Last week, Samsung announced that its Galaxy S8 phone would let you unlock it by scanning your face — a method that could be quicker and simpler than entering a passcode or even using a thumbprint. As we noted at the time, this isn’t a strong security measure; in fact, someone already fooled it with a photograph. But there’s another, less-obvious issue: one key Constitutional protection for passwords usually doesn’t apply to biometric security measures like face scanning.
The Fifth Amendment, which protects people from having to incriminate themselves, holds that passwords or passcodes are “testimonial” evidence. In other words, you can refuse to give up your PIN because doing so would mean answering a question based on the contents of your thoughts, not providing a physical piece of evidence. But as early as 2013 — the year Apple announced its Touch ID sensor — security experts were warning that fingerprints wouldn’t fall under this rule. So far, this theory has held up. A Virginia judge let police use a fingerprint to unlock a phone in 2014, and similar requests were granted by other courts in 2016 and 2017.
“The self-incrimination analysis for biometric and face scanning would be the same as for Touch ID,” says Jeffrey Welty, a law and government professor at UNC-Chapel Hill. “Standing there while a law enforcement officer holds a phone up to your face or your eye is not a ‘testimonial’ act, because it doesn’t require the suspect to provide any information that is inside his or her mind.”
Most people using Samsung’s (or another company’s)…