Quick Look
• The FBI raid on Washington Post reporter’s home shows uncertainty about biometrics under the Fifth Amendment.
• Hannah Natanson was compelled to unlock a MacBook with her fingerprint.
• Until the law is clarified, use PINs/passwords instead of biometrics.

Recently, the FBI served a search warrant on the home of Washington Post reporter Hannah Natanson.

It's rightfully being decried as yet another disturbing attack by the Trump Administration on America's tradition of free and independent press—a tradition that was dealt yet another blow this week when the Administration arrested four Black journalists in Minnesota, one of whom was former CNN anchor Don Lemon.

While much ink has been spilled about the potential chilling effect the raid on Natanson's home may have, some key details of the search are now coming to light.

Authorities seized several devices from Natanson's home

Authorities compelled Natanson to unlock her device

The warrant used by authorities to search Natanson's home explicitly stated that agents could compel her to unlock her devices using biometrics, such as a fingerprint or face scan, but they could not compel her to reveal any passwords.

Yet, as the search continued, authorities eventually discovered a second computer inside a red backpack in her kitchen.

When agents opened the computer, the lockscreen prompted them to enter a password or use TouchID. The agents then insisted—perhaps against the orders of the search warrant shown above—that she attempt to unlock the device.

The government states that Natanson put her index finger on the scanner, which then unlocked it.

Can you be compelled to unlock your device with biometrics?

This is the exact issue the Decent Project wrote about a little more than two weeks ago.

In our article entitled Should you use biometrics on your phone?, we explored the murky legal landscape over whether law enforcement can compel someone to unlock their device using their fingerprint or face.

Currently, courts are split on the issue. It comes down to whether a court sees the use of biometrics as “testimonial” evidence.

Testimonial evidence is generally anything that requires you to divulge the contents of your mind, i.e. things you know, have seen, or have heard. This kind of evidence has a long tradition of being protected by the Fifth Amendment's privilege against self-incrimination, meaning you cannot be compelled to reveal it.

However, some courts do not think that biometrics are “testimonial” in nature. Instead, they argue a biometric unlock doesn't reveal anything about the content of an individual's thinking or knowledge.

For example, in 2024, the 9th Circuit (in purple above) said in United States v. Payne that biometrics are not afforded the same protections as passwords or PIN numbers:

“While providing law enforcement officers with a combination to a safe or passcode to a phone would require an individual to divulge the 'contents of his own mind,' turning over a key to a safe or a thumb to unlock a phone requires no such mental process.”

We at the Decent Project strongly disagree with this view, and we think Natanson's case is a great example as to why.

What Natanson's fingerprint actually revealed

When Natanson unlocked the MacBook in her kitchen, it revealed several things about her and her relationship to that device.

First, it demonstrated that Natanson knew how to biometrically unlock the device.

This, in our opinion, stands in direct contrast to the 9th Circuit's view that unlocking a device with your finger “requires no ... mental process.”

The government's filing isn't particularly clear on the exact exchange, but when agents “told her to try” to unlock the device and she did so with her index finger, it raises the question: how did she know which finger to use?

Second, her fingerprint demonstrated her control over the computer.

Unlocking a device with your fingerprint is a pretty clear indication that you are the owner of that device, or at least in control of it. If this device is not a shared computer, then it effectively demonstrates that Natanson is responsible for the content found on the device.

It's important to note that Natanson is not a defendant in this case, nor is she a target of the investigation—but in any other context, this kind of evidence could be damning.

Instead, imagine if authorities had found the computer in Natanson's home and it did not have TouchID. Since Natanson cannot be compelled to reveal a PIN or password, what would authorities have to demonstrate that the device is hers?

They could say the device was in her kitchen and that it was found in her backpack, but that's about it.

Takeaway

Not all courts agree with the 9th Circuit when it comes to biometrics. As discussed in our earlier article, the D.C. Circuit Court of Appeals ruled last year that biometrics can be afforded the same protections as other testimonial evidence.

While that's good news, this issue is new and the law is still developing. As such, unless and until there is legal clarity, the Decent Project continues to recommend that individuals do not use biometrics on their devices.

~ Torman

Verify this post: Source | Signature | PGP Key

#privacy #security #OPSEC #FifthAmendment

If you enjoyed reading this or found it informative, please consider subscribing in order to receive posts directly to your inbox:

Also feel free to leave a comment here: Discuss...

There is a saying in cryptocurrency: “not your keys; not your coins.”

In essence, if you don't control the keys to the wallet containing the cryptocurrency—usually a series of random words generated at the time that the wallet is created—then you don't really own the money inside it.

It's the difference between having your money in a bank that actually possesses your cash and lets you access it, or in an impenetrable safe where only you know the combination. If you possess the cash and the safe, you truly own the money.

The same can be said for encryption. Whether you realize it or not, it's likely that many of your devices enable encryption by default. For example, iPhones are encrypted by default and so are most modern Windows machines.

Sounds good, right?

But it presents the same problem as with crypto: who holds the keys?

When your Windows computer is encrypted, it's using Microsoft's BitLocker. The data can be accessed only once you type in your password or PIN, or authenticate with biometrics. However, Microsoft also ensures that a recovery key is created and backed up to your Microsoft account.

It's a convenient solution and provides an avenue of recovery should you ever forget your password or PIN. But it also means that Microsoft has access to that recovery key at any time.

This was evidenced recently when Microsoft gave the FBI the recovery keys to unlock hard drives belonging to suspects in a fraud case.

Notably, Microsoft complies with these kinds of requests from law enforcement multiple times each year:

Microsoft told Forbes that the company sometimes provides BitLocker recovery keys to authorities, having received an average of 20 such requests per year.

The story isn't much different at Apple, though there are some notable improvements. The company's iCloud services are encrypted by default, but similar to Microsoft, the decryption keys are sent to Apple's servers, giving the company access if needed.

The good news is that Apple has set aside 14 categories that it says it cannot access no matter what, as the keys are only stored on your devices. These categories include your messages, health, passwords, and maps.

Owning your data is a form of digital autonomy

Some might say Microsoft sharing a user's recovery key with law enforcement is not a problem. Generally speaking, the Decent Project agrees.

The Decent Project believes that law enforcement has a job to do and there are laws within which they must operate. When law enforcement has identified a suspect and obtains a lawful warrant to access account information from a company, we do not argue that the company is under an obligation to comply.

Instead, the Decent Project advocates for individuals to minimize their own risks by reducing their attack surface. If Microsoft or Apple do not have access to decryption keys, then there's virtually nothing they can turn over.

To be clear, government officials seeking information via a lawful warrant is the least of our concerns. Instead, we recognize that what is available to the “good guys” is also available to the “bad guys.”

Any decryption key stored by Microsoft or Apple runs the risk of being exploited by rogue employees, hackers, or government officials who are not operating with the bounds of the law.

Are you comfortable them seeing all your photos? Your digital journals? Your notes? Your health records?

The best defense is an offense in which individuals retain control of their data—and most importantly—the keys to it.

Recommendations

Turn on encryption wherever possible

Whether it's your computer or phone, if there are options to encrypt your device your should always do so.

Encrypting your device ensures better security and privacy, but does comes with additionally responsibility.

When encrypting your devices, you should look for options that allow you to control the recovery/decryption keys. With BitLocker, for example, this means declining any options to store the recovery key in your Microsoft account.

Keys should be securely stored and this can be done by using a reputable password manager—another basic privacy and security tool discussed below.

Turn on Apple's Advanced Data Protection

For Apple users, it is a simple procedure that can be done by following this guide.

There are two ways you can ensure recovery, one is by designating a trusted contact who would be able to use their Apple device to unlock your account, or by storing the recovery key yourself.

You'll have to decide which method is best for you, but again, storing your own recovery key is the safest method—just be sure to store it in a manner that ensures it will not get lost, stolen, or compromised.

Use a password manager

It is 2026. If you are not yet, it is time to start using a password manager.

There are a number of free or nearly free options out there that will greatly enhance your privacy and security.

Password managers almost always include password generators to ensure unique and strong passwords for each account. Your credentials can be autofilled so you virtually never have to type in your passwords or copy/paste.

A reputable password manager is an essential tool in an idividual's privacy and security toolkit. Please check out our Resources page where you can find recommendations. (As of the time of this writing, we are still working to put this together but it should be there for those reading this the future).

Many providers also allow you to securely store more than just passwords. You can store passphrases, decryption keys, or files. This makes it extremely easy to take advantage of encryption while not relying on providers like Microsoft and Apple to store your decryption keys.

~ Torman

Verify this post: Source | Signature | PGP Key

#privacy #security #bigtech #encryption

If you enjoyed reading this or found it informative, please consider subscribing in order to recieve posts directly to your inbox:

Also feel free to leave a comment here: Discuss...

There are a lot of positives to using biometrics on your devices. It's hard to deny their convenience and in some ways, avoiding passwords can be a good thing since they can be forgotten or stolen.

But the law doesn't necessarily treat your fingerprint the same as a PIN code or password when it comes to unlocking your device. This means you could be compelled to unlock your phone or computer depending on which unlock method you use.

Testimonial vs. non-testimonial evidence

Whether the government can compel you to unlock your device hinges on whether a court considers your biometric data to be “testimonial” or not.

Testimonial evidence is anything that reveals the contents of your mind, i.e., things you've seen, heard, or know.¹

Importantly, testimonial evidence falls under the Fifth Amendment's protections against self-incrimination. In other words, you cannot be compelled to provide testimonial evidence that may incriminate you.

However, courts distinguish testimonial evidence from non-testimonial evidence, which doesn't call on a person to reveal the “contents of [their] own mind.”² For example, compelled physical actions are not usually considered testimonial.^3. This is why you can be compelled to provide fingerprints during booking, or a bloodtest as part of an investigation.

Courts have illustrated the distinction between testimonial and non-testimonial by comparing an individual who is compelled to produce keys to a lockbox (non-testimonial) against an individual who is compelled to produce a combination to a safe (testimonial).⁴ One is simply handing over a key while the other requires you to divulge something you know.

This disctinction is important because when it comes to your devices courts typically agree that PINs and passcodes are testimonial, while some courts have found that biometrics are non-testimonial.

That might make the difference as to whether you can be compelled to unlock your device.

Circuit Split

Currently, there are different schools of thought on this issue.

Just last year, in United States v. Brown⁵ the D.C. Circuit Court of Appeals found that compelling an individual to unlock their phone with biometrics was testimonial. The court found the act of opening a phone with biometrics—while physical—is testimonial because it “directly announces the owner's access to and control over the phone, as well as his mental knowledge of how to unlock the device.”⁶

It's an interesting take on the testimonial vs. non-testimonial issue.

It illustrates the distinction between physical acts that communicate something and those that don't. Submitting to a fingerprint panel at the police station doesn't reveal anything incriminatory. It's only once those fingerprints are anaylzed that they may incriminate. Whereas, a fingerprint that unlocks a phone essentially authenticates you as its owner.

However, in 2024, the 9th Circuit Court of Appeals in United States v. Payne⁷ found the opposite. It ruled that a fingerprint unlock of a phone is akin to handing over the keys to a safe, rather than divulging its combination.⁸

The court rejected the idea that biometrics are a substitute for PINs or passcodes and should therefore enjoy the same protections.⁹ It also rejected the idea that a biometric unlock is testimonial because it confirms ownership and knowledge of the device's contents. The court said the access is not incriminating by itself, but only provides access to potential source of incriminating information.¹⁰

Should you use biometrics?

Each person has to assess their own threat model. But given the variances in the law and the lack of direct precedent in many circuits, it would seem that the safest approach is to use a PIN or passcode to unlock your device.

Even if you find the Brown case pursuasive or think it would apply, there have already been court decisions that distinguish its finding.

Noteably, P. Diddy cited Brown, among other cases, in his criminal case in New York in order to prevent compelled production of a cell phone. The District Court ruled in favor of the government, in part, because there was no question as to whether the phone was his.¹¹

Essentially, Brown suggests that the testimonial aspect of unlocking the phone is that it communicates control and ownership. But if the government can show that you own and control the device in other ways, then compelling a biometric unlock is not really implicating your Fifth Amendment rights.^12.

Recommendations

The Decent Project recommends you avoid using biometrics on your devices. There is little debate over whether divulging a PIN constitutes testimonial evidence.¹³

We recognizes, though, that typing in a six-digit PIN (yes, please make your PINs at least six digits) every time you want to unlock your phone can be annoying. Given this, you may consider PIN-locking important apps, such as your e-mail, messengers, and password managers.

We also recommend using unique PINs for each of these apps rather than one generic PIN.

Additionally, if you are traveling across an international border, such as returning to the U.S. from a vacation overseas, consider disabling your biometrics temporarily. This way, if you are stopped your device cannot be unlocked simply with a face scan or fingerprint.

~ Torman

Verify this post: Source | Signature | PGP Key

#privacy #security #opsec #FifthAmendment

Subscribe & Comment

If you found this post informative, please subscribe by entering your email below. You'll receive the latest posts from the Decent Project to you inbox.

Do you use biometrics on your phone or devices? Do you think there should be an exception for device biometrics in the testimonial/non-testimonial paradigm? Let us know your thoughts in the comments below! Discuss...

Footnotes

^1. “The touchstone of whether an act of production is testimonial is whether the government compels the individual to use 'the contents of his own mind' to explicitly or implicitly communicate some statement of fact.” United States v. Doe (In re Grand Jury Subpoena Duces Tecum), 670 F.3d 1335, 1345 (11th Cir. 2012).

^2. “[F]orcing the custodian to testify orally as to the whereabouts of nonproduced records requires him to disclose the contents of his own mind. He might be compelled to convict himself out of his own mouth. That is contrary to the spirit and letter of the Fifth Amendment.” Curcio v. United States, 354 U.S. 118, 128 (1957).

^3. “[T]he Fifth Amendment privilege is not triggered where the Government merely compels some physical act, i.e. where the individual is not called upon to make use of the contents of his or her mind.” _In re Grand Jury Subpoena, 670 F.3d at 1345.

^4. “He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe — by word or deed.” Doe v. United States, 487 U.S. 201, 219, 108 S. Ct. 2341, 2352 (1988) (Justice Stevens dissent).

^5. United States v. Brown, 125 F.4th 1186 (D.C. Cir. 2025).

^6. “Though placing a thumb on a phone may seem akin to submitting to fingerprinting or providing a handwriting exemplar, the act, as performed here, is much closer to responding to a lie detector test or complying with a command to say a password. When Schwartz was ordered to open the cellphone, his act of unlocking the phone represented the thoughts “I know how to open the phone,” “I have control over and access to this phone,” and “the print of this specific finger is the password to this phone.” If Schwartz had instead been compelled to disclose whether he could open the phone, and made to say yes or to verbally disclose the password, those answers unquestionably would be testimonial communications. The compelled opening of the cellphone that occurred here is no different.” United States v. Brown, 125 F.4th 1186, 1202-03 (D.C. Cir. 2025).

^7. United States v. Payne, 99 F.4th 495 (9th Cir. 2024).

^8. “While providing law enforcement officers with a combination to a safe or passcode to a phone would require an individual to divulge the “contents of his own mind,” turning over a key to a safe or a thumb to unlock a phone requires no such mental process.” Payne, 99 at 511.

^9. “[T]he Supreme Court has framed the question around whether a particular action requires a defendant to divulge the contents of his mind, not whether two actions yield the same result.” Payne, 99 at 511.

^10. “The officers were left to identify any incriminating evidence through their own investigation.” Payne, 99 at 511.

^11. United States v. Combs, No. 24-CR-542 (AS), 2025 LX 289072 (S.D.N.Y. Apr. 18, 2025).

^12. But when “'[t]he existence and location of the papers are a foregone conclusion and the [defendant] adds little or nothing to the sum total of the Government's information by conceding that he in fact has the papers,' production does not run afoul of the Fifth Amendment.” Combs, LX 289072 at 2 (quoting Fisher v. United States, 425 U.S. 391, 410-11, 96 S. Ct. 1569, 48 L. Ed. 2d 39 (1976)); “Second, under the 'foregone [1346] conclusion' doctrine, an act of production is not testimonial—even if the act conveys a fact regarding the existence or location, possession, or authenticity of the subpoenaed materials—if the Government can show with 'reasonable particularity' that, at the time it sought to compel the act of production, it already knew of the materials, thereby making any testimonial aspect a 'foregone conclusion.'” In re Grand Jury Subpoena, 670 F.3d at 1345-46.

^13. “[P]roviding law enforcement officers with a combination to a safe or passcode to a phone would require an individual to divulge the “contents of his own mind.” Payne, 99 at 511; “Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind ... Hence, we conclude that what the Government seeks to compel in this case, the decryption and production of the contents of the hard drives, is testimonial in character.” In re Grand Jury Subpoena, 670 F.3d at 1346.

Disclaimer: I am not a lawyer, and I am not your lawyer. This post is meant to be informative and not to be taken as legal advice. If you are facing a legal issue you should always consult with a licensed attorney who can render legal advice that is specific to your needs.