You lock your phone so other people can't access it. But how you lock your phone is an important factor in whether law enforcement can compel you to unlock it. Apple's year-old Face ID system is no exception. On Sunday, Forbes reported the first known example of law enforcement anywhere using a suspect's face to unlock a phone during an investigation.
The question of whether cops can force someone to unlock their phone in the US for a search hinges on Fifth Amendment protections against self-incrimination—that no one "shall be compelled in any criminal case to be a witness against" themselves. Privacy advocates argue that this extends to the act of unlocking a phone or generally decrypting data on a device. But while that line of thinking has succeeded as a defense against having to produce a passcode, it works less reliably in the context of Touch ID or other biometrics. Something you know, like a passcode, is easier to view as testimonial—legally speaking, a statement made by a witness—than something you have, like a physical attribute.
"Big picture, a warrant is required for the search of a device except in certain circumstances at the border," says Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. In the newly reported Face ID case, police did have a warrant to compel 28-year-old Grant Michalski of Ohio to unlock his smartphone, and Michalski has gone on to face child pornography charges.
"The next question is whether a person has a right against self-incrimination in providing the tool that law enforcement would use to search the device—a password or a fingerprint or a face," Nojeim says. "For the issue about whether you can be compelled to provide your fingerprint or your face, so far the courts are ruling that fingerprints and faces are not testimonial, and therefore there isn’t a Fifth Amendment violation. In terms of whether compelled disclosure of a password is a violation of the Fifth Amendment, the majority of courts are saying it is."
Which means that in Michalski's case, the seemingly remarkable instance of unlocking a suspect's iPhone by pointing it at his face was likely entirely straightforward for police. "It’s not at all surprising to me that this happened. In fact, it seems as though Face ID opens up less invasive ways for police officers who have authority to access data on a phone," says Ahmed Ghappour, an associate law professor at Boston University who specializes in cybersecurity and criminal law. "There might be less intrusion and physical coercion with forcing a faceprint versus a fingerprint."
The Supreme Court has not decided the issue directly for either biometrics or passcodes, though. This could mean that an opening still exists to make the case that the Fifth Amendment should protect against decryption by any means. "It is EFF's position that compelled decryption, whether by biometric or alphanumeric password, should be protected by the Fifth Amendment because decryption is always testimonial," says Stephanie Lacambra, a criminal defense staff attorney at the Electronic Frontier Foundation. "You should understand that you do have the power to withhold your passwords from law enforcement."
Until a definitive court decision, though, if you're at all concerned about compelled unlocking of your phone, you're better off using a strong six-digit passcode than your fingerprint or face. Just don't count on that to protect you in all situations, because there are case-by-case circumstances that can impact the chance of a successful Fifth Amendment defense.
A crucial caveat to Fifth Amendment protections in general is something called the “foregone conclusion” doctrine, which essentially says that if prosecutors already know a piece of information, that information is not protected by the Fifth Amendment, because it can independently be proven true. This means that testifying to confirm it is not self-incriminating. US courts have issued mixed decisions on how the foregone conclusion doctrine applies to compelling a person to produce a passcode.
Things get even more complicated at the US border. As of January, US Customs and Border Protection has a new policy—built on a Ninth Circuit case decision—that its agents can do basic, manual phone searches at the border, even without any suspicion of a crime. Meaning agents can look through any phone they want.
CBP does require "reasonable suspicion"—a notch below probable cause—before its agents can execute a forensic search of a device, in which they connect it to a system that crawls or downloads its contents for deeper analysis. This more invasive search doesn't require a warrant, however, because the courts have found that taking the time to seek one is not practical at the border. US Immigration and Customs Enforcement has its own digital-device search policy. Unchanged since it was issued in 2009, ICE guidelines say agents can do both basic and in-depth forensic searches on any device without suspicion. In general, digital searches have become more prevalent and more involved at the border in recent years, and it is unclear how far Fifth Amendment protections might extend in these situations.
Forcing you to unlock your phone also isn't law enforcement's only avenue to access a device. Departments and agencies develop and buy hardware and software workarounds that can grant access without any involvement from a device's owner. But while tech companies—particularly Apple—and cops wage an endless battle of plugging these holes and discovering new ones, compelled unlocking is a consistent question that still doesn't have a clear resolution.
Regardless of how law enforcement might get in, though, legal analysts agree on one thing: If a person's device isn't locked to begin with, there's no barrier at all to getting access, legal or otherwise. So you might as well slap a passcode on there. "There’s a large number of people who don’t protect their information at all by putting a password or other protection before law enforcement or a thief could get it," CDT's Nojeim says. "That’s still very common, and people need to pay more attention to securing data as much as they can."