New Security Features in iOS 11 Will Reinforce Digital Fourth and Fifth Amendment Protections

Posted on September 19, 2017

According to a new article in Ars Technica, the latest  version of the iOS mobile operating system will include new features allowing users to more easily safeguard their digital rights. The iOS 11 update, scheduled for release later this week, will allow users to disable the TouchID unlock method, and toggle it to PIN mode until the toggle is reversed, by tapping the power button five times in quick succession. Additionally, the forthcoming firmware update will place a barrier between connecting an iOS device to a computer and copying data off of the device’s hard drive by requiring the entry of a PIN code to confirm the data transfer. 

Since the introduction of fingerprint unlock functionality, such as that employed by Apple’s TouchID, smartphone users were confronted with the novel privacy considerations of using biometric authentication to conveniently unlock their devices. While device users in police custody can still in most cases not be compelled to disclose the PIN codes locking their devices, as this piece of knowledge is classified as testimonial evidence and therefore protected under the Fifth Amendment, law enforcement is permitted to collect and compel the disclosure of biological samples and biometric data points, including fingerprints. Because of these distinctions, police can force users to unlock devices locked with fingerprint authentication, but generally cannot demand users to unlock their PIN-locked devices. 

By allowing users to disable TouchID authentication from the phone’s lock screen, rather than by unlocking it and manually doing so in the Settings menu, Apple has afforded even those who primarily employ TouchID to enjoy Fifth Amendment protection of device data. This added toggle feature represents the first of its kind, leaving law enforcement and prosecutors to determine how aggressively they may attempt to oppose or circumvent it in the lack of legal precedent. It is possible that, if police officers arresting an iOS device user can reasonably claim to have witnessed the arrestee enabling this feature in the moment before arrest, prosecutors may be able to pursue obstruction of justice charges, as it could be argued that the practice parallels the destruction of evidence.

Even so, the TouchID quick disable feature marks a considerable stride in consumer digital privacy rights–as there is nothing unlawful about users locking their devices with PIN codes, the feature would allow, for instance, those attending protests to toggle off their TouchID authentication as soon as they reach the site of the demonstration, long before arrests are potentially made. As an academic in the field of computer science interviewed for Ars Technica‘s piece, Nicholas Weaver, points out, this easy method of disabling TouchID, which would otherwise leave police unobstructed in acquiring the data on a phone they seize, dissuades police from the increasingly popular approach of amassing as much arrestee data as possible, even of those arrested for minor offenses, or of those against whom charges are never ultimately pursued. 

The second of iOS 11’s privacy-focused features offers even more robust, and less legally questionable, protections for users. To begin with, users do not need to be aware of the feature or consciously invoke it at the right time, but are simply afforded its safeguards automatically. More significantly, the benefits that it confers apply in all cases–whether the phone is locked with PIN or TouchID, or even regardless of whether it is locked or unlocked, no data transfers can occur until the PIN is inputted. While law enforcement officers who arrest an individual while their device is unlocked could simply actively prevent the device from locking, in order to derive any data from it they would have to search and read it directly from the device, as the convenience of browsing it after transferring it to a department database would be unavailable. This scenario presents such an onerous hurdle that, unless the arrestee is of particular interest to law enforcement, officers will likely not go to the trouble of doing so, providing a de facto shield to the privacy of low-level arrestees, such as those apprehended as part of a demonstration. 

Although law enforcement has many means of incursion into citizens’ digital privacy, in practice they must strike a balance between the difficulty in overcoming digital defenses and the payoffs in doing so. Surveillance by every level of law enforcement and intelligence entities has become pervasive purely on account of the ease with which it can generally be deployed. Police will seize data from arrestees whenever they are able to do so with minimal time and effort, but as soon as the minimum requisite investment of these resources becomes too high, they will reserve it for the investigation of serious crime. Protections such as those extended in iOS 11, however modest, are among the vanguard of advances toward precisely this.

You can read the original report from Ars Technica here

Jonathan Terrasi has been a Research Assistant with the Chicago Committee to Defend the Bill of Rights since January 2017. His interests include computer security, encryption, history, and philosophy. In his writing, he regularly covers topics on current affairs and political developments, as well as technical analyses and guides on security issues, published on his blog, Cymatic Scanning, and Linux Insider.