Last week, the 9th Circuit Court of Appeals in California released a ruling that concluded state highway police were acting lawfully when they forcibly unlocked a suspect’s phone using their fingerprint. You probably didn’t hear about it. The case didn’t get a lot of coverage, especially because the courts weren’t giving a blanket green light for every cop to shove your thumb to your screen during an arrest. But it’s another toll of the warning bell that reminds you to not trust biometrics to keep your phone’s sensitive info private. In many cases, especially if you think you might interact with the police (at a protest, for example), you should seriously consider turning off biometrics on your phone entirely.
The ruling in United States v. Jeremy Travis Payne found that highway officers acted lawfully by using Payne’s thumbprint to unlock his phone after a drug bust. The three-judge panel said cops did not violate Payne’s 5th Amendment rights against self-incrimination nor the 4th Amendment’s protections against unlawful search and seizure for the “forced” use of Payne’s thumb (which was more to say unlocking his phone was coerced, rather than physically placed on the screen by a third party). The court panel admitted from the outset “neither the Supreme Court nor any of our sister circuits have addressed whether the compelled use of a biometric to unlock an electronic device is testimonial.”
Listen, we all recognize the convenience of biometrics. It’s far quicker to unlock your phone with your face than to type out a passcode. The issues this practice raises—especially for groups more likely to interact with law enforcement—are enormous. The subject comes up again and again during times of civil strife. In the past few weeks, police all over the U.S. have committed mass arrests of students and even some tech workers for protesting the treatment of Palestinians by the state of Israel. You don’t have to look too far back to identify the problematic ways police have treated arrested protesters’ phones. In that way, you may want to try and cop-proof your phone. Still, that doesn’t mean there aren’t ways cops will find to access your data.
The 9th Circuit’s ruling was narrow and doesn’t necessarily create a new precedent, but it points out that the arguments surrounding the 5th Amendment and biometrics are still unsettled. The ruling was also complicated by the fact that Payne was on parole at the time, back in 2021, when he was stopped by California Highway Patrol where he allegedly had a stash of narcotics including fentanyl, fluoro-fentanyl, and cocaine. He was charged with possession with intent to sell.
A stipulation of Payne’s parole agreement was that he be willing to provide a passcode to his devices, though that agreement didn’t explicitly refer to biometric data. However, the panel said the evidence from his phone was lawfully acquired “because it required no cognitive exertion, placing it in the same category as a blood draw or a fingerprint taken at booking, and merely provided [police] with access to a source of potential information.”
What Do the Experts Say Regarding Biometrics and Police?
The “it’s like a booking at fingerprint” argument has long been in contention surrounding, police, biometrics, and phones. The Electronic Frontier Foundation, a digital rights group, has offered guides for best practices when attending protests, and one of those is to turn off your thumbprint or face unlock before you hit the street. This is because a face or thumb scan does not require a user to mentally recall their private information, whereas a passcode does.
“The general consensus has been that there is more Fifth Amendment protection for passwords than there is for biometrics,” Andrew Crocker, the Surveillance Litigation Director at the EFF, told Gizmodo in a phone interview. “The 5th Amendment is centered on whether you have to use the contents of your mind when you’re being asked to do something by the police and turning over your password telling them your password is pretty obviously revealing what’s in your mind.”
It’s not a complete failsafe from restricting cops from accessing your entire digital personality through your device. Just take the several cases of cops accessing suspects’ phones in cases of women charged with infanticide for performing an abortion. Still, Crocker said that if the cops asked Payne which finger unlocked his device, rather than compelling him to unlock his phone himself, then it may have been a different case as that would have required the defendant to rely “more on his mind.”
The law is still in flux, so there’s no hard and fast rule for protecting your phone from searches. Still, if you know you will be interacting with police, your best bet is to turn off biometrics before you head out, according to Crocker. Even then, there are so many nuances that make biometrics a hard sell for anybody concerned with protecting their private details. For instance, you can unlock Meta’s apps like Instagram, Facebook, or Messenger with Apple’s same biometric face scan. What’s the law on points of nested biometrics? Crocker said the courts have yet to get into the nitty gritty of that question, so then the answer again becomes “the strongest protection is going to be if you have a passcode on the app.”
If your apps and messages aren’t already encrypted, it’s best to start considering services that are. It’s especially important if police are conducting a warranted search, where they might find your phone “in plain view” which gives them the opportunity to search its contents, often with few restrictions.
“Police often have a kind of free rein over the contents of the phone,” Crocker said. “And so if they find other evidence, it’s kind of frequently seen as no harm, no foul.”
There’s no rule that will help in all circumstances. There’s no guaranteed safeguard for your digital life. But until a major court offers a defining legal opinion, you’re simply better off not using biometrics at all.