FTS

via ARS

Apple’s Touch ID is already on its way out. Just five years ago, iPhones began getting the famed fingerprint scanner that makes unlocking your phone dozens of times a day even easier.

But all of the new iPhones released this year—iPhone XS, iPhone XS Max, and iPhone XR—only have Face ID. They do not have Touch ID.

Back in 2013, some smart privacy-minded lawyers (notably Marcia Hofmann) began pointing out that a seemingly small change in technology may have a notable impact on the legal landscape.

As Hofmann pointed out in a September 2013 op-ed for Wired, being compelled by American law enforcement to produce something that you are—a biometric—is not normally protected by the Fifth Amendment privilege against self-incrimination. By contrast, being forced to reveal something that you know (a traditional alphanumeric passcode, for example), is generally protected.

This notion was upheld earlier this year by the Minnesota Supreme Court. The court found that a criminal suspect could be compelled to provide his fingerprint to unlock his phone and could not invoke his Fifth Amendment privilege.

However, Touch ID requires a physical, affirmative act of pressing a finger onto the scanner. But Face ID can be used from a few feet away, practically with just a furtive glance.

After Ars spoke with a handful of attorneys, the legal landscape does not appear to have changed from Touch ID to Face ID. It seems very possible that law enforcement (notably, border agents) would be able unlock a phone with such facility under Face ID.

Worse still, because of the strange American legal “border doctrine,” in which normal Fourth Amendment protections do not apply, agents might be able to get into a newer iPhone with no problem.

“I agree that that hypothetical is at least plausible, if not more than that,” Andrew Crocker, an attorney with the Electronic Frontier Foundation, told Ars. “It’s concerning that it could be that easy to get into the contents of a device at the border.”

No touching required

We concocted a scenario in which an American iPhone XS owner was crossing into the United States at an international airport from abroad. She gets taken aside for secondary screening. Her phone is confiscated. Under questioning across a table, an aggressive agent holds up the iPhone XS in front of her.

“Is this your phone?” the agent asks, facing the screen toward her. She looks directly at the screen, and, as Face ID is enabled, the phone unlocks—even though the traveler is sitting a few feet away and hasn’t touched her phone since it was seized. The agent then swipes up to reach the home screen and has access to most of the personal data on her phone. (In short, basically everything except Apply Pay or Keychain password data. That would require a second Face ID unlock or the passcode.)

Federal authorities rely on what’s known as the “border doctrine“—the legal idea that warrants are not required to conduct a search at the border. This legal theory has been generally recognized by courts, even in recent years. Such a scenario isn’t hard to imagine.

In May 2017, we reported the story of Aaron Gach, who told us that border agents threatened to “be dicks” if he didn’t hand over the password to his phone upon his arrival at San Francisco International Airport.

Months later, Gach and a handful of other people with similar stories sued the Department of Homeland Security and Customs and Border Protection, arguing that they were coerced into unlocking their phones. Their argument is essentially based on a landmark 2014 Supreme Court decision, known as Riley v. California, which found that, without a warrant, police could not search the phone of someone being arrested.

Alasaad v. Duke

The Gach case, Alasaad v. Duke, wants to know which one trumps: the border doctrine or the Rileydecision? The case is still pending in federal court in Boston.

Border searches of phones, after all, aren’t theoretical. According to the government’s own figures, there has been a notable uptick in digital-device searches at the border in recent years. Federal authorities continue to note that such searches are rare but have not explained why they have increased significantly.

Ars tested this border scenario with one of the latest iPhones. We had a user program their face into their phone as any iPhone owner would. Then at a later time, we sat across from them at a table, held their phone in hand, and casually raised it to face them across a table and asked “is this your phone?” They looked at it and the phone unlocked and we were able to then access data like emails, contacts, and messages. Data like stored iCloud passwords would have required an additional Face ID authentication, however.

To make this approach work consistently, authorities must already know that the phone has Face ID enabled and that it will work within a few feet.

As a defense mechanism, an owner who knows how her phone works can prevent this by simply avoiding eye contact. This is because of the iPhone’s technology, which is new and more advanced than most other consumer facial-recognition tech to date in that it uses infrared to read the face in 3D. In addition, these new models can read facial expressions and have eye tracking driven by machine learning. Any one of these iPhones can tell when it’s being looked at or not. If the owner is ever within a few feet of the phone and looks directly at the screen, it unlocks.

So if the user anticipates this deception and knows how the phone works, they can close their eyes or otherwise avoid looking directly at the phone, and it will not unlock. But if they take the bait and look, the phone consistently unlocks—in just a few milliseconds—after seeing the face.

Bespoke passwords

We presented this scenario to law professor Brian Owsley of the University of North Texas, who formerly served as a federal magistrate judge along the border in southern Texas. Owsley said that anyone in such a situation should argue (as in Alasaad) that post-Riley warrantless searches are questionable.

“The United States would likely argue that border patrol agents have broad authority to engage in warrantless searches of people entering the country at the nation’s borders and that authority extends to cell phones,” he emailed.

When we clarified to him that unlocking a Face ID-enabled phone from a few feet away is relatively easy, he immediately wrote back.

“Fascinating,” Owsley emailed. “That seems like a design flaw. Is Apple aware of this problem? Nothing beats a good old-fashioned numerical password for phone security.”

But unlocking quickly is Apple’s intended functionality for the iPhone as part of a goal to remove friction for the user. With Face ID, Apple wants to free the user from having to think about manually locking or unlocking the phone. It happens automatically when they look at it.

Similarly, Blake Reid, a law professor at the University of Colorado, pointed out an even more extreme way to thwart the Face-ID-at-the-border gambit.

“A more threshold step for knowledgeable owners is to invoke SOS mode or simply turn their phones off (both of which disable Face/Touch ID, IIRC) before a border crossing,” he wrote. “Of course, the coercion can escalate, too. I always think of this grim XKCD.”

The new iPhones also have a feature that temporarily disables Face ID, though it is not immediately obvious to users. They can hold down the volume and right-side buttons simultaneously as if turning off the phone. After this, only a typed passcode can unlock the phone.

Apple did not respond to Ars’ request for comment on the record.