You are viewing a single thread.
View all comments
32 points

In Riley v. California, the Supreme Court unanimously held that police need a warrant to search through cell phones, even during otherwise lawful arrests. But if you hand over your unlocked phone to a police officer and offer to show them something, “it becomes this complicated factual question about what consent you’ve granted for a search and what the limits of that are,” Brett Max Kaufman, a senior staff attorney in the ACLU’s Center for Democracy, told The Verge. “There have been cases where people give consent to do one thing, the cops then take the whole phone, copy the whole phone, find other evidence on the phone, and the legal question that comes up in court is: did that violate the scope of consent?”

If police do have a warrant to search your phone, numerous courts have said they can require you to provide biometric login access via your face or finger. (It’s still an unsettled legal question since other courts have ruled they can’t.) The Fifth Amendment typically protects giving up passcodes as a form of self-incrimination, but logging in with biometrics often isn’t considered protected “testimonial” evidence. In the words of one federal appeals court decision, it requires “no cognitive exertion, placing it firmly in the same category as a blood draw or fingerprint taken at booking.”

it’s unbelievable that there is a distinction in US caselaw between giving up your biometrics and giving up your password, and your essentially unchangeable biometrics are somehow the one you’re probably obliged to give to the cops if they ask. just an incredibly goofy system

permalink
report
reply
10 points

The MyColorado FAQ explicitly states that an officer cannot take your phone, even if they think your digital ID is fraudulent. This whole article is a ton of fear mongering. Digital IDs do not require you to give your phone to anyone, they do not require you to unlock (unless it’s a state specific app), and even if its a state specific app the cops aren’t allowed to take it anyway.

permalink
report
parent
reply
26 points

The MyColorado FAQ explicitly states that an officer cannot take your phone, even if they think your digital ID is fraudulent. This whole article is a ton of fear mongering.

no offense but: even if you were to grant the notion that this is an exaggerated problem–cops are not well known for their rigorous adherence to the law or proper legal procedure. they routinely fuck up and violate civil liberties, up to and including murdering people for arbitrary reasons. and unless police are held accountable (which they almost never are for a variety of systemic reasons), what a state says they cannot do is effectively meaningless. it’s just words on a screen, really.

permalink
report
parent
reply
2 points

I would agree with you if we’re talking about something like the ability to search a car, where the cop is not allowed to without the owner’s permission (assuming no probable cause or warrant). In that case the cop usually figures out a loophole to manufacture probable cause or manipulate the owner into agreeing to a search. And then there’s nothing a lawyer or judge can do later, because it’s the cop’s word vs yours.

But if we’re talking about a law that actually says the cop cannot take your phone no matter what, and they do, then any public defender would be able to point it out and the judge would certainly have to enforce it. I can’t think of a way the cop would abuse their power because, in this case they don’t have it.

I could be convinced based on the actual wording of the law, though.

permalink
report
parent
reply
1 point

It doesn’t really matter if they do take your phone in the end anyway. If it’s that clear cut illegal then anything they manufacture as evidence wouldn’t be admissible in court…no matter what.

permalink
report
parent
reply
5 points

I have a question: Is a FAQ case law?

permalink
report
parent
reply
6 points
*

Never use biometrics. It’s just not worth the tradeoffs.

permalink
report
parent
reply
1 point

Something you have, something you are, something you know. Are you willing to give up proper security for your cause?

permalink
report
parent
reply
3 points
*

When it’s being employed properly, it’s absolutely an important tool, but the way they’re presented to most users, such as on-device biometric data stores (e.g. Apple’s secure enclave, or a TPM verification), aren’t the proper implementations. Nor is using biometrics as your primary auth method.

It’s supposed to be “something you have and something you know and something you are”, not “have or know or are”.

NIST standards for biometrics require the biometric data be stored on a secure remote server, and that the scanner device check against that during auth. Putting the biometric data on the device means that you’re losing a big part of your non-repudiation.

And it’s even worse when you’re using a secondary factor (biometric) as your primary or only factor (e.g. a phone unlock), that grants access to your other factors like password store and OTP tokens.

Biometrics are never supposed to be a single-factor auth method when used properly, but that’s how most people use them now, and it degrades their security.

If your phone requires a passcode, a TOTP grant, and a biometric scan, by all means, please do employ biometrics, but if it’s going to be your only factor, DO NOT.

Or, for simplicity to the average forum reader:

Never use biometrics. It’s just not worth the tradeoffs.

permalink
report
parent
reply
29 points

Law enforcement has been collecting fingerprints for over 100 years now, and the history of using fingerprints for other reasons goes even further back.

The error here is that we decided to start using an easily obtainable piece of data as a “lock” on our phones and computers. For many reasons, it’s better to use a password or PIN.

permalink
report
parent
reply
1 point

i don’t believe stored fingerprints can actually be used on modern devices

permalink
report
parent
reply
4 points

It’s much more worrying how often face unlock works with a simple photo.

permalink
report
parent
reply
3 points

If you have an iPhone, you tap the power button 5 times to make an emergency call, after that cancel it and the PIN is required to open the phone.

permalink
report
parent
reply
4 points

Or hold the power button and any volume button for 3 seconds. Same result.

permalink
report
parent
reply

Technology

!technology@beehaw.org

Create post

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

Community stats

  • 2.8K

    Monthly active users

  • 1.7K

    Posts

  • 9.7K

    Comments