I think I saw Matthew Green propose a solution for this: Apple could allow you to use a different finger to force the phone to prompt for a password. In theory you shouldn't get jailed for contempt over this since you'd be doing it much earlier than being in Court in front of a judge - like when you see the cops coming.
I only have about an 80% success rate with Touch ID anyway. It doesn't seem to like sweaty fingers. Every so often I get unlucky five times in a row and have to unlock it with my password. Who's to say it didn't happen by accident? Or is having sweaty fingers going to effectively be an imprisonable offense now, the way forgetting your password is in jurisdictions where you can be compelled to reveal your password?
It was bound to happen. You can view the fingerprint reader on the iPhone and other phones like the Samsung Galaxy S5 which feature fingerprint readers as having made it easier for law enforcement to get into your phone.
I would not be surprised if the fingerprint scans the police take from you down at the station or the ones you give up when entering a US airport when travelling from another country could be used to open up a fingerprint protected phone in the near future.
No matter what anyone says, the fingerprint reader is convenience, not extra security.
Police can get a warrant to force you to vomit up drugs you swallowed, so forcing you to put your finger on a thing being a legal thing shouldn't be a surprise.
I know this decision was "expected", however, I can't help but get the feeling that in an "ideal society", where governments wouldn't abuse their powers, and people's rights would be much more "reasonable" (in a good way), the government would not be able to force you to put your finger on something.
After all we have so many laws that offer similar type of protections already, such as a wife not having to testify against her husband. At some point the society decided that it's the "right thing" to do.
Perhaps the society can decide that having the government force you to unlock your devices with your finger is unacceptable.
> After all we have so many laws that offer similar type of protections already, such as a wife not having to testify against her husband. At some point the society decided that it's the "right thing" to do.
To put it in context: spousal privilege is rooted deeply in religious tradition going back hundreds if not thousands of years. It fell naturally out of a belief that people already had (the indivisible marital unit). That's what it takes to overcome the default presumption that "the public has the right to every man's evidence." Now, the fact that something has been the case for probably 800 years doesn't mean it can't be changed, but does suggest that if people really had a problem with it, they would have taken issue with it by now.
"Now, the fact that something has been the case for probably 800 years doesn't mean it can't be changed, but does suggest that if people really had a problem with it, they would have taken issue with it by now."
I think it certainly does suggest that, but it's worth noting that what we really have a problem with shifts over time. Whether that's going to be relevant here, I can't say...
Except it's not really a fingerprint reader - it scans under your epidermis. You can't get the fingerprint from the police files and create a fake finger to unlock the phone.
I think that is wrong. Having the finger print makes longer (or even just enable at all) pass codes practical. The passcode is also a part of the key used to encrypt the on device data and is not stored on the device so by having a longer key brute forcing is made less practical.
Note also that the passcode is needed occasionally and if the wrong print is used it can be triggered sooner. The attacker doesn't get many chances using the scanned fingerprint. I'm not saying it is impossible to break or that a long passcode on its own isn't more secure but for most people the TouchID is a better trade off.
Biomentric security is not a "security mechanism"?
This seems pedantic and absurd. A password or a username is no different than any other proxy variable to verify identity and authorizations.
The bigger question is about the implications of "authorized user access" schemata, more generally.
For example, what happens when technology allows intrusive searches of the human brain/memory?
Who is an authorized user and what is a viable way to protect against "unreasonable searches" of the human mind? Obviously the concept of a "password" is anachronistic.
"One of the contest's organizers, Washington D.C.-based security researcher Nick de Petrillo, scanned his penis with TouchID and then used it to unlock his phone. He announced his success on Twitter on Saturday (Sept. 21) and fellow security researcher Andrew Ruef replied "Now no one will ever, ever steal your phone. [Is this] the secret to the correct use of TouchID?" "
Future HN headline: "Judge Rules Suspect Can Be Required to Unlock Phone with Penis"
Police have been known to commit deliberate, lengthy, unabashed sexual assault and rape in the supposed pursuit of justice, so I'd probably just stick to using my fingerprint.
> Baust will head to the police station on Monday morning [to comply with the ruling], but [his lawyer] believes police still may be unable to unlock the phone because it should require a password [demanding which is unconstitutional], in addition to a fingerprint, once it has been shut off.
Am I naive for thinking these technicalities are really silly? Is not the goal here to establish whether accessing and searching one's phone is fair game at some point in an investigation / trial?
This is not "some point in an investigation / trial", this is a specific point. They have a warrant.
I'm not a big fan of "compelled evidence" (gathering DNA, blood or fingerprints from a suspect), but the courts have been saying it's ok, and that's the approach they're taking here.
They just can't (so far, in the US) compel you to actually produce testimonial evidence like passwords, passcodes, etc.
Biometric information is a means to verify identification. A username and a password is also a means to verify identification. A fingerprint is no more a username than a password is a username. In the case of a username/password it's the combination that's required to verify the identity.
Fingerprints identify individuals, but they should not be relied upon for authentication (which is what the article was getting at). Unlike a password or private key, you can't change your fingerprints when they get compromised.
> Biometric information is a means to verify identification. A username and a password is also a means to verify identification. A fingerprint is no more a username than a password is a username. In the case of a username/password it's the combination that's required to verify the identity.
Is it really? I think if I send you an email at colinbartlett@whateversitehostsyouremail.com I've verified your identity as much as I need with only your username.
A username and password is a case of identification (username) and authentication (password). Authentication is proof. When you have authenticated identification (like a username and password) it's proof that the person is why they say they are.
The reason people conflate identification with authentication is that we typically use the two together. But there are lots of cases where we only care about one or the other.
For example, many systems (such as routers) implement administrative tasks with an administrative password. You don't care who performed the task, you only care that they had permission to do it. That's authentication without identification.
Similarly, there are plenty of cases where you don't care about authentication, you only care about identification. For example, anyone can send you an email. On many systems you can send people messages anonymously: there's no authentication necessary, no proof of anything necessary to be allowed to send the message. The only thing necessary is the identity of the receiver. That's identification without authentication.
Fingerprints are identification. They are used as authentication because the difficulty of collecting the identification gives a small barrier to falsifying authentication, but they're pretty terrible for that purpose. You leave your fingerprints all over the place: it's like if you just went around writing your bank PIN everywhere. There are already proofs of concepts of people constructing fingerprints from polymers; this is a simple case of privilege escalation, where gaining one level of privilege allows you access to a higher level of privilege. Given that most people give everyone access to their fingerprints that's a pretty low point to allow escalation from.
Ok. Neither the argument nor your counterargument really make sense. Yeah you can argue a very long username, something like a UUID might as well be a username and password all in one in some circumstances.
But stepping back, this is kind of a dead end argument. It doesn't help with security. Biometric information and username/pass both have enough cons that you really want both.
Basically you need both:
* Something you know (your username/password)
* Something you have (some kind of a card, your finger, you retina, some physical token).
[Ok some researches say "biometrics" is something else not just "something you have" it is inherence -- something you "are". But well, I cut your finger and now it isn't something you "are" anymore. It is something _I_ have]
This is the classic multi-factor authentication, most commonly used version is 2FA (two-factor authentication).
I can use your finger like I can use your username. I can't use your password without you telling it to me. Your finger just identifies you. Your name also identifies you. Your password authenticates you to someone (as it is a shared secret, or rather shared evidence of a secret.) Just like knowing what what you did at Bob's party in 1983 can authenticate you to Fred (who watched) if you mention it in a letter.
No, a username is not meant to verify identification. Your username is your identification. It's public (or at least, not sensitive). Your passwords is the authentication to your identity.
Sure, a fingerprint might be one of several factors for authentication at secure sites, but that is rarely the only thing. It usually coincides with badge readers, photo-ID, etc.
"providing fingerprints and other biometric information is considered outside the protection"
Is it just me, or is there a contradiction here? I'm happy to provide you with a finger print (in ink), but that in itself is not enough to unlock the phone. You need my live hand attached to my live finger.
I think the problem here is that it is an oversimplification to call it a "finger print".
Not really. While there were comments about ‘sub dermal fields’ with the iPhone, it was very quickly shown that you do not need even a reasonable facsimile of flesh, let alone live flesh, to fool the sensor.
DNA tests are done by cotton swab of your 'live' cheek. Should they only be done on 'dead' dandruff? In any case, it should be pretty easy to recreate a sufficiently-convincing fake finger given an ink fingerprint.
But that all misses the point. The only reason passwords get special treatment is that an order to compel production of a password is an order to testify against oneself. For example, unless the defendant already admits to knowing the password, the fact that the defendent knew the password after production would be obviously prejudicial. It would be tantamount to requiring the defendent to testify, "yes, it was me".
In other words, compulsory production of information whose existence and location is not a foregone conclusion probably falls foul of the Fifth Amendment. Compulsory production of your finger does not require you to provide any information other than information that clearly exists about you.
Having your fingerprint as the key is no different than having a physical key. Which the police can steal and use. It's not in your head, so there is no 5th amendment protection for self-incrimination. I only see it being useful as an additional factor in multi-factor auth.
"Broccoletti believes police still may be unable to unlock the phone because it should require a password, in addition to a fingerprint, once it has been shut off."
Not surprising if you think about the law. The historical bent of the Anglo-American legal system is that courts have very expansive powers to facilitate the collection of evidence. The 5th amendment is a specific limitation to this power, which prohibits compelling a person to serve as witness against himself. Taken literally this is a very specific limit, but has been construed expansively. But a physical action like unlocking a phone with a fingerprint is not testimonial at all.
Set password as a confession of a crime -- "I am the Zodiac Killer". Wonder if 5th will still apply in that case.
Presumably they can force the person to type the password themselves and guarantee to not look or record they keystrokes. If they refuse, keep them in jail for contempt of court indefinitely.
Where did this silly meme come from? Sure, great, they can't use your "confession" to prosecute you for being the zodiac killer. They don't give a shit. They're going to prosecute you for the crimes for which evidence exists on your phone and leave the confession out of it.
I think you misunderstood - by the "expansive" interpretation, forcing you to divulge any password, be it a confession or not, would violate your 5th amendment right against self-incrimination.
- wrong finger is seen as a distress signal. Device will open up and hide/erase anything that isn't already "public" knowledge (e.g. call records can be verified with the cell company, but photos cannot)
It's actually possible to do this on a jailbroken device.
I had a discussion about this and the consensus was you're probably on better legal and usability ground to just use a shorter passcode timeout (like 30 minutes).
Or use a 1% chance that it will prompt for password after fingerprint... or 100% chance when you use the wrong finger. But how to tell? When the password prompt pops up, it might have been the 1% random chance.
If you set it to 30 minutes, you'll be typing in the PIN/password practically every time you grab it.
Which finger to use is essentially password (albeit less than 4 bits) which presumably you don't have to reveal. Ask the policeman which finger he wishes you to place on the scanner and don't register you thumbs.
Jailbreak your device and make an app that enables the passcode requirement whenever the GPS says the phone has been inside of a known police station/FBI office. It would be incredibly easy to create the database of locations and keep it updated.
Or even easier than maintaining such a database, just allow users to whitelist certain locations they frequent, with a training mode to easily set it up: start recording, go about a normal day, stop recording and save.
One thing that nobody has mentioned yet is that generally speaking, when you are booked, your possessions are confiscated (including your phone) and your fingerprints are taken. It is very trivial to transform even a latent fingerprint and fool even high-end devices (using play-dough, for example) into authenticating.
Therefore, cops would technically not even need you to be physically present to unlock your phone. Chances are, your thumbs or index fingers are the ones used to unlock your device, so if I were a cop, that's what I'd try first.
I'm not sure though how this would stand up on legal grounds. Anyone?
63 comments
[ 0.18 ms ] story [ 142 ms ] threadhttps://www.youtube.com/watch?v=C_EFSQPJh8w
Which is why 2 factor authentication is so important.
I would not be surprised if the fingerprint scans the police take from you down at the station or the ones you give up when entering a US airport when travelling from another country could be used to open up a fingerprint protected phone in the near future.
No matter what anyone says, the fingerprint reader is convenience, not extra security.
After all we have so many laws that offer similar type of protections already, such as a wife not having to testify against her husband. At some point the society decided that it's the "right thing" to do.
Perhaps the society can decide that having the government force you to unlock your devices with your finger is unacceptable.
To put it in context: spousal privilege is rooted deeply in religious tradition going back hundreds if not thousands of years. It fell naturally out of a belief that people already had (the indivisible marital unit). That's what it takes to overcome the default presumption that "the public has the right to every man's evidence." Now, the fact that something has been the case for probably 800 years doesn't mean it can't be changed, but does suggest that if people really had a problem with it, they would have taken issue with it by now.
I think it certainly does suggest that, but it's worth noting that what we really have a problem with shifts over time. Whether that's going to be relevant here, I can't say...
https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples...
Note also that the passcode is needed occasionally and if the wrong print is used it can be triggered sooner. The attacker doesn't get many chances using the scanned fingerprint. I'm not saying it is impossible to break or that a long passcode on its own isn't more secure but for most people the TouchID is a better trade off.
A fingerprint is a means to identify someone, not a security mechanism (like a password).
This seems pedantic and absurd. A password or a username is no different than any other proxy variable to verify identity and authorizations.
The bigger question is about the implications of "authorized user access" schemata, more generally.
For example, what happens when technology allows intrusive searches of the human brain/memory?
Who is an authorized user and what is a viable way to protect against "unreasonable searches" of the human mind? Obviously the concept of a "password" is anachronistic.
"Biometric security" is authentication - not authorization.
"One of the contest's organizers, Washington D.C.-based security researcher Nick de Petrillo, scanned his penis with TouchID and then used it to unlock his phone. He announced his success on Twitter on Saturday (Sept. 21) and fellow security researcher Andrew Ruef replied "Now no one will ever, ever steal your phone. [Is this] the secret to the correct use of TouchID?" "
Future HN headline: "Judge Rules Suspect Can Be Required to Unlock Phone with Penis"
Here's one example: http://www.cnn.com/2014/01/16/justice/new-mexico-search-sett...
Am I naive for thinking these technicalities are really silly? Is not the goal here to establish whether accessing and searching one's phone is fair game at some point in an investigation / trial?
I'm not a big fan of "compelled evidence" (gathering DNA, blood or fingerprints from a suspect), but the courts have been saying it's ok, and that's the approach they're taking here.
They just can't (so far, in the US) compel you to actually produce testimonial evidence like passwords, passcodes, etc.
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...
Biometric information is a means to verify identification. A username and a password is also a means to verify identification. A fingerprint is no more a username than a password is a username. In the case of a username/password it's the combination that's required to verify the identity.
Is it really? I think if I send you an email at colinbartlett@whateversitehostsyouremail.com I've verified your identity as much as I need with only your username.
A username and password is a case of identification (username) and authentication (password). Authentication is proof. When you have authenticated identification (like a username and password) it's proof that the person is why they say they are.
The reason people conflate identification with authentication is that we typically use the two together. But there are lots of cases where we only care about one or the other.
For example, many systems (such as routers) implement administrative tasks with an administrative password. You don't care who performed the task, you only care that they had permission to do it. That's authentication without identification.
Similarly, there are plenty of cases where you don't care about authentication, you only care about identification. For example, anyone can send you an email. On many systems you can send people messages anonymously: there's no authentication necessary, no proof of anything necessary to be allowed to send the message. The only thing necessary is the identity of the receiver. That's identification without authentication.
Fingerprints are identification. They are used as authentication because the difficulty of collecting the identification gives a small barrier to falsifying authentication, but they're pretty terrible for that purpose. You leave your fingerprints all over the place: it's like if you just went around writing your bank PIN everywhere. There are already proofs of concepts of people constructing fingerprints from polymers; this is a simple case of privilege escalation, where gaining one level of privilege allows you access to a higher level of privilege. Given that most people give everyone access to their fingerprints that's a pretty low point to allow escalation from.
Fair enough. I agree that it should be, and that perhaps saying "they're usernames" is not really the way to go.
But would you set your password to something you leave on almost every surface you ever touch?
Ok. Neither the argument nor your counterargument really make sense. Yeah you can argue a very long username, something like a UUID might as well be a username and password all in one in some circumstances.
But stepping back, this is kind of a dead end argument. It doesn't help with security. Biometric information and username/pass both have enough cons that you really want both.
Basically you need both:
[Ok some researches say "biometrics" is something else not just "something you have" it is inherence -- something you "are". But well, I cut your finger and now it isn't something you "are" anymore. It is something _I_ have]This is the classic multi-factor authentication, most commonly used version is 2FA (two-factor authentication).
Sure, a fingerprint might be one of several factors for authentication at secure sites, but that is rarely the only thing. It usually coincides with badge readers, photo-ID, etc.
Is it just me, or is there a contradiction here? I'm happy to provide you with a finger print (in ink), but that in itself is not enough to unlock the phone. You need my live hand attached to my live finger.
I think the problem here is that it is an oversimplification to call it a "finger print".
But that all misses the point. The only reason passwords get special treatment is that an order to compel production of a password is an order to testify against oneself. For example, unless the defendant already admits to knowing the password, the fact that the defendent knew the password after production would be obviously prejudicial. It would be tantamount to requiring the defendent to testify, "yes, it was me".
In other words, compulsory production of information whose existence and location is not a foregone conclusion probably falls foul of the Fifth Amendment. Compulsory production of your finger does not require you to provide any information other than information that clearly exists about you.
(IANAL)
What a great ending to the story.
Presumably they can force the person to type the password themselves and guarantee to not look or record they keystrokes. If they refuse, keep them in jail for contempt of court indefinitely.
Where did this silly meme come from? Sure, great, they can't use your "confession" to prosecute you for being the zodiac killer. They don't give a shit. They're going to prosecute you for the crimes for which evidence exists on your phone and leave the confession out of it.
Playing the same legal "semantics" that DOJ is playing with respect to torture, privacy and other legal issues.
- If Touch ID hasn't been used in 48 hours, you'll need to enter your passcode or password to re-enable it.
- If your iPhone has been rebooted or reset, you'll need to enter your passcode or password to re-enable it.
- If a fingerprint isn't recognized 5 times in a row, you'll need to enter your passcode or password to re-enable it.
- If a remote lock has been sent via Find my iPhone, you'll need to enter your passcode or password to re-enable it.
Remote lock - or delay for 48 hours - or - give the wrong finger 5 times in a row - or get the phone reset/Rebooted
(careful of contempt of court - there few things more unstoppable than a pissed-off Judge with contempt powers)
I had a discussion about this and the consensus was you're probably on better legal and usability ground to just use a shorter passcode timeout (like 30 minutes).
If you set it to 30 minutes, you'll be typing in the PIN/password practically every time you grab it.
Therefore, cops would technically not even need you to be physically present to unlock your phone. Chances are, your thumbs or index fingers are the ones used to unlock your device, so if I were a cop, that's what I'd try first.
I'm not sure though how this would stand up on legal grounds. Anyone?