A search warrant executed earlier this year gave authorities the power to force occupants of a Los Angeles-area house to unlock devices with their fingerprints, casting doubt on biometric defenses.
Forbes first reported on a memorandum dated May 9 drafted by federal prosecutors in support of the search warrant. It asked a federal court to allow law enforcement agents to depress the fingers of anyone in the house to unlock devices, an action that prosecutors argued does not violate the U.S. Constitution.
The warrant is significant, as there have only been a few cases that have tackled whether it is legal for the government to collect fingerprints as part of a search warrant. At issue are the Fourth Amendment, which prohibits unreasonable search and seizure, and the Fifth Amendment, which is the right against self-incrimination.
The search warrant also shows how law enforcement is trying to counter the technology industry's implementation of stronger defenses against hackers and government surveillance, which have made law enforcement investigations more difficult.
Hands Up, Show Us Your Fingers
Why the government wanted access to the house and its occupants' fingerprints, and what the outcome was, is unclear. Forbes contacted someone at the house, in Lancaster, Calif., who said the warrant was indeed served, but no one at the house had been accused of a crime.
Forbes posted a redacted version of the search warrant that obscures the address to which it was served. The memorandum is available in online federal court records, but the original version does not help in figuring out whether charges were filed, and the search warrant itself is unavailable.
But the fact that the warrant was served shows some federal judges are receptive to this way of unlocking devices, which may serve as a warning that fingerprints should not be relied upon as a foolproof security method.
The memorandum argues that the Fifth Amendment does not apply to fingerprints because it only covers "communicative evidence," such as court testimony. A 1966 Supreme Court case, Schmerber v. California, found that the compelled display of identifiable physical characteristics does not violate the law.
"The fact that a successful unlocking of the devices could also demonstrate a connection between the person and the device thus does not make the requested fingerprints testimonial, any more than does a warrant's authorization to seize a person's keys," the memorandum contends.
With regard to the Fourth Amendment, taking biological data, such as blood or fingerprints, is allowed as long as the collection is done within the scope of a warrant and the individual has not been illegally detained, the memorandum shows.
The memorandum also cited a 2014 legal case where a Virginia circuit court judge ruled that police could force someone to unlock a phone with their fingerprint, but could not force them to turn over a passcode. A passcode is knowledge, but a fingerprint is the same as providing a DNA or handwriting sample, The Virginian-Pilot reported.
The U.S. government has expressed frustration with measures manufacturers such as Apple have taken to make devices more secure. The movement for stronger security largely gained steam after former National Security Agency contractor Edward Snowden leaked documents in June 2013 that showed the bulk collection of data from technology companies (see How Did Snowden Breach NSA Systems?).
Apple and applications such as Signal have sought to remove themselves as pivot points for law enforcement if users take precautions. The general idea is to not store decryption keys in centralized servers, instead leaving them in the possession of users.
While Apple must turn over information stored in its iCloud backup service if served with a valid warrant, users can elect not to store anything with Apple. In addition, Apple has sought to make its iPhone a self-contained vault. The company fiercely fought a court order earlier this year that required it to create a special version of iOS in order to access the iPhone 5c of San Bernardino shooter Syed Rizwan Farook (see FBI Versus Apple: A Lose-Lose Situation).
That forced law enforcement to look to other means to break into strongly encrypted devices. In the case of Farook, the FBI later dropped the case, saying it purchased a technological means - largely believed to be a zero-day vulnerability - so it could access his phone.
If compelling people to surrender their fingerprints withstands legal tests, it's still only a limited tool. Apple devices still require a passcode if a device has been turned off and on or if it has been idle for 48 hours. Devices that have Android 6.0 or later have similar security features, but older Android devices can vary according to manufacturer and may not have secure implementations, according to Russian password cracking specialists Elcomsoft. The best advice would be to avoid fingerprint readers if you expect the police to come knocking.