Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Cellphones The Courts United States

Cops Can Force Suspect To Unlock Phone With Thumbprint, US Court Rules (arstechnica.com) 146

An anonymous reader quotes a report from Ars Technica: The US Constitution's Fifth Amendment protection against self-incrimination does not prohibit police officers from forcing a suspect to unlock a phone with a thumbprint scan, a federal appeals court ruled yesterday. The ruling does not apply to all cases in which biometrics are used to unlock an electronic device but is a significant decision in an unsettled area of the law. The US Court of Appeals for the 9th Circuit had to grapple with the question of "whether the compelled use of Payne's thumb to unlock his phone was testimonial," the ruling (PDF) in United States v. Jeremy Travis Payne said. "To date, neither the Supreme Court nor any of our sister circuits have addressed whether the compelled use of a biometric to unlock an electronic device is testimonial."

A three-judge panel at the 9th Circuit ruled unanimously against Payne, affirming a US District Court's denial of Payne's motion to suppress evidence. Payne was a California parolee who was arrested by California Highway Patrol (CHP) after a 2021 traffic stop and charged with possession with intent to distribute fentanyl, fluorofentanyl, and cocaine. There was a dispute in District Court over whether a CHP officer "forcibly used Payne's thumb to unlock the phone." But for the purposes of Payne's appeal, the government "accepted the defendant's version of the facts, i.e., 'that defendant's thumbprint was compelled.'" Payne's Fifth Amendment claim "rests entirely on whether the use of his thumb implicitly related certain facts to officers such that he can avail himself of the privilege against self-incrimination," the ruling said. Judges rejected his claim, holding "that the compelled use of Payne's thumb to unlock his phone (which he had already identified for the officers) required no cognitive exertion, placing it firmly in the same category as a blood draw or fingerprint taken at booking." "When Officer Coddington used Payne's thumb to unlock his phone -- which he could have accomplished even if Payne had been unconscious -- he did not intrude on the contents of Payne's mind," the court also said.

This discussion has been archived. No new comments can be posted.

Cops Can Force Suspect To Unlock Phone With Thumbprint, US Court Rules

Comments Filter:
  • by rsilvergun ( 571051 ) on Thursday April 18, 2024 @06:20PM (#64406362)
    if it ain't in your head they can use it.
    • There have been plenty of examples of people using various materials to fake a thumb and then add someone's print to it and unlock phones. They could easily get someone to manufacture devices that do this.

      Because the authorities don't even need to attack the constitution to unlock phones with thumbprints I can only guess they are doing it because it pleases them to dimish our rights.

      • Re: (Score:3, Insightful)

        You have no such right.
        You have a right against self-incrimination. You do not have a right to obstruct justice.
        • by ls671 ( 1122017 )

          Indeed, I would never force anybody to do anything, it's against my religion. So, I just cut their thumb off to access their phones.
          -agent William Bumbray https://www.infocrimemontreal.... [infocrimemontreal.ca]

          • by saloomy ( 2817221 ) on Friday April 19, 2024 @01:24AM (#64406880)
            Why you should (if you own an iPhone) lock it with 5 clicks when doing things like going thru security lines or getting pulled over. Always. It requires the pin to enable touch or Face ID.
            • On android it is called lockdown mode and can be activated from the power button long press menu

          • You are gonna have to more specific about what they did, that link is not very forthcoming.

            • by ls671 ( 1122017 )

              He didn't do anything wrong, it was just an old meme joke. William Bumbray used to make messages on TV aired during commercial breaks aimed mostly at kids, the "kids, don't do drugs" style so it has become folklore.

                 

        • Re: (Score:2, Insightful)

          by dnaumov ( 453672 )

          You have no such right.

          You have a right against self-incrimination. You do not have a right to obstruct justice.

          What a bright idea. Lets just beat you up until you confess, right? You don't get to obstruct justice!

          • That's literally what the 5th amendment was written to prevent- compelled confession: "nor shall be compelled in any criminal case to be a witness against himself"
            You're trying to equate preventing police from obtaining evidence with compelled confession. That's either disingenuous, or stupid. I'll give you the benefit of the doubt and call it the latter.
            • by mspohr ( 589790 )

              Unreasonable search and seizure... you need a search warrant.

              • Correct.
                Which is the 4th amendment, not the 5th, and is also not being argued by anyone, or "the troglodyte judges"

                The police concluded that they did not need the warrant, because defendant was a parolee.
                Court agreed, as caselaw has determined long long ago, that parolees are not free citizens, they're just those out of prison early.
          • I'm pretty sure assault is still illegal, even for a cop. Although with qualified immunity it is possible that no one will be held responsible for the assault.

        • by mspohr ( 589790 )

          Without a search warrant?

          • Of course not. You are protected against unreasonable search and seizure. A warrant would absolutely be required, just as it is for the police to collect your blood.
            • I was thinking the same as, but I RFAd and read the case. Under Rodriguez v. United States, 575 U.S. 348 (2015), the Court ruled that a search warrant was required. However, he was a parolee, and as a part of his parole, he was subject to warrantless searches. His condition of parole included :

              "You shall surrender any digital/electronic device and provide a pass key/code to unlock the device to any law enforcement officer for inspection other than what is visible on the display screen.

              This includes any d

        • My brain obstructs it just fine

          • Correct- and that's protected.
            Nothing physical that can be collected is.
        • By definition a right against self-incrimination is a right to obstruct justice.

          If you are actually guilty of a crime, and the only evidence that will convict you is in your head, then by willfully withholding that evidence in your head you are actively obstructing justice.

          Future /. article: The Fifth Amendment ruled irrelevant by The Supreme Court after invention of computerized forced memory (insert....er) extraction device.
      • by ledow ( 319597 )

        I have nothing worth hiding, but I have an even simpler method:

        Don't put incriminating things on your phone.
        Don't use biometrics AT ALL. Literally just turn them off.

        My bank app tries to remind me every 6 months or so and I just dismiss it. Google also seems to think that I can "pay" with a biometric as an option whenever I buy an app or book on their apps... which is interesting because I've literally never given them one. Selecting the option wants me to enroll a fingerprint using my Google password.

    • by AmiMoJo ( 196126 ) on Friday April 19, 2024 @04:20AM (#64407012) Homepage Journal

      PROTIP for Android users, and I think iPhones have something similar.

      Press the power button 5 times rapidly to enable "emergency mode" or whatever they call it. Biometric unlock will be disabled and you will have to enter your password/PIN to access the device again.

      You can configure what else it does. I think the default is to call the emergency services, so you might want to disable that. You can have it record video and text people too.

      • Emergency mode doesn't disable the biometric lock on my Oneplus.

        • by AmiMoJo ( 196126 )

          Did you let the countdown hit zero? Try setting it to record an emergency video. Once it starts it usually asks for your password to stop the recording. Otherwise it must be a OnePlus thing.

      • Press the power button 5 times rapidly to enable "emergency mode" or whatever they call it. Biometric unlock will be disabled and you will have to enter your password/PIN to access the device again.

        I don't think this is true. If you enable emergency mode video recording you have to enter your PIN to end the recording, but biometrics will still unlock the lockscreen. While the recording is going, hit the power button to activate the lockscreen, which will be unlockable with biometrics. You can also swipe up from the bottom (assuming gesture navigation) and switch to other apps. The device is not locked and not in lockdown mode while in emergency mode.

        What you can do is press power and volume up to

    • Nobody read the court judgement either.

      This is about a parolee who's condition of parole was that he must allow law enforcement to gain access to his phone whenever they want. This is not a normal person doing normal things, this is a parolee who agreed to allow law enforcement into his phone as condition of his parole.

      The word "parole" is mentioned 99 times in the judgement. This is strictly about whether or not a parolee must allow law enforcement to access their devices.

      https://cdn.ca9.uscourts.gov [uscourts.gov]
      • Not quite that strict.
        The judgement discussed the 4th amendment implications.
        The police argued it was allowed because the parole allowed them to violate the defendant's 4th amendment rights- the court agreed.
        However, that does confirm that only the 4th amendment stands between them and compelling you to provide biometrics. (i.e., a warrant)

        Which shouldn't come as a surprise to anyone, but strangely enough, it is, because most of the people on here have no fucking idea what the 5th amendment actually is
  • by davide marney ( 231845 ) on Thursday April 18, 2024 @06:24PM (#64406372) Journal

    They can have my smartphone when they pry it from my cold, dead fingers. Oh. Wait.

  • by Rinnon ( 1474161 ) on Thursday April 18, 2024 @06:26PM (#64406378)
    I've long held that the use of biometrics to replace passwords is a mistake. The classic "username" and "password" combo provides two pieces of information in order to verify identify: who you are, and something you know. A thumbprint, or an iris scan, more accurately represents who you are than something you know; so using those to replace your username would make sense... but using them to replace your password seems like a bad idea.
    • I could see using "Who you are" AND "Something you know" together but I wouldn't think using "Who you are" as the password would be a good idea either. This article just highlights one of the reasons.

      People are very lax on security though, so what do you expect.

    • It may not have gone up higher in the courts but rulings from decades ago already properly handled this stuff. If it's public info you broadcast lacking the reasonable expectation of privacy then it's totally fair game. You broadcast your fingerprints all over the place and it's been used for centuries so the idea you somehow own rights to them to prevent their use is nearly beyond academic ..venturing into the impractically absurd.
      The same "reasonable expectation" measure applies to most stuff. Biometric

      • The 5th Amendment isn't about public vs private stuff. It's because at the time it was common to torture people until they confess. Passwords are an interesting case because they can't be a false confession; but confessing that you know the password is confessing that you have access to the account, but the stuff protected by the password is physical evidence and not a confession. There's been cases of people being compelled to share their password after admitting they know it. And biometrics are physical e

        • The Fourth Amendment is more relevant here and was part of the rulings I read about decades ago on these matters. Fingerprints were totally fair game before computers; no court order required and DNA shouldn't require one (but does if taken off your person while taking a fingerprint off your person is different.)

    • A thumbprint, or an iris scan, more accurately represents who you are than something you know

      Years ago a slashdot comment noted that those things are something you have, like a key or fob. But they are starkly inferior, because they can be copied/faked with sufficient tech and effort, cannot be hidden, and cannot be "rekeyed."

      The last two points are probably what make it attractive to those who would force it as a means of control for them, under the guise of security for you.

    • Re: (Score:3, Informative)

      by NotRobot ( 8887973 )

      I've long held that the use of biometrics to replace passwords is a mistake. The classic "username" and "password" combo provides two pieces of information in order to verify identify: who you are, and something you know.

      While I 100% agree with your overall sentiment, your terminology is slightly off.

      By definition, the three main method categories used to authenticate a user are:
      who you are = Attributes of the user, in practical terms mainly biometrics: face, fingerprints, voice, etc.
      what you know = Something known by the user, including user ids, passwords, PIN codes, host addresses, etc.
      what you have = Something the user has, such as a token generator, a smart card, etc. Also, this should be something that cannot be trivi

    • by tlhIngan ( 30335 )

      I've long held that the use of biometrics to replace passwords is a mistake. The classic "username" and "password" combo provides two pieces of information in order to verify identify: who you are, and something you know. A thumbprint, or an iris scan, more accurately represents who you are than something you know; so using those to replace your username would make sense... but using them to replace your password seems like a bad idea.

      Except that the truth is far worse. The reason phones use biometrics is b

    • by rastos1 ( 601318 )

      I've long held that the use of biometrics to replace passwords is a mistake.

      That would be because biometrics is "identification" and that alone is not not enough for "authorization/authentification".

    • I don't think username is by any way who you are. There are two scenarios: 1. list of users on the device is public (default on Android, Windows, etc.), where anyone know your username, so is not something you are and 2. list of users on the device is secret, so it simply a second password, something you know.

    • by Tom ( 822 )

      The classic "username" and "password" combo provides two pieces of information in order to verify identify: who you are, and something you know.

      Actually, it doesn't. Nothing in the username field has anything to do with identity. I can enter whatever I want there, or where it is an e-mail I can just enter whatever I want followed by @gmail.com once I've registered that as my e-mail account.

      These are not two differen things. There's no actual difference between "username+password" and "password1+password2".

      but using them to replace your password seems like a bad idea.

      Only because passwords are such a stupid idea.

      I want my biometric devices to have a distress function. Like "if I try to log in with THIS finger,

    • I've long held that the use of biometrics to replace passwords is a mistake.

      For what? Who I am is more relevant than what I know for the vast majority of transactions I have. Phones have functions to lock out biometrics, simply rebooting the phone would trigger a password requirement on every mobile I've used recently. I can't face unlock or thumb unlock a freshly started phone. On the iPhone you can simply press power + volume for 2 seconds and it will disable touch/face ID until the next time you enter your passcode.

      On the flip side biometrics are quick and easy and more than suf

    • by AmiMoJo ( 196126 )

      It depends on your threat model.

      For most people, a fingerprint is a decent way to unlock their phone. It's fast and good enough for banks to trust it with payments. It can easily be disabled in an emergency situation (press the power button 5 times rapidly). Thieves aren't equipped to lift your print and unlock your device, and will just sell it on or break it down for parts.

      For fingerprint unlock to be an issue you would have to consider a threat actor who can get your device before you have a chance to di

    • I've long held that the use of biometrics to replace passwords is a mistake.

      It works fine as a second factor. As a primary and only factor, biometrics (who knew that biometrics wasn't a word? When did Mozilla decide this?) is not really a lock at all.

  • by Subgenius ( 95662 ) on Thursday April 18, 2024 @06:42PM (#64406402) Homepage

    consumer or IOT devices? Feel free to scan my thumb or face. NONE of my devices are biometric locked, despite tons of companies wanting to setup that for 'ease of use.' Sorry, I'll keep my 18 to 24 digit passwords and not turn them over.

    • by Dan East ( 318230 ) on Thursday April 18, 2024 @07:40PM (#64406496) Journal

      Sorry, I'll keep my 18 to 24 digit passwords and not turn them over.

      Must be quite entertaining to watch you unlock your phone hundreds of times a day.

      • by orzetto ( 545509 )

        It could actually be a good way to deal with compulsive smartphone use.

  • by GameboyRMH ( 1153867 ) <<moc.liamg> <ta> <hmryobemag>> on Thursday April 18, 2024 @06:51PM (#64406410) Journal

    Biometrics: Credentials that can be stolen off your body, can't be hashed, and can never be reset...and stealing them off your body can be legal too.

    • >"Biometrics: Credentials that can be stolen off your body"

      If DNA or fingerprints, they are "credentials" that can be stolen off anything you have touched or been around, and for a loooong time. They are pretty bad overall methods for confirming who you are if you care about abuse or security. And in the case of DNA, it *really* invades privacy, by its nature.

      If you must use biometrics, the only reasonable one I have seen so far is deep vein palm scan. You are not leaving that data all over the place,

  • Just as well as I use my left nipple for unlocking.

    • Now if he had used his nipple, would him having to tell them which body part unlocks the phone be protected by self incrimination?

      Also he was a parolee? Way to bury the main problem of repeat offenders and the current penal system simply not working.
  • by gnasher719 ( 869701 ) on Thursday April 18, 2024 @07:16PM (#64406446)
    It's the same thing. The cops are allowed to open your safe. If you claim you don't have the key, or you forgot the combination, then they are allowed to break it open with force, assuming they have a valid warrant.

    The only case where you are safe is when the information that you know the passcode is in itself incriminating.

    An unknown person X hit Y over the head with their MacBook and killed them. The MacBook is locked with a password. The fact alone that you know the password means it's your MacBook and you are the murderer. Then they can't force you to unlock it, or can't use the fact that you know the password as evidence against you.

    Or you bought a used hard drive on eBay. It's password locked. The police claims there is CP on it. You claim you don't know the password, you intended to reformat and use the drive. The fact that you know the password is evidence against you which cannot be used.
  • Disables biometric authentication on an iPhone.

    • >"Disables biometric authentication on an iPhone."

      And on Android starts an emergency services call.

      So on Android, simply turn off the phone. Any reboot always requires the non-biometric unlock.

      Or go into settings and choose "show lockdown option" which puts a button on your lockscreen (and power button menu) that instantly disables all biometrics and lockscreen notifications.

    • by ledow ( 319597 )

      Not storing incriminating evidence on a cloud-controlled mass-market consumer piece of technology is probably a good idea too if you want to avoid such things coming to light.

      • Yeah, that would seem obvious.

        I'm not worried about what the cops could find on my phone - for me, it's just the principle of the thing.

  • Forcing to unlock or decrypt your devices is compelling to testify against yourself.
    • by schwit1 ( 797399 )

      Yes. The spirit of the 5th amendment is that no one should be compelled to aid in their own prosecution.

      • While I agree with you, the point is there is a major difference between self incrimination and legally obtainable evidence. Dont give them access and you wont have a problem.
    • No, it is not.
      Trying to keep physical evidence from the police is not testimony.
      • by sinij ( 911942 )
        Accessing your phone is about accessing data on your phone, therefore it is about data. As much was established with passwords, but for some reason biometric unlock is different? It is only different to the corrupt or ignorant judge that does not believe that compelling testimony is a problem. What next, torture until you confess?
        • Stored data is physical evidence.
          Passwords are different because they're in your head. They're something you can know (and forget).
          Only constitutional protections against unreasonable search and seizure protect you from access to physical data.

          5th amendment protects against compelled confession. It does not protect you from the collection of physical evidence, including your biometrics (or even your blood in the case of DUIs and such)
  • by msauve ( 701917 ) on Thursday April 18, 2024 @07:47PM (#64406506)
    I use a toeprint to unlock my phone. If they force me to use a finger (pick one, any one), it will lock out after 3 tries and then will only unlock with something I know.

    It does take more time when paying with "touch", the cashiers look at me like I'm not doing it right.
  • Ideally, you want encrypted storage that unlocks with a long and complex password. And an alternate password accesses a benign alternate storage or starts a digital shredder.

    You may be threatened with force to unlock, but it'll be your choice to do so (or deal with the price of not doing so).

  • by PPH ( 736903 ) on Thursday April 18, 2024 @08:41PM (#64406558)

    ... unlocks it. Right thumb wipes the storage. The cops came at me holding my phone. I tried to stuff my right hand in my pocket. They grabbed it and put my thumb on the scanner.

    I tried to assist them by keeping my right thumb away from the phone.

    • ... unlocks it. Right thumb wipes the storage.

      Which is an absolutely brilliant idea until you're distracted, rushed, or under the influence of alcohol/drugs. Then it's "Whoops, hope you have a recent backup!"

    • by Tom ( 822 )

      which phone has that feature? I've been asking for biometrics distress features for a really, really long time.

      • Indeed, biometric distress is frustratingly lacking. Especially now that many people wear continuous biometric sensors like Apple watch. Sense distress and don't allow unlock of the phone except with an exceptionally long code.
    • Most phones have a function to quickly disable biometrics with a simple key press. Remember to hold those buttons down when you hand over your phone and you're safe. No need to put your data at risk of you confusing left and right while out drinking.

    • Welcome to a new charge, destruction of evidence.

  • How many will there have to be? When was the last time the government sent you a copy of all the laws you are supposed follow?

    The glass will overflow and when it does, watch out.

  • Keep phone backed up to a localized computer with airgap. If stopped, restore to factory settings.
  • I'm European so maybe I don't get it all. How unlocking a phone to see documents in it differs from unlocking a door to see document in the place? This is a private space, even though a digital one. Shouldn't a warrant be required?
    • by ledow ( 319597 )

      At the point of arrest, are you suggesting that the police couldn't open a locked door that they suspect has evidence behind it?

      That they'd have to arrest the guy, take him away, go to court, get a warrant, in order to open the boiler cupboard?

      No, it doesn't work like that. Reasonable suspicion of a crime has rules too, and those allow such actions. It's always "unreasonable" search that's the problem.

      Otherwise criminals would put cheap tiny padlocks on everything they own, including their phone, and make

      • Yes, that's precisely what happens in the US. If you suspect there is evidence behind a door, locked or otherwise, you need to get a warrant. It's that simple. There typically isn't a burden of getting a warrant for every single door, but the person getting the warrant must be able to articulate what they plan to search, where they plan to search, and why they plan to search. The are a few exceptions, and you should try to avoid them because they are always challenged:

        https://www.law.cornell.edu/co... [cornell.edu]

  • by n2hightech ( 1170183 ) on Friday April 19, 2024 @05:58AM (#64407104)
    Why would anyone use fingerprints or iris scans to unlock anything? It's like walking around with your password on a sticky note posted to your forehead. Or dropping sticky notes with your password on everything you touch. I have never enabled the fingerprint scanner on my phone and never will. Even the mythbusters showed they can be hacked or like in 007 movie just kill the guy and take out his eyeball. It's a false sense of security. Biometrics are great for identifying an uncooperative person but good old long passwords are more secure. Adding a human scale delay of a few seconds into every attempt and some attention to side channel attack mitigation makes passwords near perfect security.
  • Wrong decision, probably because of bad defendant case. This is often how bad decisions are made. They argued the 5th,.. but this case is a 4th amendment case.

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated,"

    Secure in papers and effects (phone is effects).

    Secure in their persons, who does the thumb belong to?

  • Most cops are too stupid to figure that out... LOLZ

    • If I'm going to use biometrics only, I want to use a combination of them. Right thumb, left pointer, right iris - something where I have to know a pattern in addition to being me.

  • They can't require you to tell them your passcode. But you can always be... unofficially encouraged to do so.
  • I guess we'll all go back to passwords now.

  • They searched his phone without a warrant?

After all is said and done, a hell of a lot more is said than done.

Working...