There’s a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple’s industry-leading position, it’s probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).

While there’s a great deal of discussion around the pros and cons of fingerprint authentication – from the hackability of the technique to the reliability of readers – no one’s focusing on the legal effects of moving from PINs to fingerprints.

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).

#### Marcia Hofmann ##### About Marcia Hofmann recently launched a boutique law practice focusing on computer security, electronic privacy, free expression, and intellectual property. Prior to that, she was a senior staff attorney at the Electronic Frontier Foundation. Hofmann is also a non-residential fellow at Stanford's Center for Internet and Society and an adjunct professor at U.C. Hastings College of the Law. Follow her on Twitter [@marciahofmann](https://twitter.com/marciahofmann).

The privilege against self-incrimination is an important check on the government’s ability to collect evidence directly from a witness. The Supreme Court has made it clear that the Fifth Amendment broadly applies not only during a criminal prosecution, but also to any other proceeding “civil or criminal, formal or informal,” where answers might tend to incriminate us. It’s a constitutional guarantee deeply rooted in English law dating back to the 1600s, when it was used to protect people from being tortured by inquisitors to force them to divulge information that could be used against them.

For the privilege to apply, however, the government must try to compel a person to make a “testimonial” statement that would tend to incriminate him or her. When a person has a valid privilege against self-incrimination, nobody – not even a judge – can force the witness to give that information to the government.

But a communication is “testimonial” only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.

Take this hypothetical example coined by the Supreme Court: If the police demand that you give them the key to a lockbox that happens to contain incriminating evidence, turning over the key wouldn’t be testimonial if it’s just a physical act that doesn’t reveal anything you know.

However, if the police try to force you to divulge the combination to a wall safe, your response would reveal the contents of your mind – and so would implicate the Fifth Amendment. (If you’ve written down the combination on a piece of paper and the police demand that you give it to them, that may be a different story.)

>To invoke Fifth Amendment protection, there may be a difference between things we have or are – and things we know.

The important feature about PINs and passwords is that they’re generally something we know (unless we forget them, of course). These memory-based authenticators are the type of fact that benefit from strong Fifth Amendment protection should the government try to make us turn them over against our will. Indeed, last year a federal appeals court held that a man could not be forced by the government to decrypt data.

But if we move toward authentication systems based solely on physical tokens or biometrics – things we have or things we are, rather than things we remember – the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.

Biometric authentication may make it easier for normal, everyday users to protect the data on their phones. But as wonderful as technological innovation is, it sometimes creates unintended consequences – including legal ones. If Apple’s move leads us to abandon knowledge-based authentication altogether, we risk inadvertently undermining the legal rights we currently enjoy under the Fifth Amendment.

Here’s an easy fix: give users the option to unlock their phones with a fingerprint plus something the user knows.

Editor: Sonal Chokshi @smc90