back to article Cops told: No, you can't have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scans

A US judge last week denied police a warrant to unlock a number of devices using biometrics identifiers like fingerprints and faces, extending more privacy to device owners than previous recent cases. The order comes from Northern California Federal District Judge Kandis Westmore in response to a request by the government to …

  1. elDog Silver badge

    So does this also invalidate all facial recognition installed everywhere?

    Of course, US only at this point for this ruling. Altho UK has been in the lead along with China, USSR, etc.

    If the US 5th Amendment against self-incrimination applies to phone-based facial recognition it seems that the gov't couldn't use it to id me when I enter the brothel/church/whatever.

    1. JohnFen Silver badge

      Re: So does this also invalidate all facial recognition installed everywhere?

      I doubt it. I suspect the relevant distinction is who owns the device in question. If you appear on a surveillance camera that isn't yours, there is no fifth amendment issue (you aren't being asked to incriminate yourself), and there is no fourth amendment issue (the camera isn't your property).

      Also, in regards to the fifth amendment, the prohibition is against forcing you to unlock it, not against obtaining the footage. If your phone isn't locked, then this ruling doesn't apply. This ruling wouldn't apply to third party cameras for the exact same reason -- you aren't being asked to unlock it.

    2. Mark 85 Silver badge

      Re: So does this also invalidate all facial recognition installed everywhere?

      I'm probably mistaken but I recall something where photos of the phone owner could be used. So, would this be in violation of the court order?

      1. Danny 14 Silver badge

        Re: So does this also invalidate all facial recognition installed everywhere?

        UK in the lead? Maybe in the use of not needing a court order. The UK will use RIPA to say you refused to unlock your phone, thats up to 5 years in the pokey (more than running someone over and killing them with a car).

        No warrant needed AND not even under arrest.

        1. BebopWeBop Silver badge
          Headmaster

          Re: So does this also invalidate all facial recognition installed everywhere?

          I don't think it s RIPA - and the UK police can force (on pain of imprisonment) you to reveal your password. BUT that does require a court order.

          1. localzuk

            Re: So does this also invalidate all facial recognition installed everywhere?

            It very much is RIPA. The police can compel you to hand over passwords and encryption keys. Refusal to do so is a max 5 year sentence. Look at Section 49, RIPA 2000.

        2. James 51 Silver badge

          Re: So does this also invalidate all facial recognition installed everywhere?

          Let's not forget the rinse and repeat aspect of this 'crime'. If after four years and six months you're asked to unlock it again and can't/won't, that's another five years. In the future it wont' be the mysterious appearance of bags full of powder that get people locked up/justify police actions. It will be a usb key with encrypted files.

          1. LucreLout Silver badge

            Re: So does this also invalidate all facial recognition installed everywhere?

            Let's not forget the rinse and repeat aspect of this 'crime'. If after four years and six months you're asked to unlock it again and can't/won't, that's another five years.

            I understand the theoretical aspect of what you're saying, but has this ever actually happened? I'm genuinely interested to know if repeatedly refusing to unlock the same data/device can lead to what amounts to indefinite detention IN PRACTICE?

            (emphasis because thats they key bit I'm interested in rather than to yell it at you)

            1. James 51 Silver badge
              Black Helicopters

              Re: So does this also invalidate all facial recognition installed everywhere?

              The law hasn't been in effect long enough for rinse and repeat but if you look at the history of seven day detention in northern Ireland, or what happened with the Birmingham six or even Hillsborough or the undercover investigation into Stephen Lawrence’s family, that’s one hell of a power for the police to have. The best way to approach such things is power will always be abused. The person in the post today might be good and honourable but there’s sooner or later, there is going to be someone untrustworthy in that position.

        3. Cynic_999 Silver badge

          Re: So does this also invalidate all facial recognition installed everywhere?

          "

          No warrant needed AND not even under arrest.

          "

          Rubbish. The police must first get permission to issue you with a written notice detailing what they require you to disclose & a reasonable time limit. If you do not then disclose you could be charged with an offense, at which point it will go to trial and a court will decide whether you are guilty and if so what sentence to impose.

          Police will often lie and *say* that you must disclose as soon as a police officer asks, but that is a load of cobblers.

    3. Black Betty

      Re: So does this also invalidate all facial recognition installed everywhere?

      My take on this sort of technology is that it should be OK to use it to compare individual faces against a shortlist of suspect faces (ie known soccer hooligans) for targeted action (ie. prevent entry to a stadium), but not to compile a list of every attendee to be cross referenced with purchasers of road flares and vuvuzelas.

      1. Prst. V.Jeltz Silver badge

        Re: So does this also invalidate all facial recognition installed everywhere?

        maybe i didnt read it right , but this is nothing to do with facial recognition in public spaces , but about unlocking phones and decrypting files!

    4. MachDiamond Silver badge

      Re: So does this also invalidate all facial recognition installed everywhere?

      I'm sure the bordello is keeping track. Visit information can be worth a pile of gold bars this high in the right circumstances such as in Washington, DC. Politicians screw everybody at once during their day job and then get more individual after hours.

  2. jake Silver badge

    About fucking time.

    I hope SCotUS agrees, eventually. Time will tell ...

  3. DeeCee

    why it is so bad if a suspect is forced to unlock their device with a warrant? whats next you wont open your safe, house/car door because of that?

    digital documents should be viewed as physical, if there is a reasonable way to do it and working safety mechanisms to protect from abuse then there should be ways for law enforcement to search devices.

    1. lglethal Silver badge
      Go

      The specific problem in this case was that whilst the cops have two suspects, the fuzz wanted the right to look at EVERY device in the building including those not related to the suspect. That is ridiculous overeach and the judge quite rightly shut it down.

      As for your comment about not opening your safe, you are under no obligation to open your safe just because police ask. If police want to open a safe, they need a warrnat and then to call in the relevant authority in opening the device (a locksmith, etc). Why should it be any different for a phone?

    2. ratfox Silver badge

      Law is a funny thing. If I remember correctly, if you have a safe with a key, the police can force you to give up the key; but if the safe has a combination, they cannot force you to reveal the combination, because that would be forcing you to testify against yourself, which is forbidden by the fifth amendment...

      1. Anonymous Coward
        Anonymous Coward

        And if the key is hidden?

        Is revealing the location testimonial?

        BTW, it's in my pocket, but don't tell them that.

      2. Robert Helpmann?? Silver badge
        Childcatcher

        If I remember correctly, if you have a safe with a key, the police can force you to give up the key; but if the safe has a combination, they cannot force you to reveal the combination...

        Which feeds directly to my statement that biometrics should only be used to establish ID and not provide authentication for access and is at best used as part of 2FA. Fingerprint readers and facial recognition are indeed like a physical key in that they provide some security, but only against the casual interloper. If you want to have a shot at keeping out the unwanted, they are simply not enough against a more determined attempt.

    3. Cuddles Silver badge

      "digital documents should be viewed as physical, if there is a reasonable way to do it and working safety mechanisms to protect from abuse then there should be ways for law enforcement to search devices."

      If you'd read the article, you might have noticed this is the entire point of the ruling. Physical things already are protected - police need a warrant to search specific things, they can't just blindly demand everyone in an area open everything and let them search it. Yet that's exactly what they wanted to do in this case, and so the judge said exactly what you claim to want them to say - it's fine for the police to get a warrant to access specific, relevant devices, but not for them to demand blanket access to every device owned by anyone who happens to be nearby.

      1. DeeCee

        search was too wide, but my comment was about password(and, in this case, fingerprint) counting as testifying against himself instead of being just a key to open something.

        "Where in the past judges have drawn a distinction between forcing a person to reveal a known password and the act of applying a person's finger to a sensor, Judge Westmore sees no difference in this instance. "In this context, biometric features serve the same purpose of a passcode, which is to secure the owner's content, pragmatically rendering them functionally equivalent," she wrote."

        1. Eddy Ito Silver badge

          but she made clear that she believes device owners should not have to testify against themselves
          I don't think the safe analogy is correct. If you don't open a safe the police will just get a safe cracker to open it anyway but you won't have to cough up an encryption key should all the documents in the safe be encrypted. The big difference is that electronic devices make it easy to encrypt/decrypt your documents and access to the encryption key is via your password, finger, face, etc.

          We need to stop looking at the $device as a safe and see it for what it is, an encryption tool that also happens to have document storage. It's no different than having an encrypted note in your pocket so when the police asks "what does that say?" you're free to plead the fifth.

          1. Prst. V.Jeltz Silver badge

            I don't think the safe analogy is correct.

            I think it is correct. The only difference you have pointed out is that one is a lot harder to crack than the other.

            1. Eddy Ito Silver badge

              Perhaps I wasn't clear. There are two aspects, there is 1) the storage box and 2) the encryption. A safe is just a storage box that is difficult to open. That difficulty is the only security it provides. Any documents inside that are not encrypted rely on the security of a difficult to open ~500 kg box that is bolted to the floor. If it isn't secured in place then it offers no protection at all, except maybe to fire, which is the main difference from a mobile electronic device. An additional layer of security can be obtained by encrypting the documents inside. The key/combination to the safe is protected by the 5th amendment as is the encryption key to the documents so there are potentially two layers of security.

              Mobile electronic devices don't have two layers. They rely only on access to the encryption key provided by the password, finger, etc. Yes, for the pedants, one could employ a separate lock to see the file system and encrypt the individual documents on the device or lockout the i/o or other contrived method to more closely match the safe paradigm but then it quickly becomes impractical since the device gets so difficult to access it then offers no benefit to it being mobile. After all, safes are largely safe because they aren't mobile.

              Besides, at some point it becomes pixies on the head of a pin supported by encryption turtles all the way down and where do you draw the 5A line? It only makes sense to draw the line at the beginning or not have a line at all because an arbitrary line will always be arbitrary.

              1. Prst. V.Jeltz Silver badge

                "Perhaps I wasn't clear."

                You got that right buddy :) Your second attempt makes your point clear as mud - you are still just pointing out differences in convenience and difficulty level.

                Step back , look slightly bigger picture , the two things are exactly the same - They both make it difficult for other people to read your documents without you giving them the "key"

                1. Eddy Ito Silver badge

                  What can I say, I took the explanation out of the safe and presented it to you but you still don't understand it even though it isn't encrypted.

      2. Prst. V.Jeltz Silver badge

        but not for them to demand blanket access to every device owned by anyone who happens to be nearby.

        right. So always keep your drugs and cash in yo mommas safe in her room , not the one in your own bedroom? got it.

        Better still get a safe that belongs to someone in a different country.

    4. PeterKr

      Meta-Information

      If the police ask you whether you have control/access to a device, you can plead the fifth. If they ask you for passwords, you no longer have that right. This seems inconsistent to many people.

      1. Alan Brown Silver badge

        Re: Meta-Information

        "you can plead the fifth"

        One of the "traps" of "pleading the fifth" is that it's a trapdoor effect - you CANNOT talk about that subject again EVER within earshot of ANYBODY - most importantly you cannot bring up anything related to that material in another court case, but even boasting about it in a bar and then telling what you wouldn't say in court is sufficient to invalidate the protection.

        If you do and the court gets wind of it, you can be hauled back into court and compelled to talk.

        US constitutional and criminal law can be a minefield.

        1. Graham Dawson

          Re: Meta-Information

          No you can't. At best that would be considered hearsay and not admissable as evidence.

    5. This post has been deleted by its author

  4. Voland's right hand Silver badge

    An example of why some things should always go in front of a judge

    The moment you get the government (any government) to decide the standards of evidence rule of law goes out of the window.

    Unfortunately for every action like this one by this judge there are 20 done by the government to unwind the effect elsewhere.

    1. Alistair Silver badge
      Windows

      Re: An example of why some things should always go in front of a judge

      @Voland:

      I'd be inclined to agree. The frequency and depth of damage are accounted for as ROI for the current 'ruling' class. We can only hope it keeps getting more expensive for those to happen. And that there are one or two judges about that decide that the bargain isn't worth the sleepless nights.

    2. muhfugen

      Re: An example of why some things should always go in front of a judge

      I hate to break it to you, but the judiciary is a branch of government.

  5. steviebuk Silver badge

    So..

    ...if this is allowed under the 5th amendment, surely you don't have to give up passwords as well as wouldn't that just be the same as incriminating yourself?

    1. Anonymous Coward
      Anonymous Coward

      Re: So..

      I'm going to only use incriminating passphrases for extra legal protection. Something like "I shot the sheriff." Surely there has been a sheriff shot somewhere.

      1. Locky Silver badge
        Joke

        Re: So..

        As I understand it you're fine, as long as you didn't shoot the deputy

  6. Anonymous Coward
    Anonymous Coward

    Biometrics

    Another justification why biometrics should be used for identification (username), but not for authentication (password).

    1. Ken Hagan Gold badge

      Re: Biometrics

      Bio metrics shouldn't be used for identification either. They are easily copied. They prove nothing.

  7. JeffyPoooh Silver badge
    Pint

    3D mugshots and 3D printers

    The police are allowed to take pictures of those arrested; so they could quite easily take 3D (stereoscopic) images.

    Then, load the file into their coming-soon 3D Colour printer and print out the phone owner's face in 3D. Use that to unlock the phone.

    Any unlock requirement for live eyeballs might need a bit more thought. Perhaps high resolution LCD screens inserted into the mask.

    1. Prst. V.Jeltz Silver badge

      Re: 3D mugshots and 3D printers

      i dont think its anything like that difficult - just wave the phone in front of the mugshots they took....

  8. PacketPusher
    Megaphone

    Self incrimination?

    I am a firm believer in the 5th amendment, but this is a stretch. If this is self incrimination, then so is providing breath for a breathalyzer, DNA, Urine, and Blood. Even finger prints would be considered self incrimination by this standard. The warrant was rightly denied as too broad, but if they apply again narrowed to just the suspects, then I think it should be approved.

    1. GrumpyKiwi Silver badge

      Re: Self incrimination?

      I believe one of the more major problems with the Judge's assertion that the 5th covers this, is that it has been repeatedly ruled (all the way to the Supremes) that the 5th is a right that you have to assert - i.e. when Plod asks you to unlock your phone, you THEN get to assert your 5th rights and it's then decided by a judge as to whether this is the case (or not).

      The judge can't pre-emptively claim 5th Rights for all the people affected by the warrant.

  9. Stevie Silver badge

    Bah!

    Anecdotal evidence is that a basketball with a bloody handprint on it will unlock the majority of "face recognition" locked devices.

    I suggests the 5-0 try a selection of Mr Potato Heads, teddy bears and the mug shots of the suspects themselves in front of the phones in question.

    Somewhere there's an Ursula K Le Guin wastebasket with The Word for Crap That Doesn't Work is Biometrics typed on a screwed-up wad of paper.

  10. MachDiamond Silver badge

    Multi-factor

    I've always seen biometric authentication as a lazy way to access your device. Ease of access is the reciprocal of security. The other downside is if you die or are in hospital, nobody else can get into your device such as a spouse, close friend or family member via a sealed envelope you have left with codes inside for that purpose.

    The one thing I suggested before was to have a facial recognition system where you get access if both eyes are open and your device wipes itself if you have one eye closed. You could even have it set to only wipe a certain folder leaving your more mundane data in place to make it appear you have complied fully with a police/court request. Fingerprints could be the same way. Use your middle finger for normal access and your index finger for access that gets rid of incriminating folders since using an index finger is most common, it won't look odd if you do it that way. The best thing is to just not put things on your phone that will get you in trouble. The filth could walk up behind you while you are buried neck deep in you device and just snatch it from you while it's unlocked and keep it active manually or through one of their clever little devices.

  11. Rajesh Kanungo

    Does it apply to US ports?

    I know that the US Customs/border have a lot of leeway (a polite way to say that they ignore the Constitution). Would the legal types be able to say if this ruling could be applicable at the US border/Airport/etc. ?

    At some point or the other I fully expect them to copy my laptop drive and my phone not because I have super secret documents but because they can.

    1. Anonymous Coward
      Anonymous Coward

      Re: Does it apply to US ports?

      The US border (a.k.a. 'Constitution-Free Zone') extends 100 miles inland from the, er, ah, border.

      Reportedly the vast majority of Americans live in this zone.

      I believe that the same rule should be applied 100 miles form any airport too.

      1. ITS Retired

        Re: Does it apply to US ports?

        Why have a Constitution then? Just have everyone give up all their constitutionally guaranteed Rights and be done with it.

        1. jake Silver badge

          Re: Does it apply to US ports?

          Good point, because as we all know everything you read on TehIntraWebTubes is 100% factual and with zero hyperbole.

  12. Weathermom

    With this ruling, the Judge is saying that all technology protected by biomarkers is protected. Does that include computers that have retina scanners? That’s a huge loophole for pedophiles to jump through. This is a pretty slippery slope we could be headed down if there aren’t clarifications made pretty quickly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019