Privacy SOS

The FBI has taken a battering ram to encryption. Today their Trojan horse may be your face.

After spending years attacking cell phone privacy and encryption in the courts and in Congress, the FBI has used an Ohio man’s face to unlock his phone after obtaining a warrant to search his home. Since Apple announced its face recognition unlocking capabilities last year, the ACLU and others have warned that the feature may grant law enforcement access to encrypted information with unprecedented ease. The case in Ohio comes in the wake of courts authorizing the government to force people to decrypt their iPhones using the “TouchID” fingerprint feature—Apple’s forerunner to the face unlocking system rolled out in its latest line of devices.

Encryption—security technology billions of people around the world rely on to secure their sensitive digital information—has been a bane to law enforcement for decades. iPhones now ship with software that automatically encrypts the contents of each phone, as long as the user has locked it with a passcode. In its latest devices, Apple has introduced biometric authentication technologies as an option to take the place of passcodes—first through the fingerprint, and then through the face. But when it comes to your privacy from the government, a strong passcode seems to be the better option.

Thanks to the Fifth Amendment, which protects our right not to self-incriminate, some courts have ruled that the owner of a cell phone cannot be forced to verbally give law enforcement their passcode, even when the police have a warrant to search its contents. But courts thus far have viewed biometric security technologies differently, allowing law enforcement to force a suspect to unlock a device by forcing her finger to her phone—and now, by forcing a cellphone in front of a suspect’s face. In this way, police are getting around the Fifth Amendment’s protections by using people’s bodies—instead of their words—to incriminate them. (A Massachusetts high court ruling on forced decryption held that police could force a man to disclose his computer password because he admitted to police that the device belonged to him, and therefore forfeited his right against self-incrimination.)

Getting around, over, and through sophisticated encryption has been a major aim for law enforcement throughout the past decade plus. Companies have taken notice, and have helped the government in what’s effectively an arms race—with well-known consumer technology companies like Apple developing strong encryption technologies on the one hand, and shadowy government contractors like GreyShift and Cellebrite just as quickly trying to deploy technology to crack the latest standards.

After claiming the technology wasn’t available, the FBI spent just under $1 million to hack an iPhone after the San Bernardino shooting. ICE is paying $384,000 in a single contract which promises to grant the agency access to locked phones. And the DOJ is trying to use the courts to force Facebook to allow it access to encrypted conversations on Facebook Messenger. These maneuvers are an affront to the public’s expectations of privacy and the self-determination we exercise when we choose to encrypt our information, but the encryption arms race is not likely to end soon.

The FBI claims it is “going dark” because of encryption, but the reality is that law enforcement is living in the golden age of digital surveillance. Thus far, no forced decryption case has made its way to the Supreme Court, so there’s no single standard nationwide. But the trend is clear: If you want to protect your encrypted information from the police, use a strong passcode—not a biometric—and exercise your Fifth Amendment rights by keeping quiet when approached by law enforcement. 

This blog post was co-authored by Siri Nelson and Kade Crockford.

© 2018 ACLU of Massachusetts.