Did you know the US legal system makes a distinction between something you have and something you know?
If you lock a safe with a key, the authorities can obtain authorization to take the key (something you have) and open it. However, if you locked the safe using a combination (something you know), that information is protected under your Fifth Amendment right to avoid self-incrimination.
What that means is that something you have, a key, can be taken and used against you, while something you know, a combination, can ultimately be compelled by a judge. Even then, you have rights -- and a decision -- to comply or not.
The concepts of something you have and something you know are core components of the three factors of authentication: something you know (passwords and PIN codes), something you have (tokens or devices), and something you are (a biometric of some sort).
Biometrics aren’t new. For the last two decades (maybe longer), biometrics have been held out as the answer to the “problems with passwords” and other authentication schemes. However, the introduction of TouchID on Apple iPhones and iPads makes biometrics a realistic basis for more “friendly” solutions.
Now the courts have weighed in on the third factor. And what a Virginia judge just ruled should cause you to rethink the value of passwords.
What happened and what the judge ruled
The police obtained a warrant for the cellphone (among other things) of a man indicted in an ongoing criminal case. Unable to access the device, the police asked the court to compel the man to unlock the device by fingerprint (biometric) or PIN code (sometimes called a password).
Because the government had obtained a lawfully executed search warrant, Baust could not challenge the government’s request on Fourth Amendment grounds. Instead, Baust argued that the request violates the Fifth Amendment, which provides that no person “shall be compelled in any criminal case to be a witness against himself.” Courts have long held that this privilege protects a criminal defendant from being forced to provide the government with “evidence of a testimonial or communicative nature.”
Virginia Circuit Court Judge Steven C. Frucci rejected the government’s request to compel Baust to provide his passcode, holding that providing his passcode would be testimonial because it would force Baust to “disclose the contents of his own mind.” This conclusion is in line with a 2010 ruling by a Michigan federal court that forcing the defendant to produce a passcode is “the extortion of information from the accused.”
But Judge Frucci allowed the government to compel Baust to provide his fingerprint. He concluded that the fingerprint, “like a key . . . does not require Defendant to communicate any knowledge at all.”
Shaking your head?
I think the judge got this right, especially in light of how the courts have interpreted the Fourth and Fifth Amendments.
Tuma pointed out that if we view the ruling from a “data security and privacy law perspective, this case makes no sense because whether it is a passcode or biometric security restriction that is being used to access the device, the device and the data are still being accessed, so it is a distinction without a difference.”
Reminding us this is a criminal case, he explained that “From a criminal procedure and constitutional law perspective, the courts do recognize a difference between compelling a defendant to provide something he has, like a fingerprint or a key versus communicating something he knows, like a passcode. In this case, the court approached this from the latter view.”
The effect of this ruling, for now, is that neither biometrics nor “something you have” requires the communication of knowledge -- which is protected.
Considerations and possible implications
As this report made the rounds, I noticed a common confusion between the concept of authentication and the specific factors of authentication. I even read an account where the author conflated a biometric (something you are) with a PIN (something you know). The complaint was that the courts “just don’t understand.”
Therein lies the rub. A fingerprint is not the same as a PIN.
Does this ruling spell the end of biometrics as a viable option?
Probably not (nor should it).
It does, however, signal an opportunity to consider and discuss the factors of authentication when designing or selecting authentication systems.
In the meantime, consider the implications of the word: compel. With a password, you have a choice. Because there is currently no way to extract something you know from your mind, you can choose to defy a court order to reveal what you know. It likely comes with a penalty, but that’s your choice.
This ruling puts an emphasis on implementation
That got me wondering how the ability to “take” and use my biometric to unlock my phone or other device would play out in terms of password managers and other information currently protected by the TouchID system.
I noticed that both the Apple and 1Password implementations still require passwords and PIN codes at defined and perhaps even random intervals. For example, when restarted, TouchID cannot be used until after the PIN code is entered (one of several events that trigger a PIN/Password requirement).
What happens when the system is protected by both a PIN/Password and a biometric -- when the system has locked out the biometric in favor of the PIN?
Tuma points out that “in this case the issue was raised about the possibility that the PIN could be required in addition to the biometric and this article says the judge did not compel the giving of the passcode so, if the biometric did not work, the phone would remain locked under the ruling.”
Passwords for the win?
Tuma suggests “courts are gaining a better understanding of more subtle data security and data privacy issues, I do not expect this case to be the final word on the subject and I suspect we will see more cases exploring the issues dealing with biometrics and this area of law will evolve.”
What is clear from this ruling is that while password bashing may be popular, it is prudent to stop. Instead, consider:
Ultimately, this is an opportunity for us. We need to consider authentication as a system, including its expected and unexpected uses, and find ways to improve it.