When Apple introduced its first fingerprint reader-equipped iPhone in 2013, scholars speculated that the Fifth Amendment may not apply to fingerprints. Indeed, just a year later, a Virginia judge ruled that police could force a person to unlock his own iPhone with his fingerprint. And this February, a federal judge in Los Angeles signed a search warrant that compelled a 29-year-old woman to do the same.
But these decisions don’t necessarily mean the debate over the Fifth Amendment and fingerprint readers is all wrapped up, says Al Gidari, a technology lawyer and the director of privacy at Stanford University’s Center for Internet and Society.
Gidari disagrees with the judges who signed warrants for fingerprint unlocks. The Supreme Court has determined that the Fifth Amendment applies only to “testimonial communication that is incriminating.” Gidari says that even though a fingerprint on its own isn’t covered by the Fifth Amendment, the act of unlocking a device with a fingerprint falls into the special protected category.
“When you put your fingerprint on the phone, you’re actually communicating something,” Gidari said. “You’re saying, ‘Hi, it’s me. Please open up.’”
The same should hold true for any other biometric authentication, Gidari said, whether it’s a physical feature like an iris pattern, a unique characteristic like a speech pattern, or a behavioral trait like a typing or clicking pattern. Any action or characteristic that’s programmed to unlock a phone becomes a way of communicating and should be protected, he said.
But Orin Kerr, a former computer-crime lawyer for the Justice Department who’s now a law professor at George Washington University, says written passwords and physical authentication are fundamentally different. “Unlocking devices through biometric systems generally won’t raise Fifth Amendment issues,” Kerr wrote in an email.
As biometrically secured devices continue to spread, more and more judges will have to decide how the law should treat the new technology. It will likely take some time to reach a universal standard.
For now, however, biometric security tends to use traditional passwords as a backstop: A fingerprint-secured iPhone will ask for a passcode after being restarted, or after 48 hours of inactivity. That’s why the federal judge in Los Angeles had to act quickly when she was presented with a search warrant this February. (She signed it less than an hour after receiving it.)
Behavioral biometrics are even more complex. Google’s prototype constantly evaluates users’ actions and compares them against established patterns to assign an ever-changing trust score. If the device is being used in a familiar way, a high trust score will allow the device to remain unlocked. If, however, a user is clicking or tapping around in an unusual way, the trust score will fall and the device may ask for a password.