Feds Walk Into A Building. Demand Everyone's Fingerprints To Open Phones Oct 16, 2016 @ 12:30 PM
http://www.forbes.com/sites/thomasbrewster/2016/10/16/doj-demands-mass-fingerprint-seizure-to-open-iphones/ Apple phones are just one target of the DoJ’s numerous attempts to force suspects to open devices with their fingerprints. (AP Photo/Kiichiro Sato) In what’s believed to be an unprecedented attempt to bypass the security of Apple iPhones, or any smartphone that uses fingerprints to unlock, California’s top cops asked to enter a residence and force anyone inside to use their biometric information to open their mobile devices. FORBES found a court filing, dated May 9 2016, in which the Department of Justice sought to search a Lancaster, California, property. But there was a more remarkable aspect of the search, as pointed out in the memorandum: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” The warrant was not available to the public, nor were other documents related to the case. According to the memorandum, signed off by U.S. attorney for the Central District of California Eileen Decker, the government asked for even more than just fingerprints: “While the government does not know ahead of time the identity of every digital device or fingerprint (or indeed, every other piece of evidence) that it will find in the search, it has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them. For that reason, the warrant authorizes the seizure of ‘passwords, encryption keys, and other access devices that may be necessary to access the device,’” the document read. Legal experts were shocked at the government’s request. “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” said Marina Medvin of Medvin Law. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.” Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation (EFF), added: “It’s not enough for a government to just say we have a warrant to search this house and therefore this person should unlock their phone. The government needs to say specifically what information they expect to find on the phone, how that relates to criminal activity and I would argue they need to set up a way to access only the information that is relevant to the investigation. “The warrant has to be particular in how it describes the place to be searched and the thing to be seized and limited in scope. That’s why if a government suspects criminal activity to be happening on a property and there are 50 apartments in that property they have to specify which apartment and why and what they expect to find there.” Whilst the DoJ declined to comment, FORBES was able to contact a resident at the property in question, but they refused to provide details on the investigation. They did, however, indicate the warrant was served. “They should have never come to my house,” the person said. (In an attempt to protect the residents’ privacy, FORBES has chosen to censor the address from the memorandum posted below and concealed their name. But the document is public – search hard enough and you’ll find it). “I did not know about it till it was served… my family and I are trying to let this pass over because it was embarrassing to us and should’ve never happened.” They said neither they nor any relatives living at the address had ever been accused of being part of any crime, but declined to offer more information. “We’ve never seen anything like this,” Lynch added. Indeed, the memorandum has revealed the first known attempt by the government to acquire fingerprints of multiple individuals in a certain location to unlock smartphones. The document also showed the government isn’t afraid of getting inventive to bypass the security of modern smartphones. Faced with growing technical difficulties of unlocking phones, the government has sought to find new legal measures allowing them easy routes in, hence the All Writs Act order that demanded Apple open the iPhone 5C of San Bernardino shooter Syed Rizwan Farook. But with Apple refusing to comply with the order, and pushback from the likes of Google and Microsoft, cops are increasingly looking to fingerprints as one option for searching smartphones. FORBES revealed earlier this year one of the first-known warrants demanding a suspect depress their fingerprints to open an iPhone, filed by Los Angeles police in February. This publication also uncovered a case in May where feds investigating an alleged sex trafficking racket wanted access to a suspect’s iPhone 5S with his fingerprints. Both were ultimately unsuccessful in opening the devices. The Michigan State Police Department had more luck this summer by asking a university professor to create a fake fingerprint that could unlock a Samsung Galaxy S6. The team, led by Dr. Anil Jain, succeeded. He told FORBES in July the same techniques worked on an iPhone 6 and a Samsung S7. Is it legal? The memorandum – which specifically named Apple, Samsung, Motorola and HTC as manufacturers of fingerprint-based authentication – outlined the government’s argument that taking citizens’ fingerprint or thumbprint without permission violated neither the Fifth nor Fourth Amendment. In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.” It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.). As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint. The justifications didn’t wash with Medvin or Lynch. Of the Fourth Amendment argument, Medvin said the police don’t have the right to search a person or a place in hopes of justifying the search later as reasonable. “That’s not how the 4th Amendment works,” Medvin added. “You need to have a reasonable basis before you begin the search – that reasonable basis is what allows you to search in the first place.” “The reason I’m so concerned about this … is that it’s so broad in scope and the government is relying on these outdated cases to give it access to this amazing amount of information… The part the government is ignoring here is the vast amount of data that’s on the phone,” Lynch added. “If this kind of thing became law then there would be nothing to prevent… a search of every phone at a certain location.” Tips and comments are welcome at tfox-brews...@forbes.com or tbthomasbrews...@gmail.com for PGP mail. Get me on Twitter @iblametom and tfoxbrews...@jabber.hot-chilli.net for Jabber encrypted chat. -- It's better to burn out than fade away. _______________________________________________ Infowarrior mailing list Infowarrior@attrition.org https://attrition.org/mailman/listinfo/infowarrior
