Experts say constitutional protection for passwords doesn’t apply to biometric security measures

April 7, 2017 - 

The face recognition security feature for the upcoming Samsung Galaxy S8 will not have the same legal protection of a password, as constitutional protection for passwords typically do not apply to biometric security measures, according to a report by The Verge.

Samsung confirmed last week that its upcoming Galaxy S8e will feature facial, iris and fingerprint recognition, enabling users to unlock the smartphone by scanning their face.

Under the Fifth Amendment, which protects Americans from having to incriminate themselves, passwords or passcodes are considered “testimonial” evidence.

Therefore, people can refuse to disclose their PIN because doing so would mean answering a question based on their thoughts, and not explicitly providing physical evidence.

Ever since Apple announced its Touch ID sensor in 2013, security experts have warned that fingerprints would not be protected by the constitutional right,

A Virginia judge allowed police to use a fingerprint to unlock a phone in 2014, while other courts granted similar requests in 2016 and 2017.

“The self-incrimination analysis for biometric and face scanning would be the same as for Touch ID,” Jeffrey Welty, a law and government professor at UNC-Chapel Hill, said. “Standing there while a law enforcement officer holds a phone up to your face or your eye is not a ‘testimonial’ act, because it doesn’t require the suspect to provide any information that is inside his or her mind.”

The Fifth Amendment provides general legal protection against searching an individual’s smartphone, which can ultimately provide a large amount of personal information. In some cases, however, courts can still order people to unlock their device with a passcode.

“If the police already know what’s on the device and that the person in question is the owner, the ‘foregone conclusion’ doctrine may apply,” Welty said.

As such, biometric security could still serve as “testimonial” in certain situations. Legal expert Oren Kerr offered a solution to protect fingerprints under the Fifth Amendment.

He cites a hypothetical example in which police have a phone with a biometric sensor and are trying to unlock the contents. The phone has seven potential owners — none of whom will come forward to claim the device.

Although placing a finger to the sensor might not be considered testimony, a person identifying himself as the owner of the phone could certainly be, as well as the individual revealing which finger or other body part would unlock it.

A subject of a phone-unlocking order made the latter argument in a case brought forward to the Minnesota Court of Appeals last year, but the Judge disagreed. In any case, Welty argues that both these situations are extreme cases.

“Bottom line, if you are concerned about whether law enforcement can compel access to your device, a password or passcode is much better than Touch ID or facial recognition, but it isn’t ironclad,” says Welty.

A federal court in Illinois recently denied the government’s search warrant request to enter a building and unlock all phones with fingerprint recognition functionality, stating that it needed to be more specific about the exact devices and data they wanted to obtain.

Leave a Comment

comments

About Justin Lee

Justin Lee has been a contributor with Biometric Update since 2014. Previously, he was a staff writer for web hosting magazine and website, theWHIR. For more than a decade, Justin has written for various publications on issues relating to technology, arts and culture, and entertainment. Follow him on Twitter @BiometricJustin.