Court orders US Capitol rioter to unlock his laptop ‘with his face’ (techcrunch.com)
46 points by justinc8687 86 days ago | 80 comments

My first thought is "why isn't this prohibited by the Fifth Amendment," and it seems that the court order actually answers that question already:

"With respect to the Fifth Amendment, Reffitt's entering his password in to the Subject Device does not violate his privilege against self-incrimination, because his act of production would not be testimonial, since the only potentially testimonial component implicit in his act of producing the unlocked/unencrypted device is a foregone conclusion."

In somewhat more detail, this is permissible because the act of unlocking his laptop does nothing that can be seen as incriminating himself:

* The laptop is already known to exist, and known to be owned by the user.

* What is being sought on the laptop [a video the defendant recorded at the event] is already known and admitted to exist, and it is known that the files in question are (at least were at one point in the past) on the laptop.

* The video in question was prepared prior to the search warrant and investigation, so it's not a Fifth Amendment violation to produce it unless the production itself is potentially incriminating (see https://en.wikipedia.org/wiki/United_States_v._Hubbell). But as mentioned above, the ability to produce the information isn't protected anymore, since there's no question that the individual could produce it.

This feels like it ought to be a violation of the Fifth Amendment, but it seems that it's pretty long-standing precedent that there's really nothing here that would violate the Fifth Amendment. Were this password-protected, or even a locked box in a safe, there would similarly be no Fifth Amendment violation, and the biometric aspect of the request doesn't (nor should it) change the analysis meaningfully.

Both sides of any litigation are obligated to produce all relevant materials in response to subpoenas from each other. This is what the discovery phase is all about. The protection against unlocking someone's phone, laptop, etc. prevents the other side of the litigation from rifling through someone's device and going on a fishing expedition -- especially until the defendant can consult an attorney. Blatant fishing expeditions are not allowed. It does not allow people to hide evidence that is specifically requested as a part of a court-ordered subpoena. Basically, if the other side requests a piece of information, you can't legally withhold that evidence from the court. If the court discovers such behavior they can sanction the non-compliant party (financial penalties for instance), issue a negative inference (i.e. we'll just assume the worst about the material and make that a part of our decision), all the way up to issuing a default ruling (i.e. you lose). Trying to hide evidence is the quickest way to piss off a judge and you definitely don't want to do that. Judges do not take kindly to anyone who challenges the court's authority.

I'm curious, would it be a violation if they instead invoked the Fifth Amendment to protect other contents of the laptop not acknowledged to exist?

Prosecutors can deal with that by giving immunity. They can either give "transactional immunity" or "use immunity".

Transactional immunity, commonly known as total or blanket immunity, protects you from future prosecution for any crimes related to your testimony.

Use immunity prevents the use of your testimony or any evidence derived from that testimony against you. You can still be prosecuted for the underlying crimes if they only use evidence that they got some other way.

For example, suppose your testimony shows you are fencing stolen goods, and that comes as a complete surprise to prosecutors. With transactional immunity you could never be prosecuted for your past fencing.

With use immunity they would essentially have to ignore that they now know you are a fence. But suppose later they catch a thief, and offer the thief a plea bargain if the thief tells them how the thief is getting the goods fenced--and that thief names you. Prosecutors can then come after you for that.

I was thinking along these lines, but then he would have to declare that there is something on that encrypted drive that is unrelated but still could be used to incriminate him. That seems like an unwise declaration to make.

I don't see the practical difference between forcing someone to show self-incriminating evidence and forcing someone to unlock a box in possession of authorities that contains self-incriminating evidence.

The phenomenon of compelling biometrics for unlocking devices doesn't seem to be a new problem. They present a convenience factor, but from a security standpoint there are issues with others being able to compel their usage, spoofing, and not being able to change your biometrics (not within reasonable constraints anyway).

I love Apple’s approach to this: You can force the phone to ask for a password, even if Face ID is enabled, by rapidly pressing the power button a couple of times. Face ID will be disabled until next unlock, so that you can not be forced to unlock the phone with your face.

The rate at which law enforcement attempts to chip away at Constitutional Rights to pursue agendas is frightening. Perhaps it's always been this way, and I've only recently started to notice it.

Which Constitutional right is being chipped away?

The test for whether something is protected by the 5th has generally been "is it testimony, or is it something that just is?"

Fingerprints, other biometrics, and physical keys are all things that just are. No testimony involved. Not protected. The government can compel you to provide them.

Passcodes and combinations are something you know. They're protected.

I'm certainly open to changing the law to protect biometrics, but I don't see anything in the reporting on this case that indicates it's any different than preceding cases in the last 10 years that dealt with fingerprints.

> Fingerprints, other biometrics, and physical keys are all things that just are

For nontrivial biometrics (and facial locking may not usually meet this) the act of unlocking is testimonial (as it demonstrates both the specific action and your knowledge thereof) as much as a password is. A command to “unlock this device with <biometric method>” is different than a command to simply provide, say, a fingerprint.

What about an order to "place your right thumb on this little circle", where the "little circle" just so happens to be the phone they seized from you?

You're not revealing any knowledge about the specific action—they're directing you to do it.

For the face scenario, an order to look directly at the camera is similar. You're not testifying that this laptop is indeed yours, or that you have access. The laptop is going to respond to your stare however it was already configured to do so.

> What about an order to "place your right thumb on this little circle", where the "little circle" just so happens to be the phone they seized from you?

Right, it doesn't, for instance, reveal that as a combination of quirks of the sensor and how I trained it, it only unlocks with my left index finger at a slight angle and a particular rolling motion, and moreover, doesn't reveal that I know that to be the case.

Yup. If you're concerned about being compelled to place a finger on the sensor, it seems a good countermeasure would be to train it on your non-dominant hand's pinky. And set a low failure count before the device demands a password instead.

I agree that if the demand was, "place whatever finger will unlock this device—in the orientation required—in this little circle," then that would be compelled witnessing against oneself.

It's testimonial that you are the device owner but that usually is not incriminating so wouldn't run into 5th Amendment problems. If for some reason it was incriminating prosecutors could avoid 5th problems by granting you immunity.

Unless you are in the probably quite unusual situation where all they are trying to get you for is owning the device I don't think the act of unlocking is going to work well as something to hang your 5th hopes upon.

I'm not grasping the difference between fingerprint scan and facial scan. Both have been ruled as acceptable and not covered by the 5th.

Are you arguing that fingerprint unlock and facial unlock should both be protected? I'm open to that argument, but I'm not seeing how they are any more testimonial than providing a fingerprint (or DNA sample) for matching other evidence?

> Both have been ruled as acceptable and not covered by the 5th.

As the article states, and some quick research would reveal, this is largely dependent upon which state, and which federal jurisdiction, the court is in. A final word has not been given on the matter and each court is allowed to interpret it as it chooses. As such, it has been ruled both for and against.

In this case, the argument in the ruling is that there is no question that the defendant owns the laptop, so the act of proving that it's his account doesn't incriminate (since it's not establishing any fact not already known).

Right for privacy is not a right to obstruct justice.

A distressing response. The 5th Amendment is pretty clear that the right to not self-incriminate is paramount, and does not mention obstruction of justice in any clause. The issue seems to be subjective views on what self-incrimination is and that it's viewed as a grey area, and that makes me uneasy.

The fifth amendment reads:

> No person ... shall be compelled in any criminal case to be a witness against himself

If you could compel someone to testify against themself, that would surely expedite justice. But we've decided that's not actually just.

We're certainly compelled to have evidence collected from our stuff. You aren't compelled to say where to look, but you are compelled to let them look.

Unlock this computer vs tell me your password. The password could contain "I did the murder and I buried the body under the bus stop" which is clearly testimony, but unlocking and changing the password to something the government asks you to seems well within range.

That’s some spicy doublespeak you’ve got there.

No, but really. For instance, in Germany there are super strict policies regarding privacy at your workplace - i.e. your employer cannot spy/monitor your activities under veil of security or productivity. That said, if you are a systematic slacker the employer may use some of that said spying to prove that you are a slacker in exceptional (and well founded) cases and court will accept that evidence.

Seems like a working system for me. Employers still are not allowed to spy, slackers still can get punished, no apocalypse, no slippery slopes.

We're not talking about Germany. The parent article is clearly speaking about a situation within the United States.

Lesson: typing passwords isn't such an inconvenience after all.

Friendly reminder: biometrics are NOT COVERED under the Fifth Amendment. If courts can force you to surrender your blood in a DUI case, they can absolutely force you to use your fingers, face, toes and other body parts to unlock your laptop, phone and PC.

Use a strong passphrase, 15 characters or longer.

In the state I live the police can not force you to give up blood in a DUI case.

What they can do is take away your license for a year if you refuse.

Since you don't have a constitutional right to drive or a driver's license they can do this without running afoul of the state or federal constitution.

A subtle difference but then the law is filled with such subtleties.

You are not wrong though, as far as we know now biometrics are not protected. But I think this is just until some ruling comes down from a superior court and sets a precedent one way or another. I'm sad to say I won't be surprised whichever way it turns out though.

On one side this is a bit of karma, the rioters had their own interpretation of the constitution, now the government is using their interpretation. All jokes aside, no matter the mental gymnastics, 5th amendment etc, this is just bad and contributes to the erosion of civil rights. Say, you have some darknet drug marketplace admin account on a laptop, and the police suspects that, forcing you to unlock the machine is of course forcing you to self incriminate. Especially if you compare this to a street dealer, the non virtual dark web drug marketplace. Only the seller knows the deals of the past and where money and supply are stashed. Nobody can force him legally to disclose any of that. Meanwhile, the laptop guy, by unlocking the laptop will hand them on a silver plate: past transactions and sales, delivery addresses, vendor data.

Both commit the same exact crime, one can't be forced to disclose a thing, the other can?

You can try to sugarcoat this in any way you like, if this is not defended against, this will come back to bite many regular people, probably even some who support it. Think of divorce cases, the lawyers are very creative, rest assured they will exploit this as much as they can.

If said street guy without the laptop kept paper records in a locked safe then those records would be subject to a search warrant and admissible as evidence.

Don't get me wrong, I don't necessarily disagree with you and I'm not sure I like the fact that the safe's contents are fair game.

But my understanding is that is how it currently works. So I have a hard time seeing a difference between records kept in a safe and records kept on a laptop.

I am not American but I wonder why this is an issue. I can understand refusing to do so when passing through customs but this person was accused of a crime. Shouldn't law enforcement be allowed to check inside the laptop for evidence of his involvement? I mean if the government comes in and arrests me at my home they are allowed by warrant to enter my home. Why should a laptop be any different?

The 5th Amendment protects US citizens from providing self-incriminating testimony. That's an absolute (in theory).

The question then becomes "what is testimony?"

Historically, the courts have ruled that physical things are NOT testimony. So, a court can demand you produce a physical key to a safe. And now a fingerprint or facial scan.

On the other side, courts have ruled combinations, passcodes, and passwords (things you know) are testimony and are protected by the 5th.

I'm not sure if all courts have ruled the same way on fingerprints and facial scans, but if you consider them closer to a physical key than a secret code, then the current ruling makes sense.

Personally, I have mixed feelings about it. I could be swayed either way with a solid argument. So far, I lean slightly towards biometrics are closer to physical keys, but only just barely.

Not an American, but there is a concept of self-incrimination. The idea is a person is not going to be forced to give evidence against himself. Like no court can force an accused to say "say I have killed him, then convict him because he said that himself" or as it stands in India,

"The Indian Constitution provides immunity to an accused against self-incrimination under Article 20(3) – ‘No person accused of an offence shall be compelled to be a witness against himself’. It is based on the legal maxim “nemo teneteur prodre accussare seipsum”, which means “No man is obliged to be a witness against himself.”"

A pesky little thing called The Fifth Amendment.

So what is the distinction between the following scenarios:

1. Checking to see if your fingerprint matches the pattern left on the stolen painting.

2. Checking to see if your DNA matches the DNA left under the victim's fingernails.

3. Checking to see if your face matches the face pattern stored on the laptop recovered during a search of your premises.

4. Checking to see if your fingerprint matches the pattern left in the Secure Enclave of the phone that was located near the scene of the crime via phone company records and GPS.

These scenarios are all slightly different. I'm not saying this is or is not a 5th Amendment issue. Would really like to get a legal argument on the important distinction between #1/2 and #3/4.

I think it's likely that you could "check to see if your fingerprint matches the one in your phone". But that is totally different than using your fingerprint to unlock the device and then take information off the device to prosecute you. However, it has been found a few times that biometrics aren't really protected. But in many cases a password can be. Because you can't be compelled to incriminate yourself with your own testimony per the 5th amendment.

None of those involve self-incrimination, so I don't think any of them are protected under the 5th amendment. They're all just comparing physical evidence to the suspect's physical traits.

Makes me want to disable the facial login for my iphone

If you ever need to, press the on/off button on your iPhone 5x in a row in quick succession. This will disable Face ID (or Touch ID on older models) and require you to unlock the phone with your PIN or passphrase. It also acts as a shortcut to Medical ID and Emergency SOS.

Does this mean if you cannot speak or type, and thus use your face as password, you have no protection against this type of self incrimination

How did you enter the data into the machine if you cannot interact with it?

Eye movement like Hawking, which is actually a form of typing though

I guess you could use eye movement as a password then.

I guess facial recognition systems should allow for a "distress" face that will lock the device being authenticated down further.

Yes, clear violation of a legal order, but it's in the same spirit as TrueCrypt's "hidden volume" feature.

On an iPhone and some other devices you have attention detection: your eyes have to be open for it to work.

The question here is still how the court would actually see this.

Some people only have one eye. Perhaps you could just always squint one closed whenever you unlock your phone, after testing that your unsquinted face won't open it.

I don't use Windows Hello -- is there a setting that requires entry of a password instead of biometrics after a period of time or after a restart?

My MBP requires the password to unlock touchID after a while, fwiw

Yes, you simply turn off windows hello or any other biometrics in settings, and the other alternatives suggested to you will be a password and a few others.

I don't mean entirely -- I mean conditionally. Like iOS and macOS do. If you don't unlock them for a period of time, or after a restart (and a couple of other conditions), they will ask for a password even when you have biometric login enabled.

Oh, my bad, I completely misunderstood the original question. The macOS comparison makes perfect sense.

As far as I am aware, there is no easy way to make it happen. Maybe my googling skills are poor, but I wasn't able to find anything relevant to this, no matter what kind of queries I was trying. All I've found was just a bunch of complaints about Windows Hello either not working at all or something related.

I think there's an AD policy that can do this, but there isn't a user-visible option to do it, in the settings "Windows Hello Face" is either on or off.

Arrested three weeks after the riot. What’s the chance he left anything incriminating on his laptop by that point?

Under the assumption they're guilty:

If they had remorse? Very little.

If they believed the big lies and/or felt a superiority complex? Seems likely to me.

I'll note that with the pretext of the individual being guilty I've already disqualified someone smart enough to not commit nor record evidence of having committed a crime.

Biometrics has always been considered less secure. Just more evidence of this. Making a mold of someone's face/print can thwart biometrics.

Biometrics are not passwords, they are usernames. You can change passwords.

We're at a point where this old saw needs to be retired.

Yes, if a system is storing your biometric data remotely, then it can't be changed and it's a username, not a password.

But modern biometrics don't work that way, at all. The biometric is stored client-side (hopefully securely and considerable effort is made to realize that hope), and it is used to access a private key which signs a challenge.

The biometric can be revoked, the private key can be revoked, all of these things can be changed by the user.

So let's say someone busts my fingerprint out of the TouchID secure enclave. That's not great (nor is it easy!), but they don't have an ability to generate a private key with it which Apple will recognize: that requires my password.

So I can generate a fresh key, confirm it with my password, and now my copy of the biometric works and theirs doesn't.

Edit: "courts or police can compel your fingerprint but not your password" is a completely different argument, and the solution is a way to rapidly lock out biometric authentication so that the password is a hard requirement. It also doesn't apply in a number of jurisdictions.
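
Added example, not part of the thread and not Apple's or any vendor's code: a minimal Go model of the client-side scheme the comment above describes, where a local biometric match gates a private key that signs a server challenge, and registering a key needs the account password. The `Enclave` and `Server` types, the hash-equality matcher (a stand-in for a real fuzzy biometric matcher) and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Enclave is a hypothetical device-side store: a biometric template and the
// private key it gates. Hash equality stands in for a real fuzzy matcher.
type Enclave struct {
	template [32]byte
	priv     ed25519.PrivateKey
}

// Server is a hypothetical verifier holding one public key and a password hash.
type Server struct {
	pub    ed25519.PublicKey
	pwHash [32]byte
}

func same(a, b [32]byte) bool { return subtle.ConstantTimeCompare(a[:], b[:]) == 1 }

// NewEnclave enrols a sample locally and generates a fresh key pair for it.
func NewEnclave(sample []byte) (*Enclave, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored for brevity
	return &Enclave{template: sha256.Sum256(sample), priv: priv}, pub
}

// Sign answers a challenge only when the presented sample matches the template.
func (e *Enclave) Sign(sample, challenge []byte) ([]byte, error) {
	if !same(sha256.Sum256(sample), e.template) {
		return nil, errors.New("biometric mismatch")
	}
	return ed25519.Sign(e.priv, challenge), nil
}

// Enroll replaces the registered key, but only with the account password.
func (s *Server) Enroll(password string, pub ed25519.PublicKey) error {
	if !same(sha256.Sum256([]byte(password)), s.pwHash) {
		return errors.New("password required to register a key")
	}
	s.pub = pub
	return nil
}

// Login issues a random challenge and checks the device's signature over it.
func (s *Server) Login(e *Enclave, sample []byte) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig, err := e.Sign(sample, challenge)
	return err == nil && ed25519.Verify(s.pub, challenge, sig)
}

// Scenario replays the comment's case with constructed sample data.
func Scenario() (ownerBefore, rogueEnrolled, rogueLogin, stolenAfter, ownerAfter bool) {
	finger, pw := []byte("constructed-fingerprint"), "constructed-password"
	srv := &Server{pwHash: sha256.Sum256([]byte(pw))}
	dev, pub := NewEnclave(finger)
	_ = srv.Enroll(pw, pub)
	ownerBefore = srv.Login(dev, finger)
	// Someone copied the template: same biometric, own key, no password.
	rogue, roguePub := NewEnclave(finger)
	rogueEnrolled = srv.Enroll("guess", roguePub) == nil
	rogueLogin = srv.Login(rogue, finger)
	// Worst case: the old key leaked too, so the owner registers a fresh one.
	fresh, freshPub := NewEnclave(finger)
	_ = srv.Enroll(pw, freshPub)
	stolenAfter = srv.Login(dev, finger)
	ownerAfter = srv.Login(fresh, finger)
	return
}

func main() { fmt.Println(Scenario()) }
```

In this model the server never sees the biometric, so a copied template is useless without a registered key, and re-registering with the password invalidates the old key while the same finger keeps working.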

As a practical matter, actors who are unwilling to reach for the rubber hose can't get a password, while a fingerprint just requires the willingness to manhandle someone without injuring them, and that much is basically universal.

They are authentication and authorization just like a username/password set. I don't see the Supreme Court allowing this if they won't allow compulsion of releasing a password. Right against self incrimination. Should be interesting though.

"A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity."


There is nothing secret about your biometrics. Especially not while you are in detention.

No but compelling you to use your biometrics to self incriminate is something else altogether.

Imagine their password was written on a bracelet. Plainly visible to the public, easily recreated from photos, and 0% secret. The cops wouldn't even need a court order to read it. That is what biometrics are. They are the sticky note next to the monitor with a password written on it.

The state doesn't need your cooperation to type in a password that is plainly visible though. That's where the self incrimination comes in.

The Supreme Court has repeatedly punted the issue down to state courts. What do you think is different this time?

They'll eventually have to rule on it because the state courts are split, when that is, who knows. It's certainly a 5th amendment case, so they'll have to address it eventually, perhaps they are waiting on the right case? I dunno.

What appellate courts have ruled in favor of biometrics being protected?

That would potentially upend decades of case law - the government can compel somebody to produce a physical key (which now includes fingerprints and other biometrics) but cannot compel production of a passcode/combination.

> What appellate courts have ruled in favor of biometrics being protected?

This article talks about a case in the 11th circuit in 2012 and another in the Pennsylvania Supreme Court, Commonwealth v. Davis. Apparently the only time you can compel someone to give their password (which biometrics serve the same purpose) is if the state already knows what's on there. It's called "foregone conclusion exception."

Yet if the government can show that it already knows of the existence and the suspect’s possession of the documents at issue—i.e., that these matters are a “foregone conclusion” and thus that the factual assertions implicit in the act of production add “little or nothing to the sum total of the Government’s information”—then “no Fifth Amendment right is touched because the ‘question is not of testimony but of surrender.’”


I think the difference is compelled speech - you don't have to 'say' your biometric user/pass combo

> Right against self incrimination.

You can be forced to submit to fingerprinting, which could also be incriminating.

That's a good point, but those fingerprints aren't used to open say, a biometric safe. They are used to compare with fingerprints found at the scene of a crime.

Here's some interesting copy on similar cases.


Quoting: "Reffitt’s lawyer told CNN ...that the laptop is now unlocked."

They are both a username and a password as a single entity, they identify the user and verify said user

> they are both a username and a password as a single entity

And should your username ever also be your password?

Sometimes it is fine, depending on the particular application. I often use a single token to identify myself to office buildings, my car, my house, etc. Even my bank is okay with it, although that is more debatable.

It shouldn't be, but it shouldn't be disallowed.

Biometrics make good identifiers. They make horrible authenticators.

I guess facial recognition is beyond printing a picture of his face?

Yes. Modern facial recognition systems (not sure which specific one his laptop used though, so what I am saying below might not apply to this specific case in the OP) use 3D mapping to get not just a flat image, but try to reconstruct the shape of your head/face. That's why when you try to set up FaceID on an iPhone, it asks you to turn your head in a circle a few times, so that the system is able to get all the necessary sides and angles of your head to create the internal 3d model.

Other people can most likely still unlock your device if they make a perfectly molded silicone mask of your head+face or something else similarly complex, but a photo of your face printed on a piece of paper wouldn't work.

Windows Hello sensors use infrared, not visible light spectrum. Printed photos reproduce a visible light representation that you can see, but it is not visible to the infrared sensor in the computer. See the left examples:


Sometimes, but it depends on the vendor. Generally a picture of someone is enough to recognize them. So, if the system is just a monocular RGB image capture, then there needs to be another layer to the system to address when a biometric is spoofed with something like a picture.

This is not quite in the spirit of the law. Americans should disable any biometric password.
