The feds are using an unprecedented type of search warrant to obtain encrypted communications that the agency says are nearly impossible to access otherwise.
In November last year, an undercover agent with the FBI was inside a group on Amazon-owned messaging app Wickr, with a name referencing young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the U.S. government, journalists and activists for private communications. Encryption makes it almost impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could start piecing together who was sharing the material.
As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face. The FBI has previously forced users to unlock an iPhone with Face ID, but this search warrant, obtained by Forbes, represents the first known public record of a U.S. law enforcement agency getting a judge’s permission to unlock an encrypted messaging app with someone’s biometrics.
According to the warrant, the FBI first tracked down the suspect by sending a request for information, via an unnamed foreign law enforcement partner, to the cloud storage provider hosting the illegal images. That gave them the Gmail address the FBI said belonged to Christopher Terry, a 53-year-old Knoxville, Tennessee resident, who had prior convictions for possession of child exploitation material. It also provided IP addresses used to create the links to the CSAM. From there, investigators asked Google and Comcast via administrative subpoenas (data requests that don’t have the same level of legal requirements as search warrants) for more identifying information that helped them track down Terry and raid his home.
When they apprehended Terry, the FBI obtained his unlocked phone as well. But there was a problem: His Wickr account was locked with Apple’s Face ID facial recognition security. “By the time it was made known to the FBI that facial recognition was needed to access the locked application Wickr, Terry had asked for an attorney,” the FBI noted in its warrant. “Therefore, the United States seeks this additional search warrant seeking Terry’s biometric facial recognition… to complete the search of Terry’s Apple iPhone 11.”
“Most courts are going to find they can force you to use your face to unlock your phone because it’s not compelling you to speak or incriminate yourself…”
After the FBI successfully forced Terry to use his face to unlock his Wickr account, Terry was charged in a criminal complaint with distribution and possession of CSAM, but has not yet offered a plea. His lawyer did not respond to a request for comment at the time of publication.
Amazon’s Wickr hadn’t provided comment at time of publication. The FBI, Google and Comcast did not immediately respond to a request for comment.
Forcing people to unlock encrypted messaging with their biometrics is unprecedented — and controversial. That’s because of an illogical quirk in U.S. law: Courts across the U.S. have not allowed investigators to compel people to hand over a passcode for phones or apps, but they have allowed them to repeatedly unlock phones using biometrics. That’s despite the obvious fact that the result is the same.
Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society in New York City, says this is because American law hasn’t caught up with the technology. Passcodes, unlike biometric information, are legally considered “testimonial,” and citizens are not obliged to provide such testimony because the Fifth Amendment protects you from self-incrimination. But body parts are, by their nature, not as private as a person’s thoughts, Greco notes.
“Most courts are going to find they can force you to use your face to unlock your phone because it’s not compelling you to speak or incriminate yourself… similar to fingerprints or DNA,” Greco says.
But he believes there will soon be enough diverging case law for the Supreme Court to have to decide whether or not compelled facial recognition unlocks are lawful. “We’re trying to apply centuries-old constitutional law that no one could have envisioned would have been an issue when the laws were written,” he says. “I think the fight is coming.”
There has been some pushback over such biometric unlocks from judges in some states. That includes two 2019 cases in California and Idaho, where the police wanted to force open phones inside properties relevant to the investigations. The judges in those cases declared biometric data was, in fact, testimonial, and law enforcement couldn’t force the owners of those phones to use their faces to unlock them.
But last year, Forbes revealed the Justice Department was continuing to carry out such searches. It had also adopted new language in its warrants that said suspects have a legal right to decline to tell law enforcement whether it’s your face, your finger, or your eye that unlocks your phone. But even if you don’t say what will unlock your phone, the DOJ said investigators could unlock your device by simply holding it up to your face or pressing your finger to it.
The search also comes after years of campaigning by the FBI to have tech giants provide more assistance in providing access to encrypted data. Since the 2015 San Bernardino terrorist attack, where the Justice Department demanded Apple open the shooter’s iPhone, that debate has intensified. The warrant, however, shows the government does have some techniques it can use to find criminals using the likes of Wickr and its encrypted data.
For now, Greco says the best way a person can protect themselves from such searches is to lock a device with a complex passcode rather than a face. It’s possible to do the same with Wickr by disabling Touch ID or Face ID.