Civil libertarians and security experts say a Department of Justice search warrant goes too far in seeking fingerprint data to crack open smartphones.

The warrant in question would allow law enforcement to search a Lancaster, Calif., residence for an undisclosed number of smartphones. The warrant would also force anyone in the home to use their fingerprints to unlock a phone if it uses a mechanism similar to Apple’s Touch ID biometric technology. Experts say the warrant is one of a growing number that overreach when it comes to the government’s attempt to circumvent encryption locks used by Apple and other smartphone makers.

According to a May 9 California court filing, the DoJ sought “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.”

“Obviously as a private citizen I’m outraged by this, as it goes far beyond what I think anyone would consider reasonable, or even legal,” said Jonathan Zdziarski, a leading independent security researcher and forensics expert.

“The information obtained by seizing even one device is already significantly more than any lawful warrant would be able to cover as relevant to a case. So to seize the data on everyone’s device is ridiculously out of scope of what most people would believe the law does or should allow,” Zdziarski said.

The court filing, first spotted and reported by Forbes, does not include the actual search warrant. The procedural court document argues: “While the government does not know ahead of time the identity of every digital device or fingerprint (or indeed, every other piece of evidence) that it will find in the search, it has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them. For that reason, the warrant authorizes the seizure of passwords, encryption keys, and other access devices that may be necessary to access the device.”

For legal scholars the issues pertinent to this case come down to the Fourth Amendment, the right against unreasonable searches and seizures, and the Fifth Amendment, which protects individuals from being forced to incriminate themselves.

“I don’t think there is much argument, assuming there was probable cause, that law enforcement has a right to search and seize materials while acting out a search warrant,” said Susan Hennessey, a Brookings Institution fellow and former National Security Agency lawyer. The issue that is unclear is whether forcing someone to give access to a locked phone with a fingerprint is in violation of the Fifth Amendment, said Hennessey.

Several cases around the country are bringing this issue to a head, Hennessey said. If this were a rape case, probable cause could compel a suspect to provide fingerprints to establish guilt, she said. But in this case a fingerprint is being sought to unlock a phone – not as material evidence – as a substitute for a password.

In past cases involving court orders where a suspect has been asked to provide a password to unlock a phone, or digital device, the suspect has been able to refuse and plead the Fifth Amendment, on the grounds they don’t want to incriminate themselves. But in this case it’s unclear if the DoJ is looking for specific files or broader information.

“Based on the limited information available in this case, there is a lot of reason to be concerned about what’s going on,” said Alex Abdo, senior staff attorney with the American Civil Liberties Union. “One of the main reasons is the government is attempting to get the authority to unlock an indefinite number of phones on a premises. That seems unconstitutional.”

But the underlying issue, Abdo said, is when can the government force you to turn over your fingerprint to open your phone?

“This is not law enforcement requesting a fingerprint to identify someone,” Abdo said. “This is a fingerprint that is being used to open up a treasure trove of information. This is a question that has not been resolved by the highest courts in the country and the lower courts are sorting it out.”

Abdo said there have been exceptions to forcing a suspect to unlock their phone, such as when law enforcement is specifically looking for a document. “The argument in those cases is that law enforcement knows the documents they are after and they are demanding the document – not the password.” In those cases the warrants were limited in scope and law enforcement has had success in obtaining those password protected and encrypted documents.

Ed McAndrew, a former federal cybercrime prosecutor and partner at law firm Ballard Spahr, said not enough is known about this case to draw any solid conclusions as to whether constitutional rights have been violated.

“The way this document is written it would conceivably satisfy Fourth Amendment concerns,” McAndrew said. “But it’s not enough to say you are going to search a residence, and therefore you should be able to search every single device in that residence and compel the decryption of those devices. You have to show probable cause that the particular devices contain evidence of a crime.”

McAndrew and Hennessey both say cases like these are fertile grounds for further litigation. “This case isn’t just about how reasonable these types of searches are, but rather the invasiveness of the search technique. Does that invasiveness render the search unreasonable?” asks McAndrew.

Hennessey said it’s unclear, in this case, if law enforcement even knows how many phones are being sought, how many use Touch ID technology and who controls the phones in question.

“There are certainly other cases that are exploring the government’s attempts to obtain biometric data – including fingerprints. We would expect to see more of those cases because the technology is becoming more common,” Hennessey said.

“I would expect to see this issue popping up in a lot of different district and state courts. It’s not improbable that this is the type of legal issue in which different courts will have different conclusions and it might ultimately need to be settled by the Supreme Court,” she said.


Comments (2)

  1. The Phisher King

    Similar things have been happening at US borders since 2011.
    In theory, DHS personnel cannot compel you to either decrypt your device or even provide them a password to unlock it, but they can and will detain you for as long as they are able to in an attempt to force you to comply.
    Unreasonable search and seizure? Incriminating yourself? Pfft – that ship sailed at least five years ago.
    The answer – store all the good stuff with a non-US cloud provider and keep nothing on any of your personal devices.

  2. msLeasha

    I realize this article is a few months old, but I am wondering what type of information/documents we are talking about here. What business are these people involved in? I am a rather naive, no-name here who knows nothing about cyber crime. I am a paralegal interested in current laws regarding what police can and can’t search for, but I can only imagine dramatic, “Bourne Identity” type situations when I think about what law enforcement could be looking for here. Thanks in advance for any responses.