Federal Court Refuses Warrant to Force Owners to Unlock iPhones with Fingerprints
Federal agents in Chicago planned to raid a house in a child pornography investigation. The agents knew only that child pornography had been transmitted from an IP address that was associated with the house.
In their application for a search warrant, the agents requested permission to search any device they found in the home that was capable of storing digital files. They feared (for no particular reason) that some files might be located on iPhones that are protected by biometric security. To further their desire to search those phones, they asked for authority to force any iPhone owner who happened to be in the house during the search to use his or her fingerprint to unlock the iPhone.
A federal magistrate declined that request. The magistrate’s decision raises questions about the propriety of seeking blanket authority to use warrants to force people to unlock their biometric security.
The Warrant Application
The government told the court that someone in the house they wanted to search had been transmitting child pornography in digital form from an unidentified electronic device. That device might have been a computer or it might have been a mobile device. The government assumed that evidence of pornography was electronically stored on at least one device. It therefore wanted permission to access every device in the home that could be used to store or transmit digital images.
The government knew who owned the house and presumably knew who paid for the IP address associated with the house. The government did not know who was using the internet connection. It did not know the source of any pornography that was being transmitted from the IP address. Nor did the government know who (if anyone) would be visiting the house at the time it conducted its search. The government wanted to search the mobile phones of visitors anyway, on the off chance that they might have been used to connect wirelessly to the home’s internet connection and that they might have been used to distribute child pornography.
An increasingly common form of privacy technology, now found on iPhones and other devices, is a biometric password. In the case of an iPhone, the owner locks the phone using a fingerprint, and the phone can only be unlocked by using the same fingerprint.
The government had no reason to believe that anyone in the house during its search would have an iPhone, or that any iPhone they found would be protected by biometric security. They nevertheless asked for authority to force iPhone owners to use their fingerprints to unlock their phones in the event that any iPhones protected by biometric security were found during the search.
The magistrate expressed concern about the government’s use of boilerplate language (the kind of statements that are routinely included in legal documents) in the warrant application, particularly the government's use of language that described outdated technology. For example, the application suggested that “cloud technology” is an exceptional and rarely used method of transferring information between computers. The warrant application asserted that information is usually moved from one computer to another by physically connecting computers with a cable. The government apparently did not bother to update its boilerplate language after flash drives and wireless data transfer became commonplace.
Apart from making the government look foolish (and making the agent who swore to the warrant application appear to be ignorant, if not a perjurer), the boilerplate language made no mention of wireless technology. The magistrate expressed concern that criminals routinely access wireless connections that are not properly encrypted, and that the home’s internet connection might have been used to transmit pornography without the owner’s knowledge. The warrant application’s boilerplate assertions failed to acknowledge that possibility.
The magistrate nevertheless concluded that the application established probable cause for issuance of the warrant. The magistrate was more troubled by the boilerplate request to force everyone who happened to be present when the warrant was served to use fingerprints to unlock their iPhones.
Court Denies Request for “Extraordinary Authority”
The government conceded that it would be making the same boilerplate request in all of its applications to search for digital data. Instead of making the particularized showing of a need for evidence that the Fourth Amendment requires, the government wanted to engage in a fishing expedition for iPhone content every time it had a need to search for digital information.
The magistrate noted that the government was seeking “extraordinary authority” without justifying its need for that authority. The magistrate scolded the government for asking for the power to compel iPhone owners to use their fingerprints to unlock their phones when the government did not know who was transmitting pornography, could not identify the files it expected to find or the device on which they might be located, and had no reason to suspect that people who happened to be in the home during the search were involved in pornography distribution.
The magistrate decided that the warrant application should be denied for two reasons. First, the application did not establish probable cause to justify forcing iPhone owners to use their fingerprints to unlock their phones.
While the government argued that the Fourth Amendment does not protect fingerprints, the Magistrate made an appropriate distinction between seizing a fingerprint and seizing a person to compel the person to use a fingerprint to unlock a phone. With no evidence to suggest that an unknown guest’s iPhone had been used to commit a crime, the court was unwilling to give federal agents the extraordinary authority to force the phones’ owners to apply their fingers to their iPhones.
The Fifth Amendment protects an individual’s right not to make a self-incriminating statement. The government argued that fingerprints are not statements and that the Fifth Amendment therefore had no relevance to its request.
However, the magistrate concluded that forcing a telephone’s owner to unlock the phone would also force the owner to produce any incriminating evidence that might be contained within the phone. Requiring a suspect to produce a fingerprint for the purpose of identification, the magistrate reasoned, is quite different from forcing a suspect to produce a fingerprint to unlock a phone in which the owner has stored private (and possibly illegal) material.
Reaction to the Decision
Legal analyst Orin Kerr thinks the magistrate made the right decision for the wrong reason. He suggests that search warrants should not contain directions about how the warrant is or is not to be executed. Kerr argues that the agents should go ahead and do what they want, leaving the reasonableness of their actions to be decided later.
Suppose, however, that the agents force someone to use a fingerprint to unlock an iPhone and then find no evidence in the phone. Will a court ever have the opportunity to decide whether the agent’s actions were unreasonable? Probably not, since the reasonableness of a warrant’s execution is usually an issue raised by people who are being prosecuted for a crime. Defining the authority to execute a warrant before it is executed may be the only effective safeguard against the use of unreasonable methods to execute warrants.
Kerr also criticizes the magistrate’s Fifth Amendment analysis. There’s little doubt that the analysis hangs on a weak limb, but the magistrate made important points about the privacy protections that iPhone users should enjoy. Those protections might, as Kerr says, be more properly governed by the Fourth Amendment, but just as suspects have the right to say “No, I won’t tell you where I hid my incriminating evidence,” they might have a similar right to say, “No, I won’t help you find incriminating evidence on my iPhone.”
Regardless of the merits of the decision, iPhone users who don’t want to share a phone’s contents with the government might want to rethink the use of biometric security. Given the unsettled nature of the law, a password might actually provide better protection against government-sanctioned intrusion into a phone than a fingerprint.