Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimonials in court cases.
Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.
“If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”
“The important thing is,” Hofmann said, “is it something you know, or something you have?”
The Virginia ruling was perhaps the most clear-cut decision among similar cases whose outcomes have varied significantly by circumstance. In United States v. Fricosu (2012), a court ruled because it was “a foregone conclusion” that the defendant’s password-locked data was incriminating, the Fifth Amendment didn’t apply. In United States v. John Doe (2011), the defendant, who had a hard drive protected by encryption, at first didn’t receive Fifth Amendment protection, but that decision was reversed by an appellate court that ruled that if Doe provided his decryption password, then it would “lead the Government to evidence that would incriminate him.” Last week’s Virginia ruling is a fresh example of what can happen when a 225-year-old law is applied to a field as rapidly changing as digital security.
“I think the courts are struggling with this, because a fingerprint in and of itself is not testimony,” said Hayes Hunt, a criminal defense and government investigations lawyer at Cozen O’Connor. “The concern is, once we put a password on something or on ourselves, we have a certain privacy interest.”
Judges across the country will only have to make more decisions about biometrics, as their use by everyday consumers is on the rise. Today, our data is protected by everything from iris scans at airports to heartbeat measurements and ear-print smartphone locks. “This whole area is in such a state of flux,” said Jody Goodman, a counsel at Crowell & Moring. “It seems like every week there are new things happening.”
Apple in particular is one of the most widely-recognized consumer technology companies that have adopted biometrics, though it wasn’t the first. Its latest flagship iPhones and iPads come with Touch ID, which lets users unlock their devices or make payments by scanning their thumbprints instead of inputting a numeric passcode. But while Apple and other companies with fingerprint scanners on their devices say the feature provides more protection from data theft, the Virginia ruling means that data protected only by an old-school passcode is afforded stronger legal protection under the Fifth Amendment.
The solution for those seeking more legal cover for their data, though, is surprisingly simple. If a defendant’s data is protected by both a thumbprint and a passcode, he or she could invoke the Fifth for the thumbprint, thereby blocking access to the data — at least according to the precedent set by the Virginia case. But for now, iPhones at least lack this option, probably because it’s not being demanded by consumers.
“I think Apple will respond to what the market demands,” said Goodman. “Most people don’t want to be bothered [by additional security]. That’s why the fingerprint technology was created in the first place.”