Judge: No, feds can’t nab all Apple devices and try everyone’s … – Ars Technica

Posted: February 24, 2017 at 6:04 pm

GLENN CHAPMAN/AFP/Getty Images

This prosecution, nearly all of which remains sealed, is one of a small but growing number of criminal cases that pit modern smartphone encryption against both the Fourth Amendment protection against unreasonable search and seizure, and also the Fifth Amendment right to avoidself-incrimination. According to the judges opinion, quoting from a still-sealed government filing, "forced fingerprinting" is part of a broader government strategy, likely to combat the prevalence of encrypted devices.

Last year, federal investigators sought a similar permission to force residents of two houses in Southern California to fingerprint-unlock a seized phone in a case that also remains sealed. In those cases, and likely in the Illinois case as well, the prosecutors' legal analysis states that there is no Fifth Amendment implication at play. Under the Constitution, defendants cannot be compelled to provide self-incriminating testimony (what you know). However, traditionally, giving a fingerprint (what you are) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasnt until relatively recently, however, that fingerprints could be used to unlock a smartphone.

However, unlike the California warrant applications, this case doesnt involve one particular seized device to check to see if anyones fingerprint unlocks it. Rather, authorities seem to be using the particular fact that most modern Apple iPhones and iPads can be unlocked and decrypted if Touch ID is enabled. While some Android devices also have a similar fingerprint scanning function, the warrant application (which remains sealed) apparently only sought out Apple devices. (Under both operating systems, the fingerprint unlock stops working after your phone has been unlocked for 48 hours.)

As the judge, who is both a former federal prosecutor and a former FBI special agent,wrote:

The request is made without any specific facts as to who is involved in the criminal conduct linked to the subject premises, or specific facts as to what particular Apple-branded encrypted device is being employed (if any).

First, the Court finds that the warrant does not establish sufficient probable cause to compel any person who happens to be at the subject premises at the time of the search to give his fingerprint to unlock an unspecified Apple electronic device.

This Court agrees that the context in which fingerprints are taken, and not the fingerprints themselves, can raise concerns under the Fourth Amendment. In the instant case, the government is seeking the authority to seize any individual at the subject premises and force the application of their fingerprints as directed by government agents. Based on the facts presented in the application, the Court does not believe such Fourth Amendment intrusions are justified based on the facts articulated.

Neither the Department of Justice nor the FBI immediately responded to Ars request for comment. Prosecutors could seek to appeal the opinion to a more senior judge.

"As I read the opinion, the government relies on old fingerprinting cases to argue that the Fourth and Fifth Amendments dont stand in the way of what they are seeking to do here," Abraham Rein, a Philadelphia-based tech lawyer, told Ars by e-mail.

"But (as the court points out) there is a big difference between using a fingerprint to identify a person and using one to gain access to a potentially vast trove of data about them and possibly about innocent third parties, too. The old fingerprinting cases arent really good analogs for this new situation. Same is true with old cases about using keys to unlock lockshere, were not talking about a key but about part of a persons body."

Orin Kerr, a well-known privacy and tech law expert and a professor at George Washington University, told Ars that the judge had largely reached the right result, but only on Fourth Amendment, and specifically not Fifth Amendment grounds.

"I just think that it's really clear that [fingerprints are] not testimonialbecause youre not using your brain," he said. "It cant be testimonial if you can cut their finger off."

Similarly, Paul Rosenzweig, an attorney and former Homeland Security official, argued that its essentially impossible for a fingerprint, even a digital fingerprint, to have any Fifth Amendment implications.

"We could have gone down the road of saying that providing physical evidence is testimony against yourself," he said. "But we long ago made the decision that the Fifth Amendment applied to testimony, and testimony meant only oral utterances or other things that conveyed a message. For this distinction lies at the core of Breathalyzer tests. If we roll that back, Breathalyzer tests go out the window. Blowing your air would be testifying against yourself."

Riana Pfefferkorn, one of the lawyers who first found this judicial opinion and publicized it on Twitter, told Ars that part of the problem with these types of cases is that this cutting edge of judicial analysis is largely happening "outside the public eye."

"In many instances, there may be little or no legal analysis by the court when it approves a request for a search warrant or other court order," she wrote. "Examples like this may be the tip of an iceberg. I hope that more judges will join this Illinois judge in not only conducting a thorough legal analysis of novel requests for gathering electronic evidence, but also publishing those opinions publicly."

Yet another lawyer suggested that cases like this would push companies like Apple to harden their devices even further: rather than allow a simple fingerprint to unlock a phone, future versions of its software will likely require a fingerprint or other biometric in combination with a traditional passcode.

"I think we will see authentication systems evolve with these kinds of mass searches (not to mention border searches and the like) as a new part of the threat model of unauthorized access," Blake Reid, a law professor at the University of Colorado, told Ars. "An additional risk of what the government is doing here is creating incentives for manufacturers to design authentication systems that are less susceptible from a technical and architectural perspective to these types of searches."

Go here to read the rest:
Judge: No, feds can't nab all Apple devices and try everyone's ... - Ars Technica

Related Posts