

Judge Rules Suspect Can Be Required to Unlock Phone with Fingerprint - dustinfarris
http://m.wsj.com/articles/BL-DGB-38641

======
serf
[http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,...](http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,news-17587.html)

"One of the contest's organizers, Washington D.C.-based security researcher
Nick de Petrillo, scanned his penis with TouchID and then used it to unlock
his phone. He announced his success on Twitter on Saturday (Sept. 21) and
fellow security researcher Andrew Ruef replied "Now no one will ever, ever
steal your phone. [Is this] the secret to the correct use of TouchID?" "

Future HN headline: "Judge Rules Suspect Can Be Required to Unlock Phone with
Penis"

~~~
baddox
Police have been known to commit deliberate, lengthy, unabashed sexual assault
and rape in the supposed pursuit of justice, so I'd probably just stick to
using my fingerprint.

Here's one example: [http://www.cnn.com/2014/01/16/justice/new-mexico-search-sett...](http://www.cnn.com/2014/01/16/justice/new-mexico-search-settlement/)

------
suprgeek
If he still wants to ensure that the Cops should actually have to do more work
despite this decision, then there are four possible outs:

- If Touch ID hasn't been used in 48 hours, you'll need to enter your
passcode or password to re-enable it.

- If your iPhone has been rebooted or reset, you'll need to enter your
passcode or password to re-enable it.

- If a fingerprint isn't recognized 5 times in a row, you'll need to enter
your passcode or password to re-enable it.

- If a remote lock has been sent via Find my iPhone, you'll need to enter
your passcode or password to re-enable it.

Remote lock - or delay for 48 hours - or - give the wrong finger 5 times in a
row - or get the phone reset/rebooted

(careful of contempt of court - there are few things more unstoppable than a
pissed-off Judge with contempt powers)
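
The four fallback rules listed in the comment above, modelled as a small state machine. This is an added example, not part of the original comment and not Apple's code; `BiometricGate`, its method names and the rule that a correct passcode clears every lockout are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_LIMIT = 48 * 3600  # seconds: "hasn't been used in 48 hours"
MAX_MISSES = 5          # "isn't recognized 5 times in a row"

@dataclass
class BiometricGate:
    """Hypothetical model: decides when the fingerprint sensor is usable."""
    last_unlock: float = 0.0
    misses: int = 0
    locked_reason: Optional[str] = "reboot"  # fresh boot needs the passcode

    def reboot(self) -> None:
        self.locked_reason = "reboot"

    def remote_lock(self) -> None:
        self.locked_reason = "remote_lock"

    def passcode(self, now: float, correct: bool) -> bool:
        # Assumption: a correct passcode clears every lockout and the miss count.
        if correct:
            self.locked_reason, self.misses, self.last_unlock = None, 0, now
        return correct

    def fingerprint(self, now: float, matches: bool) -> str:
        """Return 'unlocked', 'retry' or 'passcode_required:<reason>'."""
        if self.locked_reason is None and now - self.last_unlock >= IDLE_LIMIT:
            self.locked_reason = "idle"
        if self.locked_reason:
            return f"passcode_required:{self.locked_reason}"
        if matches:
            self.misses, self.last_unlock = 0, now
            return "unlocked"
        self.misses += 1
        if self.misses >= MAX_MISSES:
            self.locked_reason = "too_many_misses"
            return f"passcode_required:{self.locked_reason}"
        return "retry"


def demo() -> list:  # constructed event sequence, times in seconds since boot
    g = BiometricGate()
    out = [g.fingerprint(0, True)]            # before the first passcode entry
    g.passcode(1, True)
    out.append(g.fingerprint(2, True))        # sensor now enabled
    out += [g.fingerprint(3, False) for _ in range(5)]  # five misses in a row
    out.append(g.fingerprint(4, True))        # matching finger no longer accepted
    return out
```

Once any rule fires, the state is sticky: a matching fingerprint is refused until the passcode is entered.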

~~~
downandout
Jailbreak your device and make an app that enables the passcode requirement
whenever the GPS says the phone has been inside of a known police station/FBI
office. It would be incredibly easy to create the database of locations and
keep it updated.

~~~
mcovey
Or even easier than maintaining such a database, just allow users to whitelist
certain locations they frequent, with a training mode to easily set it up:
start recording, go about a normal day, stop recording and save.

------
DigitalSea
It was bound to happen. You can view the fingerprint reader on the iPhone and
other phones like the Samsung Galaxy S5 which feature fingerprint readers as
having made it easier for law enforcement to get into your phone.

I would not be surprised if the fingerprint scans the police take from you
down at the station or the ones you give up when entering a US airport when
travelling from another country could be used to open up a fingerprint
protected phone in the near future.

No matter what anyone says, the fingerprint reader is convenience, not extra
security.

~~~
higherpurpose
I know this decision was "expected", however, I can't help but get the feeling
that in an "ideal society", where governments wouldn't abuse their powers, and
people's rights would be much more "reasonable" (in a good way), the
government would _not_ be able to _force_ you to put your finger on something.

After all we have so many laws that offer similar type of protections already,
such as a wife not having to testify against her husband. At some point the
society decided that it's the "right thing" to do.

Perhaps the society can decide that having the government force you to unlock
your devices with your finger is _unacceptable_.

~~~
rayiner
> After all we have so many laws that offer similar type of protections
> already, such as a wife not having to testify against her husband. At some
> point the society decided that it's the "right thing" to do.

To put it in context: spousal privilege is rooted deeply in religious
tradition going back hundreds if not thousands of years. It fell naturally out
of a belief that people already had (the indivisible marital unit). That's
what it takes to overcome the default presumption that "the public has the
right to every man's evidence." Now, the fact that something has been the case
for probably 800 years doesn't mean it can't be changed, but does suggest that
if people really had a problem with it, they would have taken issue with it by
now.

~~~
dllthomas
_"Now, the fact that something has been the case for probably 800 years
doesn't mean it can't be changed, but does suggest that if people really had a
problem with it, they would have taken issue with it by now."_

I think it certainly does suggest that, but it's worth noting that what we
really have a problem with shifts over time. Whether that's going to be
relevant here, I can't say...

------
rayiner
Not surprising if you think about the law. The historical bent of the Anglo-
American legal system is that courts have very expansive powers to facilitate
the collection of evidence. The 5th amendment is a specific limitation to this
power, which prohibits compelling a person to serve as witness against
himself. Taken literally this is a very specific limit, but has been construed
expansively. But a physical action like unlocking a phone with a fingerprint
is not testimonial at all.

~~~
rdtsc
Set password as a confession of a crime -- "I am the Zodiac Killer". Wonder if
5th will still apply in that case.

Presumably they can force the person to type the password themselves and
guarantee to not look or record the keystrokes. If they refuse, keep them in
jail for contempt of court indefinitely.

~~~
tedunangst
> Set password as a confession of a crime

Where did this silly meme come from? Sure, great, they can't use your
"confession" to prosecute you for being the zodiac killer. They don't give a
shit. They're going to prosecute you for the crimes for which evidence exists
on your phone and leave the confession out of it.

~~~
rdtsc
> Where did this silly meme come from?

Playing the same legal "semantics" that DOJ is playing with respect to
torture, privacy and other legal issues.

~~~
tedunangst
Oh, right. Best of luck.

~~~
rdtsc
Well, sitting here on my chair talking about constitutional legalities, on a
discussion forum, I'll need all the luck I can get ;-)

~~~
andreyf
I think you misunderstood - by the "expansive" interpretation, forcing you to
divulge any password, be it a confession or not, would violate your 5th
amendment right against self-incrimination.

------
mirkules
One thing that nobody has mentioned yet is that generally speaking, when you
are booked, your possessions are confiscated (including your phone) and your
fingerprints are taken. It is very trivial to transform even a latent
fingerprint and fool even high-end devices (using play-dough, for example)
into authenticating.

Therefore, cops would technically not even need you to be physically present
to unlock your phone. Chances are, your thumbs or index fingers are the ones
used to unlock your device, so if I were a cop, that's what I'd try first.

I'm not sure though how this would stand up on legal grounds. Anyone?

------
DevX101
Fingerprints are usernames, not passwords

[http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)

~~~
colinbartlett
I am really tired of this argument.

Biometric information is a means to verify identification. A username and a
password is also a means to verify identification. A fingerprint is no more a
username than a password is a username. In the case of a username/password
it's the combination that's required to verify the identity.

~~~
kerkeslager
> Biometric information is a means to verify identification. A username and a
> password is also a means to verify identification. A fingerprint is no more
> a username than a password is a username. In the case of a username/password
> it's the combination that's required to verify the identity.

Is it really? I think if I send you an email at
colinbartlett@whateversitehostsyouremail.com I've verified your identity as
much as I need with only your username.

A username and password is a case of identification (username) and
authentication (password). Authentication is _proof_. When you have
authenticated identification (like a username and password) it's proof that
the person is who they say they are.

The reason people conflate identification with authentication is that we
typically use the two together. But there are lots of cases where we only care
about one or the other.

For example, many systems (such as routers) implement administrative tasks
with an administrative password. You don't care who performed the task, you
only care that they had permission to do it. That's authentication without
identification.

Similarly, there are plenty of cases where you don't care about
authentication, you only care about identification. For example, anyone can
send you an email. On many systems you can send people messages anonymously:
there's no authentication necessary, no proof of anything necessary to be
allowed to send the message. The only thing necessary is the identity of the
receiver. That's identification without authentication.

Fingerprints are identification. They are used as authentication because the
difficulty of collecting the identification gives a small barrier to
falsifying authentication, but they're pretty terrible for that purpose. You
leave your fingerprints all over the place: it's like if you just went around
writing your bank PIN everywhere. There are already proofs of concepts of
people constructing fingerprints from polymers; this is a simple case of
privilege escalation, where gaining one level of privilege allows you access
to a higher level of privilege. Given that most people give everyone access to
their fingerprints that's a pretty low point to allow escalation from.

------
andreyf
> Baust will head to the police station on Monday morning [to comply with the
> ruling], but [his lawyer] believes police still may be unable to unlock the
> phone because it should require a password [demanding which is
> unconstitutional], in addition to a fingerprint, once it has been shut off.

Am I naive for thinking these technicalities are really silly? Is not the goal
here to establish whether accessing and searching one's phone is fair game at
some point in an investigation / trial?

~~~
ipsin
This is not "some point in an investigation / trial", this is a specific
point. They have a warrant.

I'm not a big fan of "compelled evidence" (gathering DNA, blood or
fingerprints from a suspect), but the courts have been saying it's ok, and
that's the approach they're taking here.

They just can't (so far, in the US) compel you to actually produce testimonial
evidence like passwords, passcodes, etc.

------
deadgrey19
"providing fingerprints and other biometric information is considered outside
the protection"

Is it just me, or is there a contradiction here? I'm happy to provide you with
a finger print (in ink), but that in itself is not enough to unlock the phone.
You need my live hand attached to my live finger.

I think the problem here is that it is an oversimplification to call it a
"finger print".

~~~
kyboren
DNA tests are done by cotton swab of your 'live' cheek. Should they only be
done on 'dead' dandruff? In any case, it should be pretty easy to recreate a
sufficiently-convincing fake finger given an ink fingerprint.

But that all misses the point. The only reason passwords get special treatment
is that an order to compel production of a password is an order to testify
against oneself. For example, unless the defendant already admits to knowing
the password, the fact that the defendant _knew_ the password after production
would be obviously prejudicial. It would be tantamount to requiring the
defendant to testify, "yes, it was me".

In other words, compulsory production of information whose existence and
location is not a foregone conclusion probably falls foul of the Fifth
Amendment. Compulsory production of your finger does not require you to
provide any information other than information that clearly exists _about
you_.

(IANAL)

------
remarkEon
Anyone find a link to the actual ruling? I'm sort of tired of seeing these ad
hoc write ups. I need to see what the judge actually wrote.

~~~
deancollinsyc
...and if this applies to laptops etc. (which I assume it does).

------
emergentcypher
Having your fingerprint as the key is no different than having a physical key.
Which the police can steal and use. It's not in your head, so there is no 5th
amendment protection for self-incrimination. I only see it being useful as an
additional factor in multi-factor auth.

------
dkopi
"But providing fingerprints and other biometric information is considered
outside the protection of the Fifth Amendment, the judge said."

Which is why 2 factor authentication is so important.

------
pseudometa
"Broccoletti believes police still may be unable to unlock the phone because
it should require a password, in addition to a fingerprint, once it has been
shut off."

What a great ending to the story.

------
jaunkst
I suspect that future ideologies of what is considered to be an extension
of one's personal being will be challenged.

------
orbitingpluto
So now having eczema qualifies you to be in contempt of court?

------
edwhitesell
I'm surprised it took this long to come to a legal decision.

A fingerprint is a means to identify someone, not a security mechanism (like a
password).

~~~
001sky
Biometric security is not a "security mechanism"?

This seems pedantic and absurd. A password or a username is no different than
any other proxy variable to verify identity and authorizations.

The bigger question is about the implications of "authorized user access"
schemata, more generally.

For example, what happens when technology allows intrusive searches of the
human brain/memory?

Who is an authorized user and what is a viable way to protect against
"unreasonable searches" of the human mind? Obviously the concept of a
"password" is anachronistic.

~~~
kybernetyk
> Biometric security is not a "security mechanism"?

"Biometric security" is authentication - not authorization.

~~~
001sky
Any "authorization code"--such as a password or a secret handshake--is an
(ex-post) proxy for an (ex-ante) authorization.

~~~
Natsu
It's quite possible to authorize without authenticating and vice versa, though
it's a bit uncommon. They're separate concepts for a reason, though.

------
blazespin
Just use the wrong finger.

~~~
jemfinch
Just go to jail for contempt.

~~~
higherpurpose
I think I saw Matthew Green propose a solution for this: Apple could allow you
to use a different finger to force the phone to prompt for a password. In
theory you shouldn't get jailed for contempt over this since you'd be doing it
much earlier than being in Court in front of a judge - like when you see the
cops coming.

~~~
asadotzler
Not necessary. Just power off when you see the cops coming.

