The advent of biometric "passcodes" -- fingerprints and facial recognition -- appear to be leaving those who choose these methods with fewer Fifth Amendment protections. A handful of courts have ruled fingerprints and faces aren't "testimony." Much as officers can collect fingerprints and mugshots without a warrant following an arrest, they can also apply fingers and faces to locked phones to get to the data inside.
But it's not as simple as some court decisions make it appear. Even passwords can be considered testimonial, as they may indicate ownership of a locked device or compel production of evidence to be used against the device's owner. The passcode argument has gone both ways in court, which usually comes down to the individual judge's definition of "foregone conclusion." Does the foregone conclusion refer to the device's ownership or the evidence contained in it? The latter is harder to prove, and raising the burden of proof to this level tends to result in courts finding the compelled production of passwords to be a Fifth Amendment violation.
Via Thomas Brewster at Forbes, there's finally some good news on the biometric security front. A federal judge in California has ruled forcing people to unlock phones using biometric measures is a Fifth Amendment violation.
[I]n a more significant part of the ruling, Judge Westmore declared that the government did not have the right, even with a warrant, to force suspects to incriminate themselves by unlocking their devices with their biological features.
As the court points out [PDF], when the fingerprint IS the password, the Fifth Amendment is implicated despite these features normally being considered non-testimonial.
The Court finds that utilizing a biometric feature to unlock an electronic device is not akin to submitting to fingerprinting or a DNA swab, because it differs in two fundamental ways. First, the Government concedes that a finger, thumb, or other biometric feature may be used to unlock a device in lieu of a passcode. In this context, biometric features serve the same purpose of a passcode, which is to secure the owner's content, pragmatically rendering them functionally equivalent.
The court notes law enforcement is well aware of jurisprudence surrounding device security. In this case, the more time that passed between the seizure of the devices and their compelled unlocking, the less likely law enforcement would be able to evade the Fifth Amendment. Judge Westmore doesn't find this reasoning acceptable.
[A] passcode is generally required "when a device has been restarted, inactive, or has not been unlocked for a certain period of time." This is, no doubt, a security feature to ensure that someone without the passcode cannot readily access the contents of the phone. Indeed, the Government expresses some urgency with the need to compel the use of the biometric features to bypass the need to enter a passcode. This urgency appears to be rooted in the Government's inability to compel the production of the passcode under the current jurisprudence. It follows, however, that if a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one's finger, thumb, iris, face, or other biometric feature to unlock that same device.
The court goes on to say the government had other options to access messages -- like approaching Facebook with a warrant -- rather than intrude on the Fifth Amendment (and the Fourth Amendment -- more on that in a moment), but it chose to do it this way. Just because it's easier and faster to do it via compelled production doesn't make it right. In fact, in the court's eyes, all this effort did was violate the Constitution in multiple ways.
An attempted assault on the Fourth Amendment also occurred in this case. Investigators looking for evidence of extortion via Facebook sought to have every device and person at a residence seized and searched, with every resident compelled to unlock devices found during the search. As the judge points out in the rejection of the search warrant application, the Fourth Amendment requires far more specificity.
This request is overbroad. There are two suspects identified in the affidavit, but the request is neither limited to a particular person nor a particular device.
Thus, the Court finds that the Application does not establish sufficient probable cause to compel any person who happens to be at the Subject Premises at the time of the search to provide a finger, thumb or other biometric feature to potentially unlock any unspecified digital device that may be seized during the otherwise lawful search.
This is a far better answer to this sort of request than others we've seen. Searching someone's home and digging through their electronics is one of the scariest powers the government has. The Fourth Amendment is in place to limit these exercises of immense government power to those that are justifiable and necessary. When judges grant overbroad orders, they're doing more than failing to act as a check against government abuse. They're normalizing abuse of citizens' rights via judicial precedent.