So, how long before this judge is branded an enemy of the people for a bad decision and lots of TLAs come with loosely worded warrants (assuming he's not 100 miles from an airport) instead of asking for one?
US judge halts mass fingerprint harvesting by cops to unlock iPhones
An Illinois judge has rejected a warrant sought by the US government to force everyone in a given location to apply his or her fingerprints to any Apple electronic device investigators happen to find there, a ruling contrary to a similar warrant request granted last year by a judge in California. Under current law, the …
COMMENTS
-
Thursday 23rd February 2017 01:28 GMT vir
Isn't there a reasonably high (in this case, nontrivial) rate of fingerprint "collision", for lack of a better term? I can see someone getting stuffed away for a while because their fingerprint just happened to be close enough to someone else's to unlock a trove of illicit smut.
"Open and shut case. Of course he said it wasn't his. All those accounts and profiles under someone else's name? Aliases. Clever aliases."
-
Thursday 23rd February 2017 06:58 GMT Voland's right hand
At reader level yes
This is the difference between a fingerprint digitization used by a lame fingerprint scanner and fingerprint as such.
The collision rate of fingerprints, if memory serves me right, 1:10^9. So it is for all practical purposes unique. The collision rate after it has been digitized by a scanner in the class used by Apple and on PCs is probably many orders of magnitude higher. How much - no idea.
-
Thursday 23rd February 2017 09:01 GMT Doctor_Wibble
Re: At reader level yes
> The collision rate of fingerprints, if memory serves me right, 1:10^9.
Is that not the claimed rate for DNA? I'm reasonably sure we don't have enough fingerprints in various databases to approximate this, and has anyone actually tried a serious collision test? Add 'reasonable doubt' to the infallible fingerprints and you have a whole stack of cases to appeal.
> So it is for all practical purposes unique.
For a gadget, maybe, but this is court territory. Reasonable doubt, especially when viewed in the light of the Birthday Paradox, which will get you 99.9% chance of a collision in a random sample of just 117540 with 'one in a billion', yet only a 95% chance of a correct match, given an initial sample and a database of 50 million different records.
Probably ought to re-post the calcs somewhere, the hosting I used has disappeared in the 10 years since then...
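The birthday-paradox figures in the comment above can be reproduced in a few lines of Python. This is an added example, not the commenter's original calculations; it assumes "one in a billion" is the chance that any two unrelated prints match, and it reads the 95% figure as the chance that none of 50 million unrelated records falsely matches a probe.

```python
import math

def collision_probability(sample_size, one_in):
    """Chance that at least one pair in a random sample collides when any
    given pair collides with probability 1/one_in (birthday bound)."""
    pairs = sample_size * (sample_size - 1) / 2
    # 1 - (1 - 1/N)^pairs, computed with log1p/expm1 to keep precision
    return -math.expm1(pairs * math.log1p(-1 / one_in))

def sample_size_for(probability, one_in):
    """Smallest sample whose collision probability reaches `probability`."""
    # Solve n(n-1)/2 * ln(1 - 1/N) = ln(1 - p) for n
    pairs_needed = math.log1p(-probability) / math.log1p(-1 / one_in)
    return math.ceil((1 + math.sqrt(1 + 8 * pairs_needed)) / 2)

def correct_match_probability(database_size, one_in):
    """Chance that none of `database_size` unrelated records falsely
    matches a single probe print (assumed reading of the 95% figure)."""
    return math.exp(database_size * math.log1p(-1 / one_in))

if __name__ == "__main__":
    one_in = 10**9  # the "one in a billion" rate quoted in the thread
    n = sample_size_for(0.999, one_in)
    print(f"sample for 99.9% collision chance: {n}")
    print(f"collision chance at that size: {collision_probability(n, one_in):.5f}")
    clean = correct_match_probability(50_000_000, one_in)
    print(f"no false match in 50M records: {clean:.4f}")
```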
-
Thursday 23rd February 2017 10:28 GMT Anonymous Coward
Re: At reader level yes
> The collision rate of fingerprints, if memory serves me right, 1:10^9. So it is for all practical purposes unique. The collision rate after it has been digitized by a scanner in the class used by Apple and on PCs is probably many orders of magnitude higher. How much - no idea.
You may add to that that the resolution of the scanners used in law enforcement for validation isn't that hot either - unlike TV series, especially incomplete prints often give multiple hits, which is why the best evidence is always a couple of fingers, not just one.
In any case, I stopped using fingerprints for access to devices with critical data (most of that is now dual password, one of which is usually OTP based). For a start, any serious FP reader should be a wipe-motion one so you don't leave a usable print right there where it can do the most harm, but you're also leaving prints behind on shiny surfaces. Judged by what you leave when touching things, your safest fingers to use are your pinkies :). There are very good FP reader units around, but they cost substantially more which makes them less likely to be used in mass-produced goods.
Sorry if it's TMI - I spent far too much time researching biometrics at one point in my life. It's fascinating stuff - if you want something to worry about, worry about facial recognition..
-
Thursday 23rd February 2017 21:49 GMT Adam 1
Re: At reader level yes
Wrt to the collision rate of fingerprints, that is a side issue. It actually becomes worse in some cases. Some occupations are notorious for using chemical compounds that effectively eat away the prints so for those people the templates have a lot less points of interest and so collisions become possible. Most APIs won't let such people record a template. But the templates are basically a set of angles and distance measurements. No two scans of the same finger would ever result in the same measurements any more than taking two photos from a tripod could create a byte wise identical bitmap. The question is never "are they a match" (hint: infinite FRR). It is always "are they acceptably close". That's where the complex math starts because you are expecting features in a similar location to distort in a similar way, and some features are missing altogether because of sloppy scans.
-
Thursday 23rd February 2017 08:02 GMT Adam 1
Most biometric APIs I have played with allow you to trade off your false accept rate (FAR) vs false reject rate (FRR). FAR and FRR are opposite sides of the same coin. You can't improve one without making the other worse. There are usually two broad use cases.
1. The person claims an identity and this is a second factor where they prove it. (Well technically they only prove they have your finger/iris/hand but you need to understand your threat model)
2. Out of a large number of candidates, decide which identity has presented their digit.
With 1, you can tolerate a much higher FAR (it's the FRR that makes usability suck). With 2, you need a very small FAR but that does require a nicer template and a nicer scan than 1.
If you take a mobile phone use case, it's actually much closer to 1. You want it to unlock even with the vaguest of touches in any orientation and with any light level. You could tolerate a 1:10000 FAR quite easily. For blame purposes, you want FAR to be 1:10s of millions+.
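The FAR/FRR trade-off described in the comment above, worked through as an added example that is not part of the original post. The Gaussian score distributions are constructed for illustration and do not describe any real sensor; the 1:10000 and 1-in-10-million operating points are the ones the comment mentions, and the 1000-person group is an assumed figure.

```python
import math
from statistics import NormalDist

# Constructed model (assumption): matcher similarity scores in [0, 1]
IMPOSTOR = NormalDist(mu=0.30, sigma=0.08)  # someone else's finger
GENUINE = NormalDist(mu=0.80, sigma=0.08)   # the enrolled finger

def threshold_for_far(target_far):
    """Score threshold that accepts a fraction target_far of impostors."""
    return IMPOSTOR.mean - IMPOSTOR.stdev * NormalDist().inv_cdf(target_far)

def far_at(threshold):
    """False accept rate: impostor scores at or above the threshold."""
    return 1.0 - IMPOSTOR.cdf(threshold)

def frr_at(threshold):
    """False reject rate: genuine scores below the threshold."""
    return GENUINE.cdf(threshold)

def any_false_accept(far, comparisons):
    """Chance of at least one false accept over independent comparisons,
    e.g. many people tried against one phone, or one print against a
    large database (independence is an assumption)."""
    return -math.expm1(comparisons * math.log1p(-far))

def operating_points(fars=(1e-2, 1e-4, 1e-7)):
    """(FAR, threshold, FRR) for each target FAR, loosest first."""
    return [(far, threshold_for_far(far), frr_at(threshold_for_far(far)))
            for far in fars]

if __name__ == "__main__":
    for far, threshold, frr in operating_points():
        print(f"FAR {far:.0e}: threshold {threshold:.3f}, FRR {frr:.4%}")
    # Use case 2: the same per-comparison FAR applied across a crowd
    for far in (1e-4, 1e-7):
        chance = any_false_accept(far, 1000)
        print(f"FAR {far:.0e} over 1000 people: {chance:.4%} chance of a false unlock")
```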
-
Thursday 23rd February 2017 01:54 GMT tfewster
Weasel words
> the distinction being that a fingerprint is not testimonial whereas a passcode is.
The law is an ass. If a fingerprint is being used _as_ a passcode, then it's a passcode. And as it's tied to an individual, it could be (false) self-incrimination. Unlike a key on my keyring that unlocks a safe - there could be many copies of that key, and it might have been borrowed without my knowledge.
-
Thursday 23rd February 2017 02:26 GMT P. Lee
Re: Weasel words
I think the problem is the scope of the request.
This would appear to be a one-time prosecution device. No-one involved in this type of crime is going to use their fingerprint for unlocking in the future.
However, rejecting the request does stop the government from abusing the system when they want to trawl for fingerprints.
-
Thursday 23rd February 2017 11:44 GMT Indolent Wretch
Re: Weasel words
Surely simple logic would dictate that if the police are in the circumstance where they would be justified in taking the person's fingerprints they are also justified in trying to unlock a smart phone with them.
If they aren't in those circumstances then no-go.
And given collision rates it would seem some case law is in order to decide whether or not your finger unlocking a phone proves it was your finger used to lock it. More so if they are checking a great many people against a phone. I wonder in any large block or campus how many people are capable of unlocking how many phones that aren't theirs with their fingers.
-
Friday 24th February 2017 07:20 GMT Old Handle
Re: Weasel words
I can think of some legitimate reasons for the distinction, for instance with a password, it's possible you forgot it or they've got the wrong guy and you never even knew it. But you can't forget your fingerprints and if it turns out yours isn't the right finger, that would mean you're off the hook, rather than up the creek.
That said, I totally agree with the judge that this kind of fingerprint dragnet is over the line.
-
Thursday 23rd February 2017 03:03 GMT HappyBlue
Give them the middle finger
If you are forced to try a finger to open a phone, do they specify which finger?
If you have set up fingerprint recognition on your phone using your index finger, are you within your rights to present your middle finger?
On the other hand (excuse the pun), if you set up your phone to unlock with your ring finger and you allow the feds to borrow your middle finger to attempt to unlock, is that considered following the requests? Will they force you to try all fingers and toes, just in case??
-
Thursday 23rd February 2017 17:02 GMT Anonymous Coward
Re: Give them the middle finger
This would be a good reason to use some odd finger, like your left ring finger, to unlock your phone. They might want you to present your thumbs and index fingers, but it would be unlikely they'd make everyone try all ten fingers.
Though if you are thinking about it down to this level it would seem to be much easier to just use a password. The problem is that unless you want to type in your password every time you pick up your phone (i.e. no grace period if you just put it down 30 seconds ago) you're going to be typing it all the damn time.
I keep saying Apple should provide something that works like the old unlock did - have a user settable timeout after which a password is required. But instead of leaving it unlocked if it has been locked for less than the timeout, simply require Touch ID due to the timeout. That timeout currently defaults to 48 hours, with no way to change it.
IMHO if you are a criminal and the police are about to arrest you, hold down the home and sleep/wake button simultaneously for a few seconds and it'll force reset the phone. When it comes back up it will require a passcode. The trick will be not having the cops think you are going for a gun and shooting you, of course...
-
Sunday 26th February 2017 12:19 GMT Kiwi
Re: Give them the middle finger
> This would be a good reason to use some odd finger, like your left ring finger, to unlock your phone. They might want you to present your thumbs and index fingers, but it would be unlikely they'd make everyone try all ten fingers.
Other ways that might work (not seen the reader or even the phone so I don't know how they're built) - use your finger upside down (so if it's one of those little reader bars and normal use would have you swipe from top to bottom, swipe from bottom to top instead), and if you can try using say the side of your hand rather than a finger or two.
Or get really creative and use other body parts.. "Er, sorry officer, I need to enter a bathroom stall to unlock my phone, it'd be indecent of me to unlock it out here"... (Or you could try licking it.. How unique is someone's tongue print?)
-
Thursday 1st June 2017 00:57 GMT Agamemnon
Re: I doubt most of us nerds are any good at resisting torture.
Upvote because: I'm 6'4", extreme sportsman (read: I do stupidly dangerous shit), stunningly high pain threshold, and a general dislike for people making me do things against my will/the letter OR spirit of The Law.
Moving along, anyone that actually uses an FP reader is, in the view of my Work Functions, an idiot. I've got a 12 Char passcode on my phone. It is somewhat inconvenient unlocking it every time I'd like to use it...my inconvenience is SECONDARY to protecting the data on my device(s) BECAUSE, much of that data isn't mine, it's my customers'. If I'm not groovy with folk trucking through MY bits, I'm MUCH more aggressive about data that isn't mine, but in my care. I can hammer out those 12 characters in less than two seconds, dead exhausted leaving the CoLo, and then after a few pints (Lagged and Laggered) because: PRACTICE.
-
Thursday 23rd February 2017 09:01 GMT Rich 11
About a dozen years ago my then-boss was excited to get a brand new laptop, complete with fingerprint sensor. "Look at this, Rich11," he enthused. "This is much better than your AD password policy, a lot more secure!" "Really?" I said, pulling out my pocket knife and opening up the blade.
I always did enjoy watching comprehension dawn on his face. The opportunities were frequent.
-
Thursday 23rd February 2017 04:40 GMT Anonymous Coward
Available now: Fake-i-Finger [C]
Don't use your own fingers.
Cheap and disposable, Fake-i-Finger [C] opens your device using a randomised 'finger print' on a handy prosthetic digit.
Caught by the G-Men?
Throw away (or destroy) your Fake-i-Finger [C] and let them use your analog meat-indexes.
Fool them every time.
Replacement fingers just $2.95
-
Thursday 23rd February 2017 07:54 GMT kmac499
Re: Available now: Fake-i-Finger [C]
Tut-Tut
Be very careful with your Fake-i-Finger [C], as this is not a genuine Apple i-Finger, usage may invalidate your warranty. This will result in Apple forcibly giving you the genuine i-Finger for the remarkably good value price of $295.00
(Bonus Feature: The genuine i-Finger comes packed in a Latex sleeve with a slippy protective coating can't think why??)
-
Friday 24th February 2017 16:59 GMT W4YBO
Re: American Revolution
Why, that's part of the purpose behind our public education system. To not teach the history that would make life inconvenient for all levels of government.
An aside: My Nexus 6P running Android 7.1.1 only gives five tries to the fingerprint reader before requiring the password. Blow the password ten times, and it does a factory reset. Also requires password on restart.
-
Thursday 23rd February 2017 09:44 GMT tiggity
Pointless, bring on the bears
I'm guessing any suspect phone may have a few of the user's fingerprints on it..
Quite easy to lift (I'm assuming police resources stretch beyond gummy bears) and try them on the sensor.
So a bit of effort should get police into fingerprint protected phone without needing to compel suspects to use their fingers.
-
Thursday 23rd February 2017 12:00 GMT Anonymous Coward
Thus?
From the article:
"the government is seeking the authority to seize any individual at the subject premises and force the application of their [sic] fingerprints as directed by government agents."
I do not understand why there is a sic in there. The use of "their" in conjunction with "anybody" ("any individual" in this case) is abundantly established and semantically correct even if there would appear to be a grammatical dissonance.
-
Thursday 23rd February 2017 23:35 GMT fraunthall
US Magistrate Reins in Cops trying to force mass fingerprint seizure re iphone
First of all, it is extremely likely that a Magistrate's decision carries little precedential weight or force affecting other courts across the country, so it probably won't have any major effect or scope, so its real value is primarily persuasive.
The more interesting question is why UK geeks have gotten their knickers in a knot over this. The state of effective civil rights protection in the UK is much, much worse than it is in the U.S. and other places that have a history of judicial independence AND court decisions protecting civil rights encroachments by cops and other arms of the State. The UK essentially has no constitutional protections against abuses of power and its people are at the mercy of courts that have no true boundaries set by a constitution designed to prevent state abuses of its powers. The almost blanket coverage of spy cameras in the UK is an example of this. The situation in this regard is much worse in most of Europe, particularly Germany and France, which are, in my view, little better than fascist states.
-
Friday 24th February 2017 13:33 GMT Toni the terrible
Re: US Magistrate Reins in Cops trying to force mass fingerprint seizure re iphone
Possibly they got their knickers in a twist because they don't like seeing the land of the free getting to be worse than the UK?
- by the by you reminded me to get a set of CCTV devices to scan the area around my house...
-
Sunday 26th February 2017 10:40 GMT Kiwi
What the hell?
First they elect CMIC, with the only other realistic option being that thing that was almost replaced by Ms Lewinsky in Bill's Knob Polishing Shoppe, and now we have a judge upholding constitutional law, and in a sensible manner to boot?
WTF is happening to this world?
Oh, and El Reg...
> But in this case, the judge wrote in his order, "the government is seeking the authority to seize any individual at the subject premises and force the application of their [sic] fingerprints as directed by government agents."
Tsk tsk.. You should know better.. "Their" in this case is perfectly correct, no need for the "[sic]" (unless I've badly missed something?)