So a couple months back in May, the Department of Justice in California, USA sought “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.”
According to the court filing, “it [The Government] has demonstrated probable cause that evidence may exist at the search location, and needs the ability to gain access to those devices and maintain that access to search them. For that reason, the warrant authorizes the seizure of passwords, encryption keys, and other access devices that may be necessary to access the device.” But the problem here lies in where to draw the line: when are we using the info to identify someone, and when are we using it to gain access to all of a person’s other info?
Think back to the case where border agents were able to force passwords out of our own citizens, or the R. v. Fearon case, where police have a particular agreement to search cellphones under specific circumstances.
Of course, in either circumstance one can outright refuse and say they forgot the password, or attempt to get it wrong, but when a fingerprint is at hand you have a new game at play. We’ve seen how it’s possible for someone to break in using a fingerprint fairly easily. Thus, the issue here comes down to how the law is meant to be interpreted and how law enforcement is encouraged to act. It also serves as a pressing reminder that while biometrics are convenient to use, they should typically be used as part of two-factor authentication (i.e. a password + something belonging to a person) and not on their own.