Police looking to identify criminals now only need a tip. A fingertip, that is.

The United Kingdom’s South Wales Police were recently able to identify a drug dealer via their fingerprints in a photo on the messaging app WhatsApp.

The photo, of a palm-up hand holding ecstasy pills, came from the mobile phone of another person arrested in Wales; unlike in the United States, U.K. police can search the contents of a person’s phone without a warrant if they are arrested. Though the photo didn’t reveal enough of the person’s fingers to match the fingerprints to national database records, there was enough for the police to compare the prints to those of a potential suspect for a positive match.

Law enforcement officials from all over the country are now sending a flood of photographs to South Wales Police’s scientific support unit to re-analyze leads for other cases, the BBC reports.

Though this is the first arrest of its kind made in the U.K., it’s not the first in the world; Florida law enforcement arrested a child abuser and pornographer in 2015 based on clear photos of his fingers in the videos he sold, as did Australian authorities in a similar case in March 2018.

And while it’s amazing for law enforcement to be able to identify criminals through tech, these arrests also speak to the potentially unsettling security implications of incredible high-res photos that come from cameras we constantly have in our pockets. Namely: that you can snag biometric data from them.

As has been proven on many smartphone models, it’s already very possible to spoof fingerprint scanners by making a cast of a finger, even with something as simple as Play-Doh. It’s not a huge jump to imagine that someone could swipe fingerprints from a photo and pressing them into a similar mold. In fact, that dorky peace-sign photo you took in front of the Empire State Building could be a security risk, as Japanese researchers demonstrated last year. The same is true of new facial recognition systems, which have been fooled before by masks.

So it’s probably not surprising that many tech companies are trying out different iterations of this biometric data as users log into their devices. One technique: ensuring that a finger is “live” by testing for a pulse or the presence of perspiration. Other options vary from scanning for your heart rhythm through your chest or tying biometric data into a multi-factor authentication.

But let’s face it: security is a cat-and-mouse game. If you’re an ordinary person, it’s a good reminder that no form of security is infallible; if you’re a criminal, maybe remember not to share pictures of your identifiable body parts when you’re doing illegal things.