Hexbyte – Tech News – Ars Technica |
Apple’s Touch ID is already on its way out. Just five years ago, iPhones began getting the famed fingerprint scanner that makes unlocking your phone dozens of times a day even easier.
But all of the new iPhones released this year—iPhone XS, iPhone XS Max, and iPhone XR—only have Face ID. They do not have Touch ID.
Back in 2013, some smart privacy-minded lawyers (notably Marcia Hofmann) began pointing out that a seemingly small change in technology may have a notable impact on the legal landscape.
As Hofmann pointed out in a September 2013 op-ed for Wired, being compelled by American law enforcement to produce something that you are—a biometric—is not normally protected by the Fifth Amendment privilege against self-incrimination. By contrast, being forced to reveal something that you know (a traditional alphanumeric passcode, for example), is generally protected.
This notion was upheld earlier this year by the Minnesota Supreme Court. The court found that a criminal suspect could be compelled to provide his fingerprint to unlock his phone and could not invoke his Fifth Amendment privilege.
However, Touch ID requires a physical, affirmative act of pressing a finger onto the scanner. But Face ID can be used from a few feet away, practically with just a furtive glance.
After Ars spoke with a handful of attorneys, the legal landscape does not appear to have changed from Touch ID to Face ID. It seems very possible that law enforcement (notably, border agents) would be able unlock a phone with such facility under Face ID.
Worse still, because of the strange American legal “border doctrine,” in which normal Fourth Amendment protections do not apply, agents might be able to get into a newer iPhone with no problem.
“I agree that that hypothetical is at least plausible, if not more than that,” Andrew Crocker, an attorney with the Electronic Frontier Foundation, told Ars. “It’s concerning that it could be that easy to get into the contents of a device at the border.”
Hexbyte – Tech News – Ars Technica | No touching required
We concocted a scenario in which an American iPhone XS owner was crossing into the United States at an international airport from abroad. She gets taken aside for secondary screening. Her phone is confiscated. Under questioning across a table, an aggressive agent holds up the iPhone XS in front of her.
“Is this your phone?” the agent asks, facing the screen toward her. She looks directly at the screen, and, as Face ID is enabled, the phone unlocks—even though the traveler is sitting a few feet away and hasn’t touched her phone since it was seized. The agent then swipes up to reach the home screen and has access to most of the personal data on her phone. (In short, basically everything except Apply Pay or Keychain password data. That would require a second Face ID unlock or the passcode.)
Federal authorities rely on what’s known as the “border doctrine“—the legal idea that warrants are not required to conduct a search at the border. This legal theory has been generally recognized by courts, even in recent years. Such a scenario isn’t hard to imagine.
In May 2017, we reported the story of Aaron Gach, who told us that border agents threatened to “be dicks” if he didn’t hand over the password to his phone upon his arrival at San Francisco International Airport.
Months later, Gach and a handful of other people with similar stories sued the Department of Homeland Security and Customs and Border Protection, arguing that they were