RSN Fundraising Banner
FB Share
Email This Page
add comment
Print

Hofmann reports: "While there’s a great deal of discussion around the pros and cons of fingerprint authentication - from the hackability of the technique to the reliability of readers - no one’s focusing on the legal effects of moving from PINs to fingerprints."

File photo, an Apple company building. (photo: file)
File photo, an Apple company building. (photo: file)


Apple's Fingerprint ID May Mean You Can't 'Take the Fifth'

By Marcia Hofmann, Wired Magazine

15 September 13

 

here's a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple's industry-leading position, it's probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple's move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).

While there's a great deal of discussion around the pros and cons of fingerprint authentication - from the hackability of the technique to the reliability of readers - no one's focusing on the legal effects of moving from PINs to fingerprints.

Because the constitutional protection of the Fifth Amendment, which guarantees that "no person shall be compelled in any criminal case to be a witness against himself," may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).

The privilege against self-incrimination is an important check on the government's ability to collect evidence directly from a witness. The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding "civil or criminal, formal or informal," where answers might tend to incriminate us. It's a constitutional guarantee deeply rooted in English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors to force them to divulge information that could be used against them.

For the privilege to apply, however, the government must try to compel a person to make a "testimonial" statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody - not even a judge - can force the witness to give that information to the government.

But a communication is "testimonial" only when it reveals the contents of your mind. We can't invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn't reveal anything you know. It's not testimonial.

Take this hypothetical example coined by the Supreme Court: If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn't be testimonial if it's just a physical act that doesn't reveal anything you know.

However, if the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind - and so would implicate the Fifth Amendment. (If you've written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.)

The important feature about PINs and passwords is that they're generally something we know (unless we forget them, of course). These memory-based authenticators are the type of fact that benefit from strong Fifth Amendment protection should the government try to make us turn them over against our will. Indeed, last year a federal appeals court held that a man could not be forced by the government to decrypt data.

But if we move toward authentication systems based solely on physical tokens or biometrics - things we have or things we are, rather than things we remember - the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.

Biometric authentication may make it easier for normal, everyday users to protect the data on their phones. But as wonderful as technological innovation is, it sometimes creates unintended consequences - including legal ones. If Apple's move leads us to abandon knowledge-based authentication altogether, we risk inadvertently undermining the legal rights we currently enjoy under the Fifth Amendment.

Here's an easy fix: give users the option to unlock their phones with a fingerprint plus something the user knows.


e-max.it: your social media marketing partner
 

Comments   

A note of caution regarding our comment sections:

For months a stream of media reports have warned of coordinated propaganda efforts targeting political websites based in the U.S., particularly in the run-up to the 2016 presidential election.

We too were alarmed at the patterns we were, and still are, seeing. It is clear that the provocateurs are far more savvy, disciplined, and purposeful than anything we have ever experienced before.

It is also clear that we still have elements of the same activity in our article discussion forums at this time.

We have hosted and encouraged reader expression since the turn of the century. The comments of our readers are the most vibrant, best-used interactive feature at Reader Supported News. Accordingly, we are strongly resistant to interrupting those services.

It is, however, important to note that in all likelihood hardened operatives are attempting to shape the dialog our community seeks to engage in.

Adapt and overcome.

Marc Ash
Founder, Reader Supported News

 
+9 # Nominae 2013-09-15 14:25
Dear Ms. Hofman -

Thank you so much for this practical and *stunningly* important information.

I seriously doubt that most people, including many Members Of The Bar were aware of these 5th Amendment vagaries.

If the *Government* tried to legislate the use of biometrics, blood would flow.

However, *Apple* could implement the old idea of installing RFID chips in every citizen as being "cool", and the lemmings would camp out in front of the Apple Stores all over the country in order to be the first kid on their block with the new Apple RFID chip embedded in their skin, teeth or eyeballs.

Given Apple's "hand-in-glove" relationship with the NSA, the rest is just obvious, and appallingly easy to accomplish.
 
 
0 # 666 2013-09-16 13:01
quoting "The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding "civil or criminal, formal or informal," where answers might tend to incriminate us."

-- well, it's not that broad, you can't--for example--take the 5th amendment in a grand jury proceding
 
 
+7 # James38 2013-09-15 14:28
Sure, your easy fix "solves" the problem, but it isn't the simplest.

Give us the additional option of using the pin only. That way, if we prefer having our phone accessible to a friend, spouse, partner, etc, we can do so.

If the fingerprint access is activated, nobody else can open your device.

I can easily see a problem with fingerprint access that is far more likely than all the legal rights issues.

You leave your phone at home. Ooops, you need a number from the memory. You call home, and ask .... ohmygawd. Nobody can help you.

That is enough for me to refuse to buy a phone that does not have a choice of access modes other than fingerprint.
 
 
-1 # brux 2013-09-15 21:02
I really do not see that your example is applicable.

As to no one else being able to open your device is a programmable option - I do not have to authenticate anything on my iPhone right not to open it up, and surely would not if I did not want to on a future iPhone 5s.
 
 
0 # Rick Levy 2013-09-15 21:14
When the Founding Fathers wrote the Constitution, they could not have foreseen the technology that might wind up clashing with the Bill of Rights.
 

THE NEW STREAMLINED RSN LOGIN PROCESS: Register once, then login and you are ready to comment. All you need is a Username and a Password of your choosing and you are free to comment whenever you like! Welcome to the Reader Supported News community.

RSNRSN