Are fingerprints PINs or physical artifacts?

A judge’s ruling that a person can be forced to open his phone with his fingerprint ignores the fact that the fingerprint scan is just a substitute PIN, which can’t be required by law enforcement

fingerprint detail on male finger
Credit: Frettie, via Wikipedia, CC BY 3.0

In security and privacy circles today, no good deed goes unpunished. Consider Apple’s recent privacy initiative. Under its new encryption policy, Apple can’t divulge confidential information about its customers’ data, because only the consumer’s credentials can unlock the data — and those credentials are completely under the control of the customer. For added security, Apple layered biometric authentication (fingerprint) on top, so that people wouldn’t have to type their passwords/PINs in public, exposing themselves to the dangers of shoulder-surfing.

A funny thing happened, though, as that policy ran into law enforcement and the courts. You’ve got the director of the FBI railing against smartphone encryption, claiming that it puts us all at greater risk from terrorists. And a circuit court judge in Virginia has ruled that although police cannot force suspects to reveal their passwords/PINs, they can be forced to apply their fingers to their iPhones and open them, against their will. There is a lot of legal history — a.k.a. precedent — for this, but an absolute absence of logic or rationale. When a fingerprint becomes a password/PIN, it must be treated as such.

Part of this history involves the traditions of the police, who have long been able to forcibly require suspects to dig their fingerprints into a police station inkpad. To them, the fingerprint reader on an iPhone feels the same. But in the IT world, the fingerprint used to unlock an iPhone is not a fingerprint so much as it is merely data reflecting a biometric scan — just another way of authenticating. In other words, it’s a password that’s neither spoken nor typed.

But Judge Steve C. Frucci equated submitting to an iPhone biometric scan to “providing a DNA or handwriting sample or an actual key, which the law permits,” according to The Virginian-Pilot. The Pilot further reported that Frucci wrote in his opinion that a “pass code, though, requires the defendant to divulge knowledge, which the law protects against.” (Just as an aside, I have to wonder when Virginia judicial authorities are going to start putting their decisions and rulings online. I mean, when you’re technologically outpaced by a branch of the U.S. government, it’s a sad day.)

But consider this scenario. I have a physical key that opens a physical deadbolt on the front door of my house. Because certain family members (who I will not name; they know who they are) have a tendency to forget or lose their house keys, I’ve debated changing the lock to accommodate a PIN keypad.

Now, according to this weird legal distinction, I could be forced to give my key to the police, but not my lock’s PIN. But hold on. Just as the iPhone’s finger scan is simply a digital version of a password/PIN, that deadbolt’s PIN is simply a digital alternative to my physical key. On what possible rationale should law enforcement treat the two differently?

This ruling smells of what has come to be known as civil service thinking. That pejorative term refers to someone blindly following the rules with no knowledge or understanding of the original intent. Without understanding why a rule was put in place, a manager can’t make proper decisions as to when it’s OK to overrule the regulation.

The reason for the distinction that Frucci cited in his ruling goes back many years and is based on the idea that people cannot be forced into saying things that are self-incriminating. Police can easily seize physical items, but forcing a suspect to tell them something against the suspect’s interest is much thornier. A simple demand to see a lawyer is supposed to end such questioning.

Mark Rasch, a former U.S. Justice Department prosecutor who specializes in technology issues, says court decisions on these distinctions — which all are based on the Fifth Amendment right against self-incrimination — are all over the map. He cited one judge who agreed that he couldn’t force the suspect to reveal an encryption key, but he did order that suspect to unencrypt the files and show them to law enforcement.

That’s impressively absurd. When law enforcement wants someone’s password, it’s a pretty safe bet that what they really want is the data that the password unlocks. And citizens aren’t all that concerned about the privacy of their passwords except for their usefulness in keeping data away from prying eyes.

“Courts are essentially wrong distinguishing between various methods of encryption and decryption,” said Rasch. “They are all, at their core, a mechanism for protecting the privacy and security of data. Indeed, a person encrypting a drive with a biometric would have cause to believe that this was more secure, and that they had a greater expectation of privacy in the biometric than they do in a simple four-digit PIN. To say that announcing the numbers ‘2580’ as a password is testimonial incrimination, but handing over a complex PGP key, or causing a complicated mathematical calculation based upon a biometric is not testimonial misses the point. The purpose of the Fifth Amendment is not simply to protect utterances. It is fundamentally a conception of privacy that there are certain things the government simply cannot do, no matter how much it wants to. It’s both a zone of privacy, a concept of individual rights, and the idea of fundamental fairness that is embedded in the right against self-incrimination. The right should be read broadly — not an absolute, but a broad right — to protect against unnecessary encroachment.”

He then illustrated his point with this example: “The best way to think of it is to imagine that the governments of Iran, North Korea, Syria or Cuba seize the contents of your encrypted drive. The local gendarme wants you to decrypt the drive for them. Should you have to do it? If your gut reaction is no — believe me, you will have a gut reaction — then we should consider allowing the same rights here.”

By making the distinction between a physical artifact and knowledge, Frucci seems to have let slip away the really simple question at issue: Does law enforcement have the right to see the contents of that phone? The judge must weigh the information sought, the crime involved and the privacy issues at stake. If the judge thinks law enforcement does have that right, the form of the password used should make no difference.

Somehow, he let that fingerprint mean something it doesn’t. No one at this point is questioning the right of the police to force the people they book at the station to provide their fingerprints. But that situation has nothing in common with being forced to use your fingerprint to unlock your phone for the police. In the latter case, you’re not really providing your fingerprint; you’re providing your PIN, that “knowledge” that, were it a string of numbers, would be kept in your head instead of at the tip of your finger. Most privacy advocates would find appalling the idea of injecting a suspect with sodium pentothal — the so-called truth serum — to get a confession or, in this case, a password. It’s forcing a person to do something that he would never willingly consent to doing. How is that different from three police officers holding a suspect down and forcing his finger to be scanned by his iPhone?

As a journalist, I am especially bothered by this decision. Journalists have a duty to keep the identity of confidential sources a secret and not to reveal confidential information. I have been subpoenaed twice in state courts and once in a federal court to testify about what sources told me for various stories. I legally beat all of those subpoenas and never had to reveal anything. But the notes I was protecting were printouts that I kept locked away in a safe and undisclosed place. This all happened years ago, before the age of the smartphone. What if it happened today and my notes were on my iPhone? There wouldn’t even be a need for a subpoena if the police could force me to open my phone with my finger and then testify to what they saw.

I recognize, too, that such fears aren’t the exclusive domain of journalists. A criminal defense attorney could have confidential client emails and documents on her phone. If she is stopped for some minor infraction, and her phone can be unlocked with her fingerprint, a lot of very sensitive material that’s irrelevant to her infraction could become visible to eyes that shouldn’t see that stuff.

By the way, I do think there are times when law enforcement should get access to a suspect’s phone. Terrorism and child kidnapping come to mind — cases where lives are at stake. But you can allow for that without a blanket ruling saying that a fingerprint lock-out is worthless.

What I’d like to see is for the law to catch up with the 21st century. Meanwhile, if you are locking your phone with your fingerprint, you might want to add a PIN to that as well.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.

This story, "Are fingerprints PINs or physical artifacts?" was originally published by Computerworld.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.