Police can’t force you to unlock your phone by iris, face or finger

A US judge has ruled that law enforcement cannot force you to release your biometric mobile device lock.
Written by Charlie Osborne, Contributing Writer

A US judge has ruled that law enforcement does not have the right to force individuals to unlock their mobile devices through either their face or finger, whether or not a warrant is in play.

According to a judge presiding over a case in the US District Court for the Northern District of California, forcing a person to do so violates Fifth Amendment rights against self-incrimination.

Protections are already in place to protect against self-incrimination when it comes to passcodes for smartphones and so the judge, Kandis Westmore, has decided that biometric security deserves the same consideration in law.

As described by Forbes, "all logins are equal" now, no matter whether the means to access a device is achieved by revealing a passcode or using a body part.

This runs counter to how US legal professionals have previously viewed biometrics, including irises, faces, or fingerprints. Body parts for unlocking purposes were previously open season for the police, who were given the right to force a device to be unlocked through these means.

The decision came into being after Westmore reviewed a case relating to Facebook extortion. A victim received a demand for payment over Facebook Messenger on pain of an embarrassing video of them being released, and law enforcement requested a warrant to raid a suspect's property.

As well as obtaining the search warrant, the officers involved planned to force open any mobile device on the premises which was protected through biometric technology, such as Face ID or Touch ID.

In the ruling, the judge says that the government request to do so runs afoul of the Fourth and Fifth Amendments and, therefore, had to be denied.

CNET: German watchdog will reportedly order Facebook to stop gathering some data

While there were sufficient grounds to request a search warrant, Westmore said the overall request was "overbroad" and while two suspects were identified, "the request is neither limited to a particular person nor a particular device."

"Furthermore, the government's request to search and seize all digital devices at the subject premises is similarly overbroad," the ruling continues. "The government cannot be permitted to search and seize a mobile phone or other device that is on a non-suspect's person simply because they are present during an otherwise lawful search."

TechRepublic: Phishing and spearphishing: A cheat sheet for business professionals

The Fifth Amendment states that no person "shall be compelled in any criminal case to be a witness against himself," and so, arguably, biometrics and passcodes -- the latter of which were once considered "testimonial" -- should be considered the same as information found on mobile devices unlocked through these means could result in a criminal prosecution.

"There are there other ways that the government might access the content that do not trample on the Fifth Amendment," the judge added, citing the possibility of obtaining Facebook messenger data under the Stored Communications Act or through a warrant.

See also: NotPetya an 'act of war,' cyber insurance firm taken to task for refusing to pay out

The judge says that "technology is outpacing the law," and this rings true worldwide. For now, at least, US citizens can enjoy a small victory for privacy. It does not mean, however, that the motion to treat biometrics in the same way as passcodes when it comes to forced device unlocking will not be challenged in future cases. 

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards