touch screen.

~~~
xvector
Solution is to put the phone in your pocket facing outwards. Also prevents
turning on the camera or flashlight with your leg.

------
dsfyu404ed
> Specifically, Judge Judith Dein, of the federal district court of
> Massachusetts, gave agents from the Bureau of Alcohol, Tobacco, Firearms and
> Explosives (ATF) the right to press Robert Brito-Pina's fingers on any iPhone
> found in his apartment in Boston. The bloke was suspected to be trafficking
> guns, hence the application for a search warrant

Yesterday in the thread about the MA state police getting told they need a
warrant for real time location data I said that MA judges will consider
politics when reading the law. This is exactly what I mean. MA really doesn't
like guns (this is a statement of fact, I'm not going to get into a discussion
of whether that hate is justified). It's no surprise that a MA judge allowed
the state to go after someone accused of a firearms related crime. Had this
been the DEA asking for a warrant for a drug trafficker's phone the judge
would likely have ruled the other way.

> Jacobsen notes that gun traffickers "often use cellular telephones to acquire
> or sell illegal guns" and that they are "normally maintained for reasonably
> long periods of time because they are expensive, can often be subject to
> long-term contracts that contain substantial penalties for early termination,
> can store large amounts of information, and do not easily wear out." He also
> notes that even when people buy a new phone, they will typically transfer the
> contents of their old phone onto it.

What BS. People who make their living trafficking in illegal things use
burners for their business. Everyone with a brain knows this. The ATF know
they are not likely to find anything on that phone they don't already know.
The ATF is just looking to set a precedent and they picked a forum likely to
let them set that precedent.

FYI the second page of this article includes a pretty good summary of relevant
case law to date.

~~~
bradyd
You are confusing the state and federal judges. The new MA law doesn't apply
to federal agencies and this was a federal judge not a state judge and the ATF
is a federal agency.

~~~
dsfyu404ed
> You are confusing the state and federal judges.

Districts and states more or less align. You're not going to get a judge who's
worked their career in Arkansas appointed to a federal position in MA unless
there's some edge case political shenanigans going on. For all practical
purposes this guy is an MA, or at least New England judge.

> The new MA law doesn't apply to federal agencies and this was a federal judge
> not a state judge

There is no new MA law relevant here. I'm simply contrasting this with the
ruling discussed yesterday.

------
typenil
I wish that phone manufacturers would respond to this by allowing you to set
one of your fingers as a biometric kill switch.

If you scan your index finger - biometrics disabled. Middle finger gets you
in. Then these forced unlockings would go nowhere pretty fast.

~~~
AWildC182
Don't even need software for this. Just tell them all but one of your fingers
will wipe the flash but they get to figure out which one it is!

~~~
darkarmani
> but they get to figure out which one it is!

Ah! They can't force you to tell them something you know. Next we will have
the equivalent of port knocking using a sequence of fingers.

~~~
PascLeRasc
[https://xkcd.com/538/](https://xkcd.com/538/)

------
GeekyBear
This is one of those issues where Federal judges in different states have
ruled differently, so eventually the Supreme Court will have to weigh in on
the issue.

For instance:

> A US judge last week denied police a warrant to unlock a number of devices
> using biometrics identifiers like fingerprints and faces, extending more
> privacy to device owners than previous recent cases.

The order comes from Northern California Federal District Judge Kandis
Westmore in response to a request by the government to search and seize the
devices found at a premises in Oakland, California, connected to two suspects.

The judge… made clear that she believes device owners should not have to
testify against themselves, in accordance with US Fifth Amendment protection.

"Even if probable cause exists to seize devices located during a lawful search
based on a reasonable belief that they belong to a suspect, probable cause
does not permit the Government to compel a suspect to waive rights otherwise
afforded by the Constitution, including the Fifth Amendment right against
self-incrimination," she wrote in her order.

[https://www.theregister.co.uk/2019/01/14/biometric_device_ac...](https://www.theregister.co.uk/2019/01/14/biometric_device_access/)

~~~
hannasanarion
These two cases are very different.

In one case the police have a suspect in custody and strong evidence that they
were engaged in illegal arms dealing, and are looking for specific additional
evidence.

In the other, the police are basically going on a hunch, with suspects not in
custody, and seeking to search the phones of a broad group of people for a
broad array of evidence that they don't have good reason to believe exists.

It's not as simple as "Can search phone? YES or NO" if the cops were asking to
search filing cabinets, the rulings would be the same.

------
SigmundA
This doesn't seem surprising to me considering forced fingerprinting,
photographing and measuring has been part of the law for some time and held up
in the Supreme Court. Even forced DNA samples and I believe blood samples are
allowed.

My understanding is that those things are not considered testimony unlike
forced password production.

A related distinction is made between being forced to surrender a key to a
safe vs the combination to the safe. One is physical the other is testimony.

------
mLuby
Basically, biometrics aren't protected like knowledge (a password) is. Fine,
sometimes the old ways are best.

Here's hoping the next big feature for iOS and Android is a panic passcode
that unlocks a totally banal version of the OS. That's one of two places I
see this ending, the other being always-on government (possibly corporate)
spying embedded.

~~~
skocznymroczny
Well, alternatively the officer could ask you if you used the 'panic
passcode'. If you say you did, they'll ask you to put in the real passcode. If
you say you didn't, they can withhold your phone and if they find out you did,
they can arrest you for lying.

~~~
kofejnik
yes, but you can't be forced to provide an answer to this

~~~
logfromblammo
If you can be prosecuted for lying, you don't have to answer the question--
basic right against self-incrimination.

------
gmoore
Though it appears that most of the conversation here is about the Apple OS -
many of us are using Android. The only "emergency" action I know of on Android
is to simply turn your phone off if you can. When it reboots - the password is
required before bio-metrics are re-enabled.

~~~
plttn
On Pixels at least there's an optional lockdown button in the power menu.
Disables all biometrics/smart lock, hides all notifications on lock screen,
and more importantly doesn't say anything like "locked manually".

~~~
nichos
Which is good, but you have to unlock it first to get that screen to come up.
It would be nice if holding the power button down, or like others have said,
using certain fingers, would put it in lockdown mode.

~~~
helper
The option comes up for me on the lock screen.

------
kevin_b_er
This was to be expected for years. The court could always force you to do
something, just not reveal what you know.

Of the 3 factors, something you have, something you are, and something you
know, only "something you know" is protected from warrant. They can seize your
2 factor key, they can use your fingerprint, they can use your face. They
can't force you to tell a password.

This is why fundamentally killing passwords is a bad idea, because of rulings
like this.

~~~
snarf21
I mostly agree with you but there is no reason you can't have a strong
passcode on your phone that protects your accounts using something other than
passwords.

------
lamby
Whilst I applaud and appreciate the sentiment behind the various technological
workarounds suggested here (killswitches, canaries, extra levels of security,
etc.) do bear in mind that the legal/justice system is not an algorithm that
works and operates like code. There are no clever tricks.

~~~
deadbunny
But there are.

In the US you have a constitutional right to not incriminate yourself and
judges have ruled that extends to giving law enforcement pins/passwords.

Biometrics have not received the same status.

------
jrs95
And we will complain about this here on Hacker News and the American public
still won't give a flying fuck...I wonder if our "democracy" will stop being
such a disappointment in our lifetimes. And I say it in quotes not because I
have any opposition to democracy but because our "representatives" and
unelected members of government regularly act against our interests. The
system is broken.

~~~
kilo_bravo_3
There is no difference between a cop pressing a finger against a fingerprint
reader to unlock a phone to gather evidence, and a cop pressing a finger
against an inkpad (or scanner) to collect a fingerprint to compare to one
found on an object or surface found at a crime scene.

If law enforcement suspects your fingerprints are on a crowbar found at the
scene of a bank robbery, they tell a judge, present their evidence, and get a
court order for you to press your finger on a fingerprint scanner.

If law enforcement suspects your fingerprint will unlock your phone and your
phone has evidence of a crime on it, they tell a judge, present their evidence,
and get a court order for you to press your finger on a fingerprint reader.

Nothing is broken.

~~~
jrs95
It’s not just your phone, and a warrant isn’t always needed thanks to this
precedent. Police are able to search without a warrant under many
circumstances. For example, they could pull you over, give their dog a command
to “hit” on your car, claim the dog smells drugs to search your vehicle, and
force anyone in the vehicle to unlock their phones if they’re using biometric
security.

~~~
kofejnik
I don't think it works like that in a traffic stop without a warrant

------
PopeDotNinja
And that is the reason I use a pin code.

~~~
cf498
It's not just police being able to force you to unlock your device. The idea of
possession alone for security authentication is generally very problematic.
It's only introduced out of convenience, which is generally not a good sign
when it comes to security. Opsec unfortunately is and remains rather
difficult.

------
salawat
So, when do we get an interpretive dance based unlock?

I'd almost be okay with it if I had the satisfaction of knowing some poor
bastard out there had a job that basically boiled down to trying to figure out
how the user would dance with a cellphone.

Bonus points in that security minded people would get some much needed
exercise.

------
njharman
Only after judge signs warrant.

That, ignoring that warrant signing might be rubber stamp in some courts cause
that is a different issue, is an ok compromise between privacy and enforcing
laws.

------
codewritinfool
Just don't use biometrics to unlock your phone. It seems silly to me to
discuss ways to disable the biometrics on-demand.

It still reduces to something you can be compelled to produce (your finger)
vs. something you must remember (your passphrase). Now, you might end up
spending time in jail to help your memory, so there's that to think about too.

I'll stick with the passcode. It places the ball into my court automatically.

------
brandeded
"siri, fuck the po-lice" <-- attention word to erase all fingerprint
credentials even when phone is locked.

~~~
ninkendo
"Hey siri, whose phone is this?" already does this.

------
dumbfounder
Or if they have a newer iPhone they just hold it near their face. They don't
even need to touch the person. It means someone can take your phone while you
are sleeping and unlock it as well. Glad my kids don't realize this yet.

~~~
jfk13
In theory, that's not supposed to work, as FaceID has an "attention check" to
make sure your eyes are open and looking at the phone. I don't know how robust
this is, but perhaps your kids could do some tests?

~~~
dumbfounder
Seems to be true, yet I can unlock with my sunglasses on. So my kids will hold
the phone up in front of my face, poke me to wake me up, and then run.

~~~
mi100hael
I believe it's still checking for attention. The sunglasses probably aren't
enough to completely obscure your eyes from the camera.

------
craftinator
Not if I cut off all of my fingers! Take that, Coppers!

~~~
justbaker
huh-hah! I've already scalded off all my fingerprints!

------
judge2020
At what point does Apple put in an option along the lines of "insta-lock if
the face detected is definitely not yours"?

------
bitbang
That's cool, so long as they don't mark it with chalk.

------
batoure
This is why I use my big toe

------
vectorEQ
Do it with the siren and call 911 :D Now you have 2 officers forcing you to
use your appliances :D

In my country, police take what they want. They just do, and you can buck up
and fuck off if you don't like it. And to be honest, that's how police should be.
That being said, they don't randomly beat people up so much :D so perhaps our
people are still a bit more forthcoming to them.

------
golergka
People who refuse all government intrusion on privacy, including search
warrants, regardless of circumstances, altogether, have a logically consistent
position. People who accept that government can overrule any privacy that you
might have for the purposes of investigation also have a logically consistent
position.

But people who, on one hand, don't have any problem with things like search
warrants to go through suspect's home, but at the same time treat any
intrusion to suspect's digital privacy as a violation - this viewpoint I find
very weird and contradictory.

~~~
DannyBee
"this viewpoint I find very weird and contradictory"

There are very few things at the intersection of society and justice (like law
is) that are logically consistent.

This is by design, because people are not logically consistent in how they
operate (provably so, in fact). Maybe in a few million years depending on how
we evolve.

But for now, I'm not sure why you would expect anything else.

This is similar to the old saying of "in nature, the optimum is rarely at the
extremes"

The extremes tend to be the most logically consistent positions.

