Issues with biometrics: Here’s looking at you, Fed

HACKING THE LAW

I'm writing these first few lines on my brand new iPhone X. The phone is super cool, but for the fact that I'm still learning all of the new moves that I have to use to manipulate the machine in the absence of a home button. There's an awful lot of swiping here and there.

The most promoted feature if the iPhone X -- said to be the wave of the future -- is that the X uses facial recognition software to unlock the device. It replaces the fingerprint that was formerly required to unlock the device. The phone no longer has a home button. To make things even easier on the end user, facial recognition can even unlock your apps and data by simply pressing a new "key" button and just looking at the phone. Accordingly, there isn't much need to remember your iPhone passwords anymore. It's great -- but for the fact that we all know the facial recognition feature is soon going to be cracked, just like the Chaos Computer Club did to the fingerprint recognition days after that debuted. Eventually, we'll wind our way to data theft or insecure devices.

Those bold enough to go to the infamous /b/ board on 4Chan and post child pornography will be the first to inflame the hacking community such that hackers simply have to find a way to remotely crack facial recognition. /b/, as it is fondly known, is the birthplace of the hacktivist collective Anonymous, for whom I'm said to be something ridiculous like in-house counsel. I'm not. Don't believe everything you read. Hackers hate child pornographers. They hunt them. "CP" they call it, or Cheese Pizza, or Hard Candy. Hackers hate CP not just because of the deviance, but child porn is a threat to a free and open internet. Nothing brings government scrutiny down upon the net like child pornography. Nothing makes bad law like CP. (See, e.g., the new Federal Rule of Criminal Procedure 41). The hacker ethos is "death before censorship," except when it comes to CP. The internet is overflowing with articles about hackers that have taken down large chunks of the Dark Net to eliminate CP. There has been talk by the US government of outlawing TOR software, a randomizing and anonymizing tool invented by the Navy to securely disseminate information online that was not searchable or reachable without knowledge of the exact location. In other words, you can't just go and Google sites on the Dark Net. I use TOR and a VPN to securely communicate with clients. There's even talk of banning encryption.

But this column isn't about the CP exception to censorship that hackers have carved out to protect a free and open net.

This column is about convenience vs. security.

Whether we are talking about the ease of access offered by facial recognition or fingerprint access, there are important privacy, security and Fifth Amendment implications to consider. The Fifth Amendment is the natural place to start. After all, a court may, and likely will, consider a face or a fingerprint to be an exemplar. The U.S. Supreme Court, in Schmerber v California, 384 U.S. 757, 764 (1966), did just that:

"On the other hand, both federal and state courts have usually held that it offers no protection against compulsion to submit to fingerprinting, photographing, or measurements, to write or speak for identification, to appear in court, to stand, to assume a stance, to walk, or to make a particular gesture. [fn omitted] The distinction which has emerged, often expressed in different ways, is that the privilege is a bar against compelling 'communications' or 'testimony,' but that compulsion which makes a suspect or accused the source of 'real or physical evidence' does not violate it."

That is the beginning, and not the end of the inquiry. Over a decade ago I represented a client named Diaz in the trial court and brought a motion to suppress. Diaz had been contacted by a "friend" who wanted ecstasy (commonly referred to as "X") and a ride. Diaz had six pills that he sold to his friend for $80. He gave his friend a ride and his friend sold the X to an informant, leading to an immediate arrest for both of them. Diaz invoked his right to remain silent. The friend spoke and told the police that Diaz sold him the X that he turned around and sold to the snitch. The detective, who was already in possession of Diaz's phone, opened it and looked through his texts. There was a text to his friend in response to a query for X that said "6 4 80." Of course, the friend had already told the detective that he had purchased six pills from Diaz for $80. Confronted with this evidence, Diaz confessed. My suppression motion, based upon an expectation of privacy in a cellphone and the fact that the detective failed to obtain a warrant was denied. The denial was ultimately upheld by our Supreme Court. See People v. Diaz, 51 Cal. 4th 84 (2011).

The Supreme Court majority analyzed the case without regard to changing technology or the personal nature of a cellphone. When the issue reached the U.S. Supreme Court in Riley v. California three years later, they came out opposite Diaz in a unanimous 9-0 opinion. 134 S. Ct. 2473 (2014). The narc and I had a lot of intellectual discussions about the issue over those three years. When Riley came out, instead of having any regard for the Constitution, he simply told me "It was good while it lasted. A lot of crooks went to jail." (I kept that email. That's exactly what he said.)

Thus, the issue is settled. One has a reasonable expectation of privacy in their cellphone. The police must obtain a search warrant to search a cellphone.

Still, once they have a warrant they still have to gain access to the phone. iPhones can be set to remotely wipe after 10 failed password login attempts. You can do that between the time you're pulled over for a traffic stop and the police officer makes his way to your window. But if you are using biometrics instead of a password you are in exemplar territory. And that is where the trouble begins.

As lawyers, we all have a duty to maintain client confidences inviolate. (See Rule of Professional Responsibility 3-100 and Business and Professions Code Section 6068). As a matter of practicality, representing a client often requires frequent access to information stored on electronic devices. Mostly, those devices are computers and smartphones. Smartphones are extremely convenient to take to court and to bring information home. Biometric access creates stronger security and greater ease of access. Seems like a win-win, right? It isn't what it seems. For example, it certainly isn't for those accused of crimes that wish to retain the privacy of the contents of their device. One case in particular is illustrative of this point.

Francis Rawls was a Philadelphia police officer. He was suspected of possessing child pornography. A warrant issued and among the items seized were two external hard drives. He invoked his Fifth Amendment right against compelled self-incrimination. He refused to comply with a court order commanding him to use his password to unlock the two hard drives the authorities say contain child porn. The two external drives were encrypted. He claimed to have forgotten the password. He has been in jail on a coercive civil contempt for almost two years. Of course, if he divulges his password, he could face decades in prison for possession of the child pornography.

Forensic computer examinations revealed that the file signature for many files on the external hard drives was the file signature, or "hash" known to belong to particular child pornography files. See U.S. v. Apple MacPro Computer, 851 F. 3d 238, 242 (3d Cir. 2017). "A 'hash' is '[a] mathematical algorithm that calculates a unique value for a given set of data, similar to a digital fingerprint, representing the binary content of the data to assist in subsequently ensuring that data has not been modified.'" Id. 242 n.3 (citation omitted). No two hashes are the same. Those files are what the FBI claims them to be.

Based upon the computer forensics, the 3rd U.S. Circuit Court of Appeals had no trouble deciding that it was a "foregone conclusion" that the files on Rawls' computer were child pornography. Accordingly, the contempt order was upheld. Rawls can either stay in jail or he can give up his password.

What, then, if Rawls had simply secured his device with a fingerprint or facial recognition? Ugh oh. It's clear to me that the judge would have allowed the police to force a fingerprint or allowed them to put the phone up to Rawls' face.

Contrast Rawls with In re Grand Jury Subpoena Duces Tecum Dated Mar. 25, 2011, 670 F.3d 1335, 1337 (11th Cir. 2012). There, the court found that "(1) [the suspect's] decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions." Id. at 1346. The court reached this decision after noting that the government did not show whether any files existed on the hard drives and could not show with any reasonable particularity that the suspect could access the encrypted portions of the drives. Id. U.S. v. Apple MacPro Computer, 851 F. 3d at 248.

In that case the authorities were tipped off that the contemnor was arriving from overseas with a laptop that contained child pornography. Like Rawls, the file was encrypted. In Grand Jury Subpoena, the court ordered the government to grant derivative use immunity if they wanted access to the computer in that there was a valid assertion of the Fifth Amendment privilege. 630 F.3d 1335, 1352-53. Accordingly, the difference between derivative use immunity and perpetual contempt rests upon whether the nature of the files is a "foregone conclusion."

It is becoming more and more common that CP cases involve images on smartphones. Once a judge is persuaded that it is a foregone conclusion that the files on the device are CP, one need not turn over an encrypted password. Nope. Smile. The Feds have just gained access to the device. Here's looking at you, Fed.

These lessons apply across the board for all of us. Query: What sensitive client information do you have on your phone? Emails? Files? Discovery? Trade secrets? Texts, direct messages, stored contacts? Do we sacrifice convenience for security?

And what about that iPhone X? It's so damn cool. You just look at it and you can watch the lock icon open. So quick. So, so awesome. But with convenience comes sacrifice. Sometimes, especially as a criminal defense attorney, warrants are served for client information. It happened to Mark Geragos in the Michael Jackson case. In Ventura, where I practice, a lawyer for a medical marijuana collective had a warrant served upon his office, car, computers and cellphone. He just simply gave over the password to the phone. He made no attempt to preserve his client confidences. The warrant called for a seizure of the phone, not the relinquishing of the password. Is he in violation of the letter or spirit -- or both -- of Rule of Professional Responsibility 3-100 and B&P 6068? I'll leave that to you to decide.

What could possibly be scarier than a warrant for a lawyer's office that invades his client files? The corporate espionage that may accompany a massive dollar civil lawsuit. The hacking. The incentive to steal client secrets; to get a leg up. Remember, it took days for the Chaos Computer Club to crack the first iteration of fingerprint identification. They were very public and took the hack as a challenge; a puzzle to be solved. What if opposing counsel has no scruples and has already hired a black hat hacker to crack facial recognition on your phone? At that point, you may wish you can simply say: "Here's looking at you, Fed."