Recent Virginia Case Carries Major Implications for Fingerprint Passcodes and Self-Incrimination

This article was originally published in the Spring 2015 issue of the Virginia Bar Association YLC Docket Call.

The ever-evolving technological landscape constantly elicits new and interesting questions of law. Privacy and data security are areas of contention and confusion for many. Why?  Because privacy limits are unclear because the reach of technology outpacing the evolution of the law. As cell phones have advanced, they have become essential to everyday life and are no longer merely phone used to make and receive calls. Cell phones are minicomputers filled with personal, and mostly private, information including calendars, alarm clocks, books, videos and photos. People store everything from grocery lists to banking information in phones. How do the laws that govern phones solely to make and receive calls apply to these new multifaceted devices? Courts and lawmakers are slowly answering that question.

In Reily v. California, the Supreme Court shed some light on privacy limits regarding cell phones.[1] The Court held that the police generally may not, without a warrant, search digital information on a cellphone seized from an individual who has been arrested. The Court characterized cell phones as minicomputers filled with massive amounts of private information, which distinguished them from the traditional items that can be seized from an arrestee’s person, such as a wallet. This ruling is a necessary stride towards deciphering how the Fourth Amendment applies in this digital age but leaves a lot of unanswered questions.

After obtaining a warrant to search a phone how will officers access the contents? Can officers compel the accused to provide one’s passcode or fingerprint? Existing laws do not apply smoothly and presents an interesting question: Is producing one’s passcode or fingerprint to allow access to digital information on a smartphone testimonial communication subject to the Fifth Amendment privilege against self-incrimination?[2] This was the question answered in the Virginia case Commonwealth of Virginia v. Baust.[3]

In Commonwealth of Virginia v. Baust, the defendant David Baust was indicted on charges of assault.[4] The victim alleged that video of the assault was on Baust’s smartphone.[5] The police obtained and executed a search warrant, retrieving (among other items) the smart phone.[6] However, the phone was “locked” and could only be entered using a passcode or fingerprint.[7] The court decided to review each method of entry separately under the Fifth Amendment and arrived at two different conclusions.

The court held that fingerprints and passcodes are different in the eyes of law because of the testimonial nature of providing a passcode, which violates the accused’s right not to incriminate him or herself. The Judge explained that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone.[8] Producing the passcode would require the defendant to divulge knowledge—information from his own mind, placing it in the testimonial realm.[9] However, he concluded that a personal fingerprint does not require any similar knowledge—it is equivalent to a key that fits into a lock.[10]

This legal distinction will have a major impact on smartphone users, especially as providers market the increased security of these alternate access mechanisms. Your fingerprint is advertised as a more secure method for accessing tour phone but presents vulnerability if ever compelled to provide access to your phone. The legal differences may not be clear to users, as the passcode and the fingerprint are functionally equivalent. Should they really be distinguished under the law? Is there a distinction between telling police a passcode and typing in the passcode so that police may gain access to a phone? By typing the code, the individual does not have to provide any knowledge (testimony) directly to the police, although still providing access to data that is potentially criminally incriminating. Is the outcome or the means more important, because although not a verbal testimony providing a fingerprint or writing a passcode may lead to criminally incriminating information?

This decision raises a lot of questions and determining privacy rights in our technology will only get more complex as technology continues to evolve. The court is being charged to assess the functional and technological implications of new technology and create laws with those perspectives in mind. This is a difficult balance. Consistency will also be important to citizens as they seek to protect themselves within the bounds of these laws.

Most immediately, in Virginia, you should protect your phone using a passcode, not your fingerprint.

 

 

[1] 134 S. Ct. 2473, 2477 (2014).

[2] Commonwealth of Virginia v. Baust, No. CR14-1439, at 2 (Va. 2d Cir. Ct. Oct. 28, 2014).

[3] Id. at 1.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id. at 4.

[9] Id. at 5.

[10] Id.

Millions of Gmail Usernames & Passwords Leaked! How do you protect yourself?

This morning Freedom Hacker reported that 5 million gmail usernames and passwords had been dumped on reddit’s netsec section linking to the another website hosting the leaked gmail accounts. They caution against checking if your password is secure because it appears scams are already appearing or Reddit users are getting ready for the scams to come.
According to one security firm the data is old and likely sourced from multiple data breaches. “The security of our users is of paramount importance to us,” a Google representative said Wednesday via email. “We have no evidence that our systems have been compromised, but whenever we become aware that an account has been compromised, we take steps to help our users secure their accounts.”

It is highly recommended you change your email password regardless and turn on a form of two-factor authentication to heighten security and prevent any possible future attacks.

Here are some other tips to protect your accounts and private data:

  • Do no use the same password or variations of the same password for your accounts
  • Change your account passwords frequently.
  • Always check you bank accounts and other financial accounts fro fraudulent charges.
  • Review your credit report for fraud at least annually.
  • Have two-factor authentication whenever possible.
  • The longer the password is, the exponentially more difficult it becomes to crack.
  • To help remember the password, use it immediately. Then log in and out several times the first day.
  • Do not provide your password or other private data when solicited via email or phone, this could be a social engineering attempt. Most reputable companies will not ask for this information via email and financial institutions NEVER do. If they claim there is an issue with your account do not click on the link provided go to the company’s main website and access your account from there.
  • Report attacks and social engineering attempts to the company being impersonated.
  • NEVER give your password to anyone!

Please go and change your gmail password and if you have not changed your other passwords in a while use this as an opportunity to do so!

Stay safe & smart!