Police have requested a lab-rendered 3D set of replicated fingerprints from a dead man in order to attempt to unlock his phone and try to figure out who killed him.
Police didn’t need to do anything quite so ghoulish as to cast a corpse’s fingers.
The deceased had previously been arrested, so police already had scans of all his 10 fingers. They gave the fingerprints to the lab to use in fabricating replicas.
As Fusion reports, Michigan State University computer science professor Anil Jain got a visit last month from investigators looking for his help to unlock the phone.
Jain’s research typically focuses on making biometric authentication technologies tougher to hack, be they facial recognition programs, fingerprint scanners or tattoo matching programs.
But in this case, law enforcement wanted Jain to do the opposite: to come up with fake fingerprints that could bypass a phone’s authentication system. Without fingerprints or his passcode, they won’t be able to get at any information that might be on his phone and that might lead to identifying the murderer.
The investigation is ongoing, so Jain and his PhD student, Sunpreet Arora, weren’t at liberty to share details.
One important detail they couldn’t share: the make of the dead man’s phone.
People who’ve read Fusion’s story have been pointing out that Apple recently changed the way iOS manages fingerprint logins. iOS, as well as some other newer model phones, now requires a passcode if you haven’t used fingerprint unlock in a given period of time.
That means that if the dead man was using an iPhone, police might jump the fingerprint hurdle using a 3D replica only to come up against a passcode question. This could all be moot, of course, given that we don’t know what kind of phone they’re trying to unlock.
We’ve seen multiple sets of researchers fool fingerprint scanners with replicas: the Chaos Computer Club did it to the iPhone 5s with a dummy fingerprint made out of wood glue.
Another group used the same method on the Samsung Galaxy S5. Yet more researchers did it to a Samsung Galaxy S6 and a Huawei Honor 7 using just paper and ink.
But it’s one thing to fool an electro-optical scanner, which works similar to your office scanner: bright lights illuminate peaks and valleys of a print, and a CCD device captures a black and white image. Having a convincing image, or a glue model, can trick this basic type of fingerprint authentication technology.
It’s another thing entirely to fool the more sensitive capacitance fingerprint scanning technology, which relies on tiny electrical circuits to be closed in order to work.
Skin has enough conductivity to close those circuits, but a 3D model of a finger doesn’t, regardless of how convincing it looks.
According to Fusion, to get around that lack of conductivity, Arora coated the 3D printed fingers with a thin layer of metallic particles.
Arora is still working on the fake fingerprints, refining the technology and testing how it works before he gives law enforcement the full set of 10 fake digits they requested. As of Thursday, he told Fusion that the prints would be ready in a few weeks.
That’s when they should get an answer to the question of whether replicas of a dead man’s fingerprints can unlock a phone.
But we don’t yet have a definitive answer regarding the ongoing legal question of when it’s OK to compel people to unlock their gadgets with biometrics.
Of course, the dead can’t sue, so Fifth Amendment protections against self-incrimination don’t come into play in this case, as they would were he alive.
The forced use of a live person’s fingerprints to unlock an iPhone played out in Los Angeles in May, when authorities got a search warrant to compel a gang member’s girlfriend to press her finger to unlock an iPhone.
Ever since Apple introduced Touch ID, many privacy and legal experts have been saying that biometric information such as fingerprints are like our DNA samples or our voice imprints: they’re simply a part of us. They don’t reveal anything that we know, meaning that they don’t count as testimony against ourselves.
Therefore, the prevailing thinking has gone, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.
In contrast, passcodes have been viewed as “something we know.” As such, forcing people to hand over passwords would constitute forced, unconstitutional self-incrimination.
In September, a federal district court in Eastern Pennsylvania confirmed this Fifth Amendment protection for passcodes in an insider trading case between the Securities and Exchange Commission and two ex-employees of credit card company Capital One.
Still, passcode protection hasn’t been a foolproof shelter for all suspects who refuse to hand them over.
In April, a 17-year veteran and former sergeant of the Philadelphia Police Department suspected of – but not formally charged with – possession of child abuse images was found in contempt of an order to decrypt two hard drives.
The “John Doe” had already been imprisoned for 7 months in Philadelphia’s Federal Detention Center on charges of contempt.
He’ll stay locked up indefinitely until he decrypts the drive, the court ordered, saying that he “[carries] the keys to his prison in his own pocket.”
Matt
“Therefore, the prevailing thinking has gone, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.”
Cite your source, please.
Paul Ducklin
One US court says the codes themselves (the actual digits you recall from your brain and type in) are “fifthable”:
https://nakedsecurity.sophos.com/2015/09/25/smartphone-passcodes-are-protected-by-the-fifth-amendment-says-us-court/
Another court agrees, but says that fingerprints just aren’t protected in the same way. They’re not “testimony”:
https://nakedsecurity.sophos.com/2014/11/03/police-can-demand-fingerprints-but-not-passcodes-to-unlock-phones-rules-judge/
Here’s a real-world judgment on this basis:
issue:\\https://nakedsecurity.sophos.com/2016/05/02/la-judge-forces-woman-to-unlock-iphone-with-fingerprint/
For more background, try:
https://nakedsecurity.sophos.com/?s=fifth+amendment
Mahhn
If he’s still in the morgue, just visit him to use his finger….
Mark
It’s an interesting one though.
If allegedly propping open a sedated person’s eyelid for a photo can lead to a misdemeanor battery charge (https://nakedsecurity.sophos.com/2016/07/22/selfie-war-paramedics-accused-of-taking-photos-with-unconscious-patients/) then wouldn’t the same apply to forcing someone to touch a smartphone?
Opaque Oracle
I should think so. For both better and worse, though, lots of things that would be misdemeanor battery for a private citizen turn into “reasonable use of force” with a court order behind them.
Paul Ducklin
I suspect the word “force” was metaphorical. The court can order it, and you will be in contempt if you decline…no constitutional protection that allows you to refuse to *answer*, because you aren’t speaking. (Metaphorically.)
Anonymous
A better way to phrase it is the court can compel a person to comply.
Paul Ducklin
Well, they can’t *make* you do it if you are determined not to…but they can punish you (e.g. with incarceration) if you do not.
The same sort of sanction exists if you are required my law to undergo a blood or breath alcohol test after a traffic accident, but won’t do so. You’ll be charged for refusing, probably with a potential penalty equal to or greater than taking the test and failing. Otherwise no one would ever take it…
Dave
U.S. courts get it wrong at least as often as they get it right, IMO. The Supreme’s CU decision being the huge, glow-in-the-dark Prime Example. Unfortunately, they’re more or less protected from being dragged from their beds and hauled off to a public flogging, more’s the pity.
Dave, Master Curmudgeon