by Anthony W. Accurso
In the first known public instance of such a warrant, a US District Court approved a warrant allowing the FBI to use a suspect’s face to unlock his secure messaging app in order to find evidence of a crime in his chat history.
The FBI was surveilling a group chat on the Amazon-owned messaging platform Wickr, because they had reason to believe the group’s members were sharing child sexual abuse material (“CSAM”). Because of the way the Wickr app operates, it would normally be difficult to obtain identifying information on its users. The app was designed this way to protect the identities of activists, journalists, and some US government agents using the platform.
However, one of the users in this group chat posted a link to a cloud storage provider based in another country. With the assistance of that country’s law enforcement, the FBI was able to obtain the email and IP addresses of the person who uploaded the CSAM, as well as IP addresses of people who had accessed it. From there, the FBI sent administrative subpoenas to the email provider (Google) and the internet service provider (Comcast). Both requests pointed to Christopher Terry, a 53-year-old resident of Knoxville, Tennessee, who had prior convictions for “possession of child exploitation material.”
This information was sufficient for the FBI to obtain a search warrant for Terry’s home, and they recovered his unlocked iPhone during the search. However, after they had Terry in custody and he had lawyered up, the FBI realized that access to his Wickr app required additional authentication. Based on the information investigators had discovered thus far linking Terry to the CSAM group on Wickr, the FBI sought—and was granted—a warrant allowing the agents to unlock the app using Terry’s face.
It is a little-understood nuance in US law that allowed this outcome. While courts can compel a defendant to produce certain kinds of evidence, they cannot require a defendant to “testify” against themselves. This has traditionally included providing a password, as this necessarily involves access to the content of a person’s mind. However, nearly all courts have allowed law enforcement to force suspects to unlock phones and other devices where the only “password” necessary is biometric—meaning a fingerprint or face image. Because this is obtained from a publicly visible body part, it is less private.
“Most courts are going to find they can force you to use your face to unlock your phone because it’s not compelling you to speak or incriminate yourself…similar to fingerprints or DNA,” said Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society in New York City.
Greco believes however that this state of affairs will not continue forever. Though passwords and faces are obtained from different places, the effect—law enforcement compelling access to a secured device—is the same.
In 2019, two cases from California and Idaho saw courts draw the opposite conclusion, denying similar warrants while ruling that biometric data was, in fact, testimonial. More courts are likely to rule this way, setting the stage for a Supreme Court battle.
“We are trying to apply centuries-old constitutional law that no one could have envisioned would have been an issue when the laws were written,” commented Greco, adding, “I think the fight is coming.”
While FaceID is convenient and futuristic, users concerned with the security of their data should disable biometric authentication—TouchID and FaceID—in favor of strong passwords, at least until Fourth Amendment case law catches up with technology.
As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login