In brief: While Apple’s Face ID system could give law enforcement a new way to grab information from handsets, a forensic company is warning agents not to look at the phones in case they get locked out—much like Craig Federighi at the iPhone X launch event.
Earlier this month, it was reported that authorities had made someone unlock a modern iPhone by compelling them to look at it. In what’s thought to be a world first, the FBI asked Columbus, Ohio, resident Grant Michalski, who was later charged with receiving and possessing child pornography, to place his face near his iPhone X so they could access its contents, which he did.
Suspects can invoke their Fifth Amendment rights, which protect against self-incrimination, to refuse to hand over passcodes for electronic devices. Courts, however, have forced people to unlock phones with their faces or fingerprints, which don’t have the same protections.
In a presentation slide from forensics company Elcomsoft obtained by Motherboard, law enforcement agents are warned “don't look at the screen, or else.” If they do gaze at the front-facing camera five times, they’ll be locked out and have to enter a passcode.
When Face ID debuted in the iPhone X last year, Apple’s senior vice president of Software Engineering, Craig Federighi, failed to unlock the device while on stage. The demo unit asked for a passcode, forcing him to swap it for another iPhone X. He later revealed that staff setting up the event had been looking at the screen as they moved the phone around backstage. Once it failed to recognize five people, it locked. Elcomsoft references this incident in the slide.
“This is quite simple. Passcode is required after five unsuccessful attempts to match a face,” Vladimir Katalov, CEO of Elcomsoft, told Motherboard. “So by looking into suspect’s phone, [the] investigator immediately lose one of [the] attempts.”
Previously, law enforcement agencies were told to use the power button to turn on a Touch ID-enabled device, not the Home button. But with Face ID, it’s a lot easier to accidentally activate the security system and ‘lose’ an attempt.