
Your privacy, fingerprints and the Fifth Amendment

January 2017: With the current political climate, we feel now is a great time to remind everyone about their right to privacy and where it ends. This post was originally published in May 2016 but it's just as important now, if not more so, than it was then.

Being able to unlock your phone with your fingerprints is a really good thing. It's not the most secure method you can use, and there are issues about having only one set of fingerprints if you ever need to change your login credentials, but the convenience factor means more people will keep their phones locked when they're not using them. That means your privacy is protected, as well as the privacy of everyone in your contacts or people you're networked with through social media when and if someone else gets their hands on your phone.

We all should thank Motorola for trying it, and Samsung and Apple for making it good. Using biometrics to verify identity isn't exactly new, but getting everything working on a tiny pocket computer surely wasn't easy. We've also seen iris scanning on the Alcatel Idol 3 and the short-lived Note 7. We'll probably be going through this same scenario when iris scanning tech takes off, too.

If you're in the U.S., though, there's another snag that not everyone knows about — law enforcement can force you to place your finger on your phone and unlock everything. A precedent was set by the Circuit Court of Virginia in October 2014, and recently upheld and reinforced by a federal court in February 2016, that makes it clear that while you can't be forced to provide a passcode for an electronic device, your fingerprints and using them to unlock the same device is not protected by the fifth amendment of the U.S. Constitution.

You can be forced to incriminate yourself by providing anything and everything on your phone to law enforcement by using your fingerprint as long as a warrant was requested and received. This will almost certainly be challenged as a direct violation of the fifth amendment (and possibly parts of the fourth amendment), but for now, this is the law.

You can be compelled to provide your fingerprint and unlock your phone, under current U.S. law

I want to be clear on a couple things here. Nobody at Android Central is condoning any criminal behavior, nor do we judge anyone for their feelings on how they want to help law enforcement investigate any case. If you want the U.S. government to have access to the data a person involved in an investigation has on their phone, that's fine. You should realize that not everyone feels the same way, as well as know that you don't have to be a law-breaker to value your privacy.

If you, or a peace officer in any capacity, were to get access to my phone, you'd find nothing that puts me at risk of prosecution, and you'd probably be bored looking at pictures of my family and my dogs, half-completed documents I'm working on and maybe an expense report or two. But that's my stuff, and I don't want anyone rifling through it. It's OK to feel differently.

But this leads us into ideas of how we can protect that privacy if we're using our fingers to open the secure container that holds it all. And there are a few things you can do.

You'll need a backup method to unlock your phone if you are using a fingerprint scanner. A four-digit PIN works well here. It's not too difficult to break, but protections that make you wait between incorrect attempts and a self-destruct feature where data is wiped after a certain number of attempts mean that getting past a PIN will prove to be difficult. Like using a fingerprint in the first place, it's a nice balance between security and convenience.
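The reasoning above, worked through as an added example that is not part of the original article: a small model of attempt throttling plus wipe-after-N-failures, showing why a short PIN holds up when both protections are on. The delay schedule, wipe threshold and all names are assumed values for illustration, not the settings of any particular phone.

```python
"""Model of a PIN lock with attempt throttling and wipe-after-N-failures.

All policy numbers are constructed for illustration; they are not the
settings of any particular phone or OS version.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    free_attempts: int         # wrong guesses accepted before any delay applies
    base_delay_s: int          # wait imposed after the first throttled failure
    max_delay_s: int           # cap on the doubling delay
    wipe_after: Optional[int]  # wrong guesses that trigger a wipe (None = never)

    def delay_after_failure(self, failures: int) -> int:
        """Seconds the device refuses input after the Nth wrong guess."""
        if failures <= self.free_attempts:
            return 0
        delay = self.base_delay_s
        # Double the wait for each further failure until the cap is reached.
        for _ in range(failures - self.free_attempts - 1):
            if delay >= self.max_delay_s:
                break
            delay *= 2
        return min(delay, self.max_delay_s)


def pin_keyspace(digits: int) -> int:
    """Number of possible numeric PINs of the given length."""
    return 10 ** digits


def guess_probability(keyspace: int, policy: LockoutPolicy) -> float:
    """Chance that distinct guesses hit the PIN before the wipe fires."""
    if policy.wipe_after is None:
        return 1.0  # with unlimited tries the whole keyspace can be covered
    return min(policy.wipe_after, keyspace) / keyspace


def worst_case_seconds(keyspace: int, policy: LockoutPolicy) -> int:
    """Enforced waiting to try every PIN when nothing wipes the device.

    Worst case: the right PIN is the last one tried, so keyspace - 1
    failures come first. Time spent typing is ignored.
    """
    return sum(policy.delay_after_failure(n) for n in range(1, keyspace))


# Assumed policies (constructed values).
THROTTLE_ONLY = LockoutPolicy(free_attempts=5, base_delay_s=30,
                              max_delay_s=3600, wipe_after=None)
THROTTLE_AND_WIPE = LockoutPolicy(free_attempts=5, base_delay_s=30,
                                  max_delay_s=3600, wipe_after=10)

if __name__ == "__main__":
    for digits in (4, 6):
        space = pin_keyspace(digits)
        days = worst_case_seconds(space, THROTTLE_ONLY) / 86400
        chance = guess_probability(space, THROTTLE_AND_WIPE)
        print(f"{digits}-digit PIN: {days:,.0f} days of enforced waiting "
              f"with throttling only; {chance:.4%} chance of a correct "
              f"guess before a wipe after 10 failures")
```
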

PIN settings

The real benefit here is that you can require this PIN to be entered before your phone will start. You'll see this option when you set up a phone as new, or when you go into the security settings and change the PIN itself. This means that every time your phone is started, it's completely dead until the correct PIN is entered. No data is decrypted, no calls can come in, and no software outside of the bootloader itself is running.

Because a PIN is either required to start the phone (if you choose to use this feature) or unlock the screen for the first time after it starts up, you can't unlock it with just your fingerprint — your fifth amendment protected PIN is required. And with all current Android phones and iPhones, a piece of hardware embedded in the system-on-chip that houses the CPU keeps things locked up and inaccessible through standard software hacking.

If you see the blue lights, just hold the power button and shut down your phone.

Now, this isn't going to help if you're a fugitive and subject to being detained on sight or caught in the act doing something shady. But if you're just a regular person who doesn't want anyone to get information about you or the people you keep company with, it's pretty effective. If you're able to do this, it means you get to decide if you want to share what is on your phone with "the man."

Android phones with unlocked bootloaders also pose a risk. Don't think that even your local constable doesn't have access to people just as savvy with Android as the folks you find at XDA. If your bootloader is unlocked, anyone can dump the software and all the data from your phone onto a computer without ever having to use the lock screen. With enough incentive, even an encrypted image that has a key to unlock it stored in the protected hardware of the original phone can be cracked. Chances are there's not much incentive to go through this for a regular middle-aged dude like myself, but what if I had a random Twitter interaction with someone who is worth the trouble?

The internet connects the world, and that funny meme you liked on Facebook could have been posted by anyone. Facebook is obliged (rightfully so, in my opinion) to provide any and all publicly available data (the public part is important) about a user when the right warrant is served. If you liked a post from a person of interest, the people who want to know more about you don't care that you claim to have a phone filled with texts from your friends and cat pictures — they want to see for themselves. Keeping the bootloader locked means it's almost impossible for them to have a look, and they likely won't even try.

I want the police to put people doing horrible crimes in prison where they can be rehabilitated, or at least be kept from doing more harm to society. Most of us aren't one of those people, and getting arrested or detained for drag racing or having a tiny baggie of weed in your pocket or any other minor offense doesn't make you Charles Manson or the Zodiac Killer. Neither does peacefully protesting against a government overstepping their bounds. We all have rights and a reasonable expectation of privacy. If the courts won't decide to uphold our fourth and fifth amendment rights when it comes to what we have on our phones, then we should do everything we can to protect them ourselves.

I just want to share my data on my terms, and want the same for you.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

165 Comments
  • I've done the opposite when pulled over and when I've gone through a DUI checkpoint. I set my phone in the cup holder pointed towards the window and instantly start recording. I personally think every encounter with law enforcement should be recorded for your safety. Living In An Android World
  • Totally agree! Posted via the Android Central App
  • A potential idea might be to just use a fingerprint you don't have registered a couple times in a row so the device locks out and requires a PIN, then start recording. That way your stuff is protected behind a PIN, but you can also record for your own safety.
  • U can quick launch ur camera and keep ur phone locked at the same time.. At least with the Nexus 6P u can by double pressing the power button. Posted via the Android Central App
  • That's exactly what I'm suggesting. You want to make sure the biometric authentication gets locked out so your device now requires a warrant to be searched, and then you launch the camera from the lock screen so you can still securely record. If you start recording without first making sure your fingerprint is locked out, they could still seize your phone in the middle of a traffic stop and force you to unlock it (as the article says). I was merely suggesting a way to get the best of both worlds: the security of recording the traffic stop (for your own protection), and the security of making sure your biometric signatures are locked out (also for your own protection). For example, on my Lumia 950 XL that I have set up to work with my retinas: I would just purposefully let Windows Hello time out three times, and then it will no longer accept an iris scan, and require me to enter my (16-digit) passcode. Then I can securely press the camera button and begin recording the traffic stop. In this scenario: I get not only my phone being locked out to cops until a warrant is issued, but also I can record the traffic stop to make sure they don't get away with anything shady.
  • First of all, always have your camera on medium resolution, keep extra room available in internal storage, default location for pics-video should be on phone not external SD. Now when you get pulled over like I do 3 times a month, all you have to do is go to Settings, Security, Fingerprint, and disable. Reboot phone before cops get to car. Quick launch Camera and start recording. Cops have actually taken my phone to get the video footage erased and even removed my SD card to get at the footage.
  • What color are you?
  • 1/4 White, 1/4 Hispanic, 1/2 Black. I get affected by it all.
  • Sadly, I just tried this on my Note 5. Used an unregistered finger until PIN was required. Then double-tapped home button to go into camera, and took a picture. After leaving the camera, I was able to unlock the phone with a registered finger.
  • Just tried it on my Note 4. It's simply a time-out, sort of like a way of deterring one from snooping on one's device. Posted via the Android Central App
  • @SwimSwim: this sounds like obstruction of justice. Also while you are not supposed to be forced to give your password, you could be held in jail like this guy http://arstechnica.com/tech-policy/2016/04/child-porn-suspect-jailed-for...
  • I'm curious: How would disabling biometrics so that a PIN is required be an obstruction of justice? As far as I can tell, it's no different than declining to let police search my home until they have a warrant. No warrant: No search. The way I understand it (And I'm not a lawyer, so I might very well be misinformed here) is that obstruction of justice would be if I locked out my phone so police needed a warrant to search it, but then before they got the chance: I wiped the memory on it so any evidence would be destroyed.
  • As a matter of fact, it doesn't have to be the index fingerprint you use to unlock your phone. It could be any finger. And there's a setting to lock up the phone after five swipes from a non-matching finger.
  • It sounds paranoid but the one time you really wish you'd recorded the stop, you will probably REALLY wish you'd recorded the stop. They should build stop recorders into cars.
  • Exactly Living In An Android World
  • Are the cops really that bad in America? Blackberry Priv
    Nvidia Shield "Portable"
    Sony Xperia Z3 Tablet Compact
  • i'm probably going to receive a lot of grief for this...but no, they're not...there's some corrupt cops, but most cops are just trying to do their job....they're like bees, most of them, in that if you don't give them a reason, they won't screw with you beyond a typical every day stop...most of the videos you find online start up at the precise moment to make the police officer in question look like a monster, with no way of knowing what preceded the recorded events
  • Pollyanna
  • YouTube corrupt cops and see how many videos you get... Then pay attention to how many videos have black cops being corrupt. Then pay attention to how many of these encounters end up with the cop being cleared of any wrong doing, despite video evidence. Then BE HAPPY YOU'RE WHITE.
  • Worse than you can imagine.
  • Depends on who you are and where you are.
  • I agree
  • What about using a pattern lock/unlock? I'm with you Jerry, I really have nothing to hide on my phone or electronics. But, I don't want to freely allow law enforcement or others to browse through my stuff without a warrant or probable cause. Majority of my pictures are of family and various family outings or unfinished projects around the house!! I have instructed my teenage son about sending and receiving "stuff" and his online usage (Facebook, Snap Chat, Memes). My rule is, if you receive anything I would lecture you about, delete it, don't save it, and don't forward. Additionally, if at school and an administrator asks for your phone, comply, but you are not required to cough up your passcode. If this persists or involves school police, respectfully ask them to contact your parent. He uses a pattern lock.
  • I do believe pattern lock is protected.
  • I don't see why it wouldn't be. Entering in a number sequence on a pin pad is a pattern and they cannot force you to disclose that.
  • Also tell him to go into Bootloader mode and dump the entire cache. Just because you deleted it doesn't mean it's still not on your phone. Need a new OK Google phrase while hands free, OK Google factory reset my phone
  • I believe a pattern lock would be protected like a PIN or password. The key difference here is that what is needed to unlock it is in your head (PIN, password, pattern), not part of your body.
  • Yes, but don't trust a judge or law enforcement to see it that clearly. Just look how they've twisted the law to allow them to force us to unlock a phone using our fingerprint if the phone is secured with a fingerprint.
  • If they have a warrant, they can fingerprint you, and then take that fingerprint card, and use it to open your phone. So they'll still be able to open your phone, and you'll have fingerprinting ink all over your phone in the process.
  • I don't think an image of a fingerprint will work.
  • I had this idea when Jerry had me thinking about fingerprints and security and all that. Wouldn't it be great if fingerprints could be used as an "unsecure" method in conjunction with smart lock? In short, you have a 25 character password to keep your phone safe. But that's a bit much to type all the time, so you use fingerprints to bypass it. Just like smart lock does with other things. This in turn could be configured the same way as smart lock normally is, only when I'm at home, when I'm moving etc. Even without fingerprints it would be great to use a strong password and then a 4 digit pin when I'm at a secure location. Something Google could add in Android O =)
  • Very interesting idea. Would be nice to have as another option. Hopefully Google is kicking this around (or something like it) as the whole security genre has received a lot of attention lately.
  • in theory that is good. but im gonna play devils advocate. suppose i took a walk to the store and have a heavy bag of groceries. i'd have to type 25 characters into my device.
  • At my company, we had Airwatch (device management software) installed. The company required a pin lock on all phones which is common. I was the Airwatch administrator and was able to apply that to my, and my boss's phones. When in a certain geographic location, pin was required. When I was at home or out of that area, no pin was required. Was pretty cool actually. ...Thinking back on it, that may have utilized a Google feature, trusted locations.
  • A wonderful article. My concern as a parent, and a spouse, is that it takes you off the grid when you may need to be on the grid. Start TRON music ....... Posted via the Android Central App
  • *standing ovation* Thank you Jerry for this article and its knowledgeable and valuable information. I like how you mention multiple times that it's OK for everyone to think/feel differently, while at the same time this article expresses your personal opinion. It's not preachy or pointing everyone in one direction over the other. You strike a nice balance between informative and selection. Very well written. Now, for the article itself. Thank you for explaining all options in detail so that everyone who reads this can make an informative decision on what they want to do... or at the very least, know that they have a last minute option if they see blue lights behind them. I love reading articles like this from you and look forward to the next one.
  • Interesting article Jerry.. Thanks for sharing. Posted from my AT&T LG v10
  • Question about fingerprint locks:
    Is the fingerprint stored on the device only or can the phone manufacturer/law enforcement agencies (NSA) "see" my prints when I set up my phone? SiDi™
  • THIS! Posted via the Android Central App
  • Your fingerprint is analyzed by the software, and turned into an encryption token. The token itself is stored on what's called a TEE module in the phone hardware (those haven't been cracked yet) and referenced by a separate token in software that points to the TEE when authentication is needed. The actual fingerprint data isn't stored or saved anywhere, just the result of analysis.
  • Thanks for the article and thanks for the reply!! SiDi™
  • Thank you for clearing that up. I had no idea where my fingerprints were being stored. I actually haven't used my fingerprint sensor because of that. I might give it a try now. Living In An Android World
  • @jerry
    OK. You did say "never cracked..." - if someone was to break in , is there any way to put all that data together and actually have your fingerprints? Moto XPE/VZW Moto X DE/N7
  • No. But what they would have is just as bad — the token your fingerprints generate through the algorithm, or even worse — a way to fake it. Getting your actual fingerprints is easy. They're on your mailbox or your car door handle.
  • Lol. But in that case (mailbox drive by :)) you would have to be specifically targeted.
    Wow that's interesting. At least, not having that data stored in a cloud feels somewhat safer. Moto XPE/VZW Moto X DE/N7
  • The other neat thing about fingertips, is (especially for optical sensors) pressure affects the spacing in the papillary ridges, which affects the deltas between those ridge spacings, which yields a different 'fingerprint' (a human looking at the print itself can notice, and a computer can compensate for the variations) but a simple optical reader can't. So a 'hard fingerprint' and a 'soft fingerprint' can appear to the computer/phone to be two different people. This also explains why when you angrily slam your finger against your biometrically controlled optical reader on the time clock - it doesn't always read.
  • When it comes to security, always assume that it can be compromised. But to answer, per Google it's stored locally, encrypted, at least on Nexus devices: https://support.google.com/nexus/answer/6300638
  • Thanks for the link! SiDi™
  • Thank you so much for the link. I've been very very very curious about fingerprint security. Living In An Android World
  • The fifth amendment and such don't apply to me, and I actually have no idea if I can legally be compelled to surrender my fingerprint (though I would assume so). However, regardless of legality it's good to bear in mind that it's infinitely easier to physically force someone to surrender a fingerprint than a password. Especially if someone is unconscious. It's best to assume I'm being sarcastic. if I'm ever serious I'll type "/s" to make it clear.
  • Nothing sarcastic about that, it's absolutely true. The fingerprint feature is great for convenience, but it is NOT secure by any means. No method is 100% secure but some are better than others.
  • Was thinking the same thing. Would love a hands free phrase for your phone, OK Google factory reset my phone, if you were being forced to unlock your phone. Or a personalized phrase in Star Trek, OK Google complete Picard Alpha 4 then your phone automatically factory resets.
  • Might be doable using Tasker.
  • Nova Launcher has an option to lock your phone and require a password, and this action can be set to a gesture. For example, use fingerprint unlock normally, but if you anticipate being pulled over just double tap your screen to password lock it. I also recommend a full password rather than a pin. Use fingerprint unlock for convenience and the regular password as your more secure backup security method. Posted via the Android Central App
  • Does anyone know if vanilla Android has a similar feature? Posted via the Android Central App
  • With the screen off, press the lock button. Then tap the "lock" at the bottom center of the lock screen. This will require you to enter your pin/pattern/password (which ARE protected under the 5th amendment) to get past the lock screen. It will also temporarily turn off any smart lock features (trusted devices, trusted places, on-body detection). Posted via the Android Central App
  • Nah that will still let you log in with a fingerprint Posted via the Android Central App
  • Yeah. Idky I was thinking that it would lock out fingerprint scans. Posted via the Android Central App
  • Locks it out on my V10
  • Never mind. Using this method you can still get in with a fingerprint scan. It only locks out the "smart lock" features. Posted via the Android Central App
  • I use Nova Launcher and love this feature. I have mine set to lock the phone when I double-tap the screen. If I were ever pulled over, I simply unlock with my fingerprint, then double-tap the screen. Locked up all safe and secure with my 7 digit pin. My pin is required on startup as well.
  • Jerry, I like and respect you even more for this article. You've articulated the issue very well. Posted via the Android Central App
  • Great article, thank you Jerry! Posted via the Android Central App
  • Three things: 1. Great article. Well written and informative. You're just the right amount of paranoid, and I appreciate that. 2. A two factor authentication for startup on Android phones would be awesome. (Authentication factors are something you have, something you know, or something you are.) After startup, single factor would be fine just to keep things snappy. 3. If you raise enough red flags, the gov't absolutely will break your encryption and own your device no matter how high security you get. If you knock off a 7-11, you will probably be ok, but if it gets to a federal level, your fingerprints, pin and encryption won't stop Uncle Sam from getting all in your business. If this is new information to you, then you haven't been paying attention. Posted via the Android Central App
  • 2. - If you need two factor authentication, what happens if your phone restarts or you turn it off when you aren't next to your computer?
  • Start up your phone with PIN and fingerprint. (Something you know and something you are.) After that, phone requires only fingerprint until restart. This is a signature.
  • Hmmm ~Android Central
  • I'd be curious to see if this covers all biometric options, including iris scanners. I do know that on the Lumia 950 series if you restart the phone, the iris scanner doesn't work at first boot up...it asks you for your pin. So by powering the phone off, it does the trick Jerry mentioned in covering your rights. I'm curious to see if other OEMs look into other biometric options besides fingerprint scanners for differentiation, what the law will say about those as well... G4 Approved
  • Can I do this on my OG Nexus 5? Can't seem to find it.
  • I agree about the Charles Manson analogy, but we could still be the Zodiac Killer. They never caught that guy. Posted via the Android Central App
  • No, I'm pretty sure I read that they know who the Zodiac Killer is, he just dropped out of the Republican presidential nomination race.
  • The reason the law says they can get a warrant for your fingerprint and not incriminate yourself, is the same way the law can get a warrant for a cotton swab of your mouth and saliva for DNA. Your fingerprint is a part of you, just like saliva. But your pin code or pattern code is a part of your memory, and that is what is protected by the 5th amendment and the law cannot ask you to unlock your phone with a pin or pattern code without incriminating yourself. I have been telling people for the last couple of years about this kind of security risk to themselves after the law said in 2014 that they could get a warrant for your fingerprint. Everyone I have told is an upstanding citizen, but even common people need to know and understand their rights. Never give out your phone to a police officer or teacher or anyone unless they have a warrant, and even then, make sure you have some kind of lock screen. Protect yourself and others that you interact with.
  • Very smart Living In An Android World
  • Great article, Jerry. I don't have anything to hide myself, but I do value my privacy, and I was just thinking about this after the recent court rulings. I was glad to find that in the Nexus Imprint support docs it says that you will have to enter your backup method (PIN, password, or pattern) at least once every 48 hours. That explains why I have been seeing a message periodically that says something like "Please provide your PIN for additional security" - at which point I cannot unlock my phone with my fingerprint until I've entered my PIN. I would like to see Google make the fingerprint entry method in Android more like Smart Lock. It would be nice to be able to tap on the fingerprint icon at the bottom of the screen to disable fingerprint unlock temporarily, making it necessary to enter the backup method instead. That option already exists with Smart Lock, and I would occasionally use it when Bluetooth unlock was enabled but someone was in the car with me. That seems more reasonable than ensuring privacy by shutting the device off entirely, but I'm curious how Direct Boot changes in Android N might affect all of this also.
  • Idk but I'm still not comfortable storing my fingerprints in the phone or any device, especially when we have so many options available (at least on Android) - PIN, 20 character Passwords, Pattern, BT devices, Location, NFC chips. Moto XPE/VZW Moto X DE/N7
  • Your fingerprints don't get stored.
  • So how does it work then? Moto XPE/VZW Moto X DE/N7
  • It converts the attributes of your fingerprint to a bunch of statistics which are then hashed and stored. When you put your finger on the sensor to unlock a hash is again generated and compared to the stored hash. If they are smart they will use a device-specific salt as part of the hash algorithm. That way even if someone were to obtain the stored hashes they would not work on other devices.
  • com.apple.MobileSoftwareUpdate.UpdateBrainService [345]
    .RoleAccount.staging/com.apple.MobileSoftwareUpdate.UpdateBrainService.16777218.566969.xpc/com.apple.MobileSoftwareUpdate.UpdateBrainService
    Identifier: com.apple.MobileSoftwareUpdate.UpdateBrainService
  • Good article, Jerry. It's nice to see articles like this on AC (instead of the completely un-researched "best SD card" type articles.) I would like to add a couple of points, however, regarding your suggestions: First, if your device decrypts data on boot up, a password or PIN won't protect your decrypted data. It makes it slightly annoying to get to, but it's not overly difficult. This was implied in the article, but stating it directly nicely leads to... Second, if you choose the option to prevent the device from decrypting on boot up until a password/PIN is entered, be sure that your phone is running VERY stable firmware. As mentioned, the phone is essentially a brick until the decryption takes place - and if your firmware (or some app on your device) causes unexpected reboots, you won't get any calls, text messages, VM notifications, or anything else until you notice that your phone rebooted and enter that password/PIN. This can also occur if your carrier likes to FORCE firmware updates (which usually involve a reboot.) Take care
    Gary
  • Jerry mentioned:
    "Android phones with unlocked bootloaders also pose a risk."
    "With enough incentive, even an encrypted image that has a key to unlock it stored in the protected hardware of the original phone can be cracked."
    I like to keep my bootloader unlocked (so that I could from time to time boot into TWRP) but unrooted. It is my understanding that cracking Android encryption even if you have access to dumped image is supposed to be very challenging and I'm counting on it.
    I would like somebody to chime in regarding reliability of Android encryption in context of unlocked bootloader. I have not seen on XDA something like "How-To Cracking Android encryption".
  • Hypothetically, any encryption can be cracked. I don't know of anyone who has cracked an encrypted device, and the few people who have made the claim were found to be less than truthful. But that doesn't mean it can't (or hasn't) been done. We often think of bumbling idiots working at government offices, but I can tell you that some extremely bright and innovative people work in US intelligence around the DC area. Exactly the type of people who could find a way to break in.
  • Aww, thanks Jerry! You're a smart cookie yourself. ;) This is a signature.
  • I can confirm that it is exceptionally challenging to gain access to data even with an unlocked bootloader and using something like TWRP. I know, I just went through trying to reinstall a new ROM on a rooted phone with encryption turned on. TWRP couldn't even gain access to the data, let alone decrypt it. I think Jerry's point is, if the boot loader is unlocked, the entire storage drive can be moved over to a computer with the encryption intact. Then the computer has special software and the brute power to then decrypt that data from there. Locked boot loader will not allow any data to be moved, thus someone would have to crack that encrypted data using the phone, which is very time consuming and expensive.
  • What are so many doing that you're worried being stopped by the police and then worried about the phone being searched? I've been stopped once and it was because I acknowledge I was flying down the road. My phone never became the focus of the police. Posted via the Android Central App
  • It's called securing our freedoms and liberties. It pays to be an informed citizen. Would you let the cops search your house for no reason at all? Living In An Android World
  • I never implied that I wouldn't cooperate with law enforcement. But that should be my decision, not theirs. I'll take the choice between complying or jail over not having a say in the matter.
  • I abide by the law as i was law enforcement for quite a while. I have nothing to hide. But i will not/should not surrender my personal stuff unless its accompanied by a search warrant. Then and only then, should they be allowed, by law, to obtain any and all information stored on my electronics.
  • Yes, Gator 352, but even a warrant has its limitations.. and one of those limitations comes in the form of the Fifth Amendment.
  • If they have probable cause for specific items listed on the warrant to search, they can search as it is court ordered. Amendments at this time are suspended until search of said items is complete. But for digital items such as phones, at this time is mundane and needs to be revamped to coincide with the times.
  • I'm not sure the warrant can be for things in your head, can it? If they have a warrant for the phone, by all means, you turn it over to them and allow them to search it. If they are unable to understand its contents (because it's encrypted, or you took notes in a foreign language that they don't understand, or you took all of your notes in a language that you made up and only you know?) that is their burden to overcome.
  • It works like this: Police get warrant for phone. You hand over phone and then you have two choices. Either unlock the phone to let them search it or not. If you don't unlock it, they can charge you with obstruction and they will break into phone anyways. Now bear in mind this is for a warrant only....not a random search. With random searches, they can't make you unlock if you use a pin code. But yes you're right about contents. Once the phone is unlocked and being searched and you took notes in a foreign language, it is their burden to understand it. That goes for anything. Picture locations, bank accounts, phone numbers, and etc.
  • And forgot to mention, the warrant has to be specific. If they want a video from your phone the warrant will indicate video/videos. That is all they are allowed to search. They can't search banking records, messages and etc. If they want to, they have to get another warrant for those items even if they "stumble" upon another crime.
  • I'm not a lawyer, but it doesn't seem to always work that way even with a warrant. For example, my quick search yielded this: http://www.wired.com/images_blogs/threatlevel/2013/04/encryption-case.pdf A warrant was issued, but the act of decrypting the device in question (not a phone, but contents of a computer) was determined to be testimonial in nature "...I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity”—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination." According to the 11th Circuit: "...the decryption and production of the hard drives would require the use of the contents of Doe's mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files." In re Grand Jury Subpoena, 2012 WL 579433 at *8 Different courts seem to have ruled different ways on this, though. My understanding is that it boils down to this, basically: If the government can show with "reasonable particularity" that it already knows what is on the device and where it is on the device, and producing the unencrypted contents will reveal nothing that the government didn't already know, then it is considered a "foregone conclusion" and nontestimonial.
    Edit: Here's a good article where I found one of the quotes I used in my post: https://www.eff.org/deeplinks/2012/03/tale-two-encryption-cases
  • You must not live in the US then.
  • It's not a matter of doing anything wrong. It's a matter of the officer having no right to snoop into my personal data bases simply because I was stopped while driving. If they feel my phone has any relevancy in a criminal case, then there are legal routes to follow. But Officer Jones does not have the right or need to know allowing him to simply snoop around in my personal data.
  • With those with Nexus devices. Just turn off your phone since every bootup your pin or pattern has to be the first thing that must be registered and not your fingerprint. So no matter how many times they ask you to unlock it with your fingerprint the phone will not allow it #TeamFrosty Nexus 6P
  • I read the iPhone has a timeout period where you have to use your pin even if fingerprint unlock is enabled. Does Nexus Imprint have that option? Posted via the Android Central App
  • "Sometimes you might need to use your backup PIN, pattern, or password:
    ...
    -After more than 48 hours have passed since you last unlocked using your backup method" Source: https://support.google.com/nexus/answer/6285273?hl=en&ref_topic=3416293
  • I've never been a fan of using a fingerprint to unlock a device. I would prefer a fingerprint to be the equivalent of a username... who I claim that I am. And still require a PIN or password to PROVE that I'm the person I'm claiming to be.
  • Yup, it's not good practice to use something you are (bio-metrics), and that can't easily be changed, as a single security method. They really should only be used in conjunction with other security methods (ex. something you know: PIN/password and/or something you have: token/badge).
  • Your article was picked up by fourthamendment.com. Nice.
  • Jerry, I completely agree with you! Thanks for advocating for a reasonable expectation of privacy! Posted via the Android Central App
  • Thanks Jerry - this is the kind of reporting I expect out of a site like Android Central.
  • This article is also relevant to devices WITHOUT a fingerprint scanner running Android 5+. If you use Smart Lock "Trusted Face" the same problem comes up... SiDi™
  • Here's an idea: Don't commit a crime or act of terrorism. The way some people talk about this, you'd think that law enforcement just goes around randomly selecting individuals asking them for their data (which would not have a legal leg to stand on even if they did).
  • The problem is, not every officer is honest or has the best of intentions. I say that as someone who has friends on several police forces and in the FBI. 95% of the time public interactions are good, but what about the times that are not so good, like when officers attempt to incriminate and plant or alter evidence? Or what about when prejudice takes over. Something is wrong when officers let dozens of cars drive by with burned out lights, then pull over a non-caucasian, pull him out of the car, and cuff him face down in the dirt... for a burned out license plate light. I'm Scottish myself, but I recognize that not everyone is treated justly, and not every officer is just. Protecting yourself, within the law, is not something that anyone should have a problem with. Posted via the Android Central App
  • Randomly, no. Sometimes mistakenly, yes.
  • Do you have any idea how many felonies you commit every day without realizing it? Also, newsflash... Hillary Clinton STILL isn't in jail!
  • Do you want cops just waltzing into your house whenever they please? If not, why not? After all, I assume you haven't committed a crime.
  • You can commit a crime and not even know it.
  • Such as the officer who was sending photos to himself from a woman's iphone, he had been snooping through during a traffic stop? This has nothing to do with criminal acts, it is all about a reasonable expectation from an invasion of privacy. I believe the overwhelming number of officers and law enforcement officials are honest and behave ethically, but it's the dishonest ones that we need to protect ourselves from. It's similar to the concept of not leaving your wallet laying on the front seat of your car with the windows down, while you're inside of 7-11 going to the bathroom, lock the car and roll up your windows, even better is also taking your wallet into the store with you.
  • Brain washing of people to believe that "if you haven't done anything wrong, you should have nothing to hide" is coming from every direction. They ingrain this line of thought in schools these days. It is a lie and it is my right to "hide" it (ie keep it private) UNTIL they have a legal right to demand it from me. Your statement assumes that by "hiding" something, it means someone is guilty. You have it all backwards. FIRST you stand up for your rights by keeping it private in the first place, only when they follow the law to obtain the data do you let them have it. If you let them have it first, you just gave up your rights. Those of us who don't want them to have it without proper authorization (a warrant) are protecting our rights and privacy, not hiding things.
  • @Jerry
    Can you explain to us how actually a device gets to know if the fingerprint is matching our own - what info gets stored, etc.? Never mind, I just saw your comment above.
    Thanks Moto XPE/VZW Moto X DE/N7
  • Great article, I'm in law enforcement. The power button goes off if I'm pulled over.
  • Great article Jerry, thank you. I'd like to know where this "Secure Start Up" is found on my Note 4. I use fingerprint scanning with a password backup but really want the feature you talked about. Posted via the Android Central App
  • I tend to not use Touch ID, and I avoided the fingerprint sensor with Android, although I like Sony's scanner/side power button combo. I'm a heavy sleeper, and just never felt comfortable with the fingerprint method. I would rather have dual speakers. And I don't want to give law enforcement the option to make me unlock my phone.
  • You can use a body part other than a finger. Let them try and figure out which one... =P
  • This article has me contemplating turning off smart lock completely. They can enable Bluetooth from the lock screen turn my headphones on and boom they're in. Or they can just take the phone to my house and they're in too. SMH. Posted via the Android Central App
  • Not really. Smart lock requires the phone to be unlocked manually first. For example, once the headphones are connected you have to manually unlock the phone once for smart lock to keep it unlocked. When you get home you have to unlock the phone first before smart lock kicks in. That is, if it works at all. I've NEVER gotten the location feature of smart lock to work lol. Personally, I don't use smart lock because the fingerprint is enough for me and I don't like the idea of my phone staying unlocked under any circumstance. However, it does work a little more securely than you think. Posted via the Android Central app on my Nexus 5X with Project Fi
  • I don't see this behaviour though. I have set it to unlock in car (connected to bluetooth) and it does that every time without ever asking me for PIN (for the first time). Device: OPO running Marshmallow
  • Excellent article I'm sharing this 1000 times over!!!! Posted via the Android Central App
  • I have an N6 on stock and it says it's encrypted but never asks me for my key at startup or restart. Am I missing something?
  • Great article. It didn't say anything I don't already know, but not everyone does. People need to be informed on this issue. History has proven time and time again that Government can't be trusted to protect our rights. It's up to us to protect our rights, and they count on people being naive. Posted via the Android Central app on my Nexus 5X with Project Fi
  • Well put Posted via the Android Central App
  • Jerry has wanted to write this article for quite some time. I am glad he got the opportunity and I agree with it 100% I won't use a finger print for unlock. I used pins for everything and encrypt my phone and re-locked the boot loader. I just don't think anyone has the right to look at my phone unless they can prove to a judge it is justified and he/she issues a warrant and I see it for myself. That Judge in between is my safety net as a citizen to have my rights protected. There is no justification for any sidestepping of that right, be it even a secret court/warrant. End of story.
  • Does a pattern lock count as a pin code password or a fingerprint?
  • It is believed so.
  • That's simple... can somebody that doesn't know your pattern grab your finger and make it enter the pattern just like forcing your finger onto the fingerprint reader? Or is it a type of information that you would have to give/show them just like a password would?
  • What's the situation in the EU?
  • 👍
  • "Android phones with unlocked bootloaders also pose a risk." Pixel phones don't have an encrypted bootloader, right? So they can be easily unlocked. So how can Google state Pixel phones are just as secure as iPhones?
  • Just because a phone has an unlockable bootloader doesn't mean it's unlocked. The user has to do this.
  • Sorry, I meant the bootloader can be unlocked, not the phone itself.
  • Once the bootloader is unlocked it will factory reset the phone automatically.
  • So what Jerry said about being able to "dump the software and all the data from your phone onto a computer" is just if the phone already comes with an unlocked bootloader from factory?
  • No. If you unlock your bootloader, it's simple to use a custom recovery image to boot up the phone and physically copy the partitions to a computer. They are still encrypted, but they are now on a machine that has a lot more processing power to try and crack it, and the data won't be destroyed if you are wrong too often between tries or try too many times.
  • Thanks for reply Jerry. So, if you don't mind, back to my original question, how do the Pixels stack up against iPhones in this regard?
  • About equal. Both use a hardware element to actually decrypt anything, but both have been shown susceptible to NAND mirroring (using a device that can read/write to the storage module directly to pull the information off into a file on a computer). As for bootloader unlocking, the bootloader on the Pixel is locked until you manually unlock it. The first step in the unlocking process erases everything on the phone. If I find your phone with an unlocked bootloader I can pull the data off of it. If the bootloader is locked, unlocking it destroys the data and leaves me nothing to pull off. A Pixel (or any Android phone that's up to date on software) is just as safe as an iPhone when it comes to accessing encrypted data stored on the phone.
  • If you're going to write about legal issues, you might want to consult a lawyer. Or at least do a Google search. The fact is that using a PIN or Password to lock your phone, instead of a fingerprint, may not be protection against being forced to unlock your phone. At least one U.S. court has ruled you CAN be compelled to provide police with your PIN / password: https://consumerist.com/2016/12/13/court-rules-that-police-can-force-you... "Florida Court of Appeal’s Second District reversed that finding, determining that the passcode itself is not connected to any criminal data found on the phone. “The information sought by the State, that which it would require [the defendant] to provide, is the passcode,” the opinion [PDF] reads. “The state has not asked [him] to produce the photographs or videos on the phone … By providing the passcode, [he] would not be acknowledging that the phone contains evidence of video voyeurism. Moreover, although the passcode would allow the State access to the phone, and therefore to a source of potential evidence, the State has a warrant to search the phone — the source of evidence had already been uncovered.” If you're really worried about what's on your phone, better do a factory reset before the police ask you for it.
  • The difference here is that they can take your finger and put it on your sensor to unlock your phone. There is no way any law enforcement would get me to give up my passcode. They can't read minds...yet.
  • Good luck with not being forced to give up your password.
    https://xkcd.com/538/
  • No, they can just lock you in a cell until you give in. Yes, really, if they have a warrant they can do that.
  • meyerweb....If you're going to write about legal issues, you might want to consult a lawyer. Or at least do a Google search as well. The fact is, laws vary state by state. You referenced a Florida case, which was a state case, then a Florida State Appellant case. The author did in fact provide court case examples... both a State (Virginia) and Federal Court, which also just happens to reference this article supporting passcodes are protected....http://www.latimes.com/local/california/la-me-iphones-fingerprints-20160... ... , "In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one's mind — entailed revealing knowledge and therefore testifying".... Another example....Federal court...East Pennsylvania in the case of Securities and Exchange Commission v Huang - Judge Mark Kearney, The Pennsylvania court ruled on Wednesday that forcing the pair to unlock the passcode-protected devices would violate their constitutional rights – specifically the Fifth Amendment, which spells out the right against self-incrimination. Would you like more? Simple Google search, as you suggested, you will find additional articles with the Federal Courts, which overrule State Courts, and SCOTUS upholding, forcing people to unlock a device via passcodes violates the 5th!
  • Yes, but you manage to completely miss the point. Assuming that because your phone is locked with a password you can't be forced to unlock it is simply not accurate. And that's what Jerry is claiming. The law is unsettled, and that means depending on where you are arrested, and what judge is asked for a warrant, you may not be able to get away with refusing to give up your password. Jerry's article implies that locking your phone with a password will protect you. It might, but it might not. Things are not nearly as clear or absolute as Jerry, and you, would like to think it is.
  • Lock me up. That's not gonna force me to do anything. I've been in jail for stupider things and more important things. Every time I just sit, say nothing and wait until my lawyer comes in and leads me out to a waiting car.
  • I'm with you Jerry. Lock me up and give me free food...ya that's gonna force me to do what you want lol.
  • Jerry, this is another well-written article with information that is good to keep aware of. However, I do take issue with your new lead disclaimer about the current political climate. As your article points out, these court cases took place under the previous administration. That administration could have brought the full weight of the Justice Department to bear on these cases but chose not to. To mislead, by making it appear that the November election is now something that changed this in any way, is conjecture at best and another example of the Post-November hysteria at worst. Added to this, the new "Donate to Refugees" ad that appeared the last couple of days on this site is somewhat repugnant. Is it the position of AC that there was no refugee crisis prior to last Friday? Fake News Fake Ads displayed for political gain (trying to show your techno brethren you're in the fight) is beneath the dignity of this site. IMHO
  • I get Sirius Radio (Howard Stern) and Google Pixel ads. BABABOOEY! Howard Sterns P3nis!
  • This was originally written during that administration. Never think that I feel any president we've had in my lifetime is 100% trustworthy. As far as the ads, they just rotate from the service who supplies them or are based on your internet history. The one I saw up top before I clicked here was from LG.
  • Dude you are running Google. If you are in real trouble they will just ask Google for whatever is on their servers.
  • Not necessarily. If you have illegal documents you don't upload them to Google drive. I'm not sure about Google, but tech companies like Microsoft have challenged being silent about data requests and Google will give you a heads up if you're being spied on. Although Yahoo sucks, they held out on data requests until that $200,000 daily fine finally became too much to handle. Although anything could have some hidden spyware, I don't think that tech companies are as evil as we think.
  • WOW, So much for courts upholding the rights set in the constitution, f in joke, well so that must be the meaning of "the American way". It's now becoming a "joke" of a country when things like this that contradict the constitution happen without any consideration for the consequences to everyone. It's more of protect the rich and corrupt and sod the rest.
  • Just use Knox with two forms of authentication for sensitive information
  • Good article. Thanks.
  • I would respectfully suggest that we stop worrying about smartphone security and take a hard look at what's currently really the greatest threat to our security. We seem to have forgotten the lessons from history.
  • This topic is very interesting. No definitive answers as "the law" always seems to lag technology. I'm all for helping law enforcement. All for my rights (such as not incriminating myself). An issue I am thinking about is how many school districts deal with student cell phone use and confiscation. In our district, they have strongly worded language in the student code of conduct about school personnel being able to search a student's belongings (person, backpack, purse, locker, car and even cell phone) with "probable cause". While they do give some examples, the school Principal can instruct a student to relinquish their cell phone and allow school officials to search it. It could be for unfavorable social media posts (school fights, inappropriate pictures of students, things disparaging the school district or administrators). Example: Just last week, there were a series of fights at one of the local high schools. Videos were shared on social media. One student simply texted their parent letting them know what was going on. The parent posted a comment (not any videos) on the local Facebook Page. Well, school administration "monitors" the various social media sites. The parent was initially told that by sending the parent a text message, and the parent posting to Facebook, it contributed to a string of phone calls to the school from concerned parents and that the student who texted the parent "might" be subject to discipline for violating the student code of conduct. Since they obviously can't control the parent's Facebook Posts, they threatened the student, until the parent removed the post. My child attends this school. None of this applies to us as I have had the conversation about social media and how Administrators join groups and send friend requests under aliases (spelling). I know this for a fact as I have gone through the entire member list of our 3 local Facebook pages and none of the admins at our school are members, yet they have sent email, voicemails and made public statements about "what they have read online, and that they monitor social media chatter". So, I said all this to add: I have informed my 2 children to follow the school electronics policy. Do not connect to the school's Wi-fi. Why? Well, because if you post something during the school day they find or deem against the code and you used their wi-fi. Fortunately both have unlimited data. Second (and this fits this discussion), they both have either pattern lock or 6-8 digit pin. My thought is that if they are requested/forced to hand over their devices, do so. But under no circumstances are they to provide the unlock code. The phones are in my name, so my stand is the phones belong to me, and "I" am not subject to the Code of Conduct, thus without a court order, they can't make me unlock a device because an administrator is not a legal expert or lawyer. My instruction is for them to respectfully decline (so they can't get hit with insubordination for failing to comply), have them contact their parents. At this point, I would head to the school with an attorney, and of course remotely wiping the android or Apple device. I hope and pray it never comes to this. I have the "talk" with my children at least once a month and show them the FB posts and have gone over the Code of Conduct. The thing is, in our District, a Principal might interpret things in a matter beneficial to their school, and it may not be consistent across all schools in the district.
  • All liberal peoples must be concerned. Big data, Big surveillance, Mandated Backdoors. With our current pro-active leader how soon will drones come out after what you said in 1999 against The Donald. He's not that petty...is he?
    Watch the skies people it's inevitable.
  • I used to be an adventurer, and made fun of Donald Trump, but then I took an arrow to the knee...
  • America First, Boris.
    Read it and weep.
  • Won't dive down into the pit and get political; however, people might want to refer to: Riley v. California and United States v. Wurie A unanimous 9-0 SCOTUS decision that "outlawed warrantless police searches of cellphones." Makes for interesting reading; that is if you can understand it.
  • No one should ever subscribe to using their body parts or 'physical person' as a means of proving their identity, as it results in ownership of your body being taken from you. Your body is your intellectual property, don't give out a free and unlimited license to it.
  • So I guess people who can unlock their device using their penis will be safe then. Seriously, it was tested and works.
  • Interesting article, but not reassuring in the least. So, I'm headed with my family on a vacation, quite possibly just transiting through the U.S. but still having to clear customs (Eg. From Canada to Australia, via LAX, as I've done before). I get asked to provide a passcode. I'm within my rights to decline, but my phone can be seized and I can be detained. So, my solution is "send me to jail"?? Sounds like an awesome family vacation and a wonderful situation for my young son to witness! I think I'll just keep my phone as "clean" as possible while travelling and reinstall everything after arrival, or preferably try to avoid travel in the U.S. for the foreseeable future. It's sad that these have become viable/necessary options.
  • If you have an unlocked bootloader how can someone dump all the info from the device if they still don't have your unlock PIN? When I unlocked my bootloader I still can't interact with it through adb until I unlock my phone using the pin and accept the request that pops up and I have to make sure I have turned on USB debugging. If your phone is locked with a password but the bootloader is unlocked how does law enforcement accept that request for your phone to interact with your computer? And let's say you turn off USB debugging. How does law enforcement accept that request AND turn on usb debugging if your phone is password protected but the bootloader is unlocked even if they got ahold of the computer you used to unlock the bootloader? It would seem to me that as long as you turn off USB debugging there is no way law enforcement could interact with your phone unless you gave them your PIN even if the bootloader is locked. At that point they would be using hacks to gain access to your phone which they could probably do regardless of whether or not your bootloader is unlocked.