Dan GoodinAnybody know how feasible it would have been for the WaPo reporter to refuse to provide her biometrics, or intentially sabotage the attempt by, say, using her wrong finger or closing her eyes? She might go to jail, but that's what reporters do to protect sources.
Adam Shostack :donor: :rebelverified:@dangoodin@infosec.exchange I think they can force your finger onto the sensor (much like they can force fingerprints on an ink pad) and force you to open your eyes. Those are "non-testimonial" where if your password was, I dunno, "IkilledBob" then that's testimonial and the courts can't force you to self-incriminate.
Dan Goodin@adamshostack@infosec.exchange
How can cops force a journo to open her eyes? Can't she just refuse, or promise to keep her eyes open and then close them at the crucial moment? And what if she uses a finger she hasn't registered? In either case, the device would then require a password. This seems feasible to me, and maybe that's what the WaPo reporter did, but maybe I'm missing something?
Matt Blaze@dangoodin@infosec.exchange @adamshostack@infosec.exchange Keep in mind that a search warrant authorizes law enforcement to do things, but does not (directly) compel anyone else to do anything (except not actively interfere). If they want a password, they would need a court order to the target, which could then be litigated as to whether providing it would be testimonial (and 5A protected).
Dan Goodin@mattblaze@federate.social @adamshostack@infosec.exchange
Interesting. Any idea what happens if law enforcement in possession of a warrant instructs the journo to provide a biometric and she refuses? I mean, can LE physically place her finger on the scanner if she refuses to comply with an instruction?
Matt Blaze@dangoodin@infosec.exchange @adamshostack@infosec.exchange The warrant authorizes them to obtain the biometric, but doesn't compel the journalist to cooperate. For that they need an order to the journalist (which they could probably get, but it's not the search warrant).
Dan Goodin@mattblaze@federate.social @adamshostack@infosec.exchange
OK, thanks.
Andrew Zonenberg@dangoodin@infosec.exchange @mattblaze@federate.social @adamshostack@infosec.exchange Does this perhaps make faceid slightly more risky than fingerprinting (e.g. you can ball up your hands and refuse consent to have your finger scanned but hiding your face while handcuffed is difficult)?
Is there case law on this yet?
Dan Goodin@azonenberg@ioc.exchange @mattblaze@federate.social @adamshostack@infosec.exchange
Closing your eyes prevents face ID from working in all cases I'm aware of. Still pretty easy to do that, even in cuffs (which I'm guessing the journo was not).
RRB@dangoodin@infosec.exchange @azonenberg@ioc.exchange @mattblaze@federate.social @adamshostack@infosec.exchange Making a grimace?
Matt Blaze@rrb@infosec.exchange @dangoodin@infosec.exchange @azonenberg@ioc.exchange @adamshostack@infosec.exchange This is literally the origin of the term "mug shot". Arrestees would scrunch up their faces when photographed to make themselves less recognizable.