Starting with the iPhone 5, more of Apple’s new devices might soon come with fingerprint readers, which could revolutionize the importance and popularity of fingerprint readers. Apple seems to have gotten things right. First is their security policy, Apple said they do not send fingerprints to the government or the NSA. “We only can store it”. Second, it takes five different fingers; either five of yours, or five different people.
This article is my opinion, and not legal advice. I am a judgment broker, and am not a lawyer. If you ever need any legal advice or a strategy to use, please contact a lawyer.
What makes Apple’s fingerprint technology “safe” is that it is not storing images, instead it stores a “hash table”, which gives a number generated by your fingerprint, and is presumably relatively unique to you. (I think it is possible for two people to have almost the same fingerprints.) There may be some people that would generate the same hash number, however it is highly unlikely that somebody else would also have your phone.
Currently, the iPhone 5’s fingerprint reader may have the legal effect of eliminating your rights to the Fifth Amendment, that guarantees “no person shall be compelled in any criminal case to be a witness against themselves”. Recent court cases have stated that memory-based passwords, PINs, and thoughts in your brain; are protected by the Fifth Amendment.
The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding “civil or criminal, formal or informal”, where answers might tend to incriminate us. It comes from English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors, to force them to divulge information that could be used against them.
The Supreme Court says if the police demand that you give them the key to a lockbox, and that lockbox happens to contain incriminating evidence; turning over the key is not testimonial. It is simply a physical act, so that is okay because it is not information.
The constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself”; may not apply when it comes to biometric-based fingerprints. Fingerprints are things that reflect who we are, compared to memory-based passwords and PINs (things we remember and know).
The Supreme Court has stated the government cannot take your thoughts, however they can take your blood. They can take DNA samples. They can take voice samples and handwriting samples. They can take your fingerprints, or they can tell you to put your finger on a button; and that is all okay.
For the Fifth privilege to apply, the government must try to compel a person to make a “testimonial” statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody (not even a judge) can force them to give that information to the government.
Biometric authentication is big news, ever since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, this might catch on fast. Some even argue that Apple’s move will displace authenticators based on what a user knows (such as passwords and PIN numbers). A communication is “testimonial” only when it reveals the contents of your mind. The government generally can collect biometrics such as fingerprints, DNA samples, or voice samples. This is because the courts have decided that this kind of evidence does not reveal anything you know; it is not a testimonial.
If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key would not be a testimonial, if it is just a physical act that does not reveal anything you know.
If the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind, and so the Fifth Amendment would apply. (If you have written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.) To invoke Fifth Amendment protection, there is a difference between things we have or are, and the things we know.
The important feature of PINs and passwords is that they are generally something we know. These memory-based authenticators are the type of thing that benefits from strong Fifth Amendment protection, should the government try to make us turn them over against our will.
Last year, a federal appeals court held that a man could not be forced to decrypt data. If we move toward authentication systems based solely on physical tokens or biometrics; things we have or things we are, rather than things we remember; the government could demand that we produce them without implicating anything we know. This would make it less likely that a valid privilege against self-incrimination would apply.
Biometric authentication may make it easier for everyday users to protect the data on their phones. As wonderful as technological innovation is, it sometimes creates unintended legal consequences. If Apple’s move leads us to abandon knowledge-based authentication altogether, we risk undermining the legal rights we currently enjoy under the Fifth Amendment.
An easy fix for Apple would be to give users the option to unlock their phones with a fingerprint, plus something the user knows. I think fingerprints with simple authentication is the answer. This would also be easier and more secure than trying to remember a long password.