The Fingerprint Lock on Your Phone Isn’t Cop-Proof

Law enforcement has an end run around smartphone encryption. For now.
Illustration: 731

The FBI’s feud with Apple over access to Syed Farook’s iPhone might never have happened if the San Bernardino, Calif., shooter had been carrying a 5S or newer. For the 250 million phones sold around the world with fingerprint authentication since 2013, law enforcement may be able to compel suspects to press their fingers to the devices and unlock them.

With minimal litigation on the books in the U.S., police and prosecutors require only a judge’s blessing on a warrant for a suspect’s fingerprints. So far they’ve used the power sparingly. But as the number of fingerprint scanners in hip pockets grows, district attorneys across the country say the technology is poised to become a major engine of evidence-gathering. “It is likely to be just a matter of time till this does become a primary gateway to accessing phones,” says Micheal O’Connor, an Alameda County assistant district attorney in Oakland, Calif.

If a person has enabled Apple’s Touch ID, her fingerprint will unlock the phone for 48 hours after locking before the device requires a PIN. Systems on newish Samsung and LG phones work similarly. Los Angeles and Oakland are among the cities that have already granted or received warrants for the use of a finger to unlock a phone. The next step may be a lawsuit that determines whether a fingerprint is off-limits.

Legal scholars say law enforcement is likely to win that fight. Two years ago, David Baust, a paramedic in Virginia Beach, Va., admitted that his locked iPhone 5S may have filmed him in bed strangling his girlfriend, according to a court filing. Baust’s lawyers argued that unlocking the phone would violate his Fifth Amendment right to avoid incriminating himself. A state judge ruled that demanding Baust type in his pass code would entail a “mental process” leading to self-incrimination, but that asking for his fingerprint was more like drawing a blood sample and therefore OK.

Although the Virginia decision isn’t binding on other judges, it’s only a matter of time before a higher court weighs in and sets a precedent, says Rahul Gupta, a senior deputy district attorney in Orange County, Calif. He, too, is betting on police and prosecutors. “It’s just the same old evidence, blood or a mouth swab, being used in a different way,” he says.

Fingerprint-scanning phones will become the majority within about two years, estimates researcher IDC. As the pile of warrant requests grows, the pressure will be on magistrate judges to draw a line between genuine seizures and fishing expeditions, says Leslie Harris, a lecturer at the University of California at Berkeley’s School of Information. “They could be the last line of defense,” says Harris, who’s also president of the Harris Strategy Group, a think tank that advocates for privacy rights. “And they often get calls in the dead of night that force them to make immediate decisions. It’s not an ideal situation.”

The fingerprint lock systems, as they stand, though, aren’t foolproof skeleton keys for law enforcement. When the phone is switched off and restarted, it requires a pass code. And it won’t take long for criminals to learn that the little scanner on the home button isn’t their friend.

The bottom line: Fingerprint locks, which will be the norm in two years, give law enforcement an end run around smartphone encryption.

    Before it's here, it's on the Bloomberg Terminal.