Skip to content
Naked Security Naked Security

Feds got search warrant demanding anyone’s fingerprints to open phones

Legal experts call it an unprecedented demand.

After the dragged-out legal battles with Apple over unlocking the iPhones of a terrorist and a methamphetamine dealer, the Feds must have had it up to HERE with legal wranglings over searching suspects’ phones.

Now, it looks like they’ve got a new trick up their sleeves. Forbes recently came across an application for a search warrant in which the Department of Justice (DOJ) sought permission to enter a residence and force anyone inside – or in the immediate vicinity of – the place to use their finger or thumbprints to get into their mobile devices.

The move is believed to be an unprecedented attempt to bypass the security of mobile devices, be they Apple’s iPhones or devices from other manufacturers that also use such biometric factors in authenticating sign-in.

In the US, courts have drawn a sharp distinction between invading suspects’ minds by demanding passcodes and demanding access to their bodies by compelling them to unlock devices with their finger- or thumb-prints.

Case in point: in May 2014, a Virginia judge ruled that police could demand fingerprints but not passcodes to unlock phones.

The distinction might seem academic: after all, both passcodes and fingerprints lead to an unlocked device, and both means of authentication give law enforcement access to whatever evidence unlocked devices might reveal.

But the way it’s been hashed out in courts is this: passcodes, which are knowledge stored in our heads, are protected by the Fifth Amendment, which prohibits forced self-incrimination.

But as privacy and legal experts have been saying ever since Apple introduced Touch ID, biometric information such as fingerprints are like our DNA samples or our voice imprints: they don’t reveal anything that we know, meaning they don’t count as testimony against ourselves.

In the warrant application, which is dated 9 May 2016, the DOJ sought to search a property in Lancaster, California.

The specifics of what it was after:

…authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.

The search wasn’t just for fingerprints, of course, but also for any devices that agents might find.

From the memorandum, filed by US attorney for the Central District of California Eileen Decker:

While the government does not know ahead of time the identity of every digital device or fingerprint (or indeed, every other piece of evidence) that it will find in the search, it has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them.

For that reason, the warrant authorizes the seizure of ‘passwords, encryption keys, and other access devices that may be necessary to access the device.’

Legal experts were shocked at the broad scope of the proposed search.

Forbes quoted Marina Medvin, of Medvin Law:

They want the ability to get a warrant on the assumption that they will learn more after they have a warrant.

Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant.

They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.

Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), had this to say:

It’s not enough for a government to just say, ‘We have a warrant to search this house and therefore this person should unlock their phone.’ The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.

The warrant has to be particular in how it describes the place to be searched and the thing to be seized and limited in scope. That’s why if a government suspects criminal activity to be happening on a property and there are 50 apartments in that property they have to specify which apartment and why and what they expect to find there.

The courts have, in fact, recently forced people to try to use their fingerprints to unlock devices.

One of the earliest known cases was in May, when police got a search warrant from a Los Angeles judge to compel an alleged Armenian gang member’s girlfriend to press her finger to unlock his phone.

Another case was that of an an alleged online pimp named Martavious Keys who was later indicted on one count of sex trafficking of children.

In spite of the compelled swiping, in neither of those cases was it successful in unlocking the phones, possibly because after 48 hours, a phone requires a passcode in addition to a finger swipe.

But Michigan police had more luck in July, when they requested a lab-rendered 3D set of replicated fingerprints from a dead man in order to attempt to unlock his phone and try to figure out who killed him.

A university team led by Dr. Anil Jain succeeded in unlocking the dead man’s Samsung Galaxy S6.

He told Forbes that the techniques he employed – 3D printed fingers coated with a thin layer of metallic particles in order to fool sensitive capacitance fingerprint scanning technology – also worked on an iPhone 6 and a Samsung S7.

The mass-fingerprint roundup request was granted, and the Lancaster residence was searched.

Forbes managed to speak with a resident of the property, who said that police “should have never come to my house.”

I did not know about [the search warrant] till it was served… my family and I are trying to let this pass over because it was embarrassing to us and should’ve never happened.

The person said that neither they nor any relatives living at the address had ever been accused of being part of any crime, but he or she declined to offer more information.

1 Comment

Great article. Is really shows that the change from passwords to biometrics really is the final hurdle authorities need to overcome to obliterate what we call our right to privacy. For all those who want an end to passwords – be careful what you wish for.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?