Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Crime Iphone Your Rights Online Apple

The Government Wants Your Fingerprint To Unlock Phones (dailygazette.com) 224

schwit1 quotes this report from the Daily Gazette: "As the world watched the FBI spar with Apple this winter in an attempt to hack into a San Bernardino shooter's iPhone, federal officials were quietly waging a different encryption battle in a Los Angeles courtroom. There, authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone contained Apple's fingerprint identification system for unlocking, and prosecutors wanted access to the data inside it.

It marked a rare time that prosecutors have demanded a person provide a fingerprint to open a computer, but experts expect such cases to become more common as cracking digital security becomes a larger part of law enforcement work. The Glendale case and others like it are forcing courts to address a basic question: How far can the government go to obtain biometric markers such as fingerprints and hair?"

This discussion has been archived. No new comments can be posted.

The Government Wants Your Fingerprint To Unlock Phones

Comments Filter:
  • The harder a government tries, the faster a market for hard-to-crack devices will grow.
    • And how's that working out for you?

      I mean technically Apple didn't lose in Court, but the government actually got more then it wanted in terms of access to your damn phone because the hack it's using today is not tied to a single iPhone 5c.

    • I have outwitted them. My fingerprint will not help them. I don't lock my phone. And it doesn't have a fingerprint reader. <nelson>ha ha</nelson> :-)
      • by wwphx ( 225607 )
        Myself, my finger will open Amazon, iBooks, a secure storage app, and one of my bank accounts: but not my phone. For that, I have to enter a passcode.

        Mythbusters did an excellent episode where they defeated many home security devices, including a finger print reader. As I understand it, later models of iPhones actually read a capillary signature, so theoretically a severed fingertip wouldn't do it. But I wonder if some of the Mythbuster techniques would work.

        I'd like to see a survey of those using
        • One place I worked at had one of those fingerprint readers on the time clock. I never used it after demonstrating that it would not read my fingerprint most of the time even with multiple tries and went back to my time sheet.
  • Duress print (Score:5, Interesting)

    by Anonymous Coward on Sunday May 01, 2016 @06:21PM (#52025027)

    New option: set a finger to use which will cause the device to wipe. (I can think of an appropriate digit to use).

    • That won't help you. Unless the "wipe" included fake usage and history, that's tampering with evidence and a crime all its own. And if your fake data doesn't match call record metadata, that will still be easy to prove as tampering.

      • Re: (Score:2, Interesting)

        by Anonymous Coward
        Then do nothing, and let them press your finger to the device. Don't even offer a specific finger, let them pick. It is not your job to inform them that doing so will wipe the device.
      • That won't help you. Unless the "wipe" included fake usage and history, that's tampering with evidence and a crime all its own.

        I think you have a good point that wiping a locked device might be construed as tampering with evidence. But what if it just reencrypted it a second time, maybe even with a random password but one you just don't know ?

        IANAL but you didn't erase anything, it was locked before and now it is still locked. Maybe even do it so they could brute force in 10-20 years time?

        Conveniently after the statute of limitations has run out.

        • Re: Duress print (Score:5, Informative)

          by AK Marc ( 707885 ) on Sunday May 01, 2016 @07:15PM (#52025275)
          Converting the data to an unusable form would be treated like shredding, which is illegal, and well tested to be illegal, if you do so after you know the material shredded was needed for an investigation or lawsuit.
          • Re: Duress print (Score:5, Interesting)

            by climb_no_fear ( 572210 ) on Sunday May 01, 2016 @07:30PM (#52025343)

            Converting the data to an unusable form ....

            You said it yourself: "Converting". But it was unusable before (ie., encrypted) and is still encrypted. Hence, no meaningful conversion took place.

            How about this: You could set up the system to unpack itself but with an algorithm that takes 20 years. It was locked before and now it is decrypting itself. You were asked to open it and you did.

            All good things take time...

            • by AK Marc ( 707885 )
              So if your notes were written in code, shredding them would be legal? There's no legal argument for that. Destroying things related to an investigation is illegal, regardless of what form they were in before.
          • Re: Duress print (Score:4, Informative)

            by TheCarp ( 96830 ) <(ten.tenaprac) (ta) (cjs)> on Monday May 02, 2016 @07:42AM (#52027171) Homepage

            > if you do so after you know the material shredded was needed for an investigation or lawsuit.

            This. As a budding young sysadmin this was always one of the first things that came up as why we really need a data retention policy. The last position you want to be in when a lawsuit arrives is having just erased data with no clear policy as to why you did it.

            Its not even entirely about whats true or what can be discovered but what can be proven to the satisfaction of men, and that is always going to be a larger set. Best to have a policy and stick to it.

        • So changing all the data on the phone (even if it could be decrypted to the same) is not tampering? Might as well just have it delete the private key instead (which is how remote wipe / too many guesses wipe works).

        • Dude,

          Stop watching movies.

          You've just committed multiple felonies relating to obstructing an investigation. Moreover the reaction of Courts to "you can't prove that, the evidence is gone," is typically to assume the evidence was the most damning evidence possible.

          • by cfalcon ( 779563 )

            While you may be held in contempt or face other charges if you deliberately take an action to destroy evidence, I've never heard of "beyond a reasonable doubt" being interpreted as "or, you know, if they destroyed evidence". Much of this also depends on the specifics of the case as well.

            The overall topic- that you can be compelled to use your finger to unlock a phone- isn't even new. This has already been found in older cases. It's a very solid reason to use good crypto- you can be compelled to unlock wi

            • Print + Password every time.

            • Thye standard doesn't change.

              But if you destroy evidence, the cops can tell that to a Jury. Generally they have to, because it would be quite unusual to have separate trials for the destruction of evidence charge and the charge that started the investigation.

              So the Jury goes into that room, where the course of your life will be determined, and yes they are technically using the same standard as always (Reasonable Doubt). But your side has a huge credibility problem because you destroyed evidence.

              Yeah, you c

      • I'm pretty sure destroying evidence has a less harsh penalty than murder or copyright infringement these days.

        • by fnj ( 64210 )

          I'm pretty sure destroying evidence has a less harsh penalty than murder or copyright infringement these days.

          ... or insulting that verminous prick, Recep Tayyip Erdoan.

      • by dgatwood ( 11270 )

        That won't help you. Unless the "wipe" included fake usage and history, that's tampering with evidence and a crime all its own. And if your fake data doesn't match call record metadata, that will still be easy to prove as tampering.

        This is a great example of why all phones should allow multiple user accounts. If you configure different accounts with different fingerprints, your private stuff could be in your left-handed account, and you could have a generic account with some minimal history and no access t

      • If providing the wrong finger leads to tampering with evidence (an act of my own doing), then providing the correct finger and thus the evidence is incriminating myself, which *should* be covered under the Fifth Amendment. I say should, because I don't have faith in our legal system to give a crap about the Fifth, or any other Right, these days...

        • So if caught with the finger on a paper shredder power button, pressing ON is not tampering? Certainly being forced to press the OFF button is not a violation of Fifth Amendment.

          The only clause of the Fifth that applies is this:

          nor shall be compelled in any criminal case to be a witness against himself

          The term "self-incrimination" is shorthand, but it's not really accurate for every interpretation. Putting your finger on the phone to unlock is not an act of testimony.

    • Not really sure that's necessary. As this is an iPhone, TouchID is disabled if the device is rebooted, 48 hours pass, or their are five incorrect attempts at fingerprint scanning.

      That is, they're far more likely to burn through the 5 attempts than they are to hit the duress finger.

    • "They" are going to back up the original enciphered data first, of course. File that idea under completely pointless.
      • by jonwil ( 467024 )

        If keys and other important data are stored in memory on the CPU chip (which is how Apple does it on the latest iPhones I believe) its not possible to "back up the encrypted data" in that way.

  • Smell my finger! Now pull it. Wouldn't matter anyway. My phone demands a password every XX hours no matter what.

  • I would assume not so far as to deny someone's 5th-amendment privilege to decline to self-incriminate. But IANAL.

    • by Anonymous Coward on Sunday May 01, 2016 @07:24PM (#52025315)

      I think you have a bit of a misinterpretation of the fifth amendment.

      The explicit text related to self-incrimination is:

      "...nor shall be compelled in any criminal case to be a witness against himself; ..."

      which is generally interpreted as:

      "The Fifth Amendment protects criminal defendants from having to testify if they may incriminate themselves through the testimony. A witness may 'plead the Fifth' and not answer if the witness believes answering the question may be self-incriminatory."

      So, the fifth amendment specifically applies to testimony.

      So while you can't be compelled to provide authorities with your decryption key for instance, we have recently seen here [slashdot.org] that you can be ordered to perform the decryption itself and be held in contempt of court for not doing so.

      • by borgasm ( 547139 )

        What if you made the passphrase answer a statement that you were guilty of doing something? Then, since you can't be forced to testify against yourself, you can't divulge the passphrase since it is itself self-incriminatory.

        I should have gone to law school.

        • by pellik ( 193063 )

          So while you can't be compelled to provide authorities with your decryption key for instance, we have recently seen here [slashdot.org] that you can be ordered to perform the decryption itself and be held in contempt of court for not doing so.

      • by pellik ( 193063 )
        This case is so insidious that I really hope it gets more traction on slashdot or other media sites.
        The slashdot summary didn't do it justice, either. The court is holding someone who claims to have forgotten his password indefinitely until such a time that he produces his password.
        If the police search your house, and deep in your basement find a computer hard drive from 6 years ago that you've completely forgotten about, and have no recollection of the passphrase to unlock, do you deserve indefinite det
    • Nope. The Fifth Amendment applies to shit you say, not shit you are:

      nor shall be compelled in any criminal case to be a witness against himself

      You can refuse to turn over passwords all you want, and they can't make you. But your finger? They need to get the proper papers filed with the Courts, but they can borrow that for five minutes.

      You could argue that the finger is something testimony like, but the rules lawyers that actually run the legal system have centuries of tradition defining "witness" as being "testimonial" in nature, which means that if the info you're divulging is an

  • by EEPROMS ( 889169 ) on Sunday May 01, 2016 @06:27PM (#52025061)
    If this starts happening people will just use a multi layer logins ie a sequence of fingers prints instead of just one or a fingerprint and a pass sequence. Also regarding terrorists, they just use burner phones for no more than a day or two now and use cryptic key words that mean nothing to your average key word search engine.
    • Re: (Score:3, Interesting)

      by m0hawk ( 3030287 )

      Or just using a long password held only in the brain. A lot less complicated than multiple layers of security, works right now and is "safe enough" for most people.

      For example, a police officer that doesn't respect your rights and asks to see the device contents without a warrant, because you were filming or were using your device in a manner they didn't like.

      One drawback is the time it takes entering a long password when you need your device quickly or need to check it often.Although, Android does have a f

    • by AmiMoJo ( 196126 )

      Current phones have already solved this problem. Can you set both Android and iOS to require a password/PIN after a certain amount of time, rather than just a fingerprint. You should set it to something short so that the police don't have time to get a warrant.

      Android also has a number of Dead Man's Switch apps, which will automatically wipe the phone after a certain period of inactivity. How this affects you legally depends on the jurisdiction I guess. Is failure to act to prevent the destruction of eviden

  • This is a PSA completely unrelated to the article and for educational purposes only.
    You can painlessley sand off your fingerprints in about 3 minutes. What are they going to do if you literally do not have fingerprints? Okay so you can't unlock your phone normally either then anyway but I think Slashdot people are smart enough to not use pathetic attempts at biometrics.
    • The government can just wait for your prints to regrow (while you are held in custody)

      If the pattern is still there, just sanded, they could take high resolution photos of your fingers and extract the pattern using software. Or use prints they took from you previously.

      They can then make a finger simulator from your print information, enough to trick the sensor on the iphone.

      Also, if your prints are sanded, how are you unlocking the phone normally...

      Sanding your prints in response to a warrant is obviously

      • by dgatwood ( 11270 ) on Sunday May 01, 2016 @09:23PM (#52025725) Homepage Journal

        The government can just wait for your prints to regrow (while you are held in custody)

        That approach won't work. The device won't take fingerprints after 48 hours. In fact, if the person simply refuses to submit to use of their fingers to unlock the device, they might get held in contempt, but after 48 hours, they can submit to the use of their fingers, and they're no longer in contempt, but it won't be of any value to the government.

  • If you're government worker, you need to turn in your fingerprints every year anyway. I'm not sure if the government has the capability to pull my fingerprint records and be able to spoof the fingerprint sensor on my iPhone. Not that I have anything sensitive on iPhone.
  • So I guess I am screwed. But there is hope for everyone else.

    Ugh.

  • See this Slashdot article from October 2014: Virginia Court: LEOs Can Force You To Provide Fingerprint To Unlock Your Phone [slashdot.org]. And that's not the first.

    (IANAL.) The idea is that forcing you to reveal something you know (passcode, etc) is testifying and thus could be self-incrimination and not constitutional, but that forcing you to provide something about yourself is totally kosher. The analogy is being compelled to give up a key or DNA vs a safe combination - the former is searchable, the latter is not. Fingerprints are routinely taken upon arrest, even if the person is released without charges. Physical descriptions or stuff on/about you is not testifying. The argument to make here is a fourth amendment one about being "secure in ones papers" - but they have a warrant so that doesn't do any good anyway.

    What it comes down to is the fifth amendment is a very important, but very circumscribed, right - not a get out of jail free card. Which shouldn't have been a surprise, really, otherwise the police would never be able to prosecute much of anything.

    • by Jason Levine ( 196982 ) on Sunday May 01, 2016 @08:04PM (#52025463) Homepage

      Fingerprints are routinely taken upon arrest, even if the person is released without charges.

      I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?

      Heck, if the government has your phone, chances are they have your fingerprint on your phone (or have access to somewhere you've been that you've left your fingerprints). Even if they don't have you in custody (and thus didn't fingerprint you), they can use those fingerprints to gain access to your phone.

      • by tlhIngan ( 30335 )

        I've always wondered why people would think that fingerprints are a highly secured method of authentication. You leave the things around everywhere you go and you can't change them if they are compromised. Imagine if you dropped little strips of paper with your password (that could never be changed) written on it everywhere you went. How long would your "highly secured" password last if someone decided they wanted into your account? Especially if that person was the government?

        And that's why Apple disables

      • I always thought Randall should do a followup to this XKCD comic [xkcd.com] with "hold him down and swipe his finger on his phone to unlock it."
    • by pellik ( 193063 )
      (IANAL. Either) The courts had indicated in a dissent that they may oppose forcing someone to turn over the combination to a safe. They set no precedent, and made no ruling to uphold that statement. Furthermore, the court is different now.
  • by FrankSchwab ( 675585 ) on Sunday May 01, 2016 @06:56PM (#52025185) Journal

    They got a warrant. None of my other "persons, houses, papers, and effects" are secure against a warrant, so why should my phone be?

    You may not think that there are other situations where the State could require my cooperation to investigate my alleged crimes, and yet those situations exist commonly. Fingerprints or DNA, for example, are coerced confessions from my body to be used by the state against me - and there's a long history (sometimes sordid) of their acceptance and use. They are coerced cooperation - try not giving fingerprints or DNA and see how far you get.

    The only significant issue I see is that the coerced cooperation required to open my phone, opens a huge window into my private business that doesn't have much of a parallel pre-cellphone. But that isn't much different than a search warrant for my house - the warrant must be specific, but that doesn't mean that the police who search my house won't investigate every document, container, and closet that may (or may not) be covered by the warrant.

    • People say that they've got more info on their cell then they would have in their House, but I really don't see that.

      There's some areas that's true, but much of that is stuff they can get from Cell towers anyway. The rest tends to be app data -- Tinder/Grindr/type-apps could be quite revealing, but Candy Crush ain't. And there's stuff in your house that nobody could figure out from your mobile.

      For example, do you share a bed with your wife? Are there tampon cartridges in the trash, and how fresh are they? W

  • don't remember password, type wrong 3 times (adjustable) - oh, sorry, device wipes... have to be quick though with typing...
    No finger print sensing BS.

  • by Dunbal ( 464142 ) * on Sunday May 01, 2016 @07:15PM (#52025271)

    How far can the government go to obtain biometric markers such as fingerprints and hair?

    They can go as far as just taking you around the back of the courthouse and shooting you. Of course those governments don't tend to be popular, but it happens. It all depends how much power the people give the government, until a critical mass is reached where the government no longer needs the people and can just give itself power. Guess which phase the US is in today.

  • The government can compel you to give over certain things that you posses, and the use of fingerprints is so old that there is no question that they can do with that pretty much what they want.

    What is protected is your right not to give testimony against yourself. A password is covered. A fingerprint is not. Facial recognition would not be covered either. Remember that before using those whiz-bang new features.

    • In at least one well-known case, it was held that a subpoena for the contents of a phone (protected by a password) to be used or provided depends on one factual question. The same question that applies to documents locked in an old-fashioned safe that has a combination.

      If there is a question about whether or not the phone belongs to the defendant, providing the password would be admitting ownership. That would be testimony, which is protected by the 5th.

      On the other hand, if the defendant admits it's his p

  • ... because the "key," analogy fails.

    When police knock on our door with a warrant, the warrant specifies what they are looking for.

    Recall the example of overreach in the case where an individual is suspected of stealing a TV and LEO looks in desk drawers and cubbyholes.

    Officers are not allowed to toss your house, looking for a TV.

    A smart device contains information that is private to other, unknown, persons .

    I may have photos of you. I may have emails from you. I may have text messages from you, and I may

    • Citizens should have a place to store shit without LEO getting its fucking hands on it.

      If it's not a smart device, then where is it?

      Besides your brain? Under US Law the only place you are allowed to protect information from ignore a valid warrant is your brain. That's the entire point of warrants.

      That a country would try that is what I refer to as an Interesting Constitutional Theory.

      "Interesting" as in it's impossible by definition. Some have lacked the clout to get info they wanted, or the technical skills; but if you set up a government that can't even verify the info it's citizens tell it is true then it's gonna be mighty tricky to

  • Why go all the trouble to get a warrant etc, when reading out publicly available hi-res photographs from surveillance cameras showing the finger of the target would be more than enough to print a fine replica of the fingerprint on a 3D printer, to be applied / pressed on the fingerprint sensor by some FBI agent at a later time? C'mon, image data processing has come a long way to read your fingerprints from most photos with a decent enough lighting and resolution. Transferring that to the sensor is trivial f
    • From a law enforcement point of view a warrant is pretty much free.

      The cop tells a Judge "I need that warrant," if the cop has probable cause to search the limited area he is asking for the Judge is duty-bound to grant the warrant. Since the Judicial branch is not part of the cop's budget you have to figure a half-hour of a low-0ranking FBI Agent's time.

      The shit you're talking about would require a really good photographer, a stake-out, and a lot of time to get precisely the right angle.

  • seems like a good reason to use some other form of unlock than fingerpirnts

  • Honestly, fingerprint dusting is so easy that I'm surprised it's so supposedly "secure". I mean, the phone is covered with fingerprints. Dust for them and construct fakes and voila, there's your phone. Which is why we should all push for Iris scanners on our phones instead.
    • Ever tried it?

      If you watch the CCC video of breaking into the iPhone, you'll notice a pristine front cover glass, with a very carefully placed fingerprint. And they're experts at this.

      Give it a try sometime. It's quite educational.

  • ...since the terrorist phone case and how easy it would be to force someone to unlock a bio-locked phone. What I'd like to see is Apple/whatever Android phones have that level of biometrics to either require a passcode or self-destruct if the wrong registered print is used to try and unlock it.

  • Can't an app be made that simply does not store any of this history and evidence on the phone ? It's not as if I can't get information from a distant server when I want it most of the time. The phone could otherwise hold music and other innocuous content.
  • ... devices can evaluate the state of mind of the person using whatever pass code is required to ordinarily access it, and then failing to allow such access if what would otherwise be the correct pass is provided while under any kind of duress?
  • If your fingerprint does anything more than let you answer a call or rear a text message, you're doing it wrong.

    Fingerprints are not secure, unless you always wear gloves you're leaving the key to unlock your phone on the phone itself.

  • So the next step will be to have distress fingers, i.e. if I use my left thumb, the phone will lock up and I need to enter my code, TouchID will not work by itself anymore.

    Problem solved. Apple, you listening? Wait, you don't have to. Any expert in security knows about canaries and distress signals, so you're probably working on it already, right?

  • The problem with biometrics are they are fixed. So once they are stolen, you are screwed. Duplicating a fingerprint is easy. Iris scans are probably simple enough to defeat given the right equipment. Even some future DNA scan could be defeated, in theory. Keep in mind, no matter what form of security is used, it has to be digitized in some way. That is a crack in security.

  • by jIyajbe ( 662197 ) on Monday May 02, 2016 @01:34AM (#52026321)

    (Yes, this is a serious, non-sarcastic post.)

    Yikes, that scenario had never occurred to me. I just turned TouchID off on all my devices. Entering my (>4 character) passcode isn't really that hard.

    This sort of story is why I like Slashdot. This was interesting and useful. Thanks to the submitter and the editor.

  • Sigh (Score:5, Insightful)

    by ledow ( 319597 ) on Monday May 02, 2016 @04:32AM (#52026765) Homepage

    Fingerprints are not passwords. If you use them that way, you're an idiot.

    At best, fingerprints are shortcuts for your USERNAME. You can use them in systems like that - school library and dining hall systems are perfect, you're not interested in "security", you're just interested in determining the correct child to a certain degree of accuracy quickly.

    Your password should still be something that only you know.

    People using fingerprints for passwords are deliberately making their machines less secure.

  • The US Government wants to force people of interest to use their fingerprints to unlock phones

    FTFY. Fixed the stupid capitalisation too.

Don't sweat it -- it's only ones and zeros. -- P. Skelly

Working...