One of the most engaging contemporary debates is about the efficacy and utility of encryption as a means of protecting privacy. I’ve written, in the past, about how encryption works and about the growing body of Fifth Amendment law protecting users against compelled disclosure of their passphrases. The developing doctrine and technology is sufficiently alarming to law enforcement that the FBI Director, himself, is leading the effort to forestall encryption by default. And now comes another twist – a case from a lower Virginia state court (I can’t seem to find a copy of the opinion, so my analysis is based on this news report from Hampton Roads). The court held (consistent with the growing case law) that a defendant could not be compelled to unlock his cell phone by means of his passphrase. So far, so good.
But the defendant had made a mistake – he had also enabled the fingerprint unlock feature on his phone, so that it could be unlocked with the swipe of his finger. And the court went on to hold that the finger swipe was =not= protected and could be compelled. That holding, too, is almost certainly correct. Since at least the mid-1960s courts have drawn a distinction between the compulsion of physical evidence and the compulsion of testimony or oral statements, deeming only the latter to be protected by the Fifth Amendment privilege against compelled self-incrimination. The seminal cases is Schmerber v. California in which a divided court held that compelled production of a blood sample pursuant to a subpoena was not a violation of the privilege against self-incrimination – that the privilege only protected testimony, not physical evidence.
Today, that distinction lies at the core of almost all major law enforcement techniques. DNA; blood type; fingerprints; hair samples – you name it. The entire cornucopia of CSI techniques all rely, at bottom, on the unprivileged nature of physical evidence taken from a suspect – so much so that we can’t imagine it otherwise. Of course the law could have gone in a completely different direction – but the distinction is now deeply embedded in our practice. And, hence, the finger swipe is no different than requiring a suspect to stand in a line up or a murder suspect to give a blood sample.
What makes the recent case from Virginia especially compelling and/or interesting is that it is one of the starkest examples I know of where the law is at odds with good cyber practice. In the security domain, information security professionals are increasingly becoming skeptical of passwords as inadequate. So much so that the White House cyber czar recently spoke about the need to “kill” passwords. Most tend to think that some form of biometric identification is much more secure – avoiding problems of key management and spoofing that are common to passwords.
That is precisely why Apple has added a fingerprint unlock feature to the iPhone. And yet, legally, the inadequate password appears to be better at protecting privacy than the more robust biometrics. That’s exactly backwards – but it is likely the right doctrinal answer. As for me – I just disabled the fingerprint unlock feature on my laptop.