Mixed Messaging Harms Innovation: Court Affords Greater Constitutional Protection to Passcodes Than Fingerprints and Biometrics Authentication

In just a matter of weeks, the government has managed to send mixed messages to the tech industry, creating uncertainty for app developers and businesses. As I wrote in my October post, Encryption Whiplash, government agencies such as the Federal Trade Commission insist that app developers secure consumers’ personal information through encryption and other security measures to protect consumers from hackers and data thieves. At the same time, other government actors, including Attorney General Eric Holder and Federal Bureau of Investigation (FBI) Director James Comey, want that information to be accessible to the government. 

This week’s contradictory message for app developers comes from the courts, which are now sending even more mixed messages to developers and consumers alike. In Commonwealth v. Baust, a Virginia Circuit Court judge drew a distinction between the constitutional protection afforded to different types of authentication mechanisms (a fingerprint or a passcode) used to unlock a person’s cell phone. In February 2014, David Baust was charged with attempting to strangle his girlfriend.

Prosecutors sought access to his smartphone because he had video equipment in his bedroom that they thought might have captured footage of the couple’s argument prior to the incident. The court ruled in favor of Mr. Baust, finding that a defendant cannot be compelled to reveal his passcode because doing so is a mentally directed act, and forcing Baust to reveal the code would violate the right against self-incrimination. Compelling a fingerprint, the Court reasoned, is in contrast similar to compelling DNA, handwriting, or an actual key, which is lawful.

Like the Attorney General and FBI’s recent proclamation that devices with end-to-end encryption are detrimental to law enforcement efforts, the Baust case is another problematic example of how government is on the one hand compelling companies to create more secure devices and apps, and on the other undermining novel built-in security features. 

Depending upon the number of characters, a passcode is generally considered a weaker method of authentication compared to fingerprint identification. With the court finding that passcodes are afforded greater legal protections than fingerprint verification, the tech industry is once again faced with increasing uncertainty regarding how to placate the government’s requirement for increased security and its desire for information access. The brightest minds in tech are turning to biometrics to make mobile devices more secure than traditional passcodes, but decisions such as the Baust case may cause developers to suspend their efforts and deter adoption of biometrics as a form of authentication by consumers and companies.

While phones secured through fingerprinting may be more secure from hackers and data thieves, as long as the government chooses to make illogical and arbitrary distinctions between forms of authentication, consumers and innovators will suffer.

Posted By: Tim Sparapani, VP of Law, Policy, and Government Relations