
posted by martyb on Tuesday May 03 2016, @06:27AM
from the something-you-have,-something-you-are,-something-you-know dept.

The FBI is quietly waging a different encryption battle in a Los Angeles courtroom. The authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home. The phone uses Apple's fingerprint identification system for unlocking. It's a rare case where prosecutors have demanded a person provide a fingerprint to unlock a computer, but experts expect such cases to become more common.

In a Circuit Court decision in Virginia in 2014, the judge ruled that a criminal defendant cannot use Fifth Amendment protections to safeguard a phone that is locked using his or her fingerprint. According to Judge Steven C. Frucci, while a criminal defendant can't be compelled to hand over a passcode to police officers for the purpose of unlocking a cellular device, law enforcement officials can compel a defendant to give up a fingerprint. The Fifth Amendment states that "no person shall be compelled in any criminal case to be a witness against himself," which protects memorized information like passwords and passcodes, but it doesn't protect fingerprints in the eyes of the law. Frucci said that "giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits. A passcode, though, requires the defendant to divulge knowledge, which the law protects against."

In other words, fingerprints are bad security. On the other hand... maybe some fingers, like 9 out of 10, can instead trigger a silent self-destruct?


  • (Score: 3, Insightful) by RedBear on Tuesday May 03 2016, @08:22AM

    by RedBear (1734) on Tuesday May 03 2016, @08:22AM (#340713)

    I've seen a lot of people suggesting giving a different passcode or fingerprint for the express purpose of triggering a self destruct of the data. Problem with that is, if we're dealing with a legal investigation and it could be proven that you deliberately gave them a self destruct code, it could result in a conviction of destruction of evidence, which is a felony in and of itself. I'm no lawyer but I'm pretty sure it doesn't matter whether it would have been incriminating evidence or not. It should be left up to the investigators to attempt to crack the device and trigger the automatic erasure after 10 tries, if you have that feature enabled. If they perform the necessary actions themselves that results in the destruction of data, it's much harder to legally make you responsible.

    There is a much simpler solution to this problem, which is to make sure that biometric data is always paired with some sort of non-physical passcode that cannot be compelled by a warrant. Even something as ridiculously simple as a 1-digit pin number would make it highly improbable that the device could successfully be accessed before triggering a demand for the longer passcode, even if the attacker knew the correct fingerprint to try. The iPhone allows only 5 attempts to use Touch ID. If that fails or if you reboot the device you must then use the full passcode before Touch ID will be re-enabled. Anyone with a brain has moved on from 4-digit numeric pins to a longer alphanumeric passcode, so at that point it should be nearly impossible to access the device. A 2-digit pin paired with a fingerprint would make it basically impossible to guess the pin within 5 tries, but it would still be quick to use and easy for the user to remember.

    There was a hardware-based device for brute-forcing an iPhone passcode. It worked by immediately cutting power to the device if the passcode attempt is unsuccessful, before the phone could record that the attempt failed, so you could keep trying thousands of times without triggering the 10-failure self destruct. But as I said when you reboot the iPhone it no longer accepts fingerprints until you enter your passcode. So as far as I know there would be no way of bypassing this simple fingerprint-plus-pin security option. I have been quite miffed for some time now that Apple still hasn't offered us this security option. Hopefully they will after this practice of compelling fingerprints with a warrant starts to spread. A fingerprint is very convenient but by itself is an almost worthless security option. You might as well tattoo your passcode on your forehead and try to keep it secure by wearing a hat.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
  • (Score: 3, Insightful) by davester666 on Tuesday May 03 2016, @09:00AM

    by davester666 (155) on Tuesday May 03 2016, @09:00AM (#340726)

    now they can compel you to enter your passcode via an 'all writs' warrant, without formally charging you with anything. You just have to help the police to search your phone or computer, if you don't help them, go directly to jail for contempt of court.

    this has already happened.

    • (Score: 3, Insightful) by RedBear on Tuesday May 03 2016, @09:51AM

      by RedBear (1734) on Tuesday May 03 2016, @09:51AM (#340746)

      > now they can compel you to enter your passcode via an 'all writs' warrant, without formally charging you with anything. You just have to help the police to search your phone or computer, if you don't help them, go directly to jail for contempt of court.
      > this has already happened.

      They think they can, and a judge has been allowed to keep someone imprisoned for 7 months now for refusing to decrypt a storage device, but as others have said this seems to be a clear violation of 5th Amendment protections against being compelled to self-incriminate. I don't believe such things will survive a good Supreme Court case. I'm fairly certain there have already been multiple Supreme Court decisions making it clear that it's unconstitutional.

      The All Writs act is tyranny, plain and simple, as far as I'm concerned.

      --
      ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
      ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
  • (Score: 2) by choose another one on Tuesday May 03 2016, @09:37AM

    by choose another one (515) Subscriber Badge on Tuesday May 03 2016, @09:37AM (#340739)

    > Problem with that is, if we're dealing with a legal investigation and it could be proven that you deliberately gave them a self destruct code, it could result in a conviction of destruction of evidence, which is a felony in and of itself.

    Problem with that is that any evidence the device was set to wipe to factory settings with a particular secret code is (was) on a device that is now wiped to factory settings with a secret code...

    Reality is they should never ever let a defendant touch such an item of evidence or enter a passcode of any sort into it - the phone should be cloned and the defendant allowed to touch the clone, if necessary. Of course it is more difficult to do that so they will try and take shortcuts or try and compel someone else to do it - as is the Apple case.

    • (Score: 3, Insightful) by RedBear on Tuesday May 03 2016, @12:21PM

      by RedBear (1734) on Tuesday May 03 2016, @12:21PM (#340790)

      > Problem with that is that any evidence the device was set to wipe to factory settings with a particular secret code is (was) on a device that is now wiped to factory settings with a secret code...

      Naive. There are many ways in which the device could give away the fact that you gave them a self-destruct code rather than the unlock code. Such as when they film the procedure and the very first time they try the code the screen immediately says, "Erasing all data... Please wait". Unless you know your device would wipe itself sneakily behind the scenes without ever giving the attackers evidence that it had been wiped, I would advise not risking prosecution for felony destruction of evidence. The iPhone for instance will wipe the encryption header and reboot, presenting itself as a new phone waiting for activation. They make it quite obvious what just happened, unfortunately.

      > Reality is they should never ever let a defendant touch such an item of evidence or enter a passcode of any sort into it - the phone should be cloned and the defendant allowed to touch the clone, if necessary. Of course it is more difficult to do that so they will try and take shortcuts or try and compel someone else to do it - as is the Apple case.

      You don't need to touch anything. But if you tell them to use the wrong code or fingerprint and it clearly results in purposeful destruction of evidence, in the court's eyes it will be the same as if you put it in yourself. The phone can't be cloned unless it's unlocked first. So they're kind of stuck.

      Interesting thing is if the device makers do implement self destruct codes, nobody's compelled passcodes could ever be trusted again. Because some people would go ahead and risk a destruction of evidence charge for a chance to destroy the data permanently. The courts would be left with their unconstitutional trump card, using the All Writs act to try and compel the defendant to self-incriminate by successfully unlocking the device, and then imprisoning them if they fail. For failure to comply with the unconstitutional All Writs warrant.

      So I guess this leads to the ultimate defense against the All Writs bullshit: Let the real data be stored in a hidden container TrueCrypt-style, and have a second sacrificial password unlock the phone which only gives access to a fully working but clean version of the system, containing no information of any interest. In other words it appears we need to add more layers of obfuscation and deniability to our security, until it literally cannot be proven either that anything is being hidden or that we are being uncooperative in any way. "Your Honor, I gave you the password as I was compelled to do, it unlocked the phone, the phone works, what more do you want?" At that point it becomes totally unsupportable tyrannical insanity for the court to continue to demand that a person come up with some sort of evidence to incriminate themselves.

      --
      ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
      ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
      • (Score: 2) by mhajicek on Tuesday May 03 2016, @02:22PM

        by mhajicek (51) on Tuesday May 03 2016, @02:22PM (#340850)

        You could have the unlock screen display an EULA that must be accepted to unlock, stating that the person unlocking the phone is the owner and not under duress. Include penalties for violation. You could then make it a crime for anyone else to unlock the phone, or for you yourself to do it under duress, and I don't think the court can compel you to commit a crime.

        --
        The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
        • (Score: 2) by hemocyanin on Tuesday May 03 2016, @11:08PM

          by hemocyanin (186) on Tuesday May 03 2016, @11:08PM (#341102) Journal

          Geek faith in technology or hyper-convoluted agreements or destruction of evidence or jury nullification or etc. is always sadly amusing in the context of the other side being armed to the teeth. This isn't about some clever hack, it is about pure power -- the power they have and we don't. It's about tyranny.

  • (Score: 0) by Anonymous Coward on Tuesday May 03 2016, @08:51PM

    by Anonymous Coward on Tuesday May 03 2016, @08:51PM (#341035)

    The better solution is to simply "forget, but try" enough times that it gets wiped naturally through the inbuilt anti-brute-force protections.

    However, I believe that if you are under duress, and the police *force* you to do something which results in the destruction of data, then because there was no free will involved, only obeying direct orders from an authority asserting dominance over you, that authority is the one that caused the destruction, not you.

    The 5th needs bolstering, certainly.