With all the commotion revolving around the Apple/FBI dispute and accessing encrypted data in the iPhone iOS, it should come as no surprise that mobile device makers and application providers have been ramping up efforts to better protect mobile device content from unauthorized access. Soon, the WhatsApp secured messaging service owned by Facebook will be encrypting voice calls, in addition to its existing privacy features. Not to be outdone, Snapchat is reportedly working on a secure messaging system, while Twilio, a cloud-based communications platform, just announced a partnership with Virgil Security that will enable developers to build strong encryption into their messaging services. Notwithstanding this flurry of activity, the accelerated development in this market sector is ignoring a critical component for protection of user content on the mobile device…and it has your fingerprints all over it.
The Fifth Amendment of the U.S. Constitution guarantees “no person shall be compelled in any criminal case to be a witness against himself.” The founders intended this protection as an important check on governmental power in collecting evidence directly from a defendant. A fundamental right under the Bill of Rights, the 5th Amendment essentially prohibits the government from compelling you to provide testimony against yourself that may incriminate you, or “otherwise provide the State with evidence of a testimonial or communicative nature.” The key point here is “testimony” – something the courts have interpreted as “when the accused is forced to reveal his knowledge of facts relating him to the offense or from having him share his thoughts or beliefs with the government”. (emphasis added) So…compelling you to divulge knowledge of something that may incriminate you (such as the passcode on a mobile device) is prohibited; compelling you to provide a physical characteristic (such as presenting yourself in a lineup, being required to use your voice to provide an identifying characteristic, or being compelled to provide a fingerprint) is not.
Transposing this line of precedent to today’s technology, Judge Steven C. Frucci of the Virginia Circuit Court recently ruled that, unlike passcodes, using fingerprints to unlock a mobile phone does not constitute “compelled testimony” under the 5th Amendment. Essentially, the judge held that “exhibiting such physical characteristics is not the same as a sworn communication” – so compelling the defendant to use their fingerprint to unlock the iPhone equates to the presentation of a physical characteristic, not compelled testimony under this ruling. Ironically, compelling a defendant to provide a passcode violates the 5th Amendment, but compelling the use of a fingerprint to get to the same content does not.
This is not to say that everyone should be ignoring Touch ID on their iPhones in favor of passcodes to circumvent law enforcement – quite the contrary, companies should be aware of this security gap and stay abreast of developments so that it cannot be exploited:
- Where your company permits employees to “bring your own device” (“BYOD”), the risk of requiring fingerprint identifiers must be carefully weighed against the inherent vulnerability of fingerprint IDs, which cannot be changed and can be stolen. In many cases, your company may find it best not to permit BYOD whatsoever, or otherwise significantly restrict BYOD use (e.g., bar connection to the network, email servers, etc.).
- If your company has determined that the balance tips in favor of using fingerprint (or other biometric) identifiers, company BYOD policies should ensure that where such identifiers are available on a mobile device that your employee is using for company communications, such mechanism is enabled. To the extent a situation should ever arise where an employee may be charged with criminal conduct (e.g., embezzlement from your company) and the content on their mobile device may hold relevant evidence, the availability of this access control mechanism may be key.
- Notwithstanding the current state of the law, this ruling is not binding precedent outside Virginia, and the issue is far from settled – the fact that a fingerprint performs the same function as a passcode to provide access to the same information on the mobile device cannot be ignored, and may influence future court decisions…so you will need to stay abreast of developments through qualified counsel.
I would not be surprised if mobile device makers close this gap by allowing passcodes to be tied to biometric identifiers so that governmental access cannot be easily compelled. That said, the evolution of technology may reach the point where the underlying physical characteristic rises to the level of a “communication”. Although ultrasonic fingerprint sensors, retinal scanners and DNA fit into the current legal framework, what about hybrid methodologies that incorporate some other “passkey” intervention? Such biometric sensors are not immune from the discussion, and beg the question – at what point will biometrics cross the line into testimony that fits within 5th Amendment protections (if at all)? Does the analysis change when the access through the mobile device relates to information stored in the cloud? What about the federal government’s compilation of biometric data in the FBI’s Next Generation Identification System – information that the FBI recently sought to exempt from the Privacy Act – and its potential use (or as some fear, abuse)? As technology continues to rapidly advance, the answer to this question becomes less clear, and at a minimum, will depend on the nature of the biometric technology at issue and (potentially) the content sought. Without question, such biometrics are already making a statement…but for now, just not the kind protected by the 5th Amendment.