Should you use biometrics on your phone?
There are a lot of positives to using biometrics on your devices. It's hard to deny their convenience and in some ways, avoiding passwords can be a good thing since they can be forgotten or stolen.
But the law doesn't necessarily treat your fingerprint the same as a PIN code or password when it comes to unlocking your device. This means you could be compelled to unlock your phone or computer depending on which unlock method you use.
Testimonial vs. non-testimonial evidence
Whether the government can compel you to unlock your device hinges on whether a court considers your biometric data to be “testimonial” or not.
Testimonial evidence is anything that reveals the contents of your mind, i.e., things you've seen, heard, or know.1
Importantly, testimonial evidence falls under the Fifth Amendment's protections against self-incrimination. In other words, you cannot be compelled to provide testimonial evidence that may incriminate you.
However, courts distinguish testimonial evidence from non-testimonial evidence, which doesn't call on a person to reveal the “contents of [their] own mind.”2 For example, compelled physical actions are not usually considered testimonial.3. This is why you can be compelled to provide fingerprints during booking, or a bloodtest as part of an investigation.
Courts have illustrated the distinction between testimonial and non-testimonial by comparing an individual who is compelled to produce keys to a lockbox (non-testimonial) against an individual who is compelled to produce a combination to a safe (testimonial).4 One is simply handing over a key while the other requires you to divulge something you know.
This disctinction is important because when it comes to your devices courts typically agree that PINs and passcodes are testimonial, while some courts have found that biometrics are non-testimonial.
That might make the difference as to whether you can be compelled to unlock your device.
Circuit Split
Currently, there are different schools of thought on this issue.
Just last year, in United States v. Brown5 the D.C. Circuit Court of Appeals found that compelling an individual to unlock their phone with biometrics was testimonial. The court found the act of opening a phone with biometrics—while physical—is testimonial because it “directly announces the owner's access to and control over the phone, as well as his mental knowledge of how to unlock the device.”6
It's an interesting take on the testimonial vs. non-testimonial issue.
It illustrates the distinction between physical acts that communicate something and those that don't. Submitting to a fingerprint panel at the police station doesn't reveal anything incriminatory. It's only once those fingerprints are anaylzed that they may incriminate. Whereas, a fingerprint that unlocks a phone essentially authenticates you as its owner.
However, in 2024, the 9th Circuit Court of Appeals in United States v. Payne7 found the opposite. It ruled that a fingerprint unlock of a phone is akin to handing over the keys to a safe, rather than divulging its combination.8
The court rejected the idea that biometrics are a substitute for PINs or passcodes and should therefore enjoy the same protections.9 It also rejected the idea that a biometric unlock is testimonial because it confirms ownership and knowledge of the device's contents. The court said the access is not incriminating by itself, but only provides access to potential source of incriminating information.10
Should you use biometrics?
Each person has to assess their own threat model. But given the variances in the law and the lack of direct precedent in many circuits, it would seem that the safest approach is to use a PIN or passcode to unlock your device.
Even if you find the Brown case pursuasive or think it would apply, there have already been court decisions that distinguish its finding.
Noteably, P. Diddy cited Brown, among other cases, in his criminal case in New York in order to prevent compelled production of a cell phone. The District Court ruled in favor of the government, in part, because there was no question as to whether the phone was his.11
Essentially, Brown suggests that the testimonial aspect of unlocking the phone is that it communicates control and ownership. But if the government can show that you own and control the device in other ways, then compelling a biometric unlock is not really implicating your Fifth Amendment rights.12.
Recommendations
The Decent Project recommends you avoid using biometrics on your devices. There is little debate over whether divulging a PIN constitutes testimonial evidence.13
We recognizes, though, that typing in a six-digit PIN (yes, please make your PINs at least six digits) every time you want to unlock your phone can be annoying. Given this, you may consider PIN-locking important apps, such as your e-mail, messengers, and password managers.
We also recommend using unique PINs for each of these apps rather than one generic PIN.
Additionally, if you are traveling across an international border, such as returning to the U.S. from a vacation overseas, consider disabling your biometrics temporarily. This way, if you are stopped your device cannot be unlocked simply with a face scan or fingerprint.
~ Torman
Verify this post: Source | Signature | PGP Key
#privacy #security #opsec #FifthAmendment
Subscribe & Comment
If you found this post informative, please subscribe by entering your email below. You'll receive the latest posts from the Decent Project to you inbox.
Do you use biometrics on your phone or devices? Do you think there should be an exception for device biometrics in the testimonial/non-testimonial paradigm? Let us know your thoughts in the comments below! Discuss...
Footnotes
1. “The touchstone of whether an act of production is testimonial is whether the government compels the individual to use 'the contents of his own mind' to explicitly or implicitly communicate some statement of fact.” United States v. Doe (In re Grand Jury Subpoena Duces Tecum), 670 F.3d 1335, 1345 (11th Cir. 2012).
2. “[F]orcing the custodian to testify orally as to the whereabouts of nonproduced records requires him to disclose the contents of his own mind. He might be compelled to convict himself out of his own mouth. That is contrary to the spirit and letter of the Fifth Amendment.” Curcio v. United States, 354 U.S. 118, 128 (1957).
3. “[T]he Fifth Amendment privilege is not triggered where the Government merely compels some physical act, i.e. where the individual is not called upon to make use of the contents of his or her mind.” _In re Grand Jury Subpoena, 670 F.3d at 1345.
4. “He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe — by word or deed.” Doe v. United States, 487 U.S. 201, 219, 108 S. Ct. 2341, 2352 (1988) (Justice Stevens dissent).
5. United States v. Brown, 125 F.4th 1186 (D.C. Cir. 2025).
6. “Though placing a thumb on a phone may seem akin to submitting to fingerprinting or providing a handwriting exemplar, the act, as performed here, is much closer to responding to a lie detector test or complying with a command to say a password. When Schwartz was ordered to open the cellphone, his act of unlocking the phone represented the thoughts “I know how to open the phone,” “I have control over and access to this phone,” and “the print of this specific finger is the password to this phone.” If Schwartz had instead been compelled to disclose whether he could open the phone, and made to say yes or to verbally disclose the password, those answers unquestionably would be testimonial communications. The compelled opening of the cellphone that occurred here is no different.” United States v. Brown, 125 F.4th 1186, 1202-03 (D.C. Cir. 2025).
7. United States v. Payne, 99 F.4th 495 (9th Cir. 2024).
8. “While providing law enforcement officers with a combination to a safe or passcode to a phone would require an individual to divulge the “contents of his own mind,” turning over a key to a safe or a thumb to unlock a phone requires no such mental process.” Payne, 99 at 511.
9. “[T]he Supreme Court has framed the question around whether a particular action requires a defendant to divulge the contents of his mind, not whether two actions yield the same result.” Payne, 99 at 511.
10. “The officers were left to identify any incriminating evidence through their own investigation.” Payne, 99 at 511.
11. United States v. Combs, No. 24-CR-542 (AS), 2025 LX 289072 (S.D.N.Y. Apr. 18, 2025).
12. But when “'[t]he existence and location of the papers are a foregone conclusion and the [defendant] adds little or nothing to the sum total of the Government's information by conceding that he in fact has the papers,' production does not run afoul of the Fifth Amendment.” Combs, LX 289072 at 2 (quoting Fisher v. United States, 425 U.S. 391, 410-11, 96 S. Ct. 1569, 48 L. Ed. 2d 39 (1976)); “Second, under the 'foregone [1346] conclusion' doctrine, an act of production is not testimonial—even if the act conveys a fact regarding the existence or location, possession, or authenticity of the subpoenaed materials—if the Government can show with 'reasonable particularity' that, at the time it sought to compel the act of production, it already knew of the materials, thereby making any testimonial aspect a 'foregone conclusion.'” In re Grand Jury Subpoena, 670 F.3d at 1345-46.
13. “[P]roviding law enforcement officers with a combination to a safe or passcode to a phone would require an individual to divulge the “contents of his own mind.” Payne, 99 at 511; “Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind ... Hence, we conclude that what the Government seeks to compel in this case, the decryption and production of the contents of the hard drives, is testimonial in character.” In re Grand Jury Subpoena, 670 F.3d at 1346.
Disclaimer: I am not a lawyer, and I am not your lawyer. This post is meant to be informative and not to be taken as legal advice. If you are facing a legal issue you should always consult with a licensed attorney who can render legal advice that is specific to your needs.