Authorities can’t force people to unlock their biometrically secured phones or other devices, a federal judge in California ruled Thursday.
“The Government may not compel or otherwise utilize fingers, thumbs, facial recognition, optical/iris, or any other biometric feature to unlock electronic devices,” Magistrate Judge Kandis A. Westmore wrote in an opinion for the U.S. District Court for Northern California.
An attempt by law enforcement authorities in Oakland, California, to force two suspected extortionists to unlock their mobile phones with biometrics violated Fifth Amendment protections against self-incrimination, Westmore found.
Passcodes used to unlock devices already are protected by the Fifth Amendment, which prevents the government from forcing people to testify against themselves, she explained.
“Biometric features serve the same purpose of a passcode, which is to secure the owner’s content, pragmatically rendering them functionally equivalent,” Westmore wrote. “It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”
More Than Physical Evidence
While compelling someone to give up their fingerprints or DNA to law enforcement is an accepted practice, Westmore argued they’re not the same as compelling someone to unlock a phone with a biometric security feature.
“Requiring someone to affix their finger or thumb to a digital device is fundamentally different than requiring a suspect to submit to fingerprinting,” she wrote.
“A finger or thumb scan used to unlock a device indicates that the device belongs to a particular individual. In other words, the act concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents,” Westmore noted.
“The act of unlocking a phone with a finger or thumb scan far exceeds the ‘physical evidence’ created when a suspect submits to fingerprinting to merely compare his fingerprints to existing physical evidence (another fingerprint) found at a crime scene, because there is no comparison or witness corroboration required to confirm a positive match,” she wrote.
“Instead, a successful finger or thumb scan confirms ownership or control of the device, and, unlike fingerprints, the authentication of its contents cannot be reasonably refuted,” Westmore found.
Step Forward for Privacy Rights
The protection of personal phone data and control over biometric information are two of the most important emerging privacy issues in the criminal justice system, said Alan Butler, senior counsel with the Electronic Privacy Information Center, a civil liberties advocacy group in Washington, D.C.
“The decision from the Northern District of California is an important step forward for constitutional privacy rights,” he told TechNewsWorld.
“The judge rightly recognized that traditional constitutional principles must be adapted as technology changes in order to preserve privacy and other rights ensured by the Fourth and Fifth Amendments,” Butler said.
“Law enforcement officials are charged with upholding the Constitution and cannot act contrary to its limitations, so there cannot be any legitimate law enforcement activity that violates these important Constitutional rights,” he maintained. “The government must use legitimate means subject to proper judicial oversight if they want to obtain evidence for an investigation.”
Think Outside the Phone
Although Westmore rejected law enforcement’s reasoning for forcing suspects to unlock their phones by using a part of their anatomy, she wasn’t insensitive to law enforcement’s position.
“While the Court sympathizes with the Government’s interest in accessing the contents of any electronic devices it might lawfully seize, there are other ways that the Government might access the content that do not trample on the Fifth Amendment,” she wrote.
In the case before the court, Facebook Messenger was used in a suspected extortion attempt. Law enforcement officials could have obtained the information they wanted from Facebook under the federal Stored Communications Act or through a warrant based on probable cause, Westmore suggested.
“While it may be more expedient to circumvent Facebook, and attempt to gain access by infringing on the Fifth Amendment’s privilege against self-incrimination, it is an abuse of power and is unconstitutional,” she wrote.
“Law enforcement is creative and diligent,” said Justin Kay, an attorney in the Chicago law office of Drinker Biddle & Reath.
“Law enforcement will find a way to get in even when they can’t get in through cooperation,” he told TechNewsWorld.
Although Westmore’s opinion doesn’t have the weight of a higher court decision, it could be very influential.
“Defendants and potential defendants are going to be citing this,” Kay said, “and other courts will invoke its reasoning.”
For the most part, the issue of passwords and unlocking electronic devices has been kicking around lower federal courts and state courts — but that could change.
“As the judge in this case acknowledges, there have been other decisions concerning compelled disclosure of passwords, and this decision is consistent with many earlier judgments,” EPIC’s Butler observed.
“However, this issue does come up more frequently each year, given the widespread use of mobile devices with biometric locks,” he observed. “So I would expect that courts of appeals — and eventually the U.S. Supreme Court — will weigh in on this in the near future.”
The reason the courts have had to take an aggressive stance on electronic device privacy is that lawmakers have failed to address the problem.
“Our legislative system is not keeping up with the rate of technological change,” said French Caldwell, CFO of The Analyst Syndicate, an IT research and analysis group based in Washington, D.C.
“The courts are saying, ‘We can’t wait for the legislature to sort all this out,’ so they’re being forced into a position of creating new law because there’s no law on this,” he told TechNewsWorld.
The issue eventually will land before the Supreme Court, Caldwell said, and “it’s going to take a long time before it gets to the Supreme Court, which gives legislators time to act.”
Aside from protecting citizens’ rights, there may be a security lesson to be learned from Westmore’s decision.
“Biometric authentication is just one layer in what should be multifactor authentication,” said Drinker Biddle’s Kay. “The technology should be used with a passcode. It should be used to make sure that the person inputting the passcode is the person that should be inputting the passcode.”