Can Law Enforcement Force You To Use Your Finger to Unlock Your Phone?

Can a fingerprint alone provide “testimony” about a person? Earlier this month, a federal court in California said yes. But the court was not engaging in a highly-localized form of palm-reading; rather, the question arose in the ever-evolving field of how to balance law enforcement needs and individual citizens’ privacy interests as new technologies emerge.

The United States District Court for the Northern District of California has been a hotspot for privacy-related litigation, but this case—In the Matter of the Search of a Residence in Oakland, California, No. 4-19-70053 (N.D. Cal. Jan. 10, 2019)—arose out of a simple warrant request. Law enforcement agents, investigating two individuals suspected of extortion via Facebook messenger, sought a warrant to search the suspects’ house and seize their electronic devices. They further sought “the authority to compel any individual present at the time of the search to press a finger (including a thumb) or utilize other biometric features, such as facial or iris recognition, for the purposes of unlocking the digital devices found in order to permit a search of the contents.”

The extent to which digital devices such as cell phones are subject to search is, of course, a major Fourth Amendment issue. As digital devices become methods by which crimes can be committed (as in the extortion accusation here) their value to law enforcement grows, while at the same time their increasing centrality to our lives raises the stakes on the privacy interests involved as well.

So, can law enforcement compel someone to unlock a digital device with their fingerprint or other biometric identifier? One way of approaching the question is recognize that in this situation, a fingerprint is functioning like a password or a numeric passcode. The law is settled that someone cannot be compelled to give up a passcode to a device, but perhaps not for the most intuitively obvious reason: The doctrine relies not so much on the Fourth Amendment’s guarantee of privacy, but rather the Fifth Amendment’s guarantee against self-incrimination. It relies on the idea that a password is, in itself, testimonial, as the very act of sharing a password can reveal something about its creator’s innermost thoughts. Imagine, for example, that Colonel Mustard’s laptop password was “Me+LeadPipe+Conservatory”—compelling him to write that down for the police would be tantamount to forcing a confession. Murder confessions in passwords may be rare, but most of us probably have at least one password that would reveal something private about ourselves (even if it’s just an unhealthy devotion to chocolate syrup).

But, on the other hand, (again setting aside palmistry), a fingerprint does not reveal anything about the inner workings of its owner’s mind. And, for this reason, as the court noted, the collection of fingerprints and other biometric identifiers (such as blood samples or voiceprints) is not usually considered to raise an issue of self-incrimination.

The court chose function over form. Recognizing that when it comes to unlocking devices, a fingerprint does the same thing as a passcode, the court found that the use of a fingerprint to unlock a device is a “testimonial” act. How? According to the court, the act of unlocking a phone with a fingerprint “concedes that the phone was in the possession and control of the suspect, and authenticates ownership or access to the phone and all of its digital contents.” Call it the “Cinderella Rule” (which perhaps comes with an “OJ corollary”): you can “testify” you own (or don’t own) a shoe/glove/device, with all the implications that may follow, using not words but limbs.

In a way, this seems like a Fifth Amendment solution to a Fourth Amendment problem. The real issue is that our mobile devices contain so much of our lives that we want to make sure privacy interests are respected. In daily life, we make that happen by installing passcodes or using biometric identifiers to lock the devices. In a legal context, the Fifth Amendment protection for passcodes (and now biometrics) is just a doctrinal justification to ensure that privacy interests receive their proper protection in the Fourth Amendment analysis.

Or is it? Perhaps the Fifth Amendment protection against involuntary self-incrimination is just the right fit as biometrics advance and become more common. It may be convenient to unlock a phone with a finger, without having to memorize a passcode, but it’s also a lot harder to get a new fingerprint than to come up with a new passcode. You can walk into a restaurant and choose to give a pseudonym to the maître d’, but if that restaurant has a camera that uses facial recognition to identify customers, you can’t choose to use a new face. There is a recognition, therefore, embodied in the ever-growing body of privacy laws dealing with biometrics, that biometric identifiers should only be used with the consent of the subject. And so it is perhaps fitting that, as courts grapple with striking the right balance between law enforcement interests and privacy interests, that the Constitution’s venerable protection against involuntary self-incrimination plays a central role.