You’re arrested and your phone is held up to your face to be unlocked by the arresting officer, then sent to a forensics lab. Dystopian future or one where FaceID collides with weak self-incrimination protections for biometrics? This talk will explain how your 4th and 5th Amendment rights interact with advances in biometric technology. Along the way it will offer design suggestions for creators of mobile devices and tips to end users.
2. I am a lawyer.
I’m not your lawyer.
None of this is legal advice.
Flickr: jasmic
3. Wendy Knox Everette
@wendyck
Information Security Counsel, First Info Tech Services
ZwillGen Fellow 2016-2017
GMU Law 2016, National Security Law Concentration
Software developer, Amazon.com 2009-2013
Previously: Meetup, Google, Amazon.com
5. The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
13. No person shall be held to answer for a capital, or otherwise
infamous crime, unless on a presentment or indictment of a
Grand Jury, except in cases arising in the land or naval
forces, or in the Militia, when in actual service in time of War
or public danger; nor shall any person be subject for the
same offence to be twice put in jeopardy of life or limb; nor
shall be compelled in any criminal case to be a witness
against himself, nor be deprived of life, liberty, or property,
without due process of law; nor shall private property be
taken for public use, without just compensation.
16. Not compelled self-incrimination because the government had already demonstrated that it knew of the existence of the computer files & it knew that Fricosu was the only user of the laptop
17. Doe v. US
Can you be required to assist in gathering evidence?
18. Doe v. US
Because the consent directive here is not testimonial in
nature, compelling petitioner to sign it does not violate
his Fifth Amendment privilege against self-incrimination
19. Holt v. US
compelled “exhibition of the body’s characteristics” isn’t testimonial under the 5th Amendment
27. Doe v. United States, 487 U.S. 201 (1988)
“In order to be testimonial,” the court wrote, “an accused’s communication must itself, explicitly or implicitly, relate a factual assertion or disclose information.”
28. "The Supreme Court has also long held that a
suspect can be required to give his fingerprints….For
devices that use the owner’s touch to unlock, the
department may seek to obtain fingerprints to unlock
a cell phone seized within the scope of a court-
authorized search warrant if the court finds there is
probable cause to obtain the fingerprints."
- Peter Carr, DOJ Spokesman to Ars Technica
30. Difference between using a fingerprint to identify a person and using one to gain access to all their digital data
31. "You can expect to see more cases where authorities are
thwarted by encryption, and the result is you’ll see more
requests that suspects decrypt phones themselves"
"And by requests, I mean demands. As in,
you do it or you’ll be held in contempt of
court."
- Hanni Fakhoury, EFF
32. If the police don’t know the phone is yours
Or don’t know what’s inside
Can you be required to unlock it?
34. “The government submits this supplemental authority in
support of its application for a search warrant which seeks
authorization to depress the fingerprints and thumbprints of
every person who is located at the SUBJECT PREMISES
during the execution of the search and who is reasonably
believed by law enforcement to be a user of a fingerprint
sensor-enabled device that is located at the SUBJECT
PREMISES and falls within the scope of the warrant. The
government seeks this authority because those fingerprints,
when authorized by the user of the device, can unlock the
device.”
The civil rights we’ll be discussing today are all in the Bill of Rights; they give you protections from state and federal law enforcement and shield you from abuses of government powers. Many of these rights have loopholes and exceptions, and the courts struggle with how these interact with consumer technologies.
https://www.flickr.com/photos/78744619@N05
https://www.flickr.com/photos/jasmic/2418715405/
You’re arrested and your phone is held up to your face to be unlocked by the arresting officer, then sent to a forensics lab. Does this worry you? Even if you don’t think that you’ve committed any serious crimes, our phones contain an incredible amount of information about our lives. Should information taken from the phone be able to be used in a court case against you?
The Bill of Rights, specifically the 4th and 5th Amendments, gives you some protections.
https://www.flickr.com/photos/ferran-jorda/3295094604/
What is the Fourth Amendment?
https://www.flickr.com/photos/12614773@N07/3926801152
a. “Come back with a Warrant” – this is the amendment behind all those “Come back with a warrant” doormats and “I do not consent to a search of this device” phone stickers. - CONSENT
b. What is needed for a warrant? Law enforcement must show that there is “probable cause.”
c. What’s “probable cause”?
→ next
https://twitter.com/CathyGellis/status/949442443966955520
facts and circumstances known to the officer provide the basis for a reasonable person to believe that a crime was committed at the place to be searched, or that evidence of a crime exists at the location
Search warrants must specify the place to be searched, as well as items to be seized
subpoena v warrant
Subpoena - lower standard than probable cause but only get metadata
Warrant - full content, higher standard
● Consent - from phone stickers
● Search incident to arrest
● hot pursuit
● plain view
● Car search exception
● Exigent circumstances
Supreme Court case from 2015
Riley Court held
warrantless search exception following an arrest exists for the purposes of protecting officer safety and preserving evidence
Neither at issue in the search of digital data
digital data cannot be used as a weapon to harm an arresting officer, and police officers have the ability to preserve evidence while awaiting a warrant by disconnecting the phone from the network and placing the phone in a "Faraday bag."
https://www.flickr.com/photos/9304652@N06/6406662487/
Government made a request under Stored Communications Act
allows data when "specific and articulable facts show[] that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."
Subpoena -- "metadata"
Obtained cell site request data - revealing the location and movements of a cellphone user over the course of 127 days
Argued before Supreme Court Nov 29, 2017
a. The Fifth Amendment gives you many rights, but the one we’ll focus on is the right against self-incrimination.
b. What’s self-incrimination? This means that you can’t be required to give testimony in a court case that would show that you’d committed a crime.
If the government already knows the information implicit in a testimony, then you aren’t incriminating yourself by giving that testimony; you’ve already been incriminated.
https://www.flickr.com/photos/iggyshoot/16007451309/
2012
Colorado district
Ramona Fricosu (mortgage fraud case)
surrender password to her locked laptop after she was heard on a recorded phone call telling co-defendant husband that the incriminating evidence was encrypted
call was enough to nullify her Fifth amendment argument - judge ruled that she give police access to the files or be held in contempt.
https://www.flickr.com/photos/andymw91/4804053349
487 U.S. 201 (1988)
produced some records as to accounts at foreign banks, but invoked his Fifth Amendment privilege against self-incrimination when questioned about the existence or location of additional bank records
Signature needed bc foreign banks refused to comply with subpoenas
The Court first held that the compelled exhibition of the body’s characteristics was not testimonial under the Fifth Amendment in Holt, 218 U.S. at 252. The Court explained that it would be an “extravagant extension of the 5th Amendment” to prevent a jury from hearing a witness testify that a prisoner, who was compelled to put on clothes, did so and that the clothes fit him.
i. Courts have interpreted this to mean that a person may refuse to enter a password for a computing device if doing so would grant law enforcement access to evidence that would incriminate the person.
ii. Entering the password is akin to testifying.
https://www.flickr.com/photos/alescicchitano/6206982979/
https://www.flickr.com/photos/smss/8329600691/
a. Apple devices require a passcode after they’ve been restarted, or after 48 hours. This provides some protection for users, as law enforcement must do the biometric unlocking within 48 hours. Several other devices now use fingerprint unlocking as well: the Samsung Galaxy S5 can also do a fingerprint unlock, as can some ThinkPads and other devices.
b. Samsung Galaxy S8 and iPhone X both offer facial recognition unlock, which will unlock the mobile device when it’s held up to your face
https://www.flickr.com/photos/73014677@N05/7651902808/
act of unlocking the cellphone communicates some degree of possession, control, and authentication of the cellphone’s contents
a biometric unlock is (usually) not seen as equivalent to testifying against yourself
What you are
DNA swabs
breathalyzer
https://www.flickr.com/photos/sarath_kuchi/8043044878/
Fingerprint but not passcode
Maryland v. King, 569 U.S. ___ (2013)
4th Am
suspicionless collection of the DNA of those arrested for a serious crime did not violate the Fourth Amendment
although swabbing an arrestee's cheek for DNA collection did constitute a search, the minimal physical invasiveness of the collection technique was important in evaluating the reasonableness of the search
https://www.flickr.com/photos/janitors/10575772326
https://arstechnica.com/tech-policy/2016/10/to-beat-crypto-feds-have-tried-to-force-fingerprint-unlocking-in-2-cases/
https://www.flickr.com/photos/jca_does_photos/7294238880/
Ybarra v. Illinois: the government can’t search a person present where the warrant is executed for evidence under the warrant unless the government has probable cause that this particular person is involved in the criminal activity.
limitation on the search of people that gets to the seizure of the phone, not a search of the phone after it has been seized.
https://twitter.com/JakeLaperruque/status/951113970949263360
Vermont 2009
Sebastien Boucher child pornography defendant
allowed police access to computer following his arrest at the Canadian border
found child pornography
but after seizing his computer realized the portion of the hard drive containing the incriminating files was encrypted
Demanded password
He pleaded the Fifth
judge ruled "foregone conclusion"
This problem is very similar to the Fourth Amendment’s Third Party doctrine, so let’s quickly look at that to see what similarities we can draw:
a. The cases which established this doctrine involved the phone numbers you dialed and banking information.
i. Without a reasonable expectation of privacy in that information, a warrant is not needed for law enforcement to obtain this information.
ii. Cloud computing and social networking throw a wrench into this idea – I personally think that I have a pretty strong expectation of privacy in my social media DMs and the information I store in Gmail.
b. After pushback from tech companies, and the Warshak opinion in the 6th Circuit in 2010, a warrant is now required to access emails and other information stored on the servers of tech companies.
i. The Supreme Court is currently considering how this expectation of privacy in third-party information applies to cell site location data, in the Carpenter case.
ii. Also see Riley: even once a phone is unlocked, a warrant is required to search it.
c. So here we see the law adapting to technology and re-extending some privacy protections. This could happen with biometric unlocks.
(But you should still want to have 5th Amendment protections for biometric unlocks, because of the plain view doctrine!)
1. Device makers may want to emulate Apple and create special modes for their devices that quickly and securely disable biometric unlock.
a. Should users have a vocal way to put phones into a secure mode that they can enable even if they can’t touch their phone?
i. Would this lead to harmful side effects in restraining people who are arrested?
ii. Are “duress” fingers the answer? Some devices, such as Samsung Galaxy, require a passcode if the fingerprint unlock doesn’t work five times in a row (but see consumer frustration with the fingerprint scanner quality & this fallback).
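The lock rules mentioned in these notes (passcode after a restart, after 48 hours, after five failed fingerprint attempts, plus a mode that disables biometric unlock) can be written as one small policy check. This is an added example, not any vendor's code; `LockPolicy`, its method names and the choice to measure the 48 hours from the last successful unlock are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BIOMETRIC_WINDOW_S = 48 * 3600   # from the notes: passcode required after 48 hours
MAX_BIOMETRIC_FAILURES = 5       # from the notes: passcode after five failed attempts


@dataclass
class LockPolicy:
    """Hypothetical lock-screen policy; models only the rules named in the talk."""
    last_unlock: Optional[float] = None   # None means no unlock since restart
    failures: int = 0                     # consecutive failed biometric attempts
    secure_mode: bool = False             # user-triggered "biometrics off" mode

    def passcode_reason(self, now: float) -> Optional[str]:
        """Return why a passcode is required, or None if biometrics may be tried."""
        if self.last_unlock is None:
            return "restart"
        if self.secure_mode:
            return "secure_mode"
        if self.failures >= MAX_BIOMETRIC_FAILURES:
            return "too_many_failures"
        if now - self.last_unlock >= BIOMETRIC_WINDOW_S:
            return "timeout"
        return None

    def restart(self) -> None:
        self.last_unlock, self.failures, self.secure_mode = None, 0, False

    def enter_secure_mode(self) -> None:
        self.secure_mode = True

    def biometric_attempt(self, matched: bool, now: float) -> bool:
        """A matching face or finger unlocks only while no passcode rule applies."""
        if self.passcode_reason(now) is not None:
            return False
        if not matched:
            self.failures += 1
            return False
        self.last_unlock, self.failures = now, 0
        return True

    def passcode_attempt(self, correct: bool, now: float) -> bool:
        """A correct passcode clears every biometric restriction."""
        if not correct:
            return False
        self.last_unlock, self.failures, self.secure_mode = now, 0, False
        return True
```

Every path that disables biometrics fails closed: a matching face or finger is ignored until the passcode has been entered.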
Apple’s TPM module makes it very difficult to bypass the security protections they put on devices. However, we saw in the San Bernardino case that the phone was eventually hacked into in order to bypass the lock. Should we assume that security vulnerabilities will give law enforcement access?
a. But then what about criminal actors?
b. Using security vulnerabilities as an escape hatch is damaging in the long term, as it allows both sides to sidestep the legal issues and keeps any real consensus from forming about where the right level of access is. In a way, this is not just about biometric unlocks; it is also about many kinds of compelled decryption and law enforcement access.
https://www.flickr.com/photos/matsuyuki/15482074983/
“duress fingers” for Touch ID
Should users be given a duress password to wipe their data in the cloud from the field to protect it from discovery with a search warrant (and could that be obstruction of justice or evidence tampering)?
How emergency mode works, and how it might be tweaked to provide a cloud wipe or better biometric lock protection while still balancing user convenience: for instance, while in a certain location or during a certain time, requiring the user to say a phrase while doing a face or fingerprint unlock, thus doing an end run around the “non-expressive” issues with pure biometric unlock.
https://www.flickr.com/photos/roozbeh11/4137075891
How do device manufacturers balance my privacy with convenience?
a. This is really the core issue here: people use biometric unlock because it’s fast and easy and makes using your phone simple. The self-incrimination issue is, at most, a distant afterthought for many users.
b. Should it be this way? Should we have to give up our civil rights for ease of use and being able to participate in a technological society?
Not quite the same as biometric unlock, but implicated in collection of biometric data & 4th Amendment protections
Convenience, entertainment: users like using fitness trackers
1. Balancing usability and releasing awesome new features for consumers with protecting civil liberties is a tough job right now, as we’re in a period where we are trying to figure out how our historical case law precedent applies to new technologies.
2. As with everything in infosec, enabling TouchID or FaceID is a risk-based calculation you should make yourself; hopefully this talk has helped inform you about some of those risks
3. If you work on consumer devices, hopefully this helped you think about risks to weigh in designing your devices to balance safety and usability.
https://www.flickr.com/photos/hjl/9048268938/