THE STRATEGIC LAWYER + + + politics.::. get the jist.::

Legal Implications of Fingerprint Scans

(image: public domain--if this is noted as public domain in error, please email me and I will take it down)

(image: public domain–if this is noted as public domain in error, please email me and I will take it down)

In the wake of the newest iPhone announcemement–namely, that it will contain a biometric fingerprint scan that has been integrated into the “home” button in an admittedly slick design–Wired recently published this interesting speculation about the potential legal implications in the US of fingerprint scanning on phones. The crux of the issue is that the nature of the fifth amendment in the US, which protects against self-incrimination, has to do with knowledge, rather than being. Whereas passwords are part of what you know, fingerprints are part of who you are.

And so the argument goes that just like other biometrics (like the collection of footprints and fingerprints in compiling forensic data and evidence), the fingerprint scan could be usable, in order to unlock a phone that has been seized as evidence, whereas under the same circumstances, a detainee would not be compelled (under the 5th) to reveal a password that would perform the same function of unlocking the device. Of course, it would also depend on the jurisdiction’s law around what kind of warrants are required in order to search an individual’s phone.

Still, it’s an interesting point that could have potential implications in Canada as well. I’m not sure of the specifics of the current law around accessing smartphones and personal devices, as I don’t  practice criminal law. I believe I recently read an article reporting that police are allowed to read through unlocked phones and devices or ones that are not password protected, and can do so on fairly light grounds–either reasonable suspicion or probable cause or somesuch. If that is indeed the case, and if in Canada we make a similar distinction between knowledge (stuff you know and can choose not to disclose) and being (biometrics, essentially), then it seems likely that we’ll have a similar set of consequences here.

The other issues with biometrics, of course, are that once they are cracked or copied (and it certainly isn’t difficult to collect fingerprint data, if someone really wants to do so) there’s no way to order a replacement or get a reset. Essentially with biometrics, you get hacked, rather than just your password or code.

And of course, knowing what we know, courtesy of Mr. Snowden, about the NSA, we can be sure that with the innovation of the “higher security” fingerprint id scanning on the iphone, all that data is getting stored somewhere, in the hard drive equivalent of the warehouse at the end of Raiders of the Lost Ark, available to search and compile as necessary.


6 comments on “Legal Implications of Fingerprint Scans

  1. Cooper Lord
    September 15, 2013

    This is an interesting take on a relatively new technology for mobile computing. Apple wasn’t the first one to enter the fingerprint scanning game for mobile devices, however. Dell laptops came out with a fingerprint scanner in 2007, and the Motorola Atrix cell phone had one in 2011. But Apple’s market share will make this concern a much bigger deal going forward.

    In the States, the Fifth Amendment ensures that an individual “shall [not] be compelled in any criminal case to be a witness against himself.” This has been read to serve as a general right to protect against self-incrimination. But the exceptions have largely swallowed the rule.

    Case law has shown the power of the government to compel an individual to give incriminating evidence against himself. The crux of the matter comes down to whether the evidence is “testimonial or communicative” in nature. If it is, the Fifth Amendment protects the individual. But much of the time, it does not. Following is a short list of the actions a government can compel an individual to do against his will.

    Stand in a lineup: US v. Wade 388 U.S. 218 (1967)
    Give handwriting exemplars: Gilbert v. California, 388 U.S. 263 (1967)
    Give blood samples: Schmerber v. California 384 U.S. 757 (1966)
    Move around courtroom: State v. Clark, 156 Wash, 543, 287 Pac. 18 (1930)
    And, most importantly to this discussion, to give fingerprints: United States v. Kelly, 55 Fed. (2d) 67 (1932)

    In U.S. v. Kelly, the Circuit Court of Appeals stated that there existed a “general right of the authorities charged with the enforcement of the criminal law to employ fingerprinting as an appropriate means to identify criminals and detect crime.”

    Now, as you rightly point out, the government would not be able to force someone to reveal their own password. But then again, that would be “testimonial or communicative” in nature. A fingerprint would not.

    All that being said, this discussion may be largely academic. I’m not a forensic scientist, but I suspect it would not be unduly difficult for an expert to hack a suspect’s iPhone 5s, with or without their fingerprint to provide access. Since either method would require a search warrant, it would probably be easier for police to search a cell phone the usual way: send it to the forensic lab.

    • Susan
      September 15, 2013

      Thanks for commenting, Cooper! I appreciate your thoughts.

      It’s true that the finger print scan thing has existed in a number of laptops already (I think my work laptop has a fingerprint authentication option as well). The ones I’ve seen there, however, have been strictly optional, where the new iPhone will have it nested into the home button, such that the data could theoretically be collected even if you do not enable the authentication. That, to me, is the new step, and the one that is potentially concerning, for two reasons: 1) people will assume it’s secure, when it really isn’t, necessarily and 2) given what we’re hearing about back doors and gag orders & equivalents, it’s quite possible something could be, or is being, done with that information.

      I am inferring (feel free to clarify) that this is the side of the matter on which you’re commenting re the already extant right of the authorities to collect fingerprints. I think my issue here is that yes, there is that right, but from my understanding–affirmed by your quote from Kelly–that would seem to be narrowed to the context of identifying criminals and crime, so there’d need to be some basic standard of probable cause etc. before that information could be collected. And I’m concerned that given the whole NSA business, this would just be more data (often pulled in from beyond the US jurisdiction, as in the case of Canadian users) collected without permission, and that has nothing to do with the commission of any crime, but which is there and available if any suspicions arise. I would have said that’s paranoid, except it seems like we’re also getting broad hints that (to paraphrase Fight Club) “the first rule about NSA back doors that collect and store incidental data generated by tech users is that you don’t talk about NSA back doors to access…etc.”

      Ah, so the standard that I was calling “knowledge” is “testimonial or communicative”. Good to know!

      Great breakdown of some of the exceptions that have been carved out re the fifth–fascinating. Thanks also for clarifying re the requirement of a warrant. I wasn’t sure if that would be required in US jurisdictions for such matters. I think in Canada it would be, so long as the phone is locked. As I say, I think I saw a recent case which found that if the phone is not locked, police do not need a warrant to conduct a basic search.

      I suppose what I’m concerned about, and which for me is a grey area of knowledge in my mind, is allowable protocols (I’m talking US now, since those are the cases you mentioned): though a person can invoke the “testimonial or communicative” protection to avoid revealing passwords, if we’ve got cases in which people are compelled to *do* things, like give blood samples, etc. then based on the current way the law has shaped and is shaping, would one of those things validly be “place your finger on the biometric scanner on your phone”? This would bypass a forensics requirement and be a rather quick and dirty workaround, if allowed. Or is that just farfetched, because that’s different to the types of “doing” actions in the cases listed above? I suppose I visualized a dystopian 1984 scenario in which police can say, “fine, you’re taking the fifth–no prob. We can however, require you to put your index finger here on your phone’s home button.”

      Most of the examples of “doing” exceptions you’ve cited seem procedural in nature–we need the guy to walk across the court/give fingerprints/etc and he won’t–the only potentially substantive one is the handwriting, which I could see going either way (testimonial vs routine sample collection). So maybe the scenario above isn’t a concern, because that would more likely be deemed substantive, and impinging on the purposive intent of the whole requirement for a warrant in the first place…? I’d be interested in your thoughts.

      Well. That was a longer comment than I intended.

  2. Cooper Lord
    September 15, 2013

    I suppose the general privacy concerns are concerning, but my expertise is in criminal law. I ran across this article that may assuage your fears:

  3. Noah Kovacs
    September 16, 2013

    This is a very interesting issue that has come up with the announcement of the new iPhone. I never had a issue with the fingerprint “scan” on my laptop because I could control when it was used and if the info ever left, but with the iPhone always being connected and able to upload that info at anytime is kind of a scary thought. It will be interesting to see how things unfold with the release of this new phone.

    • Susan
      September 17, 2013

      Noah, thanks for stopping by and leaving a comment!

      I agree re the laptop scans. I simply don’t use the fingerprint scan on my laptop–it’s ultimately an optional security feature. But with the new iphone, it is so integrated that you can’t avoid using the scan. I too am very curious–about whether there’s uptake, regardless of such concerns; whether it will ultimately emerge that, as with all the other denials from providers like Google et al., there actually is precise information tracking after all; and whether people will ultimately care or change their habits if such information does emerge.

  4. Susan
    September 22, 2013

    Ah yes: the 5s was available Friday, so here we are on Sunday, with the first hack of the “higher security” fingerprint scanner:

    So the data can still be collected (not that they’d tells us they’re not storing it /it’s only in the aggregate /it’s only local /it’s immediately discarded, when they’re actually doing none of the above. After all, that’s never happened before) just through regular use, but you’ll still need to have a passcode if you actually want some measure of security on your device.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


This entry was posted on September 13, 2013 by in Constitutional Rights, Privacy, Rights, Tech, The Administrative State and tagged , , .
%d bloggers like this: