As law enforcement continues to battle for access to mobile devices, police are being advised to not even look at a suspect’s phone. The idea is that a phone that authenticates via facial recognition could fail to unlock for the officer repeatedly and then default to password/PIN.

This advice, contained in a series of vendor slides accessed by Motherboard, refers to the iPhone’s security lockout, which kicks in after five failed biometric authentication attempts. On the one hand, this could be an issue with Face ID. Unlike finger scans, it’s hard to determine when one facial-recognition attempt ends and a second begins. If someone looks at the phone and looks away and looks again, does that constitute two attempts? What if the person just looks at the phone for a relatively long time? Will the phone eventually conclude this should constitute more than one failed authentication attempt?

On the other hand, this seems unlikely. With the phone locked, the detective isn’t going to learn much by staring at the screen. Maybe he or she might glance again, but five times?

Note: The Motherboard story includes a BBC link to a story about British law enforcement officers waiting for a suspect to unlock the phone and then quickly grabbing it, being careful to continually swipe the screen so it won’t time out and ask for reauthentication.

All of this is of interest because, when dealing with police, there have been suggestions that PINs/passwords cannot be compelled but biometric authentication can. The argument typically speaks to practicality, meaning that law enforcement can physically force a suspect’s fingers onto a mobile device — or place the suspect’s face in front of the screen — but officers can’t force suspects to speak or type their password/PIN.

Even at the practicality level, I don’t see this holding up. First off, sometimes law enforcement can get, how shall we say, hands on? Legal or not, with the ever-present threat of physical violence or prolonged detention, it’s going to be a rare suspect who will stick with a refusal. Even if the suspect does consistently refuse, can the suspect be jailed until the password/PIN is revealed?
