Okay, initial thoughts here. First off, BAD Forbes, this is California law enforcement, not Federal. While I have no doubt the FBI will be greasily overjoyed if this ends up as upheld precedent, accurate reporting is still critical. Moving on from that point, however. this is the fishiest of fishing tactics. I get that law enforcement detests both the idea of encryption and those of the 4th and 5th amendments, but those ships have sailed and I for one am getting extremely tired of constant attempts to end-run around them. I can't help but wish there was some sort of way to tie a punishment to, oh, call it 'Attempted Violation of the US Constitution' by government representatives; maybe then it wouldn't be tried so damned often.Forbes wrote:Feds Walk Into A Building. Demand Everyone's Fingerprints To Open Phones
In what’s believed to be an unprecedented attempt to bypass the security of Apple iPhones, or any smartphone that uses fingerprints to unlock, California’s top cops asked to enter a residence and force anyone inside to use their biometric information to open their mobile devices.
FORBES found a court filing, dated May 9 2016, in which the Department of Justice sought to search a Lancaster, California, property. But there was a more remarkable aspect of the search, as pointed out in the memorandum: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” The warrant was not available to the public, nor were other documents related to the case.
According to the memorandum, signed off by U.S. attorney for the Central District of California Eileen Decker, the government asked for even more than just fingerprints: “While the government does not know ahead of time the identity of every digital device or fingerprint (or indeed, every other piece of evidence) that it will find in the search, it has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them. For that reason, the warrant authorizes the seizure of ‘passwords, encryption keys, and other access devices that may be necessary to access the device,’” the document read.
Legal experts were shocked at the government’s request. “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.”
Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: “It’s not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation.
“The warrant has to be particular in how it describes the place to be searched and the thing to be seized and limited in scope. That’s why if a government suspects criminal activity to be happening on a property and there are 50 apartments in that property they have to specify which apartment and why and what they expect to find there.”
Whilst the DoJ declined to comment, FORBES was able to contact a resident at the property in question, but they refused to provide details on the investigation. They did, however, indicate the warrant was served. “They should have never come to my house,” the person said. (In an attempt to protect the residents’ privacy, FORBES has chosen to censor the address from the memorandum posted below and concealed their name. But the document is public – search hard enough and you’ll find it). “I did not know about it till it was served… my family and I are trying to let this pass over because it was embarrassing to us and should’ve never happened.” They said neither they nor any relatives living at the address had ever been accused of being part of any crime, but declined to offer more information.
“We’ve never seen anything like this,” Lynch added. Indeed, the memorandum has revealed the first known attempt by the government to acquire fingerprints of multiple individuals in a certain location to unlock smartphones.
The document also showed the government isn’t afraid of getting inventive to bypass the security of modern smartphones. Faced with growing technical difficulties of unlocking phones, the government has sought to find new legal measures allowing them easy routes in, hence the All Writs Act order that demanded Apple open the iPhone 5C of San Bernardino shooter Syed Rizwan Farook. But with Apple refusing to comply with the order, and pushback from the likes of Google and Microsoft, cops are increasingly looking to fingerprints as one option for searching smartphones.
FORBES revealed earlier this year one of the first-known warrants demanding a suspect depress their fingerprints to open an iPhone, filed by Los Angeles police in February. This publication also uncovered a case in May where feds investigating an alleged sex trafficking racket wanted access to a suspect’s iPhone 5S with his fingerprints. Both were ultimately unsuccessful in opening the devices.
The Michigan State Police Department had more luck this summer by asking a university professor to create a fake fingerprint that could unlock a Samsung Galaxy S6. The team, led by Dr. Anil Jain, succeeded. He told FORBES in July the same techniques worked on an iPhone 6 and a Samsung S7.
Is it legal?
The memorandum – which specifically named Apple, Samsung, Motorola and HTC as manufacturers of fingerprint-based authentication – outlined the government’s argument that taking citizens’ fingerprint or thumbprint without permission violated neither the Fifth nor Fourth Amendment. In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.”
It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).
As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.
The justifications didn’t wash with Medvin or Lynch. Of the Fourth Amendment argument, Medvin said the police don’t have the right to search a person or a place in hopes of justifying the search later as reasonable. “That’s not how the 4th Amendment works,” Medvin added. “You need to have a reasonable basis before you begin the search – that reasonable basis is what allows you to search in the first place.”
“The reason I’m so concerned about this … is that it’s so broad in scope and the government is relying on these outdated cases to give it access to this amazing amount of information… The part the government is ignoring here is the vast amount of data that’s on the phone,” Lynch added.
“If this kind of thing became law then there would be nothing to prevent… a search of every phone at a certain location.”
This isn't as damaging or as dangerous as the FBI's incessant attempts to go after encryption methods themselves, but it does put a chilling effect on the use of biometric authentication. If courts keep upholding constitutional protections on passwords but NOT on biometrics, it reduces overall confidence in biometric security, not unreasonably. That, in turn, pushes people back onto passwords which in practice are often far less secure than biometrics, and that has the potential to degrade IT security as an aggregate whole. Stop it, guys. Seriously. Please. Just let it go.
Then, as a separate problem, we have the it-would-be-hilarious-if-it-weren't-serious breadth of the warrant itself, that being not for a specific individual device or a selection of devices, but just everything they happen to pick up. I'm neither a lawyer nor a law enforcement officer myself, but that strikes me as massively over-broad, especially given the amount of sensitive, private information contained both in personal electronic devices and in remote accounts linked to them. That runs into another potential issue; law enforcement has historically needed warrants to access specific accounts on specific services (say, a suspect's Yahoo email account or some such). With an incredibly broad warrant like this, they just get to scoop that up with everything else because accessing the phone accesses accounts configured ON the phone.
In summary, there is practically no part of this particular shitfest that I don't have a problem with.
