When Apple announced in 2013 that its next iPhone would include a fingerprint reader, it touted the feature as a leap forward in security. Many people don’t set up a passcode on their phones, Apple SVP Phil Schiller said at the keynote event where the Touch ID sensor was unveiled, but making security easier and faster might convince more users to protect their phones. (Of course, Apple wasn’t the first to stuff a fingerprint reader into a flagship smartphone, but the iPhone’s Touch ID took the feature mainstream.)
The system itself proved quite secure—scanned fingerprints are stored, encrypted, and processed locally rather than being sent to Apple for verification—but the widespread use of fingerprint data to unlock iPhones worried some experts.
One of the biggest questions that hung over the transition was legal rather than technical: How might a fingerprint-secured iPhone be treated in a court of law?
The question went unanswered for a year, until a Virginia judge ruled in 2014 that police can force users to unlock their smartphones with their fingerprints. But until this February, when a federal judge in Los Angeles signed a search warrant that required a woman to use her fingerprint to unlock her iPhone, it didn’t appear that any federal law-enforcement agency had ever used that power.
The iPhone belonged to Paytsar Bkhchadzhyan, the 29-year-old girlfriend of a man accused of being a member of an Armenian gang, according to Matt Hamilton and Richard Winton of the LA Times. She was sentenced in February for one count of identity theft, and just 45 minutes later, a federal judge signed a warrant authorizing law-enforcement officers to place her finger or thumb on the Touch ID sensor of her iPhone. It’s not clear what prosecutors are searching for on her phone.
The warrant was first discovered by Thomas Fox-Brewster of Forbes in March. Fox-Brewster examined “hundreds of court documents” but wasn’t able to find any previous example of a federal warrant for device-unlocking fingerprints.
The federal judge in Los Angeles may have moved quickly to sign and execute the warrant because there’s only a 48-hour window during which an iPhone will accept its user’s fingerprints. After that window—or after a restart—the phone will require a PIN or passcode to unlock.
The Fifth Amendment, which protects people from incriminating themselves during legal proceedings, prevents the government from compelling someone to turn over a memorized PIN or passcode. But fingerprints, like other biometric indicators—DNA, handwriting samples, your likeness—have long been considered fair game, because they don’t reveal anything in your mind. (Marcia Hofmann, a digital-rights lawyer, wrote a comprehensive rundown of the question in late 2013, when it was still hypothetical.)
Now that it’s clear that police are willing to ask for warrants for phone-unlocking fingerprints—and that judges are willing to sign them—security-conscious smartphone users are faced with a menu of mostly unsavory options.
A fingerprint and a long passcode provide a good balance between convenience and security—or they did, until courts began compelling fingerprint unlocks, said Chris Soghoian, the chief technologist at the American Civil Liberties Union. The alternatives are worse: A short PIN “lets you use your phone like a human,” Soghoian said, but can be guessed by a computer algorithm in certain cases. And a long passcode, while secure, is a pain to type in every time you want to check Tinder.
The only way to disable an iPhone’s fingerprint reader on the fly—without waiting for the 48-hour window to expire—is to power the phone off. When it’s powered back on, it will ask for the device’s PIN or passcode, and won’t accept fingerprints. (If Bkhchadzhyan’s phone was off when police found it in her boyfriend’s home, her fingerprints won’t unlock it.)
Since Apple began encrypting its iPhones in 2014 and rolled out further security improvements alongside Touch ID, law enforcement has had to get increasingly creative to access the contents of the computers, tablets, and phones that they seize.
The court fight over an iPhone used by one of the San Bernardino shooters, for example, only ended when the FBI paid for a technique to bypass the phone’s security. Similar hacking techniques—and more warrants for fingerprints—may become commonplace as the government confronts increasingly secure devices.