In security and privacy circles today, no good deed goes unpunished. Consider Apple’s recent privacy initiative. Under its new encryption policy, Apple can’t divulge confidential information about its customers’ data, because only the consumer’s credentials can unlock the data — and those credentials are completely under the control of the customer. For added security, Apple layered biometric authentication (fingerprint) on top, so that people wouldn’t have to type their passwords/PINs in public, exposing themselves to the dangers of shoulder-surfing.

A funny thing happened, though, as that policy ran into law enforcement and the courts. You’ve got the director of the FBI railing against smartphone encryption, claiming that it puts us all at greater risk from terrorists. And a circuit court judge in Virginia has ruled that although police cannot force suspects to reveal their passwords/PINs, they can be forced to apply their fingers to their iPhones and open them, against their will. There is a lot of legal history — a.k.a. precedent — for this, but an absolute absence of logic or rationale. When a fingerprint becomes a password/PIN, it must be treated as such.

Part of this history involves the traditions of the police, who have long been able to forcibly require suspects to dig their fingerprints into a police station inkpad. To them, the fingerprint reader on an iPhone feels the same. But in the IT world, the fingerprint used to unlock an iPhone is not a fingerprint so much as it is merely data reflecting a biometric scan — just another way of authenticating. In other words, it’s a password that’s neither spoken nor typed.

But Judge Steve C. Frucci equated submitting to an iPhone biometric scan to “providing a DNA or handwriting sample or an actual key, which the law permits,” according to The Virginian-Pilot.
The Pilot further reported that Frucci wrote in his opinion that a “pass code, though, requires the defendant to divulge knowledge, which the law protects against.” (Just as an aside, I have to wonder when Virginia judicial authorities are going to start putting their decisions and rulings online. I mean, when you’re technologically outpaced by a branch of the U.S. government, it’s a sad day.)

But consider this scenario. I have a physical key that opens a physical deadbolt on the front door of my house. Because certain family members (who I will not name; they know who they are) have a tendency to forget or lose their house keys, I’ve debated changing the lock to accommodate a PIN keypad.

Now, according to this weird legal distinction, I could be forced to give my key to the police, but not my lock’s PIN. But hold on. Just as the iPhone’s finger scan is simply a digital version of a password/PIN, that deadbolt’s PIN is simply a digital alternative to my physical key. On what possible rationale should law enforcement treat the two differently?

This ruling smells of what has come to be known as civil service thinking. That pejorative term refers to someone blindly following the rules with no knowledge or understanding of the original intent. Without understanding why a rule was put in place, a manager can’t make proper decisions as to when it’s OK to overrule the regulation.

The reason for the distinction that Frucci cited in his ruling goes back many years and is based on the idea that people cannot be forced into saying things that are self-incriminating. Police can easily seize physical items, but forcing a suspect to tell them something against the suspect’s interest is much thornier. A simple demand to see a lawyer is supposed to end such questioning.

Mark Rasch, a former U.S.
Justice Department prosecutor who specializes in technology issues, says court decisions on these distinctions — which all are based on the Fifth Amendment right against self-incrimination — are all over the map. He cited one judge who agreed that he couldn’t force the suspect to reveal an encryption key, but he did order that suspect to unencrypt the files and show them to law enforcement.

That’s impressively absurd. When law enforcement wants someone’s password, it’s a pretty safe bet that what they really want is the data that the password unlocks. And citizens aren’t all that concerned about the privacy of their passwords except for their usefulness in keeping data away from prying eyes.

“Courts are essentially wrong distinguishing between various methods of encryption and decryption,” said Rasch. “They are all, at their core, a mechanism for protecting the privacy and security of data. Indeed, a person encrypting a drive with a biometric would have cause to believe that this was more secure, and that they had a greater expectation of privacy in the biometric than they do in a simple four-digit PIN. To say that announcing the numbers ‘2580’ as a password is testimonial incrimination, but handing over a complex PGP key, or causing a complicated mathematical calculation based upon a biometric is not testimonial misses the point. The purpose of the Fifth Amendment is not simply to protect utterances. It is fundamentally a conception of privacy that there are certain things the government simply cannot do, no matter how much it wants to. It’s both a zone of privacy, a concept of individual rights, and the idea of fundamental fairness that is embedded in the right against self-incrimination.
The right should be read broadly — not an absolute, but a broad right — to protect against unnecessary encroachment.”

He then illustrated his point with this example: “The best way to think of it is to imagine that the governments of Iran, North Korea, Syria or Cuba seize the contents of your encrypted drive. The local gendarme wants you to decrypt the drive for them. Should you have to do it? If your gut reaction is no — believe me, you will have a gut reaction — then we should consider allowing the same rights here.”

By making the distinction between a physical artifact and knowledge, Frucci seems to have let slip away the really simple question at issue: Does law enforcement have the right to see the contents of that phone? The judge must weigh the information sought, the crime involved and the privacy issues at stake. If the judge thinks law enforcement does have that right, the form of the password used should make no difference.

Somehow, he let that fingerprint mean something it doesn’t. No one at this point is questioning the right of the police to force the people they book at the station to provide their fingerprints. But that situation has nothing in common with being forced to use your fingerprint to unlock your phone for the police. In the latter case, you’re not really providing your fingerprint; you’re providing your PIN, that “knowledge” that, were it a string of numbers, would be kept in your head instead of at the tip of your finger. Most privacy advocates would find appalling the idea of injecting a suspect with sodium pentothal — the so-called truth serum — to get a confession or, in this case, a password. It’s forcing a person to do something that he would never willingly consent to doing. How is that different from three police officers holding a suspect down and forcing his finger to be scanned by his iPhone?

As a journalist, I am especially bothered by this decision.
Journalists have a duty to keep the identity of confidential sources a secret and not to reveal confidential information. I have been subpoenaed twice in state courts and once in a federal court to testify about what sources told me for various stories. I legally beat all of those subpoenas and never had to reveal anything. But the notes I was protecting were printouts that I kept locked away in a safe and undisclosed place. This all happened years ago, before the age of the smartphone. What if it happened today and my notes were on my iPhone? There wouldn’t even be a need for a subpoena if the police could force me to open my phone with my finger and then testify to what they saw.

I recognize, too, that such fears aren’t the exclusive domain of journalists. A criminal defense attorney could have confidential client emails and documents on her phone. If she is stopped for some minor infraction, and her phone can be unlocked with her fingerprint, a lot of very sensitive material that’s irrelevant to her infraction could become visible to eyes that shouldn’t see that stuff.

By the way, I do think there are times when law enforcement should get access to a suspect’s phone. Terrorism and child kidnapping come to mind — cases where lives are at stake. But you can allow for that without a blanket ruling saying that a fingerprint lock-out is worthless.

What I’d like to see is for the law to catch up with the 21st century. Meanwhile, if you are locking your phone with your fingerprint, you might want to add a PIN to that as well.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.