Apple, first and foremost, has made phone security a selling point and has been in the forefront, technically and PR-wise, of pushing this anti-breaching ability as a consumer desideratum.
In 2013, Apple introduced fingerprint ID for the 5s. Apple’s Touch ID system uses a scanner under the home button to identify the phone’s owner, and therefore the fingerprint is used in the same manner as a passcode.
The sensor incorporated in the home button uses advanced capacitive touch to take a high-resolution image from small sections of the fingerprint from the subepidermal layers of the skin. Touch ID creates a mathematical representation of the fingerprint and compares this to the enrolled fingerprint data to identify a match and unlock the device.
The increase in security for the phone is significant. The odds are 1 in 10,000 of guessing a typical 4-digit passcode. (This figure excludes the few moronic passcodes such as “1-2-3-4.”) The probability of two separate fingerprints being identified as the same is 1 in 50,000. In addition, Touch ID only allows five unsuccessful fingerprint match attempts before you must enter the passcode, and you can’t proceed until entry is made using the passcode.
To configure Touch ID, the owner sets up a passcode. Touch ID is designed to minimize the input of the passcode, but the passcode is needed for additional security validation such as restarting the device, turning the device on after 48 hours of non-use, and to set up Touch ID.
On the other hand, purchases from the iTunes Store, App Store, and iBooks Store can be made either through Touch ID or Apple ID passcode. The latter is distinct from the phone entry passcode.
If the phone is lost or stolen, one can immediately disable Touch ID from being used to unlock the device with Find My iPhone Lost Mode. iOS 7 or subsequent systems feature Activation Lock, which requires an Apple ID and passcode to turn off Find My iPhone, erase data, or reactivate the device.
Touch ID stores only a mathematical representation of the fingerprint. Reverse engineering of the actual fingerprint image can’t be accomplished from this mathematical representation. Apple assures us that the mathematical representation can’t be used to search other fingerprint databases, although it seems with the appropriate formula for translation this can’t be 100% true.
Fingerprint data is encrypted and protected with a key available only to the Secure Enclave archItecture on the phone chip. The Secure Enclave is walled off from the rest of the chip and the rest of iOS. Therefore, iOS and other apps never access the fingerprint data, the data is never stored on Apple servers, and the data is never backed up to iCloud or anywhere else. Only Touch ID uses it,
Touch ID is the fingerprint application using a biometric key. The other possible keys are facial recognition powered by high-definition cameras and voice recognition based on a large collection of vocal samples. All biometric keys are subject to the same 5th Amendment legal analysis set forth below.
What could go wrong? The creation of a better security barrier which is easier to cope with while creating substantial product differentiation must have driven Apple marketers mad with joy.
However, the many consultants on the Touch ID project obviously did not have the assistance of criminal defense lawyers. Put another way, it is one thing to try to secure the phone from hackers in general, and an entirely different matter to try and secure it from law enforcement.
The problem with Touch ID and any other fingerprint unlocking mechanisms is illustrated in two recent trial cases in Virginia and California. Trial court rulings are often ephemeral, but the outlines of the Fifth Amendment in this area are quite clear.
Assume that the suspect owns the phone and will not unlock it. A fingerprint ID system protects the phone. The Fifth Amendment states: “No person shall be compelled in any criminal case to be a witness against himself.” Is forcing a criminal suspect to use his or her fingerprint to gain access to the phone a violation of the Amendment?
Note that this is not an illegal search under the Fourth Amendment for we assume that enough of a criminal context can be described by the police to obtain a valid search warrant. Rather, the main issue is whether opening the phone to obtain derogatory evidence is self-incrimination under the Fifth Amendment.
The Fifth Amendment applies only to testimonial evidence. This means “testimony [or] evidence relating to some communicative act or writing.” (Schmerber v. Calif., 384 U. S. 757, 765 (1966)) For example, drawing a blood sample from a drunk driving suspect was valid.
“[The suspect's] testimonial capacities were in no way implicated; indeed, his participation, except as a donor, was irrelevant to the results of the test, which depend on chemical analysis and on that alone. . . . Since the blood test evidence, although an incriminating product of compulsion, was [not] testimony [or] evidence relating to some communicative act or writing by the petitioner, it was [admissible].”
The same is true for “fingerprinting, photographing, or measurements, to write or speak for identification, to appear in court, to stand, to assume a stance, to walk, or to make a particular gesture . . . “ (Id. at 764) In general, admissible evidence external to the suspect are admissible, while internal matters such as thought and memory, which are communicated to others in statements, are not.
Unfortunately for Apple, there is no better illustration of the difference between non-testimonial and testimonial evidence under the Fifth Amendment than the contrast between a fingerprint and a passcode. While a fingerprint is an external aspect of the suspect’s body, open to all, a passcode is contained within the suspect’s mind and must be communicated in order to be utilized.
One proposed, although ultimately futile, exception illustrates the rule. Suppose the suspect was allowed to enter the passcode with no one watching and thus unlock the phone. Was the suspect making a testimonial statement under duress if he or she never actually told anyone what the passcode was? (Exclude the possibility that the suspect would open the phone and immediately wipe all of the phone’s information before anyone could stop it.)
The answer is that the suspect is being made to communicate even if no one can state what the communication was. Compulsion is applied to create the communication to reveal a non-observable internal thought, the passcode.
The Apple marketing thrust is well-grounded in the acute awareness among millenials and younger buyers that information security depends on how much money is spent on targeting the information. Hence, the resistance from Apple to the FBI’s attempts to break into various criminal phones is based on marketing logic. Apple cannot simultaneously sell improved security AND aid law enforcement.
Irony is wasted on the stupid, so it is abundently clear that Apple is well aware of the irony that constitutional law, not engineering, has cancelled the effectiveness of a major (and unique) (and profitable) technical achievement which would have provided markedly more effective protection for iPhone consumers. However, the rationale for the lack of Fifth Amendment protection for fingerprint ID is simply that suspects and criminals should not receive constitutional protection for planning their crimes on a phone.
Compare this result with the last Apple fights in Brooklyn and San Bernadino over passcode access to iPhones. The latter case, involving terrorist Farook is less compelling because no decision was reached and because the phone was a County phone issued to Farook in connection with his job. There is an arguable Fifth Amendment issue because Farook, although he did not own the phone, had encoded the phone with a passcode. This may have been a testimonial use under Schmerber.
In any case, Farook is was dead and no one in existence, a co-defendant or co-conspirator, has standing to assert the Fifth Amendment for him. At loggerheads with Apple, the FBI threw $1.3 million at the problem and gained access to the phone through the aid of a consultant. This end-run created no change in the law. (http://www.law.com/sites/jamesching /2016/03/02/fbi-worm-burrows-into-apple-feds-freak-farooks-phone-brooklyn-intervenes-pre-argument-analysis-in-re-search-of-an-apple-iphone-no-ed-cm-no-16-10-03222016/)
The Brooklyn decision was somewhat more on point, as there exists a live suspect who owns the phone. Although the opinion contains many pages about Congress’ intent, none of this is of value given the lack of any statute on point. Therefore, the ultimate holding of the case is that under the All Writs Act, the federal judge facing a decision to require Apple to unlock a phone has discretion to decide whether the government really has no means to open the phone except an All Writs Act order and this is hardly a major victory for either side.
Thus far, then, the Apple/FBI battle over requiring Apple to bypass passcodes under the All Writs Act is a stand-off. Apple has waxed eloquent about the government’s threat “to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe.”
However, another aspect of the conflict is preserving the desirability of a product feature and after all of Apple’s expenditures the utility of any given security feature is still in doubt. Moreover, it is perfectly clear that the FBI, in pursuit of the right suspect, now has carte blanche to spend on consultants. Indeed, did the government pursue the matter so rabidly, after Apple had initiated a court battle, to create a precedent for massive expenditures in future cases of manufacturer non-cooperation?
If this realpolitik interpretation is in play, then Apple clearly is facing a nastier situation outside the US, where the rule of law is not so easily invoked. Consider Apple’s disastrous last quarter in China. Not only did China shut down Apple’s ebook and digital music outlets after only a month in operation, but second-quarter revenue fell 13%, and sales in the greater China region fell 26% when financial observers had hoped for a blossoming of iPhone sales to the Chinese upper middle class.
This may be the basis for a squeeze play on Apple by the Chinese government, linking Apple’s marketing success in China to cooperation with the Chinese government. A similar squeeze was forced on Blackberry in 2010 by Saudi Arabia and the United Arab Emirates.
In the case of Blackberry, it maintained servers only in its home territory rather than relying on subordinate servers in the customer nations. This enhanced the security of Blackberry communications by limiting government interception of messages within its territory. The Saudis and the UAE simply cut off Blackberry services until the servers were relocated. India also joined the clamor for local servers.
The Chinese power play does not solely involve phone security, as China has often made demands for concessions for state participation in the manufacture, marketing, and retention of intellectual property rights, but China in the recent past has made state security (not to mention state hacking) a governmental fetish diametrically opposed to Apple’s commitment to individual privacy on its phones.
In retrospect, Apple’s sudden intransigence this year after a history of quiet cooperation with the FBI may have been the natural result of the debut of Touch ID. It is possible that Apple’s recent non-conforming behavior with regard to FBI cooperation is directly related to the possibility of the Chinese government’s cooperation in aiding Apple’s future Chinese sales in return for Apple’s concessions to that government on passcode and biometric unlocking of iPhones.