Touch ID is more of a convenience than a security feature, and the FBI made that perfectly clear by obtaining a court order forcing a suspect to put their finger on the touch sensor and unlock their iPhone. The order shows courts still view our finger prints as physical evidence even when they serve as biometric keys to unlock devices and decrypt data.
Warrant let FBI use suspect's finger to unlock iPhone
Paytsar Bkhchadzhyan was arrested in late February, and only 45 minutes later FBI agents had a warrant in hand compelling her to place her finger on her iPhone's Touch ID sensor to unlock the device. Considering how quickly the warrant was obtained, the FBI probably assumed before the arrest and seizing the iPhone that Ms. Bkhchadzhyan's fingerprint would be the best way to gain access to her encrypted data.
U.S. courts have long held that our fingerprints are evidence and can be collected without a warrant. Compelling someone to provide their fingerprint as a means to unlock something, however, is more controversial, although in this case FBI agents didn't have any issues obtaining the order.
The argument supporting fingerprint unlock orders says they're akin to physical keys, which suspects can be compelled to provide through a warrant. Handing over a key isn't self incriminating, according to the courts, and as such providing a fingerprint to unlock a smartphone would fall under the same umbrella.
The other side of the argument is that when our fingerprints are used as biometric tools to unlock something they should be treated as if they're passcodes we've memorized but haven't written down. Courts can't compel someone to give up their device passcode because that would qualify as self incrimination. In the case of Touch ID, the implication is that any device your fingerprint unlocks is under your control, and a court forcing you to do so would go against the Fifth Amendment's delf incrimination protections.
University of Dayton law professor Susan Brenner told the Los Angeles Times, "By showing you opened the phone, you showed that you have control over it. It's the same as if she went home and pulled out paper documents — she's produced it."
Stanford Law School Center for Internet and Society director of privacy Albert Gidari disagrees and sees biometric unlock tools differently. He said, "Unlike disclosing passcodes, you are not compelled to speak or say what's 'in your mind' to law enforcement. 'Put your finger here' is not testimonial or self-incriminating."
Next up: The FBI doesn't like being in the dark
The FBI doesn't like being in the dark
Part of the issue for law enforcement is that our smartphones can encrypt data, making is substantially more difficult to access. Unlike a search warrant for a home or office where documents and other forms of evidence can be found and seized, encrypted data is worthless to a criminal investigation without the a mechanism to convert it into a readable format.
That was at the crux of the FBI's recent investigation in the contents of an iPhone seized after last December's mass shooting in San Bernardino where 14 people where killed and 22 others injured. In that case, law enforcement recovered the phone from one of the suspects after he was killed in a shootout with police.
FBI doesn't like being in the dark where encrypted data is involved
Since no one knew the iPhone's passcode, the FBI obtained a court order compelling Apple to create a hackable version of iOS. Apple didn't comply, saying the FBI was overstepping its legal authority. The FBI eventually dropped the fight after finding a third party willing to sell a tool capable of unlocking the device.
The Bkhchadzhyan case shows the FBI can work around the encryption issue—at least when their suspect is still alive—and that our fingerprints don't make for a very secure encryption key. The Mac Observer's Dave Hamilton has often said Touch ID is a convenience, not security, feature, and he's right.
While Touch ID will keep the casual snoop out of your iPhone, it isn't enough to protect your personal data from serious hackers, criminals, or the government. The Bkhchadzhyan case shows law enforcement can obtain warrants quickly enough to take advantage of Touch ID before its 48-hour non-use lock kicks in.
Touch ID automatically disables itself if you haven't used your iPhone or iPad in 48 hours, requiring the actual passcode to regain access to the device. The same applies if your device has been shut off or the the battery dies. That would render a court order compelling someone place their finger on a Touch ID sensor useless since the feature stays disabled until the passcode is typed in, which is protected by the Fifth Amendment because suspects can't be forced to divulge information that could be self incriminating.
With the Bkhchadzhyan warrant in the bag, it's a safe bet we'll start seeing more security-conscious technology users taking more steps to protect their personal data even though they may have nothing to hide. Turning off your iPhone before going through an airport security checkpoint to disable Touch ID, for example, may become a bigger thing in the wake of this case.
The Bkhchadzhyan won't make its way to the Supreme Court because she plead no contest, bringing an end to the possibility of a higher court ruling on biometric passcode protections. Until some future case is contested, expect to see the FBI and other law enforcement agencies go for similar warrants and doing their part to drive home the fact that Touch ID and other fingerprint passcode systems are conveniences, not strong security measures. Maybe it's time for Apple to let us use our fingerprint along with a passcode for device unlock and decryption.