Forbes has discovered what is believed to be the first known case of law enforcement using Face ID to gain access to a suspect’s phone data, by requiring the person to present his face to the iPhone X found on his person.
Everything appears to have been conducted legitimately, with the FBI using their search warrant as authorization for the Face ID unlock. US law does not give a person’s biometric data the same protections as a PIN code that exists only in a person’s mind. This case will no doubt spur discussion about whether the law should be changed.
It is currently understood that Face ID and Touch ID are held in similar standing legally. There are already plenty of cases where law enforcement have gained access to people’s phones by forcing them to use their fingerprints to unlock the device. Dead people’s fingerprints have also been used in a similar fashion, entering unclear legal and ethical territory.
The alphanumeric passcode is protected by the Fifth Amendment. An individual cannot be forced to tell someone their passwords, as that would be considered self-incrimination. Biometric passwords like fingerprints or facial scans are not considered to be covered by the same law. There’s an ongoing argument about whether the law should be changed to protect people’s fingerprints and faces in light of the proliferation of biometrically-protected smartphones.
Apple’s software policies help the individual as much as possible. The iOS device requires a passcode if it hasn’t been unlocked for more than 48 hours, and the user can disable biometric authentication for the next unlock. Simply show the power off screen by holding the volume and side buttons (or initiate Emergency SOS mode) and the device will require passcode entry to re-enable Touch ID and Face ID.
Even if the device is unlocked, recent versions of iOS require passcodes when connected to a computer. This is another layer of defence that makes it harder for a firm to quickly slurp all data off the phone. For the security-conscious, set a long passcode made up of letters and numbers rather than the default 6-digit numeric codes.
In this particular instance, the officer unlocked the suspect’s phone using Face ID but does not appear to have kept the device unlocked indefinitely. The officer manually searched the phone and took some photos to document it, but then let the device lock itself after a while. The FBI are now requesting further forensic extraction to take place on the phone, likely using equipment from Grayshift.