PSA: Samsung’s new face scanner won’t give you the legal protection of a passcode – The Verge

Last week, Samsung announced that its Galaxy S8 phone would let you unlock it by scanning your face a method that could be quicker and simpler than entering a passcode or even using a thumbprint. As we noted at the time, this isnt a strong security measure; in fact, someone already fooled it with a photograph. But theres another, less-obvious issue: one key Constitutional protection for passwords usually doesnt apply to biometric security measures like face scanning.

The Fifth Amendment, which protects people from having to incriminate themselves, holds that passwords or passcodes are testimonial evidence. In other words, you can refuse to give up your PIN because doing so would mean answering a question based on the contents of your thoughts, not providing a physical piece of evidence. But as early as 2013 the year Apple announced its Touch ID sensor security experts were warning that fingerprints wouldnt fall under this rule. So far, this theory has held up. A Virginia judge let police use a fingerprint to unlock a phone in 2014, and similar requests were granted by other courts in 2016 and 2017.

Standing there while a law enforcement officer holds a phone up to your face or your eye is not a testimonial act.

The self-incrimination analysis for biometric and face scanning would be the same as for Touch ID, says Jeffrey Welty, a law and government professor at UNC-Chapel Hill. Standing there while a law enforcement officer holds a phone up to your face or your eye is not a testimonial act, because it doesnt require the suspect to provide any information that is inside his or her mind.

Most people using Samsungs (or another companys) face-scanning system will never be charged with a crime. And this doesnt prevent things like searching visa applicants phones, where people are complying in order to get into the country, not because of direct law enforcement action. But the Fifth Amendment still provides a general legal layer of protection against smartphone searches, which can reveal a huge amount of personal information.

This isnt a totally cut-and-dried issue, however. In certain cases, courts can still require you to unlock a device with a passcode. If the police already know whats on the device and that the person in question is the owner, the foregone conclusion doctrine may apply, says Welty. Thats what happened last month when an appeals court ruled that a man needed to decrypt two hard drives believed to hold child pornography, because the contents werent in question.

Conversely, biometric security could still be testimonial under certain circumstances, and legal expert Oren Kerr has laid out an argument for protecting fingerprints under the Fifth Amendment. In his hypothetical example, police have a phone with a biometric sensor and seven possible owners, none of whom will claim it. Putting a finger to the sensor might not be testimony, but identifying yourself as the owner of the phone could be, and so could revealing which finger (or other body part) would unlock it. One subject of a phone-unlocking order made the latter argument last year, but in that specific case, it was shot down.

Even so, both these situations are edge cases. Bottom line, if you are concerned about whether law enforcement can compel access to your device, a password or passcode is much better than Touch ID or facial recognition, but it isnt ironclad, says Welty. Of course, if youre absolutely determined to keep your data private, you might want to just delete it.

View original post here:
PSA: Samsung's new face scanner won't give you the legal protection of a passcode - The Verge