Data security practitioners often say that user credentials consist of something you know (a password), something you have (a token), or something you are (biometric). Device makers, financial institutions, and others have embraced the concept that two of these factors make you safer than one. Two-factor authentication has been widely adopted.
But clashing court decisions within the 9th Circuit will muddy the waters when police demand access to smartphones and all personal electronic devices.
The United States District Court of Northern California ruled last year that a biometric credential is a substitute for a password. Extending the Supreme Court’s reasoning that forcing password disclosure is compelling a suspect to testify against himself, the California Court prohibited forcing a suspect to grant biometric access, on 4th and 5th Amendment grounds.
But a U.S. District Court judge in Idaho ruled that “physical characteristics” do not equal testimony. A suspect’s testimony discloses the “contents of his own mind.” A fingerprint doesn’t.
The two decisions place smartphone users at the mercy of two separate standards, based only on the configuration and capabilities of their device. Is it protected biometrically (something you are)? Or with a string of characters (something you know)? This will be especially confounding for users of multi-factor authentication. Which factor will control the person’s rights?
Habeas Hard Drive says attorneys should prioritize detailed discussion of electronic devices with clients – criminal or civil – and not just phones. All personal electronic devices. Too often, questions about their relevance in discovery are raised well after process is underway, leaving fewer strategic options. As always, Habeas Hard Drive recommends consulting with a digital forensic expert prior to ordering preservation.
One last thing. Please don’t forget that electronic devices don’t function without power cords. Devices should be turned over for discovery with their power cables.