Last week, Samsung announced that its Galaxy S8 phone would let you unlock it by scanning your face — a method that could be quicker and simpler than entering a passcode or even using a thumbprint. As we noted at the time, this isn’t a strong security measure; in fact, someone already fooled it with a photograph. But there’s another, less-obvious issue: one key Constitutional protection for passwords usually doesn’t apply to biometric security measures like face scanning.
The Fifth Amendment, which protects people from having to incriminate themselves, holds that passwords or passcodes are “testimonial” evidence. In other words, you can refuse to give up your PIN because doing so would mean answering a question based on the contents of your thoughts, not providing a physical piece of evidence. But as early as 2013 — the year Apple announced its Touch ID sensor — security experts were warning that fingerprints wouldn’t fall under this rule. So far, this theory has held up. A Virginia judge let police use a fingerprint to unlock a phone in 2014, and similar requests were granted by other courts in 2016 and 2017.
“The self-incrimination analysis for biometric and face scanning would be the same as for Touch ID,” says Jeffrey Welty, a law and government professor at UNC-Chapel Hill. “Standing there while a law enforcement officer holds a phone up to your face or your eye is not a ‘testimonial’ act, because it doesn’t require the suspect to provide any information that is inside his or her mind.”
Most people using Samsung’s (or another company’s) face-scanning system will never be charged with a crime. And this doesn’t prevent things like searching visa applicants’ phones, where people are complying in order to get into the country, not because of direct law enforcement action. But the Fifth Amendment still provides a general legal layer of protection against smartphone searches, which can reveal a huge amount of personal information.
This isn’t a totally cut-and-dried issue, however. In certain cases, courts can still require you to unlock a device with a passcode. “If the police already know what’s on the device and that the person in question is the owner, the ‘foregone conclusion’ doctrine may apply,” says Welty. That’s what happened last month when an appeals court ruled that a man needed to decrypt two hard drives believed to hold child pornography, because the contents weren’t in question.
Conversely, biometric security could still be “testimonial” under certain circumstances, and legal expert Oren Kerr has laid out an argument for protecting fingerprints under the Fifth Amendment. In his hypothetical example, police have a phone with a biometric sensor and seven possible owners, none of whom will claim it. Putting a finger to the sensor might not be testimony, but identifying yourself as the owner of the phone could be, and so could revealing which finger (or other body part) would unlock it. One subject of a phone-unlocking order made the latter argument last year, but in that specific case, it was shot down.
Even so, both these situations are edge cases. “Bottom line, if you are concerned about whether law enforcement can compel access to your device, a password or passcode is much better than Touch ID or facial recognition, but it isn’t ironclad,” says Welty. Of course, if you’re absolutely determined to keep your data private, you might want to just delete it.