Feds Serve Warrant Demanding Fingerprints of Everyone in the Building

October 18, 2016 CyberCecurity Leave a comment

As has been predicted, in a court filing from May 2016, the DoJ authorized the cops to

“depress the fingerprints and thumbprints of every person who is located at the subject premises during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the subject premises and falls within the scope of the warrant.”

The US Attorney for the Central District of California said that they don’t know what people or devices might be in the premises, it has demonstrated probable cause that evidence may exist at the search location and needs the ability to gain access to those devices and maintain access to search them.

“The warrant authorizes the seizure of passwords, encryption keys and other access devices that may be necessary to access the device.”

Since companies like Apple and Google have been somewhat less than cooperative with the Feds (witness the FBI-Apple lawsuit over the use of the All Writs Act), the Feds have gotten creative.

While the feds might be able to physically force you to put your finger on your phone, while the warrant may say that they can make you turn over your password, they can’t choke it out of you – at least not legally.

If there is a warrant and the warrant asks you to give them your password, you at least have the option to go before a judge and make your case that you shouldn’t have to do that. You may have to go to jail in the meantime, so you have to decide how important it is to you.

Apparently, this is not the first time that police got a court’s authorization to make people press their fingers onto a phone. That distinction may have happened in Los Angeles in February of this year.

While the search warrant may require a person to press here, that may or may not actually work, depending on things like how long it has been since the phone was last unlocked.

If that is a concern for you, then the experts say, do not use the fingerprint reader to unlock the phone.

Most – but not all – courts have ruled that the police cannot compel you to enter your password. In most courts interpretation, that is too much like compelling testimony in violation of the Fifth Amendment.

In one case, the police had someone create a fake fingerprint to fool a Galaxy 6. That worked and the person who did that, said that the fake fingerprint would work on a Galaxy 7 and iPhone 6.

Depending on what they are looking for – such as texts (SMS messages) – those may be available from the phone’s carrier. If they are looking for iMessages, WhatsApp messages of other digital messages, those messages are not available from the carrier, so the only way to get them would be to unlock the phone.

On some phones the user can set the amount of time that can pass since the last fingerprint scan before the password is required and also the number of failed fingerprint attempts that require a password be entered.

Assuming the phone in question allows this (My Galaxy Note does not appear to have those features), then setting those thresholds lower make this technique less effective. For example, setting the failed fingerprint read to one before requiring a password makes this warrant technique less useful, but likely also requires you to enter your password more frequently.

As always, we have a trade-off between security and convenience.

If bad guys are after you, they may also “ask” you to put your finger on the phone to unlock it, but in that case, if it doesn’t work, they might “ask” you to unlock the phone as an alternative to killing you.

It appears, that if security is your concern, that you should not use the fingerprint, just like you should not use a 4 digit numeric PIN. An 8-16 digit alphanumeric password is quite effective at stymieing and current brute force techniques. And less convenient for you. Security. Convenience. Pick one.

This is a cat and mouse game, so both the bad guys and the police are advancing the technology while the law is desperately trying to catch up.

Information for this post came from Forbes.