Apple unveiled its newest iPhones this week – the iPhone 8 and the iPhone X. Tim Cooks assured the world that Face ID – Apple’s face recognition technology – is 20 times more secure than Touch ID (Apple’s fingerprint recognition.) That hasn’t stopped privacy concerns being raised about the new phone – such as whether photos or masks could be used to unlock the phones and whether third parties would have access to the facial recognition data stored on the device.
The new (to Apple) technologies raise Fourth and Fifth Amendment concerns as well.
The Fourth Amendment protects individuals against unreasonable search and seizure by the government. While phones are routinely collected as evidence by both state and federal law enforcement agents, the Supreme Court ruled in a unanimous opinion in 2014 that police officers must get a warrant to search a cell phone.
Imagine an officer procures a signed search warrant for a locked phone after asserting probable cause exists that some evidence of a crime is contained on the device. The next step would be for law enforcement to effect that warrant by getting into the phone.
Law enforcement officials can try a brute force attack, but that can be a time-consuming and expensive process. Modern iPhones have 256-bit encryption, support four-digit, six-digit, and arbitrary length alphanumeric passcodes.
By way of example, a computer could crack:
- a 4-digit passcode in 6 minutes and 34 seconds
- a 6-digit passcode in 10 hours 57 seconds, and
- a 12 character alphanumeric password with special characters: more than a trillion years.
While just under 11 hours may not seem long, remember how difficult it was to unlock the San Bernardino shooter’s phone? That is because Apple automatically disables the passcode after five attempts to enter a passcode incorrectly. If you have a six digit passcode, it would take 22 hours to try all the possible combinations including the time-outs. A six-letter passcode made up of numbers and letters would take 5.5 years to crack with the time-outs. The difficulty in cracking a password by brute force goes up exponentially with the length of the passcode.
With the volume of cases that come in and limited resources, state and local agencies reserve brute force attacks for the most serious of cases. You should anticipate law enforcement will ask for a court to order that a defendant provide a fingerprint or a facial scan because doing so would not implicate the Fifth Amendment, and there is little intrusion into the person’s privacy that would prevent such an order under the Fourth Amendment. A judge faced with the decision of signing such an order would balance the intrusiveness of the request with the purposes of law enforcement. For example, a blood draw during a DWI investigation is considered highly invasive and requires a warrant. However, taking a buccal (cheek) DNA swab from someone who was arrested for a serious crime is considered a minimal intrusion and does not require a warrant.
Steps You Can Take to Keep the Police Out of Your iPhone
First, remember not to give consent to search your phone or any other electronic device, even if the agent says “we will get into it anyway.”
Second, if at all possible, turn your phone off and then back on if you are stopped by the police and have an iPhone. This will force the device to require a passcode to access the device instead of Face ID or Touch ID. (This has been our advice since 2014.)
AppleInsider reports that pressing the buttons on both sides will “will temporarily disable Face ID.” This might slow things down, but turning off your iPhone (for now) ensures that a passcode will be necessary no matter how long law enforcement waits to try accessing your phone again.
Third, use a secure passcode. A long alphanumeric password will make it extremely difficult for law enforcement to crack using brute force.
How to enable alphanumeric passcode in iPhone
1. Go to Settings
2. Go to Touch ID & Passcode
3. Click Change Passcode
4. Re-Enter Your Existing Passcode
5. Click Custom Alphanumeric Code
6. Enter your new passcode.
Also published on Medium.