Why iFingerprinting Makes You Legally Unsafe

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

The new iPhone 5s's biometric fingerprint scanner can actually put consumers (or merchants, for that matter) in a worse position legally than the previous four-digit PIN. In fact, the biometric can leave the contents of a consumer's phone and any linked payment systems, accounts or systems—including contacts, email and documents—less legally protected than the simple passcode. This is because the law may treat the biometric (something you are) differently from a password (something you know).

To that extent, the best approach (and the less convenient one) for people wanting to protect not only their phones but anything linked to them, is to use both the biometric and a passcode. Knowing how lazy most people are, and the fact that the whole point of the biometric iPhone is to make things easier, I doubt that will happen.

By now everyone in the world knows what the U.S. Constitution's Fifth Amendment says—or at least what they think it says. "You have the right to remain silent... If you give up that right, anything you say may be used against you in a court of law." Actually, these words appear nowhere in the Constitution, but were a construct of the U.S. Supreme Court in Miranda v. Arizona. The Constitution actually provides that, "No person shall be...compelled in any criminal case to be a witness against himself..."

In interpreting this provision, the Supreme Court has held that people do not have the right not to incriminate themselves—they incriminate themselves all the time. The right protected under the Fifth Amendment is not a right not to be compelled to incriminate, but rather a testimonial right—a right not to be compelled "to be a witness." Thus, a drunk driver can be compelled to take a blood alcohol test, even though the results may be incriminating.

The Fifth Amendment doesn't mean everything people think it means. If you have created incriminating documents or records, the Fifth Amendment does not protect the contents of records you have not been compelled to create. Thus, if you keep a diary (or a calendar on the iPhone) which is incriminating, the cops can compel its production because they didn't compel its creation.

Same is true with other potential evidence on the iPhone—GPS location data, contents of communications, pictures, postings, etc. Compelling the production of incriminating information is not the same as compelling the creation of such information. The Fifth Amendment, as a testimonial privilege, mostly protects the latter.

Mostly, but not completely.

In many cases, production is incriminating. Suppose the government subpoenaed "all guns used by you on Oct. 26, 1881, at the OK Corral to kill or wound Wyatt Earp..." or words to that effect. While the gun itself (incriminating as it may be) is not protected by the Fifth Amendment (the government could easily get a search warrant without violating self-incrimination), the production of the gun in these circumstances admits a bunch of things.

First, it testimonially admits ownership, possession, custody, control and an ability to produce the gun. It also admits the existence of the gun. It may also admit that the gun is authentic. And, in the context of the demand, it admits that there was a gunfight at the OK Corral, and the weapon was used, and used by me, and used to kill Earp, etc. Those parts are all incriminating under the Fifth Amendment, and the government can't compel production.

So can the government, consistent with the Fifth Amendment, compel a person to decrypt an encrypted file or drive? Can the government compel a person to produce a physical key to a locked safe? If police find a key on the person, can they compel that person to tell them where the safe that the key fits is located? Can they compel a person to use a biometric to "unlock" a locked or encrypted file? The answer is...it depends.

Recognizing that the "act of production" is frequently incriminating, the Supreme Court has held that the government cannot compel a person (by the way, not true for corporations) to produce something unless the government agrees to immunize the act of production. As a practical matter, this means that the government must use independent means to establish authenticity, existence, control, possession, and anything else that production proves. It's the so-called "manna from heaven" argument. The government must treat the decrypted file, document or device as if it fell from heaven.

However, it makes a difference how you are forced to unlock something—even if you are granted so-called "act of production" immunity. In some cases (like the OK Corral) the production is so intimately involved in an incriminating testimonial act that even if the unlocked or undisclosed item falls from heaven like manna, it still cannot be compelled. The same would likely be true if we found a key and compelled the possessor to "testify" about the lock it opens (and therefore the contents of the safe or drawer).

In the context of encrypted hard drives searched at the border, courts have been split as to whether the government can compel the traveler to enter a password or provide a decrypted copy of the contents of the drive. Those that have ruled against such compelled decryption on Fifth Amendment grounds have relied on the testimonial nature of speaking (or being compelled to produce) a password.

As any cryptologist will tell you, authentication (and therefore to some extent security) can be pegged to (1) something you know; (2) something you have; and (3) something you are. In this context, that's a password, a key and a fingerprint, respectively. Compelled production of the password—even with act of production immunity—may not be permitted, at least under some interpretations of the law. Compelled production of a physical key on the other hand is less likely to be considered "testimonial." So what about the biometric?

Remember that we are using the biometric to make the contents of the iPhone and associated accounts more secure, not less. Right?

Yet we compel people to produce biometric information all the time. The government can, consistent with the Fifth Amendment (and without any act of production immunity) compel people to give voice exemplars, handwriting exemplars, fingerprints, appear in lineups, give blood or DNA samples or other biometric identifiers—and then use this information to incriminate them. The Supreme Court has repeatedly held that there is no Fifth Amendment right to refuse these tests.

So, it may be that a person has a right not to unlock their iPhone with a password if asked by the cops, but no right to refuse to swipe their finger across the sensor. So the technology designed to protect privacy may actually have the exact opposite effect.

What is worse, because of the perceived security inherent in the biometric, there are likely to be many more accounts and access controls associated with the unlocked phone. By swiping into the iPhone, you can get access to your Apple Password file without additional authentication. Thus, compelled access to the phone provides compelled access to the passport. And the bank account. And payment card numbers. And e-mail accounts. And the PayPal, Google Docs, Dropbox, Facebook, iTunes, Twitter, and all other accounts. One swipe to rule them all.

So the government (not just the US government, by the way—think of being compelled to give access to your iPhone by Beijing or Pyongyang or Tehran) can force you to grant access to everything with just one swipe. Much less likely that the government could compel a person to provide the passwords to each and every one of these accounts. Possible. Less likely.

So the technology designed to protect privacy may have exactly the opposite effect. So next time you are asked to decrypt a file and provide access to a device, don't do it. Just give them the finger.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.