You lock your phone so other people can't access it. But how you lock your phone is an important factor in whether law enforcement can compel you to unlock it. Apple's year-old Face ID system is no exception. On Sunday, Forbes reported the first known example of law enforcement anywhere using a suspect's face to unlock a phone during an investigation.

The question of whether cops can force someone to unlock their phone in the US for a search hinges on Fifth Amendment protections against self-incrimination—that no one "shall be compelled in any criminal case to be a witness against" themselves. Privacy advocates argue that this extends to the act of unlocking a phone or generally decrypting data on a device. But while that line of thinking has succeeded as a defense against having to produce a passcode, it works less reliably in the context of Touch ID or other biometrics. Something you know, like a passcode, is easier to view as testimonial—legally speaking, a statement made by a witness—than something you have, like a physical attribute.

"Big picture, a warrant is required for the search of a device except in certain circumstances at the border," says Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. In the newly reported Face ID case, police did have a warrant to compel 28-year-old Grant Michalski of Ohio to unlock his smartphone, and Michalski has gone on to face child pornography charges.

"The next question is whether a person has a right against self-incrimination in providing the tool that law enforcement would use to search the device—a password or a fingerprint or a face," Nojeim says. "For the issue about whether you can be compelled to provide your fingerprint or your face, so far the courts are ruling that fingerprints and faces are not testimonial, and therefore there isn’t a Fifth Amendment violation. In terms of whether compelled disclosure of a password is a violation of the Fifth Amendment, the majority of courts are saying it is."

Which means that in Michalski's case, the seemingly remarkable instance of unlocking a suspect's iPhone by pointing it at his face was likely entirely straightforward for police. "It’s not at all surprising to me that this happened. In fact, it seems as though Face ID opens up less invasive ways for police officers who have authority to access data on a phone," says Ahmed Ghappour, an associate law professor at Boston University who specializes in cybersecurity and criminal law. "There might be less intrusion and physical coercion with forcing a faceprint versus a fingerprint."

The Supreme Court has not decided the issue directly for either biometrics or passcodes, though. This could mean that an opening still exists to make the case that the Fifth Amendment should protect against decryption by any means. "It is EFF's position that compelled decryption, whether by biometric or alphanumeric password, should be protected by the Fifth Amendment because decryption is always testimonial," says Stephanie Lacambra, a criminal defense staff attorney at the Electronic Frontier Foundation. "You should understand that you do have the power to withhold your passwords from law enforcement."

Until a definitive court decision, though, if you're at all concerned about compelled unlocking of your phone, you're better off using a strong six-digit passcode than your fingerprint or face. Just don't count on that to protect you in all situations, because case-by-case circumstances can affect the chance of a successful Fifth Amendment defense.

A crucial caveat to Fifth Amendment protections in general is something called the “foregone conclusion” doctrine, which essentially says that if prosecutors already know a piece of information, that information is not protected by the Fifth Amendment, because it can independently be proven true. This means that testifying to confirm it is not self-incriminating. US courts have issued mixed decisions on how the foregone conclusion doctrine applies to compelling a person to produce a passcode.