11:48, January 17 66 0 abajournal.com

2019-01-17 11:48:08
Compelling biometric features to unlock phones is ‘abuse of power,’ U.S. judge rules

Shutterstock.com.

Calling an FBI warrant application “an abuse of power” and “unconstitutional,” a U.S. magistrate judge has ruled that federal authorities cannot compel suspects to unlock their phones with biometric features.

The case involves a Facebook Messenger extortion plot where two suspects allegedly said they would release an embarrassing video unless the victim paid them money. The FBI filed for a warrant to search a residence connected to the two suspects, including all electronic devices on the premises. The warrant also requested the ability to compel biometric features, like fingerprint or faces, to unlock those devices.

Forbes has the story.

At the core of the opinion filed Jan. 10, U.S. District Magistrate Judge Kandis Westmore of the Northern District of California concluded that the FBI’s request to compel biometric features was unconstitutional because, in this context, the features are “testimonial” and protected by the Fifth Amendment.

Generally, submitting biometrics like blood samples, fingerprints and a handwriting sample, while potentially incriminating, is seen as non-testimonial and not protected by the Fifth Amendment’s right against self-incrimination. However, alphanumeric passcodes are protected in many circumstances because they are knowledge that could lead to self-incrimination.

“Testimony is not restricted to verbal or written communications,” Westmore wrote. “Acts that imply assertions of fact can constitute testimonial communication for the purposes of the Fifth Amendment.”

Drawing a distinction with the current application of law, Westmore notes that unlocking a phone with a fingerprint exceeds the “physical evidence” created submitting a thumbprint because it authenticates the ownership of the device and the trove of data within it.

She also found the warrant did not comport with the Fourth Amendment’s right against unreasonable search and seizure. The warrant application asked to use biometrics to unlock any device found on the premises, even if they belonged to people other than the suspects.

Leaving law enforcement an alternative, she concluded that the FBI could obtain the sought-after messages from Facebook through the Stored Communications Act and keep the suspects’ rights intact.

Being that Westmore is a magistrate, her opinion may be overturned by a U.S. district judge.

In a separate case warrant from 2017, the FBI searched the Columbus, Ohio, home of Grant Michalski. Using his face, Michalski unlocked his phone at the FBI’s request, at which point the agent was able to go through chats, photos and any other accessible material.

“Traditionally, using a person’s face as evidence or to obtain evidence would be considered lawful,” Jerome Greco, staff attorney at the Legal Aid Society, told Forbes at the time. “But never before have we had so many people’s own faces be the key to unlock so much of their private information.”

Michalski was charged with receiving and possessing child pornography. Another defendant, William Weekley, has also been charged.

Whether or not biometric passwords are testimonial under the Fifth Amendment is a growing area of dispute between courts.

Largely, this debate has taken place within the context of compelling a defendant to decrypt a hard drive or device.

In one recent example, a warrant was issued to search Ryan Michael Spencer’s residence in Aptos, California, including computers and storage devices, for evidence of child pornography. Spencer refused to provide passwords to give law enforcement access to encrypted data on three of his 12 devices, invoking his Fifth Amendment privilege against self-incrimination.

In April 2018, Judge Charles Breyer of the U.S. District Court for the Northern District of California disagreed and ordered Spencer to decrypt his devices.

In the opinion, he held the government had met its burden by showing that Spencer had the knowledge to decrypt the devices.

“A rule that the government can never compel decryption of a password-protected device would lead to absurd results,” Breyer wrote.

Other circuits have set the bar even higher for the government. In 2017, the 3rd Circuit at Philadelphia required the government show “reasonable particularity” that the defendant can decrypt a device. In 2012, the 11th Circuit at Atlanta ruled that to compel decryption, the government must show that the defendant knew the password and that particular, incriminating information was on the encrypted device.

Writing for the 11th Circuit panel, Judge Gerald Bard Tjoflat held that compelling “decryption and production would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files,” which would infringe his Fifth Amendment right.

At the state level, the Minnesota Court of Appeals in 2017 and a Virginia Circuit Court in 2014 found that police could compel a defendant to provide a fingerprint to unlock his phone.