Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy The Courts Iphone

Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules (forbes.com) 172

A California judge has ruled that American cops can't force people to unlock a mobile phone with their face or finger. The ruling goes further to protect people's private lives from government searches than any before and is being hailed as a potentially landmark decision. From a report: Previously, U.S. judges had ruled that police were allowed to force unlock devices like Apple's iPhone with biometrics, such as fingerprints, faces or irises. That was despite the fact feds weren't permitted to force a suspect to divulge a passcode. But according to a ruling uncovered by Forbes, all logins are equal. The order came from the U.S. District Court for the Northern District of California in the denial of a search warrant for an unspecified property in Oakland. The warrant was filed as part of an investigation into a Facebook extortion crime, in which a victim was asked to pay up or have an "embarassing" video of them publicly released. The cops had some suspects in mind and wanted to raid their property. In doing so, the feds also wanted to open up any phone on the premises via facial recognition, a fingerprint or an iris.
This discussion has been archived. No new comments can be posted.

Feds Can't Force You To Unlock Your iPhone With Finger Or Face, Judge Rules

Comments Filter:
  • I can't imagine... (Score:3, Insightful)

    by cayenne8 ( 626475 ) on Monday January 14, 2019 @04:03PM (#57961536) Homepage Journal
    ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today.

    I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

    • Re: (Score:2, Insightful)

      by Pascoea ( 968200 )

      ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today. I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

      Because I don't want to type in a password every time I look at my phone. I don't keep anything in the general storage that I don't want someone else to see. That "stuff" gets relegated an encrypted actual password protected "storage locker".

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Because I don't want to type in a password every time I look at my phone. I don't keep anything in the general storage that I don't want someone else to see.

        If you don't care about the data behind the biometric lock, and the data you do care about is behind a different lock, why use biometrics at all? I am seriously asking here and genuinely am curious why.

        • by sjames ( 1099 )

          I do that too, and it's just to keep people honest. It also makes it impossible for someone to successfully claim that they had no idea they weren't supposed to access the phone.

        • by Pascoea ( 968200 )
          Company policy requires that password protect my phone.
        • An overall better solution, in my opinion, would be to have a strong passcode for accessing the phone when turning it on, then an easy one like biometrics for unlocking.

          I admit that at first, I did not see a need for 2 systems.

          But it has bothered me for a while now that they continue to insist on just one access system, both for initial access to the phone, and for the lock screen.
    • Using a biometric system allows me to keep a 15+ character passcode on my phone without meaningfully impacting my day. It means my phone is immune to casual (or even some non-casual) break-ins, but is still very useful and accessible to me. (Particularly now that I have an iPhone XR; it never FEELS locked to me because the transition is so seamless.)

      If someone swipes my phone or I lose it, I have no fear that my data will be taken. If someone has kidnapped me and threatens me, they'll have my data whether it's protected by a password or biometrics.

      I'm FAR more worried about persistent data tracking around the web and the amount of data that filters through google and facebook than my biometrics being the weak point in my security.

      Ultimately, all security is a tradeoff between security and convenience. My phone is a device that I want to be convenient, and that means I trade a tiny bit of security for it.

      • This. The most likely case that a normal person will need their phone secure is if they lose it or have it stolen by a pickpocket. Security in this case requires a decently strong passcode. The problem biometrics solves is that a passcode strong enough to resist an attack on a lost or stolen phone is inconvenient to enter and is easily shoulder-surfed. If you are the target of a motivated attack, it would be be far easier to just observe you putting in a passcode than to lift your fingerprint in suffici

        • > That still could be taken at gunpoint, but I would argue that is actually an advantage, since I certainly don't have access to any data that is comparable in worth to my life.

          Or even comparable in worth to my eye, thumb, etc. While many biometric scanners claim not to work with amputated body parts, I suspect they'd work just fine so long as the part was was kept alive with synthetic blood of the right color and temperature. Plus, I don't trust all thieves to know how difficult the procedure actually

    • No kidding.

      We're sorry for the inconvenience, can we get you something to drink while you wait?
      (Takes the cup or can/bottle from you later, lifts the print(s), uses them to unlock your phone)

      Or just plain old intimidation to coerce you into complying. The average person is enough of a wimp, doesn't know their rights, and crumbles in the face of stern-speaking authority figures, that just 'demanding' it is enough for most, just to get the angry guy with a gun and a badge to stop yelling at them.

      • Considering how many people are beaten or killed by cops on the flimsiest of pretenses, sometimes even while officially in custody, without any consequences for the cop, that I'm not completely certain that "knowing your rights" is actually adequate defense against an "angry guy with a gun and a badge"

        • I'll probably never find out but in case I do here's what I have to say about that: https://slashdot.org/comments.... [slashdot.org]
        • by dcw3 ( 649211 )

          Considering how many people are beaten or killed by cops on the flimsiest of pretenses, sometimes even while officially in custody, without any consequences for the cop, that I'm not completely certain that "knowing your rights" is actually adequate defense against an "angry guy with a gun and a badge"

          Since your chances of that are much lower than winning the lottery (unless you purposely do something to attract their attention), it's not worth your time and effort to even think about it.

    • Well personally *I* can't imagine why you can't imagine it. The vast portion of people aren't worried about APTs. Well over 99% of the time there is no danger that someone is going to try to gather your biometrics in order to access your phone, and even less chance when you factor in likelihood of success. In almost every case the threat is a thief, a family member, an unscrupulous or "prankster" co-worker, or someone else who lacks the time, access to your person, and / or skill set to break bion biometric
    • by tlhIngan ( 30335 )

      ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today.

      I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

      Because passwords are inconvenient. You unlock your phone dozens or hundreds of times a day. It was discovered a PIN (a simple 4 digit PIN) made it so inconvenient that people wouldn't bother. Sure they set it up, but after a few days of constant entry, they disable it. This lea

    • by Kjella ( 173770 )

      ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today. I know, most people don't seem to value privacy, but if you have any at all, doing biometric should be a no go from the start.

      It's good enough if it's simply lost. It's a lot easier to shoulder surf a PIN than to create a convincing enough replica of my fingerprint. If you really want access to my phone just rob me, I'll tell you the PIN as it's not worth dying over. There's no need for shears and gory scenarios and it'll unlock the phone forever and after reboots too so it's better than my finger. I suppose I could be dead or incapacitated, but why go to drugs, battery or murder if a simple threat will get you all you want? So t

      • by mark-t ( 151149 )

        If you really want access to my phone just rob me, I'll tell you the PIN as it's not worth dying over.

        That being the case, one also has to ask if it is worth killing over if one isn't going to get it in the first place?

        If not, then it still makes no sense to divulge the PIN.

        If so, then it gets a bit dicier. although I still wouldn't, personally

        While I have no death wish specifically, if I'm dead, I don't have to live with the consequences of that, by definition, while conversely, a person who kills

        • Well, in general it's a bad practice to make threats you don't intend to follow though on. And vanishingly few people consistently behave rationally.

          And while a person facing imminent *certain* death should anticipate no particular problems at all (and in fact it seems common for such people to experience preternatural calm and often life-changing clarity - at least according to those whose lives were spared by chance) Facing imminent *potential* death on the other hand leaves you facing the very large pr

          • Plus, if they kill me I won't care that they didn't profit, so what exactly is the motive to invite that?

          • by mark-t ( 151149 )

            Facing imminent *potential* death on the other hand leaves you facing the very large problem of "not being killed"

            Not really... your choice in the matter is wholly illusionary. The choice to kill or not is theirs, and any impression that you have an influence on their decision simply by doing what they ask is nothing but a coincidence. I will not pretend to be responsible for a decision that someone else has imposed upon themselves just because they've somehow put themselves in a corner of feeling like th

            • You never have control over anything but your own actions, but those actions influence the probable actions of the people around you. You could be hit at any moment by a careless driver - but that doesn't mean you just ignore your own part and go wandering in traffic at night wearing black clothes. Heck, that's the entire point of wearing bright orange hiking gear during hunting season.

              Or, you know, maybe they don't actually kill you. There's a pretty good chance a bullet wound just causes serious pain o

    • For the people who check their phone 300 times a day, biometry saves them over half an hour a day. That seems a very reasonable tradeoff.

    • ...why anyone would want to use biometric passcodes to unlock anything so private as a cell phone is today.

      Because for nearly everyone in the world the biggest security risk is losing their phone and hoping that whoever finds it doesn't have automatic access to your Facebook account.

      If you work for the CIA then you may have a differing opinion on that. Personally if you want my phone you can have it. Just don't delete any of the dickpicks. I'll even give you my passcode: 000000

  • by OffTheLip ( 636691 ) on Monday January 14, 2019 @04:04PM (#57961540)
    obligatory: https://www.xkcd.com/538/ [xkcd.com]
  • It's going to be really hard not to look at your iPhone if they hold it up quickly.
    • Or use the finger prints that they had no choice but to have taken when they booked you.

      • by captaindomon ( 870655 ) on Monday January 14, 2019 @04:44PM (#57961874)
        Yep and then in both of these cases the evidence will be thrown out of court. The point isn't to stop the police from being physically able to do something, it's to take away the incentive. If using the fingerprints they gathered when they booked you to unlock your phone results in the whole case being thrown out of court for lack of admissible evidence, and a civil counter-suit quickly filed by the person who was arrested, the police are going to stop doing that. Quickly. As someone once said on this board, it's the Judicial version of "Judge Hulk SMASH."
        • Yep and then in both of these cases the evidence will be thrown out of court.

          Cops will just say you gave it up voluntarily. Then it's your word against theirs (unless the phone recorded it). Happy hunting for your lost rights.

          civil counter-suit quickly filed by the person

          Uh huh, Yeah, we all got plenty of money for that.

        • Re: (Score:3, Informative)

          by sexconker ( 1179573 )

          Cops will just lie. Best case they force you to unlock it, find out what you're doing, then get at that from some other angle, such as an "anonymous tip". Parallel construction.

          If you're not lucky, they'll beat you and force you to unlock it, then it's your word against 3 seasoned cops saying you unlocked the device voluntarily then reached for one of the cops's gun.

          • In this case, there is literally no good way to secure your phone. If the police are going to beat you, they'll beat you until you give them your password, too. At least your phone was a more convenient object to have the whole time that you weren't under arrest for something so heinous that the police decided you were worth the risks of depriving you of your rights.

        • Except not really if the evidence that they see on your phone merely sends them in the direction to obtain it through other means. Take your address book or snap contact list for instance. It's not evidence on it's own, but now they have a list of people to go to to obtain evidence.

          If they can't unlock and use it anyway there's no reason not to go through it.

  • by Riceballsan ( 816702 ) on Monday January 14, 2019 @04:06PM (#57961556)
    If I'm not misunderstanding, the police can still search the phone, if they can find a way in. This seems to say they can't force you to put your finger on your phone, but it doesn't sound like they can't try to figure out the code on phones they are able to bring into evidence. Unless I'm mistaken, that still seems like they can take your phone, run your prints... and I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.
    • Unless I'm mistaken, that still seems like they can take your phone, run your prints... and I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.

      Well, that still won't do them any good, if you do NOT use a biometric passcode, such as a fingerprint.

      They can try your prints all day long if you set a nice, complex passcode you have to type in.

    • I'm sure in a few years they could easily have a device to quickly 3d print the fingerprints onto some form of glove or something.

      The Mythbusters did this a few years ago using a photocopy of a fingerprint stuck to their finger as well as using other methods. Perhaps the scanner technology is more sophisticated now, but I'm sure it can be still bypassed by less than casual attempts.

    • by AHuxley ( 892839 )
      Software that can be found around the world will get in.
      Make the user click a link to push malware down.
      Once the police have the smartphone other products can be used to extract data.
    • by dissy ( 172727 )

      If I'm not misunderstanding, the police can still search the phone, if they can find a way in.

      From the second link above to the document by the judge, it seems the issue is the police requested a warrant for the phones of the two suspects, and it was both granted and forcing them to unlock the phones is fine.
      But the cops also requested a warrant to force every person also found in those homes that had nothing to do with the case nor were suspects, and the judge said no to both the warrant and said the cops can't force the unrelated people to do anything.

      Which to anyone with common sense this is how

  • what if you had an I want my lawyer = auto wipe setup on your phone?

    • I like to play survival video games. And I like to put traps in and around my bases.

      9 times out of 10, the person who ends up getting killed by my traps is me.

      This would not be a good solution for me.

  • Ignoring that fact that you should NEVER save sensitive or incriminating information on your personal mobiles devices, without employing some form of encrypted volume, this is a home run!
  • by davidwr ( 791652 ) on Monday January 14, 2019 @04:25PM (#57961722) Homepage Journal

    If the police put you under surveillance, it's likely they will see you unlock your phone at least a few times.

    If they can catch you doing it from different angles, they can probably figure out what the passcode is.

    Once they do that, execute the warrant, seize the phone, unlock the phone, then declare victory.

    • $5 hammer is a lot cheaper and easier though. What, you want the enforcers to have to actually work for their results?

  • Now (Score:4, Interesting)

    by RickyShade ( 5419186 ) on Monday January 14, 2019 @04:27PM (#57961742)

    Now let's find a sane judge who will stand with the constitution and declare Civil Asset Forfeiture to be unconstitutional as it most certainly is.

  • You are just asking for extraordinary rendition, aren't you?

  • I am very much in favor of privacy and protecting your data, but I cannot see how a finger print, iris, facial, or other bio-metric unlocking method can be considered protected by the 4th Amendment. How is this different than a physical key you've been ordered to surrender? Only passwords / keys in your mind should be protected. I really don't expect this decision to withstand appeal. Never thought I'd be arguing *for* the cops, but really, this should be obvious.

    • How is this different than a physical key you've been ordered to surrender?

      It's not, if the order comes from a judge through due process.

      Police are not judges, and a police demand is not due process.

    • I am very much in favor of privacy and protecting your data, but I cannot see how a finger print, iris, facial, or other bio-metric unlocking method can be considered protected by the 4th Amendment.

      That's because it isn't. It's protected by the Fifth Amendment.

  • by Headw1nd ( 829599 ) on Monday January 14, 2019 @04:51PM (#57961922)

    I seriously doubt this is going to survive appeal. Providing your fingers and face, for fingerprints and lineups respectively, is already considered non-testimonial and well accepted. That providing these to unlock a phone is objectively the same as a passcode is irrelevant, a physical key such as a dongle would have the same purpose and it seems to be established that you could be compelled to hand it over to the police. In fact it seems in this case that the law is specifically unconcerned with the objective, and only concerned about the means.

    This does invalidate an earlier comment I made concerning using 3D sculpting to fool face recognition, I guess the government might need to look into it now. If this leads to a ridiculous chain where you cannot be compelled to look at your phone to unlock it, but you can be compelled to have your face 3D scanned so that a copy can be made and used to unlock your phone, then I will be disappointed but not surprised.

    • I don't follow your line of thinking AT ALL.

      being fingerprinted and photo'd for booking is NOT the same as invading your whole life, which tends to be stored on your phone, these days.

      • "Invading your whole life" is what a warrant is for. In this situation I am assuming a warrant has been issued to search the phone, thus we are only really discussing providing access.
  • they can pry it from my cold dead hands.

  • by nehumanuscrede ( 624750 ) on Monday January 14, 2019 @05:19PM (#57962114)

    Instead of the either / or aspect, why not the option to require both a biometric AND a passcode / pin ?
    If the biometric AND the pin / passcode match you get access. If either fail, you don't.

    What problems would arise from such a setup ?

  • That created a paradox: How could a passcode be treated differently to a finger or face, when any of the three could be used to unlock a device and expose a user’s private life?

    Paradox? That's an asinine statement. They are treated differently BECAUSE they are in fact different.

    A word/phrase passcode is something that you have to say. Between that and the possibility that you don't know or don't remember the password, it made perfect sense to deny jailing people for not giving out their password.

    You fingerprint and face are just... there. Cops take mug shots. Cops take fingerprints. Hell, cops can take DNA samples. Because they are just there and don't require you to in

    • Completely agree. I have no idea what the basis for this ruling is.

      From what the article says, the judge is suggesting that because both a passcode and biometric key can be used to the same ends, they should both be treated the same, which is utterly nonsensical. That's no different than saying that if you have a combination lock with a backup key, the cops can't compel you to turn over the backup key because they can't compel you to turn over the combination number. But a number is nothing like a physical

  • The feds/police will still do it but if you complain they will say you were asked and complied. No force needed. Your word against theirs. Judge probably knows the cops on a first name basis. Who do you think he believes?

  • ...because typing my 14 character pin every time I want to unlock is pretty excessive, since I lock my phone every time I turn it away from me.

    If I ever need to turn my phone over to the police, I'll simply reboot it. Biometrics are disabled until you log in normally, so they can force mo to stick my finger on it all they like, it won't help.

  • They don't really need your biometric passport to unlock your phone, they have other ways to get to the data.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...