US judge halts mass fingerprint harvesting by cops to unlock iPhones

An Illinois judge has rejected a warrant sought by the US government to force everyone in a given location to apply his or her fingerprints to any Apple electronic device investigators happen to find there, a ruling contrary to a similar warrant request granted last year by a judge in California. Under current law, the …

  1. James 51

    So, how long before this judge is branded an enemy of the people for a bad decision and lots of TLAs come with loosely worded warrants (assuming he's not 100 miles from an airport) instead of asking for one?

    1. Old Used Programmer

      Not a well protected judge

      A magistrate judge is NOT an "Article III" judge, nominated by the president and confirmed by the Senate. To remove an Article III judge requires impeachment and conviction (and that has only happened 8 times in US history). A magistrate judge...not so much.

    2. Anonymous Coward
      Anonymous Coward

      So, how long before this judge is branded an enemy of the people for a bad decision and lots of TLAs come with loosely worded warrants (assuming he's not 100 miles from an airport) instead of asking for one?

      Give it an hour or so. Trump is recharging his phone.

  2. vir

    Isn't there a reasonably high (in this case, nontrivial) rate of fingerprint "collision", for lack of a better term? I can see someone getting stuffed away for a while because their fingerprint just happened to be close enough to someone else's to unlock a trove of illicit smut.

    "Open and shut case. Of course he said it wasn't his. All those accounts and profiles under someone else's name? Aliases. Clever aliases."

    1. Voland's right hand Silver badge
      Headmaster

      At reader level yes

      This is the difference between a fingerprint digitization used by a lame fingerprint scanner and fingerprint as such.

      The collision rate of fingerprints, if memory serves me right, 1:10^9. So it is for all practical purposes unique. The collision rate after it has been digitized by a scanner in the class used by Apple and on PCs is probably many orders of magnitude higher. How much - no idea.

      1. Doctor_Wibble
        Boffin

        Re: At reader level yes

        > The collision rate of fingerprints, if memory serves me right, 1:10^9.

        Is that not the claimed rate for DNA? I'm reasonably sure we don't have enough fingerprints in various databases to approximate this, and has anyone actually tried a serious collision test? Add 'reasonable doubt' to the infallible fingerprints and you have a whole stack of cases to appeal.

        > So it is for all practical purposes unique.

        For a gadget, maybe, but this is court territory. Reasonable doubt, especially when viewed in the light of the Birthday Paradox, which will get you 99.9% chance of a collision in a random sample of just 117540 with 'one in a billion', yet only a 95% chance of a correct match, given an initial sample and a database of 50 million different records.

        Probably ought to re-post the calcs somewhere, the hosting I used has disappeared in the 10 years since then...
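The figures quoted in the comment above can be checked with the standard birthday bound. This is an added example, not the commenter's lost calculation; it assumes "one in a billion" is the chance that two random prints match, and reads the 95% as the chance that none of 50 million other records falsely matches the sample.

```python
import math

PAIR_RATE = 1e-9  # the thread's "one in a billion", taken as a per-pair match probability


def p_any_collision(sample_size: int, pair_rate: float = PAIR_RATE) -> float:
    """Chance that at least one pair in a random sample of prints collides."""
    pairs = sample_size * (sample_size - 1) // 2
    # 1 - (1 - rate)^pairs, computed without losing precision for tiny rates
    return -math.expm1(pairs * math.log1p(-pair_rate))


def smallest_sample_for(p_target: float, pair_rate: float = PAIR_RATE) -> int:
    """Smallest sample whose any-pair collision chance reaches p_target."""
    pairs_needed = math.log1p(-p_target) / math.log1p(-pair_rate)
    # Solve n(n-1)/2 >= pairs_needed, then correct for rounding.
    n = max(2, math.ceil((1 + math.sqrt(1 + 8 * pairs_needed)) / 2))
    while n > 2 and p_any_collision(n - 1, pair_rate) >= p_target:
        n -= 1
    while p_any_collision(n, pair_rate) < p_target:
        n += 1
    return n


def p_no_false_match(database_size: int, pair_rate: float = PAIR_RATE) -> float:
    """Chance that one sample falsely matches none of database_size other records."""
    return math.exp(database_size * math.log1p(-pair_rate))


if __name__ == "__main__":
    n = smallest_sample_for(0.999)
    print(f"sample size for 99.9% chance of some collision: {n}")
    print(f"collision chance at that size: {p_any_collision(n):.6f}")
    print(f"no false match against 50 million records: {p_no_false_match(50_000_000):.4f}")
```
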

      2. Anonymous Coward
        Anonymous Coward

        Re: At reader level yes

        The collision rate of fingerprints, if memory serves me right, 1:10^9. So it is for all practical purposes unique. The collision rate after it has been digitized by a scanner in the class used by Apple and on PCs is probably many orders of magnitude higher. How much - no idea.

        You may add to that that the resolution of the scanners used in law enforcement for validation isn't that hot either - unlike TV series, especially incomplete prints often give multiple hits, which is why the best evidence is always a couple of fingers, not just one.

        In any case, I stopped using fingerprints for access to devices with critical data (most of that is now dual password, one of which is usually OTP based). For a start, any serious FP reader should be a wipe-motion one so you don't leave a usable print right there where it can do the most harm, but you're also leaving prints behind on shiny surfaces. Judged by what you leave when touching things, your safest fingers to use are your pinkies :). There are very good FP reader units around, but they cost substantially more which makes them less likely to be used in mass-produced goods.

        Sorry if it's TMI - I spent far too much time researching biometrics at one point in my life. It's fascinating stuff - if you want something to worry about, worry about facial recognition..

      3. Adam 1

        Re: At reader level yes

        Wrt the collision rate of fingerprints, that is a side issue. It actually becomes worse in some cases. Some occupations are notorious for using chemical compounds that effectively eat away the prints, so for those people the templates have a lot fewer points of interest and so collisions become possible. Most APIs won't let such people record a template. But the templates are basically a set of angles and distance measurements. No two scans of the same finger would ever result in the same measurements any more than taking two photos from a tripod could create a bytewise identical bitmap. The question is never "are they a match" (hint: infinite FRR). It is always "are they acceptably close". That's where the complex math starts because you are expecting features in a similar location to distort in a similar way, and some features are missing altogether because of sloppy scans.

    2. Adam 1

      Most biometric APIs I have played with allow you to trade off your false accept rate (FAR) vs false reject rate (FRR). FAR and FRR are opposite sides of the same coin. You can't improve one without making the other worse. There are usually two broad use cases.

      1. The person claims an identity and this is a second factor where they prove it. (Well, technically they only prove they have your finger/iris/hand, but you need to understand your threat model.)

      2. Out of a large number of candidates, decide which identity has presented their digit.

      With 1, you can tolerate a much higher FAR (it's the FRR that makes usability suck). With 2, you need a very small FAR, but that does require a nicer template and a nicer scan than 1.

      If you take a mobile phone use case, it's actually much closer to 1. You want it to unlock even with the vaguest of touches in any orientation and with any light level. You could tolerate a 1:10000 FAR quite easily. For blame purposes, you want FAR to be 1:10s of millions+.
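The FAR/FRR trade-off described in the comment above, as an added example that is not part of the original post. It assumes a matcher that outputs a similarity score and accepts at or above a threshold, with impostor and genuine scores following the constructed normal distributions below; the two FAR targets are the comment's 1:10000 and, for "1:10s of millions", 1 in 10 million.

```python
from statistics import NormalDist

# Constructed score models (assumptions for illustration, not measured sensor data).
IMPOSTOR = NormalDist(mu=0.0, sigma=1.0)   # scores when the finger is someone else's
GENUINE = NormalDist(mu=6.0, sigma=1.5)    # scores when the finger is the enrolled one


def far_at(threshold: float, impostor: NormalDist = IMPOSTOR) -> float:
    """False accept rate: share of impostor scores at or above the threshold."""
    # Upper tail via symmetry, which stays accurate for very small rates.
    return impostor.cdf(2 * impostor.mean - threshold)


def frr_at(threshold: float, genuine: NormalDist = GENUINE) -> float:
    """False reject rate: share of genuine scores below the threshold."""
    return genuine.cdf(threshold)


def threshold_for_far(target_far: float, impostor: NormalDist = IMPOSTOR) -> float:
    """Lowest threshold that keeps the false accept rate at target_far."""
    return 2 * impostor.mean - impostor.inv_cdf(target_far)


def operating_point(target_far: float) -> dict:
    """Threshold and resulting error rates for a chosen FAR target."""
    t = threshold_for_far(target_far)
    return {"threshold": t, "far": far_at(t), "frr": frr_at(t)}


if __name__ == "__main__":
    for label, far in (("unlock (1:10000)", 1e-4), ("attribution (1:10 million)", 1e-7)):
        p = operating_point(far)
        print(f"{label:28s} threshold={p['threshold']:.2f} "
              f"FAR={p['far']:.1e} FRR={p['frr']:.1%}")
```

With the same sensor model, tightening FAR from 1:10000 to 1 in 10 million raises the threshold and rejects the enrolled finger far more often, which is the usability cost the comment refers to.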

  3. a_yank_lurker Silver badge

    A road bump

    The ferals and the local Stasi will just judge shop to find one that does not care about the Constitution.

  4. tfewster Silver badge
    FAIL

    Weasel words

    > the distinction being that a fingerprint is not testimonial whereas a passcode is.

    The law is an ass. If a fingerprint is being used _as_ a passcode, then it's a passcode. And as it's tied to an individual, it could be (false) self-incrimination. Unlike a key on my keyring that unlocks a safe - there could be many copies of that key, and it might have been borrowed without my knowledge.

    1. P. Lee Silver badge

      Re: Weasel words

      I think the problem is the scope of the request.

      This would appear to be a one-time prosecution device. No-one involved in this type of crime is going to use their fingerprint for unlocking in the future.

      However, rejecting the request does stop the government from abusing the system when they want to trawl for fingerprints.

    2. Indolent Wretch

      Re: Weasel words

      Surely simple logic would dictate that if the police are in the circumstance where they would be justified in taking the person's fingerprints they are also justified in trying to unlock a smart phone with them.

      If they aren't in those circumstances then no-go.

      And given collision rates it would seem some case law is in order to decide whether or not your finger unlocking a phone proves it was your finger used to lock it. More so if they are checking a great many people against a phone. I wonder in any large block or campus how many people are capable of unlocking how many phones that aren't theirs with their fingers.

    3. Old Handle

      Re: Weasel words

      I can think of some legitimate reasons for the distinction, for instance with a password, it's possible you forgot it or they've got the wrong guy and you never even knew it. But you can't forget your fingerprints and if it turns out yours isn't the right finger, that would mean you're off the hook, rather than up the creek.

      That said, I totally agree with the judge that this kind of fingerprint dragnet is over the line.

  5. Keef

    C'mon guys...

    Get with the program.

    The USA is the land of the free, it's in the national anthem which as I recall usurps any constitution or amendments thereof.

    1. Hans 1 Silver badge
      Holmes

      Re: C'mon guys...

      >The USA is the land of the free

      Yes, it is called "land of the free" because freedom is buried there under the famous big statue in New York ...

      1. Version 1.0 Silver badge

        Re: C'mon guys...

        Actually, these days it's "The Land of the Fee"

    2. The Boojum

      Re: C'mon guys...

      Yes, but you didn't read the associated Terms and Conditions!

    3. Andrew Moore

      Re: C'mon guys...

      Q: How do Americans know that they are free?

      A: Because they keep being told they are,...

  6. HappyBlue
    WTF?

    Give them the middle finger

    If you are forced to try a finger to open a phone, do they specify which finger?

    If you have set up fingerprint recognition on your phone using your index finger, are you within your rights to present your middle finger?

    On the other hand (excuse the pun), if you set up your phone to unlock with your ring finger and you allow the feds to borrow your middle finger to attempt to unlock, is that considered following the requests? Will they force you to try all fingers and toes, just in case??

    1. andrewj

      Re: Give them the middle finger

      "If you have set up fingerprint recognition on your phone using your index finger, are you within your rights to present your middle finger?"

      Perhaps your index + middle finger, suitably orientated.

      1. Anonymous Coward
        Anonymous Coward

        Re: Give them the middle finger

        This would be a good reason to use some odd finger, like your left ring finger, to unlock your phone. They might want you to present your thumbs and index fingers, but it would be unlikely they'd make everyone try all ten fingers.

        Though if you are thinking about it down to this level it would seem to be much easier to just use a password. The problem is that unless you want to type in your password every time you pick up your phone (i.e. no grace period if you just put it down 30 seconds ago) you're going to be typing it all the damn time.

        I keep saying Apple should provide something that works like the old unlock did - have a user settable timeout after which a password is required. But instead of leaving it unlocked if it has been locked for less than the timeout, simply require Touch ID due to the timeout. That timeout currently defaults to 48 hours, with no way to change it.

        IMHO if you are a criminal and the police are about to arrest you, hold down the home and sleep/wake button simultaneously for a few seconds and it'll force reset the phone. When it comes back up it will require a passcode. The trick will be not having the cops think you are going for a gun and shooting you, of course...

        1. Kiwi Silver badge
          Boffin

          Re: Give them the middle finger

          This would be a good reason to use some odd finger, like your left ring finger, to unlock your phone. They might want you to present your thumbs and index fingers, but it would be unlikely they'd make everyone try all ten fingers.

          Other ways that might work (not seen the reader or even the phone so I don't know how they're built) - use your finger upside down (so if it's one of those little reader bars and normal use would have you swipe from top to bottom, swipe from bottom to top instead), and if you can try using say the side of your hand rather than a finger or to.

          Or get really creative and use other body parts.. "Er, sorry officer, I need to enter a bathroom stall to unlock my phone, it'd be indecent of me to unlock it out here"... (Or you could try licking it.. How unique is someone's tongue print?)

  7. Anonymous Coward
    Anonymous Coward

    I thought this was a pretty obvious reason that fingerprints are less "secure" than passcodes. It's a lot easier to force your finger to unlock a device.

    1. Adam 52 Silver badge

      I suspect anyone capable of using enough force to apply my finger is capable of enough force to make me reveal my pass code. I doubt most of us nerds are any good at resisting torture (GM excluded, of course).

      1. Aladdin Sane Silver badge

        I doubt most of us nerds are any good at resisting torture.

        I'm a 6', 16st rugby player. They're welcome to try.

        1. Agamemnon

          Re: I doubt most of us nerds are any good at resisting torture.

          Upvote because: I'm 6'4", extreme sportsman (read: I do stupidly dangerous shit), stunningly high pain threshold, and a general dislike for people making me do things against my will/the letter OR spirit of The Law.

          Moving along, anyone that actually uses an FP reader is, in the view of my Work Functions, an idiot. I've got a 12 Char passcode on my phone. It is somewhat inconvenient unlocking it every time I'd like to use it...my inconvenience is SECONDARY to protecting the data on my device(s) BECAUSE, much of that data isn't mine, it's my customers'. If I'm not groovy with folk trucking through MY bits, I'm MUCH more aggressive about data that isn't mine, but in my care. I can hammer out those 12 characters in less than two seconds, dead exhausted leaving the CoLo, and then after a few pints (Lagged and Laggered) because: PRACTICE.

    2. Rich 11 Silver badge

      About a dozen years ago my then-boss was excited to get a brand new laptop, complete with fingerprint sensor. "Look at this, Rich11," he enthused. "This is much better than your AD password policy, a lot more secure!" "Really?" I said, pulling out my pocket knife and opening up the blade.

      I always did enjoy watching comprehension dawn on his face. The opportunities were frequent.

    3. creepy gecko

      Obligatory xkcd...

      https://www.xkcd.com/538/

  8. Anonymous Coward
    Anonymous Coward

    Available now: Fake-i-Finger [C]

    Don't use your own fingers.

    Cheap and disposable, Fake-i-Finger [C] opens your device using a randomised 'finger print' on a handy prosthetic digit.

    Caught by the G-Men?

    Throw away (or destroy) your Fake-i-Finger [C] and let them use your analog meat-indexes.

    Fool them every time.

    Replacement fingers just $2.95

    1. Richard 12 Silver badge

      Re: Available now: Fake-i-Finger [C]

      Fake-i-Finger 2

      Not enough time to destroy your fake-i-finger? Introducing the Fake-i-Finger 2!

      Made of tasty jelly, the finger can be quickly eaten, destroying it in seconds.

      Available in strawberry and lime flavours.

      Only $3.99. As seen on El Reg.

    2. kmac499

      Re: Available now: Fake-i-Finger [C]

      Tut-Tut

      Be very careful with your Fake-i-Finger [C], as this is not a genuine Apple i-Finger, usage may invalidate your warranty. This will result in Apple forcibly giving you the genuine i-Finger for the remarkably good value price of $295.00

      (Bonus Feature: The genuine i-Finger comes packed in a Latex sleeve with a slippy protective coating can't think why??)

      1. Dan 55 Silver badge
        Devil

        Re: Available now: Fake-i-Finger [C]

        Apple gives the genuine iFinger to each customer who buys an iPhone with that price tag.

        1. Anonymous Coward
          Anonymous Coward

          Re: Available now: Fake-i-Finger [C]

          So is Samsung giving the sFinger to people who pay the same price for a Note?

      2. harmjschoonhoven
        Happy

        Re: Available now: Fake-i-Finger [C]

        A genuine Apple i-Finger with rounded corners™.

    3. James 51

      Re: Available now: Fake-i-Finger [C]

      Make it out of jelly babies and eat it.

    4. Kiwi Silver badge
      Trollface

      Re: Available now: Fake-i-Finger [C]

      Replacement fingers just $2.95

      Isn't the decimal a few places to the left of where it should be? You're talking an Apple device, right?

  9. scrubber

    American Revolution

    What is it with the US government and general warrants? Do they not teach history over there any more?

    1. W4YBO

      Re: American Revolution

      Why, that's part of the purpose behind our public education system. To not teach the history that would make life inconvenient for all levels of government.

      An aside: My Nexus 6P running Android 7.1.1 only gives five tries to the fingerprint reader before requiring the password. Blow the password ten times, and it does a factory reset. Also requires password on restart.

  10. Anonymous Coward
    Anonymous Coward

    Land of the FREE!

    America is due a revolution. Land of the free is it not.

    1. Anonymous Coward
      Anonymous Coward

      Re: Land of the FREE!

      They're hunting down all the free and putting them behind bars. That'll teach those hippies! It's still the land of the free, as long as there is still one roaming in the wild!

  11. tiggity Silver badge

    Pointless, bring on the bears

    I'm guessing any suspect phone may have a few of the user's fingerprints on it..

    Quite easy to lift (I'm assuming police resources stretch beyond gummy bears) and try them on the sensor.

    So a bit of effort should get police into fingerprint protected phone without needing to compel suspects to use their fingers.

  12. Anonymous Coward
    Anonymous Coward

    Thus?

    From the article:

    "the government is seeking the authority to seize any individual at the subject premises and force the application of their [sic] fingerprints as directed by government agents."

    I do not understand why there is a sic in there. The use of "their" in conjunction with "anybody" ("any individual" in this case) is abundantly established and semantically correct even if there would appear to be a grammatical dissonance.

  13. fraunthall

    US Magistrate Reins in Cops trying to force mass fingerprint seizure re iPhone

    First of all, it is extremely likely that a Magistrate's decision carries little precedential weight or force affecting other courts across the country, so it probably won't have any major effect or scope, so its real value is primarily persuasive.

    The more interesting question is why UK geeks have gotten their knickers in a knot over this. The state of effective civil rights protection in the UK is much, much worse than it is in the U.S. and other places that have a history of judicial independence AND court decisions protecting civil rights encroachments by cops and other arms of the State. The UK essentially has no constitutional protections against abuses of power and its people are at the mercy of courts that have no true boundaries set by a constitution designed to prevent state abuses of its powers. The almost blanket coverage of spy cameras in the UK is an example of this. The situation in this regard is much worse in most of Europe, particularly Germany and France, which are, in my view, little better than fascist states.

    1. Toni the terrible

      Re: US Magistrate Reins in Cops trying to force mass fingerprint seizure re iPhone

      Possibly they got their knickers in a twist because they don't like seeing the land of the free getting to be worse than the UK?

      - by the by you reminded me to get a set of CCTV devices to scan the area around my house...

  14. Anonymous Coward
    Anonymous Coward

    EFF FTW

    You can support the EFF via Amazon Smile (and regular donations!)

  15. Kiwi Silver badge
    Headmaster

    What the hell?

    First they elect CMIC, with the only other realistic option being that thing that was almost replaced by Ms Lewinsky in Bill's Knob Polishing Shoppe, and now we have a judge upholding constitutional law, and in a sensible manner to boot?

    WTF is happening to this world?

    Oh, and El Reg...

    But in this case, the judge wrote in his order, "the government is seeking the authority to seize any individual at the subject premises and force the application of their [sic] fingerprints as directed by government agents."

    Tsk tsk.. You should know better.. "Their" in this case is perfectly correct, no need for the "[sic]" (unless I've badly missed something?)
