The impact of Apple’s new Face ID on smartphone evidence
With each new generation of iPhone, Apple’s updates and new features become more and more nuanced. With the iPhone X, they’ve moved from fingerprint authentication, or Touch ID, to Face ID. Their website now states that, “Your face is your secure password.”
Is it though?
Biometric security is gaining popularity in part because it’s so simple, and also because it feels so secure. Both fingerprints and faces are “biometrics,” or measurable biological characteristics. They are unique to individuals, making them a natural fit for security: they seem less hackable than passwords, no matter how random or complex.
At Apple’s iPhone X event last fall, Apple marketing chief Phil Schiller spoke to their system’s security:
“The chance that a random person could use their fingerprint to unlock your iPhone is about 1 in 50,000,” Schiller said. “What are the similar statistics for Face ID? One in a million. The chance that a random person in the population could look at your iPhone X and unlock it with their face is about one in a million.”
While thieves, hackers, and technology wonks rush to find the holes in Face ID’s security, our questions are more around the impact this new change will have on smartphone evidence in legal cases.
The Fifth Amendment and Biometrics
For password-protected phones and devices, if someone invokes the Fifth Amendment with police or government agents, they may not be compelled to reveal their password. The question gets grayer when biometrics enter the picture.
When you physically key in your password to your phone, it is a physical act, but one driven by knowledge – making it fall under the testimonial communications umbrella. Using your fingerprint or your face, however, has been likened in the courts to physical keys – which the government can compel citizens to provide.
Virginia judge rules on the difference between passcodes and biometric information
In 2014, a Virginia judge ruled that though a defendant could not be forced to give their passcode, they could be compelled to provide their fingerprint to unlock their smartphone so that a video recording could be accessed. Defendant David Charles Baust, accused of strangling his girlfriend (and eventually found not guilty), was compelled to unlock his smartphone using his fingerprint and supply evidence used in the case.
The Commonwealth (of Virginia) used the argument that “the passcode and the fingerprint [were] not testimonial because the existence of the recording [was] a ‘foregone conclusion.’ Defense Counsel [argued] that both [were] testimonial in that either would provide access to all recordings or items on Defendant’s phone.”
Citing United States v. Hubbell, 530 U.S. 27, 35-36 (2000); Fisher v. United States, 425 U.S. 391, 401 (1976), the Court ruled that “the contents of the phone, obtained pursuant to a validly executed warrant are only subject to objections raised under the Fourth Amendment not the Fifth Amendment.”
They found that “compelling the Defendant to provide access through his passcode is both compelled and testimonial and therefore protected…The fingerprint, like a key, however, does not require the witness to divulge anything through his mental processes.”
“Unlike the production of physical characteristic evidence, such as a fingerprint, the production of a password forces the Defendant to ‘disclose the contents of his own mind.’ For this reason, the motion to compel the passcode should be DENIED but the motion to compel the fingerprint should be GRANTED.”
Moving forward under debate
In 2016, the LAPD used a warrant to successfully compel a person to unlock their smartphone with their fingerprint – the first known case of police legally ordering someone to use their fingerprints for this purpose.
The debate amongst lawyers, however, continues: some believe fingerprints and faces should be protected by the Fifth Amendment, while others hold firm to the interpretation that biometric information is physical, and therefore not protected.
Apple, involved in its own arguments with the FBI about privacy of their users, quietly implemented an advanced security safeguard that allows iPhone users to quickly disable Touch ID, requiring their passcode instead. The same safeguard has been implemented for Face ID.
For now, the impact of Face ID on smartphone evidence remains fairly small – no more than that of Touch ID – but as more and more cases encounter the use of biometric information to obtain evidence, the only thing that is certain is that the debate will continue to grow.