As pertaining to biometics

Biometric Constitutional Conundrum

Well established law

It is well established that the law can compel you to provide a “thing” you have. For example: a warrant for the key to a storage vault is a communication from the court to provide it, or else. Can the court compel you to provide a combination to a lock? That combination exists only in your mind.

The Fifth Amendment

The Fifth Amendment to the US Constitution states that “no person shall be compelled in any criminal case to be a witness against himself nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.” This amendment was derived from English legal protections from the 1600s which protected people from torture to reveal information that could be used against them.

How does this help? In invoking Fifth Amendment protection, there may be a difference between things we have or are and things we know.

The Fifth Amendment may not apply when it comes to biometric-based fingerprints (things that reflect things we are) as opposed to memory-based passwords and PINs (things we know).

An example from the Supreme Court 1988

A hypothetical example described by the Supreme Court 487 U.S. 201 (108 S.Ct. 2341, 101 L.Ed.2d 184) John DOE, Petitioner v. United States No. 86-1753 . Look for the dissenting opinion of Justice Stevens.

If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn’t be testimonial. It is just a physical act that doesn’t reveal anything you know.

If the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind — and so Fifth Amendment protections would apply. Memory-based authenticators (like PINs and passwords) are the type of fact benefiting from strong Fifth Amendment protection.

US Court of Appeals, 11 Circuit 2012

In February 2012 a federal appeals court held that a man could not be forced by the government to decrypt data.

The case was In The United States Court Of Appeals For The Eleventh Circuit Numbers 11-12268 & 11-15421 D.C. Docket No. 3:11-mc-00041-MCR-CJK In RE: Grand Jury Subpoena Duces Tecum Dated March 25, 2011 United States Of America (Plaintiff-Appellee) vs JOHN DOE (Defendant-Appellant) (36 page PDF) (Related article)

Physical tokens (including biometrics) are things we have or things we are, not things we remember. Thus demands we produce them (without implicating anything we know) would likely fail of Fifth Amendment protections.

Fingerprint unlock forced 2016

April 30, 2016 the Los Angeles Times reported a judge ordered a person to press their finger on the fingerprint reader of an iPhone to unlock it. The act was physical and did not reveal the contents of that person’s mind. Hence, Fifth Amendment protections did not apply. Had the fingerprint reader been disabled and a passcode required it is unlikely the judge could have compelled the person to reveal the contents of their mind, a testimonial act.

A Way Around the Fifth Amendment?

Having established that the contents of your mind are testimonial and can’t be compelled if they would violate your Fifth Amendment protections, prosecutors and police are attempting to circumvent this protection.

All Writs Act – Contempt of Court 2015

As of late May 2016 Francis Rawls, a former Philadelphia Police Department sergeant, has yet not been charged with a crime, yet he was taken by US Marshals for “indefinite imprisonment” on September 30, 2015 and been there for eight months. Why? Because a court ordered him to decrypt two password-protected hard drives seized in connection with a child pornography investigation. Any evidence of the crime is in these drives. One judge ruled that such an attempt was a violation of the Fifth Amendment protection (see the contempt of court appeal page 18, paragraph 3 filed 03/30/2016).

So why is Rawls in jail? First understand there were five devices involved. An iPhone 5S, iPhone 6, a MacPro computer and two external hard drives. The iPhone 5S and the MacPro were unlocked by investigators and no incriminating evidence was found.

Just three days after the Fifth Amendment ruling federal prosecutors filed using the All Writs Act (28 U.S.C. § 1651) to compel Rawls to unlock drives they believed contained evidence of child sex abuse. As ordered, Rawls attempted to unlock the drives by entering a passcode. After repeated attempts Rawls succeeded in unlocking the iPhone 6, but was unable to unlock the two drives. (appeal page 20, paragraph 4) Rawls indicated he no longer remembered the passcodes. It was then he was taken into custody for contempt of court.

There were no charges existing when the All Writs Act was invoked. Is this proper? Did the judge who signed the AWA have jurisdiction to make such an order? Is a decryption order equivalent to conscripting a third party to provide assistance to facilitate the execution of a non-existing warrant?

The future resolution unclear, but at this point a person has been in custody because he won’t decrypt devices that may contain evidence to convict him, or can’t remember the passcodes. After he was taken into custody he was fired.

As of 5/16/2016 the federal prosecutors filed to continue indefinite incarceration per Ars Technica

Remember, he hasn’t even been charged with a crime, let alone convicted. Could this happen to you?

Social & Privacy Concerns

All of the above has raised serious social concerns on what general adoption of biometric security in general, and face recognition in specific, could mean to society at large.

Collections of Biometric data 2013

Apple shared fingerprint database with the NSA. Did you give your permission?

NTIA talks 2015

For more than a year civil liberties and consumer advocate groups had met periodically with trade associations with the help of the Commerce Department’s National Telecommunications & Information Administration (NTIA). On 6/16/2015 the privacy advocates withdrew from the talks on how to write guidelines (not even the guidelines themselves, just how to write guidelines) because they could not achieve what they consider minimum rights for consumers — the idea that companies should seek and obtain permission before employing face recognition to identify individual people on the street. The industry groups will continue with NTIA.

The advocates joint statement

We believe that people have a fundamental right to privacy. People have the right to control who gets their sensitive information, and how that information is shared. And there is no question that biometric information is extremely sensitive. You can change your password and your credit card number; you cannot change your fingerprints or the precise dimensions of your face. Through facial recognition, these immutable, physical facts can be used to identify you, remotely and in secret, without any recourse. (the whole statement)

From the EFF announcement

Despite the sensitivity of face recognition data, however, the federal government and state and local law enforcement agencies continue to build ever-larger face recognition databases. Last year the FBI rolled out its NGI biometric database with 14-million face images, and we learned through a Freedom of Information Act (FOIA) request that it plans to increase that number to 52-million images by this year. Communities such as San Diego, California are using mobile biometric readers to take pictures of people on the street or in their homes and immediately identify them and enroll them in face recognition databases. These databases are shared widely, and there are few, if any, meaningful limits on access.

6/16/2015 Announcement from the Electronic Frontier Foundation. Source for the 52-million images in the Next Generation Identification (NGI) database that includes criminal and non-criminal, low resolution images.

The advocates for privacy included:
  American Civil Liberties Union
  Center for Democracy & Technology
  Center for Digital Democracy
  Center on Privacy & Technology
  Consumer Action
  Consumer Federation of America
  Consumer Watchdog
  Common Sense Media and
  Electronic Frontier Foundation.

NYT Bits article and our comment

TSA Body Scans 2015

December 18, 2015  Today the Transportation Security Administration released a Privacy Impact Assessment Update DHS/TSA/PIA-032(d) (7 page PDF) that removes the option for passengers to opt-out of a whole body scan. Pat-downs, which generated myriad complaints about inappropriate contact, are being discontinued. Is the TSA building a database of biometric information? TSA says current versions of Advanced Imaging Technologies (AIT) do not include a storage function (according to footnote 4 on page 3). Earlier versions were manufactured with storage functions which TSA required to be disabled. The backscatter devices were removed after radiation concerns and their ability to create a near-naked image. Source: USAToday and DHS/TSA/PIA-032(d) (7 page PDF)

How would we ever know if the raw scan (prior to being converted into a block image) is being saved? Has the public ever been misinformed about a government program?

FRCP Rule 41 changes 2016

Late in April the US Supreme Court approved changes to Rule 41 of criminal procedure. The changes are not yet law, the Congress to modify or reject the changes. If Congress does nothing these changes become law.

The document sent from the Supreme Court was http://www.supremecourt.gov/orders/courtorders/frcr16_8mad.pdf but that document has vanished from the SupremeCourt.Gov web site without explanation. The good news: This is the internet where nothing is gone forever. The 12 page PDF document is at
https://www.documentcloud.org/documents/2819194-frcr16-8mad.html

What are The Federal Rules of Criminal Procedure (FRCP)? They describe how federal criminal prosecutions operate, day-to-day details to keep the system running. These rules describe holidays, forms and similar. They don’t change substantive rights which are embodied in the law.

So what is the problem? In 2014, when the rule change was proposed, the Department of Justice described it as a “small modification” and the changes would not authorize searches that were not otherwise legal. That appears to be not quite accurate. These changes are not small modifications to procedures. They provide new avenues for government surveillance that were not law as approved by Congress, the body charged with creating our law. How important is that provision? Our founders put it right at the top.

 
Proposed changes – Part 1 Under the current federal rules a magistrate judge could not issue a requested warrant to search a computer via remote access if the investigator didn’t know the location of that computer. Why? Because that computer might be outside the judge’s jurisdiction. That is: a judge in District X may not authorize a warrant to be served in District Y. The change allows that warrant to be issued regardless of where that computer is. Use of Tor, or other anonymizing techniques, has risen for privacy purposes, both legal and not. The proposed change expands surveillance power from US jurisdiction to the world.

Proposed changes – Part 2 Another change allows the FBI to hack computers that are serving as zombies (computers co-opted without user consent or knowledge) doing criminal activity such as virus spreading or spam distribution. That change allows the FBI to search the victim’s property. Privacy for the victim is no longer a consideration.

Specific problems

Fourth Amendment violation
The Fourth Amendment, to the US Constitution (the ultimate source of US law) requires warrants to specifically describe the places to be searched. A warrant to search a garden shed does not authorize a search of the garage or the house.

Forum Shopping made easy
Because warrants can be obtained from any district, law enforcement can choose the forum most favorable to their position rather than the district where the computer lies. This could mean that a computer in a district with rulings favorable to citizen privacy could be searched based on a warrant from a district less so inclined. Precedence in one district is not binding on another district, yet this imposes the rules of one district on another district.

MLAT Circumvention
The changes may circumvent multiple Mutual Legal Assistance Treaties (MLATs) by imposing US law on non-US countries, a violation of sovereignty and comity. If other countries impose a quid pro quo and allow the same form of changes, then US computers may be legally searched remotely by unfriendly government based on their legal system and eliminating our protections.

[ If the Congress does nothing … doing nothing means they can take no responsibility for this expansion of surveillance powers.

Think on this a moment: People who use Tor, virtual private networks (VPN), disable tracking applications, could now be susceptible to remote access, seizure or copying of data by federal law enforcement. So using security can get you hacked, not by crooks, but by cops? Think too, the worst government you can think of could impose reciprocal rules of law allowing them to remotely access your machine without your permission or knowledge.

Here is a markup of the Rule 41 changes (5 page PDF), more from the EFF and Center for Democracy & Technology.

If a lobbyist ghost writes a bill for a member of the Legislative Branch, that bill has some elected official’s name on it and there will be a vote. If the Supreme Court makes law by adding powers not granted by Congress there is no elected official’s name on it and there isn’t even a vote. Who makes law in this country? Article I, Section I says the Legislative Branch, not the Judicial. -ed ]

FBI Facial Recognition Database 2016

Biometric data is collected by more than a few agencies and shared. Did Apple have your fingerprints? Did you authorize them to be shared with the NSA?

On 6/15/2016 the Government Accountability Office (GAO) reported

That the Department of Justice’s (DOJ) Federal Bureau of Investigation (FBI) operates the Next Generation Identification-Interstate Photo System (NGI-IPS) — a face recognition service that allows law enforcement agencies to search a database of over 30 million photos to support criminal investigations. NGI-IPS users include the FBI and selected state and local law enforcement agencies, which can submit search requests to help identify an unknown person using, for example, a photo from a surveillance camera. When a state or local agency submits such a photo, NGI-IPS uses an automated process to return a list of 2 to 50 possible candidate photos from the database, depending on the user’s specification. As of December 2015, the FBI has agreements with 7 states to search NGI-IPS, and is working with more states to grant access.

In addition to the NGI-IPS, the FBI has an internal unit called Facial Analysis, Comparison and Evaluation (FACE) Services that provides face recognition capabilities, among other things, to support active FBI investigations. FACE Services not only has access to NGI-IPS, but can search or request to search databases owned by the Departments of State and Defense and 16 states, which use their own face recognition systems. Biometric analysts manually review photos before returning at most the top 1 or 2 photos as investigative leads to FBI agents.

DOJ developed a privacy impact assessment (PIA) of NGI-IPS in 2008, as required under the E-Government Act whenever agencies develop technologies that collect personal information. However, the FBI did not update the NGI-IPS PIA in a timely manner when the system underwent significant changes or publish a PIA for FACE Services before that unit began supporting FBI agents.

DOJ ultimately approved PIAs for NGI-IPS and FACE Services in September and May 2015 [ 7 years later ], respectively. The timely publishing of PIAs would provide the public with greater assurance that the FBI is evaluating risks to privacy when implementing systems. Similarly, NGI-IPS has been in place since 2011, but DOJ did not publish a System of Records Notice (SORN) that addresses the FBI’s use of face recognition capabilities, as required by law, until May 5, 2016 [ 5 years after it was required ], after completion of GAO’s review. The timely publishing of a SORN would improve the public’s understanding of how NGI uses and protects personal information.

[ Source: GAO announcement and report (68 page PDF) highlighting ours. How is it that our premiere investigative agency wasn’t following the rules about timely disclosure? -ed ]

“… the FBI has collected, preserved, and exchanged biographic and biometric information, including photos associated with criminal files, for many decades.” [Source: Section 2.3 of the FBI’s 2015 privacy impact assessment (PIA) for NGI-IPS. Highlighting ours. Do those “many decades” include collection of biometric information about the general public? -ed ]

NGI-IPS has more than 411 million images. Included are 140 million of US visa applicants; 30 million images of criminals and the driver’s license photos from every driver in states, often without public notice, without opt-out option and whether or not they have ever been accused of a crime. Has this data been used properly? Who knows? The FBI has never audited the program. Facial recognition is far from perfect and has demonstrated biases for some groups. Humans have been identified as animals of several species.

One oft-stated “benefit” of collected facial images is the potential real-time detection of wanted persons. In addition to snaring the innocent with a false-positive there are multiple methods to avoid recognition by surveillance cameras. One recent such is embodied in a pair of glasses. More at Hack Read.

[ Regarding the image – Tennessee is one of the states sharing all driver’s license photographs with the FBI. See page 56 of the GAO report. -ed ]

Tor Exploit & the Sixth Amendment 2016

Quick Review: The Onion Router (Tor) is a browser and a service based on open-source code from Mozilla. It allows anonymous browsing so web sites can’t track you. The FBI announced they have a way to de-anonymize Tor users. Mozilla has asked for the details of this method, which they describe as an exploit and a hack, to repair it. The FBI has refused and attempted to classify even its reasons for refusal. The Tor community is working on a repair. The Sixth Amendment to the Constitution

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense. [ source. Highlighting ours -ed ]

The highlighted part is called “The Confrontation Clause” and was included to preclude testimony that could not be cross examined by the defense. Machines can be examined for operational reliability. A early example was then-new radar detectors. When examined in court some machines would show the sitting judge moving at high speed. That indicates unreliability and raises reasonable doubt. Modern radar is more accurate, but not perfect. The operator of machines can be cross examined. That Tor exploit is part of over 1,000 pending cases.

[ Think on this cross examination potential:

Defense counsel: Stipulated by the prosecution that at 3am you and a team of sworn law enforcement officers broke down the door to the defendant’s home without announcement, forcibly removed him from his bed, applied restraints and took him into custody. Why is that legal?
Officer: We had a warrant signed by a judge.

Defense counsel: Who applied for the warrant?
Officer: I did.

Defense counsel: On what basis did you apply for that warrant?
Officer: I can not reply citing national security restrictions.

Defense counsel: Did you receive credible information?
Officer: I can not reply citing national security restrictions.

Defense counsel: Did you get an anonymous tip?
Officer: I can not reply citing national security restrictions.

Defense counsel: Did you get a lead from use of a Stingray without a warrant?
Officer: I can not reply citing national security restrictions.

Defense counsel: Did you monitor electronic communications without a warrant?
Officer: I can not reply citing national security restrictions.

Defense counsel: Did you just create probable cause from thin air?
Officer: I can not reply citing national security restrictions.

If the tool’s user cites a national security prohibition and refuses to reply then how can the tool use be shown to be legal? It could have been improperly obtained and inadmissible. Improperly obtained evidence is “fruit of the poisonous tree” and absence of proper procedure or disclosure of procedure used can raise “reasonable doubt” sufficient for exoneration.

So, if the hack can’t be disclosed, how can it be ruled admissible? If not admissible then how does it help a case if everything that derives from it is poison? If everything from it is poison why use it? If not used, why not protect the law abiding public?

This is not the first recent attempt to subvert the Bill of Rights. Like most of the others it wasn’t covered by mainstream “infotainment”, what used to be journalism. Certainly there are crooks who use Tor for criminal purposes. Given rampant data theft from commercial, academic and government web sites, the law abiding who wish to secure their own data are in the huge majority just as the vast majority of cars were not driven by impaired persons. Why remove protections from the lawful? – ed ]

No Presumption of Privacy – US District Court / East Virginia – 2016

The 4th Amendment of the Constitution:

 
no longer applies, at least in Virginia.

A little background: the FBI took control of “PlayPen”, a distributor of pornography. For several weeks they used a “network investigative technique” (NIT), a program, surreptitiously installed on a web visitor’s computer, which identifies their internet address even if they have Tor or another anonymizing tool.

One defendant protested the use of NIT to counter Tor as a violation of his right to privacy. Senior U.S. District Judge Henry Coke Morgan Jr. upheld warrant and stated that the warrant is unnecessary because of the type of crime being investigated and because users should have no “objectively reasonable expectation of privacy.” Judge Morgan sits in the United States District Court For The Eastern District Of Virginia, Newport News Division. In an opinion and order for criminal case number 4:16crl6 issued 6/21/2016, Judge Morgan wrote:

However, the Court FINDS that any such subjective expectation of privacy – if one even existed in this case – is not objectively reasonable. (highlighting ours, source middle of page 46)

Few will shed tears for this particular defendant, but the highlighted text reinforces the court’s opinion that connecting to the internet means there is no expectation of privacy and a warrant isn’t even necessary. Specifically, a personal computer connected to the internet has no expectation of privacy. The Electronic Freedom Foundation (EFF) wrote:

 
More at eWeek

[ I use a cell phone from home. I connect to a cell network. My calls are private and require a warrant for some third party to listen in. I go to a brick-and-mortar library. What I read is private and requires a warrant for some third party to see. Why is my personal computer exempt from Fourth Amendment protections?

Henry Morgan was a privateer and he might have been happy with this ruling. Founders Patrick Henry, Thomas Jefferson, Richard Henry Lee, James Madison, and George Washington were from Virginia whose state motto is Sic semper tyrannis. I’d imagine they would be very unhappy as would be fellow founders from Virginia: Thomas Adams, John Banister, John Blair, Richard Bland, Carter Braxton, Benjamin Harrison John Harvie, Francis Lightfoot Lee, Thomas Nelson, Jr., Edmund Pendleton, Peyton Randolph and George Wythe. Neither are we. -ed ]

No Warrant For StingRay? Evidence Excluded – US District Court / New York – 2016

Read the story under Cell Skimmers.

Return to References page