Fingerprints or Passwords
- January 28, 2017
- Clayton Rice, Q.C.
On October 30, 2014, MH left her home in Chaska, Minnesota, southwest of Minneapolis, to run errands. Her home was burglarized while she was away and a laptop and items of jewelry were stolen. She found an envelope in her driveway with the name of SW on it. The police took photographs of shoe prints from the garage side entry. The investigation led to a Shakopee pawn shop where SW had pawned several pieces of jewelry. Meanwhile Matthew Diamond was arrested on an unrelated outstanding warrant. His shoes and cell phone were seized when he was booked into a county jail.
There were similarities between the tread on Diamond’s shoes and the shoe prints left at the entry to MH’s garage. The police obtained a warrant to search Diamond’s cell phone but they were unable to unlock it. The state then filed a motion to compel Diamond to put his fingerprint on the cell phone. The district court held that compelling Diamond to provide his fingerprint did not violate his Fifth Amendment privilege against compelled self-incrimination. Diamond refused, was found in civil contempt but later purged his contempt and the police searched the phone.
A jury convicted Diamond of second degree burglary, misdemeanour theft and fourth degree damage to property. He was sentenced to 51 months in prison. He appealed. On January 17, 2017, a three member panel of the State of Minnesota Court of Appeals released its unanimous ruling in State v Diamond, A15-2075 (2017) affirming, at p. 14, that “the order compelling Diamond to produce his fingerprint to unlock the cellphone did not require a testimonial communication [and] did not violate Diamond’s Fifth Amendment privilege against compelled self-incrimination.” Here are the four key extracts from the court’s opinion in response to Diamond’s two arguments, at pp. 12-4:
- Diamond relies on In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), to support his argument that supplying his fingerprint was testimonial. In In re Grand Jury, the court reasoned that requiring the defendant to decrypt and produce the contents of a computer’s hard drive, when it was unknown whether any documents were even on the decrypted drive, “would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Id. at 1346. The court concluded that such a requirement is analogous to requiring production of a combination and that such a production involves implied factual statements that could potentially incriminate. Id.
- By being ordered to produce his fingerprint, Diamond was not required to disclose any knowledge he might have or to speak his guilt. See Doe, 487 U.S. at 211, 108 S. Ct. at 2348. The district court’s order is therefore distinguishable from requiring a defendant to decrypt a hard drive or produce a combination. See, e.g., In re Grand Jury, 670 F.3d at 1346; United States v. Kirschner, 823 F. Supp. 2d 665 (E.D. Mich. 2010) (holding that requiring a defendant to provide a computer password violates the Fifth Amendment). Those requirements involve a level of knowledge and mental capacity that is not present in ordering Diamond to place his fingerprint on his cellphone. Instead, the task that Diamond was compelled to perform – to provide his fingerprint – is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing. See Doe, 487 U.S. at 210, 108 S. Ct. at 2347-48.
- Diamond also argues that he “was required to identify for the police which of his fingerprints would open the phone” and that this requirement compelled a testimonial communication. This argument, however, mischaracterizes the district court’s order. The district court’s February 11 order compelled Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cellphone.” At the April 3 contempt hearing, the district court referred to Diamond providing his “thumbprint”. The prosecutor noted that they were “not sure if it’s an index finger or a thumb.” The district court answered, “Take whatever samples you need.” Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.”
- It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints. The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information. There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question. Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated.
In an article titled “Court rules against man who was forced to fingerprint-unlock his phone” published by Ars Technica on January 18, 2017, Cyrus Farivar said that if Diamond had been forced to disclose his passcode instead of providing his fingerprint, the constitutional analysis would have been different: “…[U]nder the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”). But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone. The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production – like being forced to hand over a key to a safe.”
The Court of Appeals also highlighted the distinction between a fingerprint and a password in footnote 2, at p. 14: “We express no opinion regarding whether, in a given case, a defendant may be compelled to produce a cellphone password, consistent with the Fifth Amendment.”
And, in a post to Techdirt titled “State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn’t Violate The Fifth Amendment” dated January 25, 2017, Tim Cushing wrote this about the distinction between finger and brain: “Of course, it’s what’s contained in the now unlocked device that might be incriminating, which is why Diamond pointed to In re Grand Jury as being analogous to the forced provision of a fingerprint. The court’s rebuttal of this argument, however, doesn’t make a lot of sense. It says the process that unlocked the device requires no knowledge or mental capacity – which is certainly true – but that the end result, despite being the same (the production of evidence against themselves) is somehow different because of the part of the body used to obtain access (finger v. brain).”
What, then, does all this mean?
I have always thought that using biometric data like a fingerprint for privacy and security purposes is a bad idea. Everywhere we go in our daily lives we leave a technological record and a biometric record of where we were and often when. Cell site location data, images captured by facial recognition technology and cast-off DNA are some of the personal data we leave behind for the state and corporations to vacuum. Our fingerprints are everywhere we go. When Apple introduced the Touch ID fingerprint scanner for iPhone 5S in 2013, Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School posted a piece to his blog Schneier on Security titled “iPhone Fingerprint Authentication” dated September 11, 2013, where he commented on the good and bad. Here is what he said about the bad:
“…[F]ingerprint readers have a long history of vulnerabilities…Some are better than others. The simplest ones just check the ridges of a finger: some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatine mixture that’s used to make Gummi bears…Almost certainly, I’m sure that someone with a good enough copy of your fingerprint and some rudimentary engineering capability – or maybe just a good enough printer – can authenticate his way into your iPhone.”
Although many technologists see fingerprint authentication as a reasonable balance between convenience and security for mobile devices, the ruling in Diamond is a good reminder of the limits of constitutional protection. The smartphone is the single most important device most of us use. It stores a vast trove of confidential information – privileged communications between lawyers and clients, personal medical history, copyrighted data and trade secrets in the business world. Although courts in the United States and Canada have made significant rulings in recent years protecting digital privacy interests under the Fourth Amendment and s. 8 of the Canadian Charter of Rights, those guarantees do not insulate us from accident and mistake. (See e.g., Riley v California, 573 US 1 (2014); and, R v Vu, 3 SCR 657.)
A fingerprint authentication system can fail in two ways. It can mistakenly allow an unauthorized person access to your cell phone. And it can mistakenly deny access to you. Why take the risk to find out which is worse? Use a password. And keep it in your head – the last refuge of privacy.