this post was submitted on 25 Sep 2024
92 points (100.0% liked)
Technology
37719 readers
180 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
it's unbelievable that there is a distinction in US caselaw between giving up your biometrics and giving up your password, and your essentially unchangeable biometrics are somehow the one you're probably obliged to give to the cops if they ask. just an incredibly goofy system
Law enforcement has been collecting fingerprints for over 100 years now, and the history of using fingerprints for other reasons goes even further back.
The error here is that we decided to start using an easily obtainable piece of data as a "lock" on our phones and computers. For many reasons, it's better to use a password or PIN.
i don't believe stored fingerprints can actually be used on modern devices
It's much more worrying how often face unlock works with a simple photo.
Only on devices that don’t use a 3D authentication, which for example the iPhone uses.
The MyColorado FAQ explicitly states that an officer cannot take your phone, even if they think your digital ID is fraudulent. This whole article is a ton of fear mongering. Digital IDs do not require you to give your phone to anyone, they do not require you to unlock (unless it’s a state specific app), and even if its a state specific app the cops aren’t allowed to take it anyway.
no offense but: even if you were to grant the notion that this is an exaggerated problem--cops are not well known for their rigorous adherence to the law or proper legal procedure. they routinely fuck up and violate civil liberties, up to and including murdering people for arbitrary reasons. and unless police are held accountable (which they almost never are for a variety of systemic reasons), what a state says they cannot do is effectively meaningless. it's just words on a screen, really.
I would agree with you if we're talking about something like the ability to search a car, where the cop is not allowed to without the owner's permission (assuming no probable cause or warrant). In that case the cop usually figures out a loophole to manufacture probable cause or manipulate the owner into agreeing to a search. And then there's nothing a lawyer or judge can do later, because it's the cop's word vs yours.
But if we're talking about a law that actually says the cop cannot take your phone no matter what, and they do, then any public defender would be able to point it out and the judge would certainly have to enforce it. I can't think of a way the cop would abuse their power because, in this case they don't have it.
I could be convinced based on the actual wording of the law, though.
they can abuse their power because they're a cop, with a badge and gun, and the right to maim or literally kill you with it (and probably get away with it even if it's not strictly legal) if you don't comply with their demands in the moment. again: cops consistently do not care about or follow legal procedures they're supposed to, frequently fuck up those procedures even when they do, and most cops probably don't even think of it as their job to secure some airtight case that stands up to legal scrutiny. it's not a profession that lend itself to the kind of charitability that's being given here, and the record of the profession makes it even less deserving of that charitability.
basically, put it this way: if a cop stops you and asks you for your phone--what are you realistically going to do in that situation the moment they don't respect your "no" and begin to pressure you, threaten you, and decide to throw the legal book at you (however dubious) for saying no? for most people, the answer is going to be "just give up the phone and start complying with the cop" even though that is not something the cop should be able to do. because at the end of the day they have a gun, and can put you in jail (or at least make your day hellish) more-or-less unilaterally, with very little recourse for you unless you want to do expensive litigation.
It doesn’t really matter if they do take your phone in the end anyway. If it’s that clear cut illegal then anything they manufacture as evidence wouldn’t be admissible in court…no matter what.
I have a question: Is a FAQ case law?
Never use biometrics. It's just not worth the tradeoffs.
Something you have, something you are, something you know. Are you willing to give up proper security for your cause?
When it's being employed properly, it's absolutely an important tool, but the way they're presented to most users, such as on-device biometric data stores (e.g. Apple's secure enclave, or a TPM verification), aren't the proper implementations. Nor is using biometrics as your primary auth method.
It's supposed to be "something you have and something you know and something you are", not "have or know or are".
NIST standards for biometrics require the biometric data be stored on a secure remote server, and that the scanner device check against that during auth. Putting the biometric data on the device means that you're losing a big part of your non-repudiation.
And it's even worse when you're using a secondary factor (biometric) as your primary or only factor (e.g. a phone unlock), that grants access to your other factors like password store and OTP tokens.
Biometrics are never supposed to be a single-factor auth method when used properly, but that's how most people use them now, and it degrades their security.
If your phone requires a passcode, a TOTP grant, and a biometric scan, by all means, please do employ biometrics, but if it's going to be your only factor, DO NOT.
Or, for simplicity to the average forum reader:
If you have an iPhone, you tap the power button 5 times to make an emergency call, after that cancel it and the PIN is required to open the phone.
Or hold the power button and any volume button for 3 seconds. Same result.