Saturday, April 12, 2025
Latest:
ZDNet | Security

Biometrics vs. passcodes: What lawyers recommend if you’re worried about warrantless phone searches

TH Author
customs and border sign

Nicolas Economou/NurPhoto via Getty Images

Accompanying the rise in detentions and deportations by US Immigration and Customs Enforcement (ICE) and other authorities are increasingly frequent reports of smartphone searches.

US authorities allegedly dig through past emails, photos, social network activity, and other content to establish grounds for apprehension or other enforcement decisions. While such intrusions as a function of domestic law enforcement are nothing new, concern that more people could be held accountable for their beliefs, acquaintances, work, or speech is on the rise. 

Also: 5 simple ways to regain your data privacy online – starting today

This week, the Detroit Free Press reported that Dearborn-based civil rights and criminal defense attorney Amir Makled experienced such a search on Sunday, April 6, at the Detroit Metro Airport while he and his family were returning home from the Dominican Republic. Makled told the Detroit Free Press that he was “questioned about his clients and asked to give up his cellphone.” Makled is an American citizen, but he also happens to be the attorney for a pro-Palestinian demonstrator who was arrested at the University of Michigan last year. 

As news of these smartphone searches starts to enter the national conversation, many people, including US citizens, wonder how law enforcement officials could compel them to unlock their phones without a court-issued warrant. 

Also: 5 tools I trust to keep my online conversations private and anonymous

Last week, a graphic that discouraged smartphone users from relying on biometrics to unlock their phones made the social network rounds. The graphic states, “Reminder: If you’re using thumbprint or facial recognition, you can be forced to hand over or open your phone. You can’t be forced to open your phone if you’re using a passcode. A passcode requires a search warrant. The more you know.” 

 Given the growing importance of a robust credential management strategy, I decided to double-check the legal veracity of that “reminder.” Spoiler alert: As opposed to passcodes (passwords, finger-drawn patterns, etc.), biometrics currently live in a grey area of the law. Depending on the jurisdiction (state vs. federal) and context (i.e., customs office versus a point of entry), you might be compelled to unlock your devices or your apps without a court-issued warrant. 

What the law says 

According to law enforcement veteran and attorney Ignacio Alvarez, “Courts are struggling to find common legal ground on the constitutionality of compelled password production. But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.” Alvarez, a former law enforcement executive with the Miami-Dade Sheriff’s Office, is currently a managing partner specializing in civil and criminal litigation at the Miami-based ALGO Law Firm.

Also: Is your phone eavesdropping on you? Try NordVPN’s simple test to find out

Joseph Rosenbaum, a New York-based attorney specializing in cybersecurity, privacy, and data protection at Rimon Law, concurred. “Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”

These Fifth Amendment references hint at a nuanced area of the law regarding your constitutional rights and the technical difference between passcodes and biometrics. Whereas passcodes can be spoken, biometrics cannot. Therefore, in the spirit of the well-known Miranda warning that “Anything you say can and will be used against you in a court of law,” law enforcement officials cannot compel you to speak your password any more than they can compel you to say anything else that’s potentially self-incriminating.

On the other hand, depending on which agency or authority has jurisdiction over a given situation, the unspoken scan of your fingerprint, face, or retina might be considered “non-testimonial.” In other words, since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.

Also: 7 password rules security experts live by in 2025

This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial. 

“Biometrics are a more unsettled area of the law because [relatively speaking], devices are just starting to use biometrics,” Alvarez told ZDNET. “The US Court of Appeals for the 9th Circuit just decided in 2024 that the Fifth Amendment protection against self-incrimination does not prohibit police officers from forcing a suspect to unlock a phone with a thumbprint scan. States courts have gone both ways on this issue, some claiming you cannot be compelled to use biometrics, but the US Supreme Court just denied certiorari on this case, so it will remain unsettled for now.”

In other words, until the Supreme Court shows an interest in reviewing the 9th Circuit’s decision, you could be compelled to produce a biometric without violating your rights. This leads to the next obvious question: To what extent can a law enforcement officer forcibly compel you to unlock your phone with a biometric? 

Also: The best data removal services: Delete yourself from the internet

“If they have probable cause, they can ask you to do so,” said Alvarez. “I would argue in court for my client if law enforcement forced my client (using force) to use biometrics. This is still a developing area of the law. All these issues will be extensively litigated at the right time.” 

So what should you do? 

In terms of your credential management strategy, what, if any, action should you take? ZDNET is not in the business of handing out legal advice. For that, consult with an attorney. However, given the degree to which the law is still “developing,” common sense seems to suggest that the safest route — the one where your rights currently offer you the most leverage — might be to rely on some form of password or passcode instead of a biometric (where the option exists).  

Also: The best travel VPNs of 2025: Expert tested and reviewed

Back at the Detroit Metro Airport, even after federal agents produced a document explaining how they can legally confiscate cell phones, attorney Makled stood his ground. When he was asked to turn his phone over to federal agents, he refused. After a 90-minute detention, Makled was released. But not before CBP agents allegedly got to look at his contacts list.

Alvarez told ZDNET, “I do tell my clients that unless you are ordered by the court through a search warrant, do not give your code to your cellphone or computer device.” But if you’re a non-US citizen and you refuse to comply, Alvarez warns that ICE “has a right to question you before entering. You can refuse and go back to where you came from.” 

Get the morning’s top stories in your inbox each day with our Tech Today newsletter.

READ MORE HERE