... and fingerprint authentication has problems too

Mike Bushroe mbushroe at gmail.com
Tue Aug 2 14:08:39 MST 2016


This is scary. I would hope that as caselaw becomes more extensive and
complete they split this into two parts. I have no qualms about allowing
police to compel finger prints of any degree of fidelity. It is already
standard practice to photograph and finger print every arrested person, so
this is little change from decades' worth of standard practice. However, I
think they should split this when it comes to the step of fabricating a
fake finger (or compelling the defendant to use their own finger) to unlock
any secure data store (phone, computer, network file server (that is a scary
hole in the security system itself!), safe, etc.). If they have gone to the
effort of securing access with a finger print then the information inside
is clearly not 'public domain'. It should be as secure as their own
testimony. It should be illegal for them to 'force' entry with a fake
finger, and they should not be able to use any data inside, nor any further
leads developed from data learned by that process. However, I am not
confident that the world will be that reasonable.

A second weakness in my argument is that on TV, they routinely hack into
someone's encrypted files and disks. If they can actually use anything that
they can hack out of your computer, then faking a finger print to gain
access is just a partially physical method of doing the same encryption
hacking.

If this turns out to be the case, or becomes the case, then there would be
no safe way to store *any* information digitally. And since having a
passphrase to unlock a large encryption key is no more secure than the
passphrase and encryption key storage program, I begin to wonder about
encrypting entire disks with a 2048 bit key that IS the passphrase! Now we
just need to learn how to do passphrases with 2048 bits of significant
data. ugh! Upper and lowercase letters, digits, punctuation only give about
6 1/2 bits per character. That would need a 315 character pass phrase to
remember and type in each time to get maximum security. And don't even
*think* about writing it down somewhere! :)

Mike


> The Smartphone versus the Fifth Amendment," Berkeley Technology Law
> Journal, 21 Dec 2014[3]
>
>> in the aftermath of Virginia v. Baust, many smartphone users may soon
>> reconsider their reliance on fingerprint ID technology.
>>
>
> In October [2014], a Virginia trial judge ruled [in Virginia v. Baust]
>> that unlike a passcode, the production of one's fingerprint is not
>> "testimonial communication", and therefore, the Fifth Amendment privilege
>> against self-incrimination cannot be invoked. Rather, the government may
>> properly compel the production of a smartphone user's fingerprint to unlock
>> the user's device. This force compulsion would ostensibly extend to any
>> applications within a device that can be opened via fingerprint.
>>
>
> However,
>
> As a trial court, the ruling in Virginia v. Baust is not mandatory law.
>> However, as with any early caselaw in a novel and undeveloped area of the
>> law, this opinion will likely be cited as a persuasive authority.
>
>
-- 
"Creativity is intelligence having fun." — Albert Einstein