Apple recently announced that it is moving toward biometric security measures
on its devices, such as the fingerprint scanner used to unlock the new iPhone,
and away from knowledge-based authentication, like passwords. Based on
the current state of the law, there are serious legal implications to

The Fifth Amendment to the United States Constitution guarantees that "no
person shall be compelled in any criminal case to be a witness against
himself." The Supreme Court has held that this extends to any civil
proceeding where statements may be made by a person which give rise to
exposure to criminal prosecution. This is why Lois G. Lerner, the woman
at the center of the IRS scandal involving special scrutiny of Tea Party/"Patriot"
non-profits, "took the Fifth" before a Congressional hearing.

The Fifth Amendment only applies to "testimonial" statements
or information. In a word, it applies only to "knowledge":
things you remember and the like. That is why the government can compel
you to give a breath sample in a DUI prosecution, or a DNA sample in a
criminal proceeding. The Supreme Court gave this example: if an accused
has a safe deposit box, the government can compel the accused to give
up the key to the box (with a search warrant). The key is a physical instrument
and is not knowledge. Therefore, the Fifth Amendment provides no protection
in that example.

How does this apply to biometric authentication on your electronic devices?
The government can compel you (again, upon a proper search warrant) to
provide your fingerprint to unlock your iPhone, iPad, computer, etc. Your
fingerprint is not knowledge; it is not something you have to remember.

This is vastly different from supplying knowledge-based authentication.
Last year, the 11th Circuit Federal Court of Appeals ruled that a man cannot be forced by
the government to give passwords to "decrypt" data on his computer
hard drives, even if a search warrant was properly obtained. To force the
accused to give a password is the same as being forced to be a "witness
against himself," and would violate the Fifth Amendment to the Constitution.

Our standard advice to our clients is to stay away from biometric authentication
UNLESS it is used in conjunction with knowledge-based authentication,
such as passwords.