Recent Virginia Case Carries Major Implications for Fingerprint Passcodes and Self-Incrimination

This article was originally published in the Spring 2015 issue of the Virginia Bar Association YLC Docket Call.

The ever-evolving technological landscape constantly elicits new and interesting questions of law. Privacy and data security are areas of contention and confusion for many. Why?  Because privacy limits are unclear because the reach of technology outpacing the evolution of the law. As cell phones have advanced, they have become essential to everyday life and are no longer merely phone used to make and receive calls. Cell phones are minicomputers filled with personal, and mostly private, information including calendars, alarm clocks, books, videos and photos. People store everything from grocery lists to banking information in phones. How do the laws that govern phones solely to make and receive calls apply to these new multifaceted devices? Courts and lawmakers are slowly answering that question.

In Reily v. California, the Supreme Court shed some light on privacy limits regarding cell phones.[1] The Court held that the police generally may not, without a warrant, search digital information on a cellphone seized from an individual who has been arrested. The Court characterized cell phones as minicomputers filled with massive amounts of private information, which distinguished them from the traditional items that can be seized from an arrestee’s person, such as a wallet. This ruling is a necessary stride towards deciphering how the Fourth Amendment applies in this digital age but leaves a lot of unanswered questions.

After obtaining a warrant to search a phone how will officers access the contents? Can officers compel the accused to provide one’s passcode or fingerprint? Existing laws do not apply smoothly and presents an interesting question: Is producing one’s passcode or fingerprint to allow access to digital information on a smartphone testimonial communication subject to the Fifth Amendment privilege against self-incrimination?[2] This was the question answered in the Virginia case Commonwealth of Virginia v. Baust.[3]

In Commonwealth of Virginia v. Baust, the defendant David Baust was indicted on charges of assault.[4] The victim alleged that video of the assault was on Baust’s smartphone.[5] The police obtained and executed a search warrant, retrieving (among other items) the smart phone.[6] However, the phone was “locked” and could only be entered using a passcode or fingerprint.[7] The court decided to review each method of entry separately under the Fifth Amendment and arrived at two different conclusions.

The court held that fingerprints and passcodes are different in the eyes of law because of the testimonial nature of providing a passcode, which violates the accused’s right not to incriminate him or herself. The Judge explained that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone.[8] Producing the passcode would require the defendant to divulge knowledge—information from his own mind, placing it in the testimonial realm.[9] However, he concluded that a personal fingerprint does not require any similar knowledge—it is equivalent to a key that fits into a lock.[10]

This legal distinction will have a major impact on smartphone users, especially as providers market the increased security of these alternate access mechanisms. Your fingerprint is advertised as a more secure method for accessing tour phone but presents vulnerability if ever compelled to provide access to your phone. The legal differences may not be clear to users, as the passcode and the fingerprint are functionally equivalent. Should they really be distinguished under the law? Is there a distinction between telling police a passcode and typing in the passcode so that police may gain access to a phone? By typing the code, the individual does not have to provide any knowledge (testimony) directly to the police, although still providing access to data that is potentially criminally incriminating. Is the outcome or the means more important, because although not a verbal testimony providing a fingerprint or writing a passcode may lead to criminally incriminating information?

This decision raises a lot of questions and determining privacy rights in our technology will only get more complex as technology continues to evolve. The court is being charged to assess the functional and technological implications of new technology and create laws with those perspectives in mind. This is a difficult balance. Consistency will also be important to citizens as they seek to protect themselves within the bounds of these laws.

Most immediately, in Virginia, you should protect your phone using a passcode, not your fingerprint.

 

 

[1] 134 S. Ct. 2473, 2477 (2014).

[2] Commonwealth of Virginia v. Baust, No. CR14-1439, at 2 (Va. 2d Cir. Ct. Oct. 28, 2014).

[3] Id. at 1.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id. at 4.

[9] Id. at 5.

[10] Id.

iPhone Touch ID hacked already??

YAY! iPhones are more secure…. or are they? The new iPhone 5s touts a security feature currently unheard of in the mobile phone space, finger print access or Touch ID. Will this added security feature make the iPhone a leader in mobile security?The Chaos Computer Club – a Germany-based group of computer hackers – claims to have fooled Apple’s Touch ID fingerprint technology, which debuts on the new iPhone 5s. The YouTube video demonstrating the trick is entitled “hacking iphone 5S touchID” (and is  being reported by some organizations similarly although not quite “hacking”). Do consumers really have anything to worry about?

From 9to5mac.com
From 9to5mac.com

In a blog post describing the procedure, Chaos Computer Club says:

A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

The one minute video shows someone using their index finger to register Touch ID on a newly set-up iPhone 5s. Once the setup has been completed, they then apply a tape to their middle finger which, presumably, contains a transfer of the index fingerprint. That unlocks the phone.

The process is tedious and a bit complex for the average person so this isn’t a procedure that someone is likely to casually reproduce just for the sake of unlocking your phone. ​

Frank Rieger, spokesperson for the CCC explained saying, ​‘We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.​’

Apple maintains its fingerprint lock technology “provides a very high level of security,” and the iPhone maker’s website says there is a one in 50,000 chance of two fingerprints being alike.

Apple says the fingerprint lock is just for convenience, and that a passcode should be used to provide additional security.

​Beyond someone taking your phone long enough to hack it there are additional concerns. Lets start with law enforcement. ​A suspect’s smart phone is a potential wealth of information, but a suspect cannot be compelled to disclose the passcode. Fingerprints, however, may be taken against a suspect’s will or on file with the police department. How will this access to the ability to unlock the phone be used to bypass regulations on access to passcodes?

Most of us aren’t hiding illegal information on our phones or leaving our phones alone long enough to have our fingerprints copied and our phones unlocked. However, the iPhone has only been out for less than a week…  How will this further develop? What additional concerns will be uncovered? Does this make you nervous? Or is this just as secure as the simple easily decipherable 4-digit passcode of iPhones past? Will bad actors be able to hack your phone and access a copy of your fingerprint and use for their purposes?

​If you are concerned about security I suggest that you use both Touch ID and a passcode to secure your iPhone.​