this post was submitted on 19 Apr 2024
329 points (99.7% liked)


The legal situation is more complex and nuanced than the headline implies, so the article is worth reading. This adds another ruling to the confusing case history regarding forced biometric unlocking.

[–] [email protected] 61 points 6 months ago (1 children)

Reminder that on an iPhone, if you hold the Volume Up and Power buttons simultaneously for several seconds, the phone will vibrate and will require the PIN or password next time you unlock it, not Face/TouchID. This happens whether the screen is on or off, so you can discreetly do it in your pocket.

[–] [email protected] 19 points 6 months ago (10 children)

Basically every Android also has a variation of this

[–] [email protected] 5 points 6 months ago

Absent an idiotic carrier/mfg skin that disables the feature, you just long-press power then click "lockdown".

Or reboot the device. Rebooting the device will also leave it encrypted if your device has encryption (the PIN/password is needed to decrypt, essentially).

[–] [email protected] 5 points 6 months ago (1 children)

So you know what it is? I just tried both volume keys and all I got was TalkBack (Google's screen reader).

[–] [email protected] 7 points 6 months ago (2 children)

it's called lockdown mode. on my phone you press and hold the power button and select the option. you might have to enable this in settings.

[–] [email protected] 13 points 6 months ago (2 children)

Holy connoli, you are right! I just enabled it.

[–] [email protected] 31 points 6 months ago (2 children)

Not sure about all phone models, but at least with mine, if I switch it off then it requires a PIN, rather than biometrics, upon being switched back on. Thus if the police arrive, immediately switching off your phone could be a sensible thing to do.

[–] [email protected] 10 points 6 months ago

Restarting the phone as well does the same thing.

[–] [email protected] 7 points 6 months ago (3 children)

On iPhone, maybe Android too, you click the power button 5 times and you have to enter the PIN.

[–] [email protected] 10 points 6 months ago (2 children)

On my phone, it gives a 5 second delay before making an SOS call.

[–] [email protected] 29 points 6 months ago (15 children)

This isn't new. I've been on the passcode to unlock train for a long time because of this. It's only news in that it's been codified by the court. You can't be compelled to reveal info.

On iPhone: press and hold the lock button and either volume button for 1-2sec. It'll force a passcode despite biometrics.

[–] [email protected] 9 points 6 months ago

I hate Siri, but you can do a "Hey Siri, whose phone is this?" and it will force PIN unlock. Great if you aren't able to physically touch the phone.

[–] [email protected] 9 points 6 months ago

You can also turn your phone off. Phones require a passcode after booting up.

[–] [email protected] 24 points 6 months ago (14 children)

Makes perfect sense to me (not a lawyer, not a US person)... what doesn't make sense is how many people still think biometric is high security (maybe because of how cool they make it look in the movies?)

[–] [email protected] 63 points 6 months ago (4 children)

Idk… you being forced to use your body against your will to reveal secret and private things sounds pretty awful to me

[–] [email protected] 9 points 6 months ago

Biometric is high security against thieves and nosy girlfriends, not kidnappers or cops apparently. You need to be physically present for most of them which means it can't be done without you knowing. The problem arises when the person who wants access also has access to you.

[–] [email protected] 8 points 6 months ago (2 children)

Also not a lawyer or a US person, but from listening to American tech media, this has been an issue of some debate for a decade or more now.

The trick lies in their 5th amendment right against self-incrimination. Police cannot require you to give your PIN because that would violate 5th amendment rights. It has been ruled in some parts of America (but the ruling in other parts has been the opposite, IIRC) that you can be forced to give biometric unlocks. In my opinion this is kinda silly and inconsistent. It might be in line with the letter of the law, but it's certainly not in keeping with its spirit.

[–] [email protected] 7 points 6 months ago (2 children)

As an American and avid rights understander, it is not the 5th Amendment which this risks violating (which you did cite correctly), but the 4th Amendment, which guarantees protection from undue searches and seizures of your person, property, or effects. This is the whole reason for the warrant requirement and the reason you hear us bitching whenever something comes up that lets police or agents of the government acquire non-public access to information or property in a warrantless way.

An example: the police are investigating Mary's death and suspect you of having planned the murder in the Notes app on your phone, so they want to get into your phone. Without a court order (warrant), you have to give them permission. With the court order, you must give the passcode and/or unlock the phone.

Now, at this point, if your passcode happened to be 'I killed John02&' you could argue 5th Amendment protection because divulging the information would incriminate yourself in the crime, or a different crime.

[–] [email protected] 18 points 6 months ago (1 children)

Enter pin

"I don't know what happened, it's the right code, might be broken."

That PIN was a device self-sanitization trigger for preventing information from falling into the hands of the enemy.

Then buy enough claymores to make sure there will not be a second encounter with enemy forces.

[–] [email protected] 16 points 6 months ago (2 children)

I really wish the GrapheneOS devs would add duress passwords...

[–] [email protected] 13 points 6 months ago* (last edited 6 months ago) (1 children)

Not as part of core GrapheneOS, but an app called "Private Lock" can detect sudden force via accelerometer and disable the fingerprint based unlocking for next unlock.

But yeah, an erase passcode feature with opening a decoy profile would be a great feature to have.

E: grammar

[–] [email protected] 7 points 6 months ago (1 children)

A duress password to remove selected profiles would be amazing. So it still unlocks but quietly removes the profiles you are worried about.

[–] [email protected] 6 points 6 months ago (1 children)

Not even remove them, honestly. Just unlock the phone into a sanitized, honeypot account that has no access to the secured accounts' contents!

[–] [email protected] 5 points 6 months ago

If you do go digging you would get caught. Safest way is removal in those situations. I'd rather have some data removed, which preferably I have backups of, than have to risk jail time in some country.

[–] [email protected] 17 points 6 months ago (4 children)

For iPhone brothers and sisters (courtesy of rpcameron)

You must be using an Android device. On the iPhone, 5 quick presses of the side/power button (or long-pressing power+volume) will bring up the Power Off/SOS menu; any future attempt to unlock will require the passcode. (Either action can be done without any screen interaction, meaning that you can enable this feature silently as soon as you feel it necessary.)

(Also to note for iPhones: if you choose a 7 digit or longer passcode, the entry field does not indicate how long the passcode is; the same is true if you choose an alphanumeric passcode.)

(Extra safety for those in the US if you are in a car, after doing the above stash your phone in the console/glove box; if it is within a sealed compartment not on your person additional cause/warrant is required to gain access to the device.)

[–] [email protected] 5 points 6 months ago

Another benefit to this is that the USB port goes into a restricted mode that only allows for charging, and you can still use your cameras to record while it’s in this mode.

[–] [email protected] 15 points 6 months ago (1 children)

This may be the first time a federal ruling has been made but I don't know if it applies to state crimes. Many counties across the nation have ruled one way or another.

SCOTUS once ruled law enforcement cannot compel you to unlock a device at all and cannot access your phone without a warrant, but I don't know if that is current. Police can legally lie to you (and beat you with a $5 wrench and probably get away with it in court).

They also have strong phone cracking packages despite FBI's lament about evidence locked away in seized devices.

Generally, do not consent to searches or cooperate without a lawyer present. Expect everything an officer tells you is intended to mislead. They will even lie in court to the judge.

[–] [email protected] 7 points 6 months ago

@[email protected]

First order of business: never enable the thumbprint lock on your phone.

Second order of business: never conduct any sensitive business or communication with a mobile phone.

Third order of business: use a very strong passphrase to lock your phone.

Fourth order of business: understand that all your phone calls and text messages are hoovered up into spook databases.

[–] [email protected] 11 points 6 months ago (1 children)

This is one of many reasons you should use a password of some kind that you keep inside of your head to unlock your phone rather than a biometric that people can use to unlock it against your will.

[–] [email protected] 6 points 6 months ago (4 children)

Or just use lockdown mode in Android to force the phone to only unlock with a password.

[–] [email protected] 11 points 6 months ago (1 children)

Use. Lockdown. On. Your. Phones. It is easy and prevents legal shitbags from literally forcing your hand.

[–] [email protected] 14 points 6 months ago (2 children)

I just wish you could set up logic for this. Pulling out your phone to hold the power button for 3 seconds and then tapping the lockdown button is slow, very obvious, and likely to be prevented by an attacker.

Would be great if I could set it up to lockdown on a specific finger, or a specific number of presses on an analog button. Or even like if I leave a WiFi network or some other arbitrary condition.

[–] [email protected] 10 points 6 months ago (3 children)

This article and similar threads keep popping up in my feed, so I'm going to keep spreading this tip around. (I'm using Android.)

I use Tasker to automatically lock down my phone based on accelerometer and Bluetooth. A sharp tap to my phone or being disconnected from Bluetooth is enough to lock down my phone and disable all biometric access. I dialed in the sensitivity so that it doesn't take much, just a tap on my pocket, being set down a little too aggressively, pulled from my car and thrown to the ground is all it takes. I set it to notify me with a quick vibrate when it does this for a little added confidence that it is behaving as expected.

For a little added effort I can have Tasker snap a photo that gets backed up to the cloud any time there is a failed unlock attempt, just be prepared for some unflattering photos of yourself looking like an aging male boomer posting selfies to Facebook.

[–] [email protected] 6 points 6 months ago (1 children)

I like using a specific finger. Guess which one we'd all pick 😂

[–] [email protected] 11 points 6 months ago (4 children)

Hmm, is there an app/feature where if I use my thumb-print instead of say, my fore-finger print, it wipes the phone instead?

[–] [email protected] 9 points 6 months ago (4 children)

This is the best summary I could come up with:


The US Constitution's Fifth Amendment protection against self-incrimination does not prohibit police officers from forcing a suspect to unlock a phone with a thumbprint scan, a federal appeals court ruled yesterday.

The ruling does not apply to all cases in which biometrics are used to unlock an electronic device but is a significant decision in an unsettled area of the law.

Judges rejected his claim, holding "that the compelled use of Payne's thumb to unlock his phone (which he had already identified for the officers) required no cognitive exertion, placing it firmly in the same category as a blood draw or fingerprint taken at booking."

Payne conceded that "the use of biometrics to open an electronic device is akin to providing a physical key to a safe" but argued it is still a testimonial act because it "simultaneously confirm[s] ownership and authentication of its contents," the court said.

The Supreme Court "held that this was not a testimonial production, reasoning that the signing of the forms related no information about existence, control, or authenticity of the records that the bank could ultimately be forced to produce," the 9th Circuit said.

The Court held that this act of production was of a fundamentally different kind than that at issue in Doe because it was "unquestionably necessary for respondent to make extensive use of 'the contents of his own mind' in identifying the hundreds of documents responsive to the requests in the subpoena."


The original article contains 662 words, the summary contains 241 words. Saved 64%. I'm a bot and I'm open source!

[–] [email protected] 9 points 6 months ago* (last edited 6 months ago)
[–] [email protected] 7 points 6 months ago* (last edited 6 months ago)

This has been a theory for a while, just not sure it was a specifically ruled precedent. The notion being similar to how they can force fingerprinting but not testimony. Access to a physical lock or location you can't simply say 'stay out' but they can't force you to divulge a password since it's a thought in your mind.

Also, relying on biometrics is terrible, quick but immutable keys are a big no-no.
