Privacy

TouchID and the Exigent iPhone

By Nicholas Weaver
Monday, July 25, 2016, 3:12 PM

As a matter of established legal precedent, the police can compel someone to provide their fingerprint onto a fingerprint reader. Equally well-established is that exigent circumstances—including "the need to prevent the imminent destruction of evidence in individual cases"—can justify conducting a search before obtaining a warrant.

Riley v. California, held that absent exigent circumstances any search of a suspect's phone requires a warrant. But the court explicitly conceded that “case-specific exceptions may still justify a warrantless search of a particular phone.” And when it comes arresting someone with an iPhone or any phone with a fingerprint lock, the exigency automatically exists because fingerprint readers only work for a short period of time.

Apple views the fingerprint reader as an important convenience feature, one which allows someone to use a long password without having to type it in every time. But in order to avoid substantially weakening the phone's security, the fingerprint reader is a secondary authentication mechanism: it won't work until the password is entered on a newly powered phone and it automatically stops working after two days of non-use or a shorter period if the users selects one. This means that, from the moment of arrest, the fingerprint begins to "self-destruct"—within 48 hours any evidence residing on the phone becomes inaccessible without the phone's password.

The problem isn’t theoretical. This past May, police officers in Texas arrested Martavious Keys, a fugitive with an outstanding warrant for both gun and child trafficking charges. Less than a week later an ATF agent obtained a search warrant and a court order requiring the defendant to apply his finger to unlock the phone. By then, of course, it was too late: the fingerprint reader already timed out. Unless the defendant agrees or can be compelled to unlock the phone by password, that evidence is lost forever.

To extent to which a defendant can be forced to produce a password consistent with the Fifth Amendment is unclear. But as a practical matter, even if the law can force the production of a password, defendants have every incentive to forget (see, for example, the defendant in that other Apple v. FBI standoff in Brooking: the defendant “forgot” his pin code but then miraculously remembered after pleading guilty.) However the law resolves, when law enforcement confronts a fingerprint reader exigency exists—for all intents and purposes that evidence is going to be "destroyed." Once a phone is unlocked and attached to the forensic reader, of course, the exigency resolves. Presumably, law enforcement would need a warrant prior to actually examining the contents.

As stronger and more convenient technological protections become available, they might interact with the law in interesting ways. Riley requires a warrant before cops get to search your phone, but—under an entirely defensible read of the law, to my non-lawyer’s mind at least—using TouchID might as well stamp “Warrant Exception” right on the back.

Topics: