April 25, 2017

You may have Five Fingers, but You can’t take the Fifth

BY :     April 25, 2017

Technology is a very interesting thing. In many cases, technological advances make our lives easier and more productive without introducing complex legal or philosophical questions.

But in some cases, a new technology raises an issue of law or morality that’s particularly thorny–and sometimes unpredictable, but of great import.

There’s a precedent of long-standing in the United States legal system–enshrined in the Fifth Amendment to the US Constitution–that prevents compelling a criminal suspect from providing testimony against themselves. This process–often called “taking the Fifth” when used by a defendant in a criminal case–is a foundational aspect of the US legal system. It stems from a desire to prevent the use of processes by the prosecutorial arm of the legal system that would be viewed as “stepping over the line” in compelling testimony from the suspect.

One can argue about whether this legal protection serves society’s interest in preventing the use of “undue pressure” to gain a criminal conviction, while still providing sufficient prosecutorial leeway to convict the guilty.

Making that argument is not the point of this diary–it’s to observe that a technological development has placed this right in jeopardy in a way that many people are unaware of.

US courts have held for some time that a criminal suspect cannot be compelled to provide information that would allow access to possibly self-incriminating information. As an example, if someone suspected of theft and law enforcement believes the stolen item is locked inside a bank safe deposit box, the suspect cannot be compelled to provide the combination to the lockbox. Law enforcement representatives must request a court order to have the box drilled open–a process which, itself, has some built-in protections against misuse.

This is how the standard against self-incrimination works.

Similarly, if a criminal suspect is believed to have stored relevant information to an investigation on their smartphone, which is secured with a PIN, the police cannot compel the suspect to provide the PIN. Doing so would be “doing the police’s work for them”, and would be a violation of Fifth Amendment protections, the courts have held.

But along comes fingerprint sensors on our phones–and the ability to control access to those devices with the press of a finger on a button.

As a technologist, your might be forgiven to think that the same Fifth Amendment protections apply to the use of your fingerprint to unlock the device by law enforcement. Whether providing a PIN or allowing your finger to be used, unlocking the phone by any means would be a violation of self-incrimination rights, correct? Why does the mechanism for the unlock, if “tied to” the suspect, matter?

In two cases relevant to this issue, the courts have seen things differently.

In October of 2014, a Virginia judge ruled that while police could not compel a suspect to provide a PIN to unlock his phone, they could force the suspect to place his finger on the sensor to unlock the phone.

Similarly–and more importantly, in a federal court–a judge ruled in February of 2016 that a suspect in a federal criminal case could be similarly compelled to use her fingerprint to unlock her smartphone.

The iPhone belonged to Paytsar Bkhchadzhyan, the 29-year-old girlfriend of a man accused of being a member of an Armenian gang, according to Matt Hamilton and Richard Winton of the LA Times. She was sentenced in February for one count of identity theft, and just 45 minutes later, a federal judge signed a warrant authorizing law-enforcement officers to place her finger or thumb on the Touch ID sensor of her iPhone. It’s not clear what prosecutors are searching for on her phone. The Atlantic

How can this be? Doesn’t the Fifth Amendment protect compelled self-incriminating testimony?

Apparently, the courts see things a bit differently than you or I might.

From the same Atlantic article:

The Fifth Amendment, which protects people from incriminating themselves during legal proceedings, prevents the government from compelling someone to turn over a memorized PIN or passcode. But fingerprints, like other biometric indicators—DNA, handwriting samples, your likeness—have long been considered fair game, because they don’t reveal anything in your mind.

Now, it’s not clear if this approach to gaining access to information relevant to a law enforcement investigation will stand up if challenged, but so far no such challenge has been mounted.

In the case that it does remain as the law, what is a security conscious smartphone user to do? After all, while PINS are “safer” in the sense that you cannot be forced to provide them to law enforcement, they are somewhat less convenient to use. Fingerprint unlocking is a nice technological solution to the problem of trading convenience (short PINs, for instance) for security. But now, it appears, it’s not secure against government intrusion.

(As a side note–the argument that “if you have nothing to hide, why does this bother you?” doesn’t strike me a sufficiently protective of government overreach. If you were the subject–incorrectly–of a government search warrant, would you really want law enforcement officials to be able to see everything on your smartphone?)

A fingerprint and a long passcode provides a good balance between convenience and security—or it did, until courts began compelling fingerprint unlocks, said Chris Soghoian, the chief technologist at the American Civil Liberties Union.

If you see this as a problem, what can you do?

Really, there are only two solutions:

  • Don’t use the finger print sensor–rely on a long passcode.
  • Turn off the fingerprint sensor if the need arises.

The former solution is not to my liking, personally. I prefer, I suppose, the second one. Something happens, I restart my iPhone and now a PIN is required to unlock it.

Bottom line, though, is that this is merely one example of how new uses of technology drive our legal and social systems in directions we cannot predict. At the very least, we need to know, as informed citizens, what the outcome of such changes are likely to be and how they affect us personally.

[This blog focuses on a situation that may be unique to the United States, but the issue might be of interest to those in countries with similar legal systems.]

Richard Fall

About

I am currently the National Solution Architect, Digital Platforms and IoT for Sogeti, working from the Des Moines, Iowa office. My interests lie in the areas of micro-services, SaaS, and IoT systems.

More on Richard Fall.

Related Posts

Your email address will not be published. Required fields are marked *

5 + 3 =


    *Opinions expressed on this blog reflect the writer’s views and not the position of the Sogeti Group