How Face ID could change the game for aggressive US border agents

The Apple Touch ID is already endangered. Just five years ago, iPhones began using the popular fingerprint scanner, which unlocks your phone dozens of times a day even more easily.

But all the new iPhones launched this year – iPhone XS, iPhone XS Max and iPhone XR – have only the facial identity. They do not have Touch ID.

In 2013, some intelligent lawyers (including Marcia Hofmann), concerned with privacy, began to point out that a seemingly minor change in technology could have a noticeable impact on the legal landscape.

As Hofmann pointed out in a September 2013 editorial for wired, being forced by US law enforcement to produce something that you are – a biometric – is not normally protected by the fifth amendment privilege against self-incrimination. On the other hand, being forced to reveal something you know (a traditional alphanumeric code, for example) is usually protected.

This notion was confirmed earlier this year by the Minnesota Supreme Court. The court found that a suspect could be forced to provide his fingerprint to unlock his phone and could not invoke his fifth amendment privilege.

However, Touch ID requires a physical and affirmative act of pressing a finger on the scanner. But Face ID can be used from a few meters, virtually with a simple stealthy look.

After Ars had spoken with a handful of lawyers, the legal landscape does not seem to have changed from Touch ID to Face ID. It seems very likely that law enforcement agencies (including border agents) will be able to unlock a phone with this feature under Face ID.

Worse still, because of the US's strange "American" legal doctrine, in which the fourth amendment's normal protections do not apply, agents might be able to access a new iPhone without a problem.

"I agree that this assumption is at least plausible if not more," said Andrew Crocker, a lawyer at the Electronic Frontier Foundation in Ars. "It's worrying that it's so easy to get into the content of a device at the border."

No contact required

We have concocted a scenario in which a US iPhone XS owner was crossing into the United States from an international airport. She is caught for secondary screening. His phone is confiscated. When questioned on a table, an aggressive agent holds the iPhone XS in front of her.

"Is this your phone?" asks the agent, facing the screen towards her. She looks directly at the screen and, as the face ID is activated, the phone unlocks – even if the traveler is sitting a few feet away from him and has not touched his phone since it was seized. The agent then scans the screen to access the home screen and has access to most personal data stored on his or her phone. (In short, virtually anything except the Apply Pay or Keychain password data, which would require a second facial identity unlock or secret code.)

Federal authorities rely on what is called the "doctrine of the border" – the legal idea that warrants are not required to conduct a search at the border. This legal theory has been generally recognized by the courts even in recent years. Such a scenario is not hard to imagine.

In May 2017, we recounted the story of Aaron Gach, who told us that border officials were threatening to "queue up" if he did not pass the password to his phone. upon arrival at the San Francisco International Airport.

Months later, Gach and a handful of other people with similar stories sued the Department of Homeland Security, Customs and Border Protection, claiming that they had been forced to unlock their phone. Their argument is essentially based on a landmark 2014 decision of the Supreme Court, known as Riley c. California, who concluded that without warrant, the police could not search the phone of an arrested person.

Alasaad c. Duke

The Gach affair, Alasaad c. Duke, wants to know which prevails: the doctrine of the border or the Riley decision? The case is still pending before a federal court in Boston.

After all, phone searches at borders are not theoretical. According to the government's own figures, there has been a noticeable increase in the number of searches for digital devices at the border in recent years. Federal authorities continue to note that such searches are rare but have not explained why they have increased significantly.

Ars tested this border scenario with one of the latest iPhone. We had a user program in their phone as would any iPhone owner. Then, later, we sat in front of them at a table, held their phone in hand and raised it casually to make them pass a table and asked them, "Is what is your phone? They examined the phone and unlocked the phone. We were then able to access data such as emails, contacts and messages. However, data such as stored iCloud passwords would have required additional authentication by Face ID.

For this approach to work consistently, authorities must already know that face identity is enabled on the phone and that it will work within a few feet.

As a defense mechanism, an owner who knows how his phone works can avoid this by simply avoiding eye contact. This is due to the technology of the iPhone, which is new and more advanced than most other consumer face recognition technologies in that it uses infrared to read the face in 3D . In addition, these new models can read facial expressions and follow eye movement through machine learning. No matter which of these iPhones can say when it is watched or not. If the owner is a few meters away from the phone and looks directly at the screen, he unlocks.

Thus, if the user anticipates this disappointment and knows how the phone works, he may close his eyes or avoid looking directly at the phone, which will not unlock. But if they bite at the hook and look, the phone systematically unlocks – in just milliseconds – after seeing the face.

Custom passwords

We presented this scenario to Brian Owsley, a law professor at the University of North Texas, a former federal judge along the border in southern Texas. Owsley stated that anyone in such a situation should argue (as in Alasaad) that postRiley searches without a warrant are questionable.

"The United States would probably argue that border patrol agents have the power to search without a warrant for people entering the country on the borders of the country and that this authority extends to mobile phones," he said. he sent.

When we explained to him that it was relatively easy to unlock a Face ID compatible phone, he immediately responded.

"Fascinating," sent Owsley. "This seems to be a design flaw – is Apple aware of this problem – nothing beats a good old-fashioned digital password for the security of the phone."

But unlock quickly is the feature provided by Apple for the iPhone in order to remove the frictions of the user. With facial identity, Apple wants to prevent the user from thinking about manually locking or unlocking the phone. This happens automatically when they watch it.

Similarly, Blake Reid, a law professor at the University of Colorado, pointed to an even more extreme way of foiling the Face-ID-at-the-border game.

"An additional step for savvy owners is to call the SOS mode or simply turn off their phone (both disabling Face / Touch ID, IIRC) before crossing the border," he wrote. "Of course, the stress can also increase, I'm still thinking about this sinister XKCD."

The new iPhones also have a feature that temporarily disables facial identity, although this is not immediately obvious to users. They can simultaneously hold down the volume and right buttons as if you were turning off the phone. Then, when they have the option to turn it off, users can press the "cancel" button. After that, only an entered secret code can unlock the phone.

Apple has not responded to Ars's comment request.

Samuel Axon contributed to the report.