More than a decade ago, the keynote speaker at a major annual cybersecurity conference strode into the spotlight and predicted the death of the password. “They just don’t meet the challenge for anything you really want to secure,” he told the audience of computer experts in San Francisco. The speaker was Bill Gates, the preeminent cyber-prophet of the day, but his forecast has not yet come true.
We’ve certainly gotten closer to the password’s demise. Millions of people use their fingerprints to unlock their smartphones every day, and tech companies are experimenting with new security features that rely on biometrics like user’s speech habits or iris patterns. The next frontier—devices that can detect an authorized user based solely on the quirks of how they interact with it—is just around the bend.
But each new step away from the traditional password brings with it new legal complications: Will new unlocking methods enjoy the same Fifth Amendment protections that prevent the government from forcing a person to give up their passwords?
It all comes down to a distinction that the legal system uses to determine how far Fifth Amendment protections extend. The amendment covers what’s in your head (thoughts, memories) but not what you are (fingerprints, DNA). A memorized password is unambiguously protected. But devices secured by biometrics or behavioral traits exist in a grayer area.
When Apple introduced its first fingerprint reader-equipped iPhone in 2013, scholars speculated that the Fifth Amendment may not apply to fingerprints. Indeed, just a year later, a Virginia judge ruled that police could force a person to unlock his own iPhone with his fingerprint. And this February, a federal judge in Los Angeles signed a search warrant that compelled a 29-year-old woman to do the same.
But these decisions don’t necessarily mean the debate over the Fifth Amendment and fingerprint readers is all wrapped up, says Al Gidari, a technology lawyer and the director of privacy at Stanford University’s Center for Internet and Society.
Gidari disagrees with the judges who signed warrants for fingerprint unlocks. The Supreme Court has determined that the Fifth Amendment applies only to “testimonial communication that is incriminating.” Gidari says that even though a fingerprint on its own isn’t covered by the Fifth Amendment, the act of unlocking a device with a fingerprint falls into the special protected category.
“When you put your fingerprint on the phone, you’re actually communicating something,” Gidari said. “You’re saying, ‘Hi, it’s me. Please open up.’”
The same should hold true for any other biometric authentication, Gidari said, whether it’s a physical feature like an iris pattern, a unique characteristic like a speech pattern, or a behavioral trait like a typing or clicking pattern. Any action or characteristic that’s programmed to unlock a phone becomes a way of communicating and should be protected, he said.
But Orin Kerr, a former computer-crime lawyer for the Justice Department who’s now a law professor at George Washington University, says written passwords and physical authentication are fundamentally different. “Unlocking devices through biometric systems generally won’t raise Fifth Amendment issues,” Kerr wrote in an email.
As biometrically secured devices continue to spread, more and more judges will have to decide how the law should treat the new technology. It will likely take some time to reach a universal standard.
For now, however, biometric security tends to use traditional passwords as a backstop: A fingerprint-secured iPhone will ask for a passcode after being restarted, or after 48 hours of inactivity. That’s why the federal judge in Los Angeles had to act quickly when she was presented with a search warrant this February. (She signed it less than an hour after receiving it.)
Behavioral biometrics are even more complex. Google’s prototype constantly evaluates users’ actions and compares them against established patterns to assign an ever-changing trust score. If the device is being used in a familiar way, a high trust score will allow the device to remain unlocked. If, however, a user is clicking or tapping around in an unusual way, the trust score will fall and the device may ask for a password.
With that nuanced a system, it’s unclear how police could force a user to retrieve information from a phone, even with a legal court order in hand. If a person intentionally behaved erratically to guarantee legal protection by prompting the device to ask for a password, he or she could be punished by a court, Kerr says. It’s possible that a more advanced system, however, would be able to pick up even a slight tremor of fear and lock up.
But until devices learn their owners’ behavior that well—and until courts figure out how to treat biometric security systems—a strong, memorized password remains the only foolproof way to get away with invoking the Fifth and keep your phone locked.