A Southern California woman was recently ordered to provide her fingerprint to unlock a seized iPhone, according to a report by the Los Angeles Times

The case highlights the ongoing balancing act between security and convenience and how the law treats something you know (a passcode) as being quite different than something you are (a biometric). Under the Constitution, criminal defendants have the right not to testify against themselves—and providing a passcode could be considered testimonial. However, being compelled to give up something physiological or biometric (such as blood, DNA sample, fingerprint or otherwise), is not.

As the Times reports, Paytsar Bkhchadzhyan was ordered by a federal judge to provide her fingerprint on February 25, and the warrant was executed and unsealed on March 15.

"Why authorities wanted Bkhchadzhyan to unlock the phone is unclear," the Times noted. "The phone was seized from a Glendale residence linked to Sevak Mesrobian, who according to a probation report was Bkhchadzhyan's boyfriend and a member of the Armenian Power gang with the moniker of ‘40.’"

iPhones equipped with such a scanner, if that feature is enabled, can only can be unlocked via fingerprint if the phone hasn't been unlocked within 48 hours. If the phone is rebooted or has been sitting for longer than 48 hours, the phone's passcode is required.

A search of federal court records of both Bkhchadzhyan and Mesrobian came up empty, which suggests that any charges remain sealed or have not yet been filed.

Cases that have demanded that someone unlock his or her smartphone with their own fingerprint remain relatively rare. In 2014, a Virginia Circuit Court judge found that a person does not need to provide a passcode to unlock their phone for the police, and it also ruled that demanding a suspect to provide a fingerprint to unlock a phone would be constitutional.

Since Apple introduced Touch ID in 2013, some privacy law experts have warned of relying too much on the fingerprint system. That same year, Marcia Hoffman, a well-known Silicon Valley lawyer, concluded in a Wired op-ed that defendants may be subject to a weakened Fifth Amendment protection against self-incrimination:

But if we move toward authentication systems based solely on physical tokens or biometrics—things we have or things we are, rather than things we remember—the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.

A wake-up call

That logic seems to continue to hold, at least for some of Hoffman’s colleagues.

"This is why I tell my criminal procedure students that they have more protections if they use a passcode rather than fingerprint to guard entry to their phones," Mary Fan, a law professor at the University of Washington, told Ars by e-mail. "While I don’t conduct crimes on my cell phone, I still decline to use my fingerprint out of an abundance of caution!"

Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society, said that she's not sure there would be a good legal defense to a judicial order such as this one.

"I don't find this warrant legally problematic under the Fifth Amendment, but it does serve as a wake-up call to folks who may not have been aware of the important legal consequences that hang on which option they pick to protect their phones," she e-mailed. "To be sure, it's troubling to think that the police could end up using against you a choice you made for the sake of convenience and to make it harder for someone to snoop into your phone without your knowledge. But I don't think it runs counter to the Fifth Amendment."

However, Pfefferkorn added that while she doesn’t currently own a smartphone with Touch ID, she didn’t enable it on her previous phone "for precisely this reason: the legal protection against being compelled to unlock your phone is lesser with fingerprint-unlocking than with entering a passphrase. (Not that I expect to get arrested!)"

In 2013, Hoffman noted that there is a simple solution to avoid this entire problem: use biometrics in conjunction with passcodes.