TIME Security

Watch Out For These 3 Holiday Online Shopping Scams

Shopping online. John Lamb—Getty Images

How to keep your personal info safe while you shop

The holiday deals are already rolling out with early Black Friday specials on Amazon, holiday circulars leaking online and big name retailers offering incentives to buy directly from their sites to get a jump on your gift list. But along with the amazing Internet deals come the scammers with new and inventive ways to trick you into handing over your credit card number and personal information.

Here are three of the biggest scams to watch out for this holiday shopping season:

1. Incredible discounts from unknown sites

Not every site offering a great deal is up to no good, but the more amazing the offer, the more wary you should be. Entering your credit card info won’t get you that great gift on a bogus site, but it will get the scammers your credit card info and address, which will allow them to start racking up charges.

These sites can also lure you in by offering not products, but coupons for popular gifts. If you find yourself having to enter a lot of personal information to get the coupon, reconsider if it’s worth it.

What to look for: Watch out for sites with strangely spelled names (e.g., Taarget.com). Be wary of ridiculously discounted deals on high-priced items like iPads or hard-to-get items like the hot toy of the season. And when using a lesser-known site, use a unique password if you have to sign up for an account to purchase.

2. Malicious links in text, email or Facebook feeds

Your digital life will be targeted in a number of ways to get you to click on a link that will download spyware or a malicious program designed to capture your passwords and other personal information. These will come in the form of offers for great deals in your inbox, on your mobile phone via text messages and on Facebook from shady accounts. Also beware the emails telling you a package you didn’t order is being delivered.

What to look for: Carefully check the source of the link. Even if it’s from someone you know, if you didn’t know it was coming, contact them first to make sure they sent it. If it’s from an unknown source and offers an amazing deal, you can bet that it’s a scam.

3. Bogus gift card offers

This popular stocking stuffer is a vehicle for a common Internet scam. It involves an email or text saying you’ve qualified for a deep discount on a gift card ($10 for a $25 card!), but the site it takes you to asks for extensive personal information: enough for scammers to get into your bank account, for example.

What to look for: This one is straightforward: don’t click on any links for amazing deals. Also, be wary if you come across any sites that offer gift cards at unheard-of prices.

What to do if you think you’ve been scammed

If you think you’ve clicked on a link that downloaded something malicious to your device, immediately run a virus scanning program. This is especially true if you are on your mobile phone or tablet. Those devices aren’t immune to scamware, even iPhones and iPads.

If you’ve given your credit card information to a site you think may be shady, call your credit card company immediately and alert them. They will put a watch on your card for suspicious activity.

In general, stick to the well-known sites, don’t click on any links from unfamiliar sources and don’t be duped into giving up extensive personal information to get a good deal.

This article was written by Dan O’Halloran and originally appeared on Techlicious. More from Techlicious:

Passwords Often Reveal People’s Deepest Secrets
Doctors 3D Printing Replacement Parts for the Human Body
Best TVs under $500

TIME Security

New Malware Is a ‘Highly Complex’ Stealth Security Threat

Laptop, speed typing, screen glowing in the dark. Dimitri Otis—Getty Images

A new piece of malware called Regin is spying on people across industries. Why? Researchers aren’t exactly sure

The cyber security firm Symantec on Sunday revealed that a malicious new piece of software is collecting information on individuals, companies, and government entities without their knowledge.

The malware, called Regin, is considered to be a mass surveillance and data collection tool (sometimes referred to as “spyware”). Its purpose and origin are still unclear, Symantec said, but researchers believe that the program is the work of a nation-state.

“We believe Regin is used primarily for espionage,” said Liam O’Murchu, a security researcher at Symantec. “We see both companies and individuals targeted. The ultimate goal is to listen in on phone calls or something like that. [Regin’s operators] target individuals and spread the attack to find whatever it is they’re looking for. All of these things together make us think that a government wrote it.”

Symantec said Regin (pronounced “re-gen,” as in “regenerate”) monitors its targets with a rarely seen level of sophistication. Internet service providers and telecommunications companies make up the bulk of those that are initially infected, researchers said. Regin then targets individuals of interest—in the hospitality, energy, research, and airline industries, among others—that are served by those ISPs. Regin’s operators continue to use infected companies as a springboard to gain access to more individuals. Once they gain access, they can remotely control a person’s keyboard, monitor Internet activity, and recover deleted files.

More than half of observed attacks have targeted Russia and Saudi Arabia, Symantec said. The rest are scattered across Europe, Central America, Africa, and Asia. The initial infection can come from a wide variety of sources, such as copies of popular websites or web browsers and USB drives that have been plugged into contaminated systems.

Regin has five attack stages. It begins with an initial “drop,” also called a Trojan horse (or “backdoor”) breach, that allows it to exploit a security vulnerability while avoiding detection. The first stage deploys what is called a loader, which prepares and executes the next stage; the second stage does the same to complicate detection. The third and fourth stages, called kernels, build a framework for the fifth and final stage, called the payload. That’s when it can wrest control of a computer or leap to a new victim.

Each stage prepares and executes the next, rather than deploying from a common framework. It’s similar in concept to Russian nesting dolls. Regin’s distributed structure makes it difficult for cyber security researchers to identify it without capturing information about all five stages.

The malware is made up of a system of customizable modules so that it may collect the information it needs across a number of different victims. For example, one Regin attack might capture a password from a hotel clerk’s computer while another attack may obtain remote control of another computer’s keyboard for purposes unknown. Each module is customized for one task or system, making detection and prevention of a comprehensive Regin attack difficult.

“One of the problems we have with analyzing is we don’t have all the components,” O’Murchu said. “You only get the modules set on that [particular] victim. But we know there are far more modules than what we have here. We don’t have enough information to understand. On top of that, it’s coded in a very advanced way to leave a small footprint. Anything they leave behind is encrypted. Each part is dependent on having all the parts.”

This kind of operational complexity is typically reserved for a state or a state-sponsored actor, Symantec said. Only a handful of malware programs to date have demonstrated such sophistication. In 2012, the Flamer malware used the same modular system to hit targets in the West Bank of Palestine, Hungary, Iran, and Lebanon, among other countries. Regin’s multi-stage attack pattern operates similarly to the Duqu malware and its descendant Stuxnet, the malware responsible for the disruption of Iranian nuclear facilities in 2010. O’Murchu said Regin is part of a disquieting trend of government-written and government-enacted malware.

“We often say that Stuxnet opened Pandora’s box,” O’Murchu says. “Whether that is because we know what to look for now or because there has been a genuine increase since Stuxnet is up for debate, but what we can say is that yes, we now know about a lot more scary government malware than before. It is far more pervasive, it is embedded in more organizations than we have ever seen, it is more organized than ever, and it is more capable than ever. I would say there has been an explosion in government related malware, and it doesn’t seem to be going away anytime soon.”

What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.

“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. A lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”

TIME Security

What To Do When Your Email Gets Hacked

Person typing on a laptop. Benjamin Howell—Getty Images

First things first: Change your password

Last week, I got an email from a friend urging me to check out an amazing page. Between the grammatical errors and a link obviously pointing to a server somewhere in Russia, it was obvious that my friend’s email account had been hacked.

When I checked in with her another way, she already knew about the problem—the hacker’s message had gone out to her entire address book—and she was quite concerned. So I walked her through the steps for getting everything back in order.

Step #1: Change your password.

The very first thing you should do is keep the hacker from getting back into your email account. Change your password to a strong password that is not related to your prior password; if your last password was billyjoe1, don’t pick billyjoe2—and if your name is actually BillyJoe, you shouldn’t have been using your name as your password in the first place.

Try using a meaningful sentence as the basis of your new password. For example, “I go to the gym in the morning” turns into “Ig2tGYMitm” using the first letter of each word in the sentence, mixing uppercase and lowercase letters and replacing the word “to” with “2.”

Step #2: Reclaim your account.

If you’re lucky, the hacker only logged into your account to send a mass email to all of your contacts.

If you’re not so lucky, the hacker changed your password too, locking you out of your account. If that’s the case, you’ll need to reclaim your account, usually a matter of using the “forgot your password” link and answering your security questions or using your backup email address.

Check out the specific recommendations for reclaiming possession of your account for Gmail, Outlook.com and Hotmail, Yahoo! and AOL.

Step #3: Enable two-factor authentication.

Set your email account to require a second form of authentication in addition to your password whenever you log into your email account from a new device. When you log in, you’ll also need to enter a special one-time-use code that the site texts to your phone or that is generated by an app.

Check out two-step authentication setup instructions for Gmail, Microsoft’s Outlook.com and Hotmail and Yahoo!. AOL doesn’t support two-factor authentication yet.

Step #4: Check your email settings.

Sometimes hackers might change your settings to forward a copy of every email you receive to themselves, so they can watch for any emails containing login information for other sites. Check your mail forwarding settings to ensure no unexpected email addresses have been added.

Next, check your email signature to see if the hacker added a spammy signature that will continue to peddle their dubious wares even after they’ve been locked out.

Last, check to make sure the hackers haven’t turned on an auto-responder, turning your out-of-office notification into a spam machine.

Step #5: Scan your computer for malware.

Run a full scan with your anti-malware program. You do have an anti-malware program on your computer, right? If not, download the free version of Malwarebytes and run a full scan with it. I recommend running Malwarebytes even if you already have another anti-malware program; if the problem is malware, your original program obviously didn’t stop it, and Malwarebytes has resolved problems for me that even Symantec’s Norton Internet Security wasn’t able to resolve. Scan other computers you log in from, such as your work computer, as well.

If any of your scans detect malware, fix it and then go back and change your email password again. (When you changed it in step #1, the malware was still on your computer.)

Step #6: Find out what else has been compromised.

My mother-in-law once followed the ill-advised practice of storing usernames and passwords for her various accounts in an email folder called “Sign-ups.” Once the hacker was into her email, he easily discovered numerous other logins.

Most of us have emails buried somewhere that contain this type of information. Search for the word “password” in your mailbox to figure out what other accounts might have been compromised. Change these passwords immediately; if they include critical accounts such as bank or credit card accounts, check your statements to make sure there are no suspicious transactions.

It’s also a good idea to change any other accounts that use the same username and password as your compromised email. Spammers are savvy enough to know that most people reuse passwords for multiple accounts, so they may try your login info in other email applications and on PayPal and other common sites.

Step #7: Humbly beg for forgiveness from your friends.

Let the folks in your contacts list know that your email was hacked and that they should not open any suspicious emails or click on any links in any email they recently received from you. Most people will probably have already figured out that you were not really the one recommending they buy Viagra from an online pharmacy in India—but you know, everyone has one or two friends who are a little slower to pick up on these things.

Step #8: Prevent it from happening again.

While large-scale breaches are one way your login information could be stolen—this summer, Russian criminals stole 1.2 billion usernames and passwords—they’re certainly not the only way. Many cases are due to careless creation or protection of login information.

Last year, Google released a study that reveals most people choose passwords based on readily available information, making their accounts hackable with a few educated guesses. Easy passwords make for easy hacking, and spammers use programs that can cycle through thousands of logins every second to identify weak accounts.

Picking a strong password is your best protection from this type of hacking. It also is prudent to use a different password for each site or account, or, at the very least, use a unique password for your email account, your bank account and any other sensitive accounts. If you’re concerned about keeping track of your passwords, find a password management program to do the work for you.

In my friend’s case, her passwords were pretty good and there was no malware on her computer. But she was careless about where she was logging in. On a recent trip overseas, she used the computer in her hotel lobby to check her email. That was a bad idea.

Computers in hotel lobbies, libraries and other public places are perfect locations for hackers to install key-logging programs. The computers are often poorly secured and get used by dozens of people every day who don’t think twice about logging into their email or bank accounts or entering credit card information to make a purchase. The best practice is to assume that any public computer is compromised and proceed accordingly.

This article was written by Suzanne Kantra and originally appeared on Techlicious.

TIME Security

London Police and NYC Prosecutors to Swap Staff in Cybercrime Fight

Cybercrime costs the United Kingdom some $40 billion a year, and the United States more than double that

Leading prosecutors in New York and London police plan to embed staff in each other’s offices, officials said Wednesday, increasing transatlantic collaboration in an effort to combat cybercrime.

The New York County District Attorney’s Office and the City of London Police will exchange one staff member each this spring, with the intention that the program will likely expand in the future.

The New York County District Attorney Cyrus Vance Jr. made the announcement at a Wednesday cybersecurity symposium at the New York Federal Reserve, where Adrian Leppard, City of London’s police commissioner, gave a keynote address.

The goal, officials said, is to expand joint cyber investigations in two of the largest financial centers in the world, where firms are ripe targets for cyber criminals. “The same people that are hitting us in New York are very likely hitting Adrian in London,” Vance said. “A collaboration between our two agencies would make really good sense from an investigative standpoint and also make sense from a security standpoint.”

Leppard said that cybercrime costs the United Kingdom some $40 billion a year, and the United States more than double that.

The two offices worked closely together this summer to break up an international ring of hackers that attacked over 1,600 StubHub users’ accounts and purchased more than $1 million in tickets.

“Our international partnerships, in particular our ongoing collaboration with Commissioner Leppard and the City of London Police, reflect a changing landscape and the understanding that cybercriminal attacks will not be limited by state or national borders,” Vance said.

TIME Retail

Shoppers Just Don’t Care About Credit Card Hacks

Major Retailers Begin Black Friday Sales Thanksgiving Night
People shop at a Target on Thanksgiving night November 22, 2012 in Highland, Indiana. Tasos Katopodis—Getty Images

Target and Home Depot both reported great earnings reports this week

If Target and The Home Depot are still reeling from the collective breach of 96 million customers’ credit and debit cards, it didn’t show in either company’s earnings reports this week.

Target posted $17.73 billion in revenue on Wednesday, beating one Wall Street consensus forecast by $17 million. That paled in comparison to Home Depot’s rosy earnings report on Tuesday, which showed store sales in the U.S. climbed by 5.8% in the third quarter. Breaches? What breaches?

Target’s dataclysm receded into the rear view mirror as the company revealed that expenses related to a credit card data breach late last year had plateaued at $153 million. The market rallied around its stock, driving up the share price by more than 6%. The Home Depot’s breach, though, was bigger and more recent. The verdict?

“We believe the breach is firmly behind [Home Depot] with momentum heading into 4Q,” wrote J.P. Morgan analyst Christopher Horvers. That assessment comes two months after Home Depot’s September announcement that 56 million credit card accounts had been hacked and upwards of 53 million email addresses were stolen. The only major business fallout for the company, as far as analysts could detect, was a curious blip in traffic toward Home Depot’s chief competitor, Lowe’s. “Perhaps the breach provided some traffic benefit,” Horvers speculated, before moving on to the retailer’s solid sales growth.

If neither shoppers nor shareholders ultimately punish big businesses for data breaches, will companies move to prevent them before they occur?

“In the end, the market’s behaving completely rationally,” says Avivah Litan, a security analyst for Gartner. “It’s still a pain in the neck for everyone, but there’s very little actual fraud committed as a result of these breaches.”

Litan says that hackers like those who pilfered credit card numbers at Target and Home Depot typically have a very short window of opportunity — less than one month — to rack up fraudulent charges before banks detect the suspicious activity. These heists tend to run in the range of $10 million, and shoppers rarely ever bear the costs. Instead, banks split the sum with the affected retailer, where any remaining cash vanishes into the fine print of the company’s quarterly earnings reports.

The real question, then, is why credit card hacks continue to make front page news. In the grand scheme of online theft, Litan says, what happened to Target and Home Depot shoppers is small potatoes — identity thieves have pulled off heists at ten times the scale of credit card fraud by going after medical and tax records. However, credit card hacks on retailers get lots of public attention because so many people can be affected so quickly.

“Stealing 50 million cards is just as easy as stealing 100 cards,” Litan says. The sheer number of stolen cards conjures up an image of a whole nation of shoppers exposed and helpless. But these crime stories tend to end with about as much drama as a third quarter earnings report.

TIME privacy

What Is Uber Really Doing With Your Data?

The Hamptons Lure Uber Top Drivers Amid NYC Slow Summer Weekends
The Uber Technologies Inc. car service application (app) is demonstrated for a photograph on an Apple Inc. iPhone in New York, U.S., on Wednesday, Aug. 6, 2014. Bloomberg—Bloomberg via Getty Images

"I was tracking you"

Uber has had a rocky few days. On Monday, it was revealed that the ride-sharing app’s senior vice president, Emil Michael, proposed the idea of investigating critical journalists’ personal lives in order to dig up dirt on them. On Tuesday, the company published a blog post clarifying its privacy policy. And Uber is investigating its top New York executive for tracking a reporter without her permission, TIME learned Wednesday.

What is Uber really up to, and what are its employees allowed to do?

What Uber does with your data

Uber has a company tool called “God View” that reveals the location of Uber vehicles and customers who request a car, two former Uber employees told Buzzfeed. Corporate employees have access to the tool, though drivers do not. But a wide number of Uber employees can apparently view customers’ locations. (Uber did not confirm or deny the tool’s existence to TIME, but it’s worth noting that “God View” is a widely used term in the gaming world.)

Still, several previous incidents appear to confirm the existence of Uber’s so-called God View.

Venture capitalist Peter Sims said in a September blog post that Uber had once projected his private location data on a screen at a well-attended Chicago launch party:

One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33rd and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? “No,” he replied, “that’s not possible.”

At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

And this month, a Buzzfeed reporter arrived for an interview at Uber’s New York headquarters only to find the company’s top manager in the city, Josh Mohrer, was waiting for her. According to Buzzfeed, Mohrer said, “There you are,” while gesturing at his iPhone. “I was tracking you.” Mohrer didn’t ask for permission to track Johana, Buzzfeed reports.

Of course, Uber also uses customer data for the humdrum daily task of connecting riders with drivers as well as resolving disputes and reaching out to customers.

What Uber says it can do with your data

Uber says it only uses your data for “legitimate business purposes” and that its team audits who has access to its data on an ongoing basis. “Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes,” a spokesperson told TIME. “Data security specialists monitor and audit that access on an ongoing basis. Violations of this policy do result in disciplinary action, including the possibility of termination and legal action.”

And in its privacy policy, Uber says that it can use your personal information or usage information—that includes your location, email, credit card, name or IP address—“for internal business purposes” as well as to facilitate its service for pickups and communicating with customers.

Uber clarified in a blog post Tuesday that “legitimate business purposes” include facilitating payments for drivers, monitoring for fraudulent activity and troubleshooting user bugs.

Another important point: Uber says it can hold on to your data even if you delete your account. The company claims it keeps your credit card information, geo-location and trip history “to comply with our legal and regulatory obligations” and “resolve disputes.” Users have to provide a written request in order to completely delete an Uber profile along with all their data.

So did Uber do anything wrong?

Strictly by its own standards, it appears that Uber may not have violated its own rules when Josh Mohrer tracked Buzzfeed’s reporter. There’s no indication Mohrer shared the information outside Uber—which would disqualify it from being “internal”—but it’s hard to argue that he tracked the reporter for a “business purpose.” (Maybe it saved Mohrer time? Or he was showing off the feature? It’s hard to say.)

At the Uber Chicago launch party where Peter Sims’ location was reportedly tracked, the data was shared with people outside the company, as non-employees were at the event. That’s hard to justify by Uber’s rules. However, Uber’s privacy policy was updated in 2013, and the Chicago launch party occurred “a couple of years ago,” by Sims’ telling. So it’s unclear whether the move violated Uber’s privacy rules at that time.

Should you delete your Uber account?

If you’ve lost all trust in Uber and think that other ride-share apps like Lyft (or plain old taxis) are better, then yes, perhaps. But there isn’t any evidence that Uber is inappropriately using customer data on a widespread scale. And if you do delete your account, remember: unless you write in, Uber will still have your data.

TIME privacy

9 in 10 Americans Feel They’ve Lost Control of Their Personal Data

Facebook Said to Plan IPO Filing for as Early as Coming Week
David Paul Morris—Bloomberg / Getty Images

A new survey finds many Americans want stronger safeguards for their personal data

More than 90% of Americans feel they have lost control of their personal data, according to a new survey of Internet users that reveals a pervasive sense of unease about who is monitoring and misusing their information.

Pew Research Center surveyors asked 607 Americans which interlopers, in particular, were a cause for concern. Eight out of ten respondents expressed concerns about the government surveilling their online communications and phone calls. An equal percentage shared concerns about businesses and marketers accessing their social media feeds. Meanwhile, nearly two-thirds of respondents wanted lawmakers to pass tighter regulations against advertisers looking to access people’s personal data.

Still, those polled expressed ambivalence about exchanging their personal information for access to free online services — more than half said they were willing to accept that trade-off.

The survey results come despite recent efforts by social media companies to give users a greater sense of control over privacy settings. Facebook, for example, tightened its default privacy settings in May and launched a “privacy checkup” pop-up window.

Read the full survey at Pew.

TIME Security

U.S. Postal Service Says Data on Up to 800,000 Workers Hacked

The U.S. Postal Service (USPS) logo is seen on the shirt of a letter carrier. Bloomberg/Getty Images

Some customer information may have been compromised as well

The U.S. Postal Service (USPS) revealed Monday that data on its employees may have been compromised in a “cyber intrusion incident.”

USPS said it recently learned of a data breach affecting the names, dates of birth, Social Security numbers, addresses, employment dates and emergency contact information of up to 800,000 employees.

Post office customers who contacted the Postal Service Customer Care Center via telephone or e-mail between Jan. 1 and Aug. 16 may have had their names, addresses, telephone numbers or e-mail addresses compromised, the USPS said, but added there’s no evidence to suggest customers’ credit card information was stolen or hacked.

“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” said USPS media relations manager David Partenheimer in a statement. “We began investigating this incident as soon as we learned of it, and we are cooperating with the investigation, which is ongoing. The investigation is being led by the Federal Bureau of Investigation and joined by other federal and postal investigatory agencies.”

Employees possibly affected by the data breach have been notified, and will receive credit monitoring services for one year at no charge, USPS said.

The mail service did not identify suspects in the investigation, but Partenheimer told the Washington Post that the intruder may be “a sophisticated actor that appears not to be interested in identity theft or credit card fraud.”

TIME Security

Apple Says It’s Blocking Malware-Infected iPhone Apps

Apple Inc.'s iPhone 6 and iPhone 6 Plus Go On Sale
An Apple Inc. iPhone 6 stands on display at the company's Causeway Bay store during the sales launch of the iPhone 6 and iPhone 6 Plus in Hong Kong, China, on Friday, Sept. 19, 2014. Bloomberg—Bloomberg via Getty Images

Apple moved quickly to combat a massive iPhone hack from a Chinese app store

Apple said Thursday that it’s blocking apps infected with malicious software in an effort to protect iPhone users in China from being hacked.

Over 450 apps available on third-party Chinese app store Maiyadi have been infected with Wirelurker malware, which steals data from iPhones and iPads by lying in wait on computers running Apple’s Mac OS X operating system.

Apple moved quickly to block the affected apps. “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching,” Apple said in a written statement Thursday, the Wall Street Journal reports.

Palo Alto Networks, the security company that first reported the breach, said that hundreds of thousands of iPhone users may have been affected.

You can learn more about how to protect yourself from the Wirelurker malware here.


TIME legal

Why the Constitution Can Protect Passwords But Not Fingerprint Scans

A portable fingerprint scanner is displayed at the Biometrics Conference and Exhibition at the Queen Elizabeth II Conference Centre. Peter Macdiarmid—Getty Images

Fingerprint scans are more secure, except when it comes to the Fifth Amendment

Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimony in court cases.

Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered self-incriminating testimony, biometrics like fingerprint scans fall outside the law’s scope.

“If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”

“The important thing is,” Hofmann said, “is it something you know, or something you have?”

The Virginia ruling was perhaps the most clear-cut decision among similar cases whose outcomes have varied significantly by circumstance. In United States v. Fricosu (2012), a court ruled that because it was “a foregone conclusion” that the defendant’s password-locked data was incriminating, the Fifth Amendment didn’t apply. In United States v. John Doe (2011), the defendant, who had a hard drive protected by encryption, at first didn’t receive Fifth Amendment protection, but that decision was reversed by an appellate court that ruled that if Doe provided his decryption password, then it would “lead the Government to evidence that would incriminate him.” Last week’s Virginia ruling is a fresh example of what can happen when a 225-year-old law is applied to a field as rapidly changing as digital security.

“I think the courts are struggling with this, because a fingerprint in and of itself is not testimony,” said Hayes Hunt, a criminal defense and government investigations lawyer at Cozen O’Connor. “The concern is, once we put a password on something or on ourselves, we have a certain privacy interest.”

Judges across the country will only have to make more decisions about biometrics, as their use by everyday consumers is on the rise. Today, our data is protected by everything from iris scans at airports to heartbeat measurements and ear-print smartphone locks. “This whole area is in such a state of flux,” said Jody Goodman, a counsel at Crowell & Moring. “It seems like every week there are new things happening.”

Apple in particular is one of the most widely recognized consumer technology companies that have adopted biometrics, though it wasn’t the first. Its latest flagship iPhones and iPads come with Touch ID, which lets users unlock their devices or make payments by scanning their thumbprints instead of inputting a numeric passcode. But while Apple and other companies with fingerprint scanners on their devices say the feature provides more protection from data theft, the Virginia ruling means that data protected only by an old-school passcode is afforded stronger legal protection under the Fifth Amendment.

The solution for those seeking more legal cover for their data, though, is surprisingly simple. If a defendant’s data is protected by both a thumbprint and a passcode, he or she could invoke the Fifth for the thumbprint, thereby blocking access to the data — at least according to the precedent set by the Virginia case. But for now, iPhones at least lack this option, probably because it’s not being demanded by consumers.

“I think Apple will respond to what the market demands,” said Goodman. “Most people don’t want to be bothered [by additional security]. That’s why the fingerprint technology was created in the first place.”
