Biometric authentication may be more convenient than passwords, and harder for hackers to duplicate, but how much protection does it offer from the law?
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Police departments in the United States have taken to unlocking phones with fingerprints from corpses.
- Among the living, multiple court rulings have found that compelling people to unlock phones with fingerprints does not violate Fifth Amendment protections.
Technology companies are trying to usher in the age of biometric security with increasing fervor, but privacy concerns remain as police in Florida recently attempted to use a dead man's fingerprint to unlock his phone.
A report in the Tampa Bay Times detailed the case of Linus F. Phillip, who was fatally shot by police last month as he was attempting to evade a search after an officer indicated that they smelled marijuana upon pulling Phillip over for illegally tinted windows. Later, detectives arrived at the funeral home where Phillip's corpse was being held and attempted to unlock his phone "by holding the body's hands up to the phone's fingerprint sensor."
While the attempt was unsuccessful, according to Largo Police Lt. Randall Chaney, who was cited in the report, the case highlights a number of problems with biometric security and the legal protections for users of the technology. Specific to this case, the Times report noted that Chaney thought no warrant was needed for the attempt, as there is no expectation of privacy after death. The attempt was reported only because the deceased's fiancee was at the funeral home at the time the unlocking attempt occurred.
A report last month by Forbes staff writer Thomas Fox-Brewster cited separate sources close to local and federal police investigations in New York and Ohio, who indicated that "it was now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones."
Independent of police involvement, if the security integrity of your organization hinges on employees not dying, your industry is either spycraft, or your organization faces larger problems that are well beyond the scope of this article. That said, among the living, legal protection against the forced unlocking of phones for individuals who use biometric authentication such as fingerprints or face recognition is practically nonexistent.
In 2016, a warrant was issued in Lancaster, CA, allowing police to compel people in a given building to unlock phones via fingerprint, which the government argued did not violate Fifth Amendment protections against self-incrimination, as no passcode was given to authorities. Similarly, a 2014 case in Virginia compelled a man to unlock a phone using his fingerprint, but found that passcodes were protected under the Fifth Amendment.
At border crossings and airports, using a PIN is not more advantageous. In February 2017, NASA Jet Propulsion Lab scientist Sidd Bikkannavar was forced by US Customs and Border Patrol (CBP) to unlock a work-issued phone when re-entering the country from South America, according to a report in The Verge. Ironically, because of the nature of Bikkannavar's work, the phone may have contained information that was above the security level of the CBP agents demanding access to begin with. While US citizens are not absolutely required to divulge PINs, it is possible to be detained or have your device confiscated.
TechRepublic's Dan Patterson recently interviewed IBM Security's Limor Kessem and BioCatch's Frances Zelazny, both of whom made compelling arguments about why passwords are insecure. Certainly, easily guessable passwords are insecure, though suggesting that poor passwords are reason to dispense with passwords entirely is ill-advised.
Limiting the amount of sensitive information on a phone is a good first defense in the event a device is lost, stolen, or confiscated. Presently, the law does not afford the same protections to biometric authentication as it does to standard passwords. Therefore, exercising caution with the use of biometric security is strongly advised.