[Infowarrior] - Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints

[Richard Forno]

Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints

"Such Fourth Amendment intrusions are [not] justified based on the facts articulated."

Cyrus Farivar - 2/23/2017, 3:45 AM

https://arstechnica.com/tech-policy/2017/02/judge-no-feds-cant-nab-all-apple-devices-and-try-everyones-fingerprints/

To beat crypto, feds have tried to force fingerprint unlocking in 2 cases
A federal magistrate judge in Chicago recently denied the government’s attempt to force people in a particular building to depress their fingerprints in an attempt to open any seized Apple devices as part of a child pornography investigation.

This prosecution, nearly all of which remains sealed, is one of a small but growing number of criminal cases that pit modern smartphone encryption against both the Fourth Amendment protection against unreasonable search and seizure, and also the Fifth Amendment right to avoid self-incrimination. According to the judge’s opinion, quoting from a still-sealed government filing, "forced fingerprinting" is part of a broader government strategy, likely to combat the prevalence of encrypted devices.

Last year, federal investigators sought a similar permission to force residents of two houses in Southern California to fingerprint-unlock a seized phone in a case that also remains sealed. In those cases, and likely in the Illinois case as well, the prosecutors' legal analysis states that there is no Fifth Amendment implication at play. Under the Constitution, defendants cannot be compelled to provide self-incriminating testimony (“what you know”). However, traditionally, giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, however, that fingerprints could be used to unlock a smartphone.

In a 14-page opinion and order, which was published on February 16 but only began to circulate amongst privacy lawyers and legal scholars on Twitter on Wednesday, Judge M. David Weisman wrote that while investigators did have probable cause to search a particular home, "these limitations do impact the ability of the government to seek the extraordinary authority related to compelling individuals to provide their fingerprints to unlock an Apple electronic device."

However, unlike the California warrant applications, this case doesn’t involve one particular seized device to check to see if anyone’s fingerprint unlocks it. Rather, authorities seem to be using the particular fact that most modern Apple iPhones and iPads can be unlocked and decrypted if Touch ID is enabled. While some Android devices also have a similar fingerprint scanning function, the warrant application (which remains sealed) apparently only sought out Apple devices. (Under both operating systems, the fingerprint unlock stops working after your phone has been unlocked for 48 hours.)

As the judge, who is both a former federal prosecutor and a former FBI special agent, wrote:

The request is made without any specific facts as to who is involved in the criminal conduct linked to the subject premises, or specific facts as to what particular Apple-branded encrypted device is being employed (if any).

First, the Court finds that the warrant does not establish sufficient probable cause to compel any person who happens to be at the subject premises at the time of the search to give his fingerprint to unlock an unspecified Apple electronic device.

…

This Court agrees that the context in which fingerprints are taken, and not the fingerprints themselves, can raise concerns under the Fourth Amendment. In the instant case, the government is seeking the authority to seize any individual at the subject premises and force the application of their fingerprints as directed by government agents. Based on the facts presented in the application, the Court does not believe such Fourth Amendment intrusions are justified based on the facts articulated.

Neither the Department of Justice nor the FBI immediately responded to Ars’ request for comment. Prosecutors could seek to appeal the opinion to a more senior judge.

Gov't may be shooting itself in the foot with novel legal theory

Ars spoke with several lawyers about this case, most of whom largely agreed with the judge’s ruling.
"As I read the opinion, the government relies on old fingerprinting cases to argue that the Fourth and Fifth Amendments don’t stand in the way of what they are seeking to do here," Abraham Rein, a Philadelphia-based tech lawyer told Ars by e-mail.

"But (as the court points out) there is a big difference between using a fingerprint to identify a person and using one to gain access to a potentially vast trove of data about them, and possibly about innocent third parties too. The old fingerprinting cases aren’t really good analogs for this new situation. Same is true with old cases about using keys to unlock locks—here, we’re not talking about a key but about part of a person’s body."

Orin Kerr, a well-known privacy and tech law expert, and a professor at George Washington University, told Ars that the judge had largely reached the right result, but only on Fourth Amendment, and specifically not Fifth Amendment grounds.

"I just think that it's really clear that that [fingerprints are] not testimonial—because you’re not using your brain," he said. "It can’t be testimonial if you can cut their finger off."

Similarly, Paul Rosenzweig, an attorney and former Homeland Security official, argued that it’s essentially impossible for a fingerprint, even a digital fingerprint, to have any Fifth Amendment implications.

"We could have gone down the road of saying that providing physical evidence is testimony against yourself," he said. "But we long ago made the decision that the Fifth Amendment applied to testimony and testimony meant only oral utterances or other things that conveyed a message. For this distinction lies at the core of Breathalyzer tests. If we roll that back, Breathalyzer tests go out the window. Blowing your air would be testifying against yourself."

Riana Pfefferkorn, one of the lawyers who first found this judicial opinion and publicized it on Twitter, told Ars that part of the problem with these types of cases is that this cutting edge of judicial analysis is largely happening "outside the public eye."

"In many instances, there may be little or no legal analysis by the court when it approves a request for a search warrant or other court order," she wrote. "Examples like this may be the tip of an iceberg. I hope that more judges will join this Illinois judge in not only conducting a thorough legal analysis of novel requests for gathering electronic evidence, but also publishing those opinions publicly."

Yet another lawyer suggested that cases like this would push companies like Apple to harden their devices even further: rather than allow a simple fingerprint to unlock a phone, future versions of its software will likely require a fingerprint or other biometric in combination with a traditional passcode.

"I think we will see authentication systems evolve with these kinds of mass searches (not to mention border searches and the like) as a new part of the threat model of unauthorized access," Blake Reid, a law professor at the University of Colorado told Ars. "An additional risk of what the government is doing here is creating incentives for manufacturers to design authentication systems that are less susceptible from a technical and architectural perspective to these types of searches."

Cyrus Farivar Cyrus is the Senior Business Editor at Ars Technica, and is also a radio producer and author. His first book, The Internet of Elsewhere, was published in April 2011.