Fingerprint readers are ubiquitous in the phone world these days [1]. Almost everybody who has a phone with a fingerprint reader seems to use it. While it's certainly convenient and provides a nice feeling of security, I will never use my phone's fingerprint reader for two main reasons: it is not protected under the 5th amendment, and honestly it just makes for a poor password.

Fingerprints Aren't Protected by the Fifth Amendment

The Fifth Amendment is an important right that we enjoy as Americans: the right not to incriminate ourselves. I will emphasize that I am not a lawyer, but in general, the courts have agreed that in order to invoke this right, we must be asked to provide testimony. Providing a password - that is, knowledge you possess - is testimonial. However, providing your fingerprint is not testimonial - it is a physical characteristic that is observable. You can be compelled to touch your finger to your phone to unlock it [2], but you cannot be compelled to provide the password [3]. In fact, the police don't even need a court order to compel you to provide your fingerprint.

The U.S. Supreme Court has held that police can search phones with a valid warrant and compel a person in custody to provide physical evidence such as fingerprints without a judge's permission.

And yet, why is this at all relevant? Law abiding citizens shouldn't be concerned with the police going through their phones because they have nothing to hide, right?

The problem is there are so many laws that the average American commits three felonies a day [4]. Literally nobody knows how many laws there are on the books, though estimates are 3600 to 4500 federal laws that impose criminal sanctions [5]. And that's not even including federal regulations that carry criminal penalties, which are estimated to be as many as 300,000, or the average number of laws per state.

Honestly, if somebody wants to prosecute you for a crime, they probably could do so with the evidence on your phone.

Fingerprints are Poor Passwords[6]

When you use your fingerprint as your password, you are literally leaving your password on everything you touch. It's possible to create, given a scan of someone's fingerprint, a mold of a finger that can fool an iPhone.

Does this take time and resources? Yes. Not just anybody will be able to do this. But that's the nature of security - there's simply no such thing as a 100% secure system, and you have to decide what threats you want to protect yourself against.

What are we to do?

I just don't find fingerprint readers to provide all that much convenience. Ultimately everybody has to weigh for themselves the pros and cons, but I'd rather just spend the extra couple of seconds to type my passcode every time than carry the risk of my phone being searched or broken into.

That being said, there is a middle ground, though it may in some situations constitute obstruction of justice.
For both Android and iOS phones, if the phone is rebooted, your actual password needs to be used first before it will accept your fingerprint as a method of unlocking your phone. So, to prevent the police from going through your phone, you could shut down your phone before the police get to it.

However, imagine the following scenario. Some criminal has a video recording of a crime they committed on their phone. The police have a reasonable suspicion that such a video exists on the criminal's phone, so they get a warrant and knock on the criminal's door. The criminal suspects that the police are here for his phone, so he reboots it. By doing so he is preventing the police from getting that evidence (so long as he invokes his 5th amendment rights). I am by no means a lawyer, but it seems a plausible argument that this is obstruction of justice.

Another scenario: A cop pulls you over for a traffic stop. They believe that you were texting while driving. You shut down your phone so as to prevent the cop from looking through your phone. Again, this may constitute obstruction of justice. But, in this scenario, they may not care about any possible obstruction of justice as they can always get the records from the cell phone company.

If there are any lawyers out there willing to comment, I'd be interested.

  1. Though they are phasing out in some of the latest phones that try to reduce the bezels so much that they don't have room for one, and rely on facial recognition instead. Facial recognition is even worse than fingerprints with respect to my 5th amendment argument.

  2. US vs Kirschner

  3. Judge Frucci in case against David Baust

  4. You Commit Three Felonies a Day

  5. Reynolds: You are probably breaking the law right now

  6. Yes, technically your fingerprint is not your actual password. You still have a numeric or alphanumeric passcode for your phone, and your fingerprint can be used in place of your password. But because it can replace your password in most situations, it's functionally the same as being your password.