
Are fingerprints PINs or physical artifacts?

Evan Schuman | Nov. 12, 2014
A judge’s ruling that a person can be forced to open his phone with his fingerprint ignores the fact that the fingerprint scan is just a substitute PIN, which can’t be required by law enforcement.

This ruling smells of what has come to be known as civil service thinking. That pejorative term refers to someone blindly following the rules with no knowledge or understanding of the original intent. Without understanding why a rule was put in place, a manager can't make proper decisions as to when it's OK to overrule the regulation.

The reason for the distinction that Frucci cited in his ruling goes back many years and is based on the idea that people cannot be forced into saying things that are self-incriminating. Police can easily seize physical items, but forcing a suspect to tell them something against the suspect's interest is much thornier. A simple demand to see a lawyer is supposed to end such questioning.

Mark Rasch, a former U.S. Justice Department prosecutor who specializes in technology issues, says court decisions on these distinctions -- which all are based on the Fifth Amendment right against self-incrimination -- are all over the map. He cited one judge who agreed that he couldn't force the suspect to reveal an encryption key, but he did order that suspect to unencrypt the files and show them to law enforcement.

That's impressively absurd. When law enforcement wants someone's password, it's a pretty safe bet that what they really want is the data that the password unlocks. And citizens aren't all that concerned about the privacy of their passwords except for their usefulness in keeping data away from prying eyes.

"Courts are essentially wrong distinguishing between various methods of encryption and decryption," said Rasch. "They are all, at their core, a mechanism for protecting the privacy and security of data. Indeed, a person encrypting a drive with a biometric would have cause to believe that this was more secure, and that they had a greater expectation of privacy in the biometric than they do in a simple four-digit PIN. To say that announcing the numbers '2580' as a password is testimonial incrimination, but handing over a complex PGP key, or causing a complicated mathematical calculation based upon a biometric is not testimonial misses the point. The purpose of the Fifth Amendment is not simply to protect utterances. It is fundamentally a conception of privacy that there are certain things the government simply cannot do, no matter how much it wants to. It's both a zone of privacy, a concept of individual rights, and the idea of fundamental fairness that is embedded in the right against self-incrimination. The right should be read broadly -- not an absolute, but a broad right -- to protect against unnecessary encroachment."

He then illustrated his point with this example: "The best way to think of it is to imagine that the governments of Iran, North Korea, Syria or Cuba seize the contents of your encrypted drive. The local gendarme wants you to decrypt the drive for them. Should you have to do it? If your gut reaction is no -- believe me, you will have a gut reaction -- then we should consider allowing the same rights here."

 
