An affidavit released Tuesday reveals that the FBI requested a warrant to use former Trump lawyer Michael Cohen’s fingerprints and face to access Apple devices retrieved during a 2018 raid on his office, home, and hotel room in New York. An agent, whose name has been redacted in the document, wrote that it would “likely be necessary to press the fingers of the user of the Subject Devices to the devices’ Touch ID sensor, or hold the Subject Devices in front of the user’s face to activate the Face ID sensor” because law enforcement did not know Cohen’s password. Judge Henry B. Pitman approved the warrant application, though it is unclear whether the investigators ultimately used these biometric authenticators to unlock the devices.
Apple debuted Touch ID on the iPhone 5S in 2013 and Face ID on the iPhone X in 2017, and law enforcement sought to use each in investigations soon after their releases. In 2014, a Virginia judge issued a landmark ruling decreeing that police could not force a man accused of strangling his girlfriend to disclose his iPhone password, but that they could make him press his finger on the phone’s fingerprint sensor. The reasoning was that passwords are considered abstract knowledge, and compelling people to divulge that information would violate their Fifth Amendment right against self-incrimination. However, fingerprint logins fall under the realm of gathering physical evidence like DNA swabs and breathalyzer tests and is not considered a form of self-incrimination.
Since then, police have now and again used Touch ID to collect evidence from phones. Police in Lancaster, California, went as far as to request a warrant to force everyone inside a suspect’s home to unlock their smartphones with fingerprints in 2016. It’s unclear if the warrant was approved since the document was not made public. The FBI also weathered criticism in 2017 for failing to quickly consult with Apple on ways to access a password-protected iPhone SE belonging to Devin Patrick Kelley, who killed 26 people in a Texas church before killing himself. Law enforcement only had 48 hours to press Kelley’s fingers against the phone before the device reverted to requiring a password, but officials reportedly declined to request Apple’s help during that time. Privacy advocates contended that the FBI had no interest in cooperating with the Apple because the bureau ultimately wanted to pressure the company into weakening its encryption.
The first known case of law enforcement executing a warrant to access a phone using Face ID was in August 2018. Forbes discovered that FBI agents were raiding a Columbus, Ohio apartment in connection with a child pornography investigation when they instructed the suspect, 28-year-old Grant Michalski, to place his face in front of his phone. Michalski complied, giving agents access to his online chats and photos. His lawyer did not challenge the compelled Face ID login, and Michalski later pleaded guilty to receiving and possessing child pornography.
Yet law enforcement’s license to manipulate a device’s biometric features may soon face more challenges in the courts. In January, Judge Kandis Westmore of the U.S. District Court for the Northern District of California broke from precedent and ruled that police could not compel the use of Face nor Touch ID. Westmore wrote, “If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.” She further argued that lie detector tests take advantage of a host of physiological responses, and that courts have previously invoked the Fifth Amendment to prohibit police from forcing suspects to undergo such tests. But Josephine Wolff wrote in Slate at the time that “there’s already a lot of uncertainty and disagreement about when courts should be able to compel decryption of devices—and Westmore’s opinion will only make things less clear and more complicated.”
The search warrants connected to the Michael Cohen raid featured a number of other controversial technologies. Investigators apparently tracked Cohen using a Stingray, a device that mimics a cellphone tower to trick phones in the area into sharing location data. They also subpoenaed data from actual cell towers to trace the whereabouts of two of Cohen’s phones for 45 days. Google refused to provide prosecutors with certain contents from Cohen’s Gmail and Drive accounts because the data was stored overseas, but a law that Trump signed a few weeks later gave them the authority to eventually compel the company with a new warrant.