The FBI forced a suspect to unlock Amazon’s encrypted app Wickr with their face

An arrest warrant allowed FBI agents in Tennessee to force a suspect to unlock his encrypted Amazon messaging app, Wickr, with his face. It is an unprecedented move by the feds.
The feds are using an unprecedented type of search warrant to obtain encrypted communications that the agency says are nearly impossible to access otherwise.
Last November, an undercover FBI agent was inside a group on the Amazon-owned messaging app Wickr, with a name that referred to young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the US government, journalists and activists for private communications. Encryption makes it nearly impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could begin to piece together who was sharing the material.
As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face. The FBI has previously forced users to unlock an iPhone with Face ID, but this search warrant, obtained by Forbes, represents the first known public record of a US law enforcement agency getting a judge’s permission to unlock an encrypted messaging app with someone’s biometrics.
According to the warrant, the FBI first tracked down the suspect by sending a request for information, via an unnamed foreign law enforcement partner, to the cloud storage provider hosting the illegal images. It gave them the Gmail address that the FBI said belonged to Christopher Terry, a 53-year-old resident of Knoxville, Tennessee, who has a previous conviction for possession of child exploitation material. It also provided IP addresses used to make the connections to CSAM. From there, investigators asked Google and Comcast via administrative subpoenas (data requests that do not have the same level of legal requirements as search warrants) for more identifying information that helped them track down Terry and raid his home.
When they arrested Terry, the FBI also obtained his unlocked phone. But there was a problem: His Wickr account was locked with Apple’s Face ID facial recognition security. “When it was made known to the FBI that facial recognition was required to access the locked Wickr application, Terry requested an attorney,” the FBI noted in its warrant. “Therefore, the United States is seeking this additional search warrant to seek Terry’s biometric facial recognition … to complete the search for Terry’s Apple iPhone 11.”
After the FBI successfully forced Terry to use his face to unlock his Wickr account, Terry was charged in a criminal complaint with distribution and possession of CSAM, but has yet to offer a plea. His attorney did not respond to a request for comment by the time of publication.
Amazon’s Wickr had not commented at the time of publication. The FBI, Google and Comcast did not immediately respond to a request for comment.
Forcing people to unlock encrypted messages with biometrics is unprecedented – and controversial. That’s because of an illogical quirk of US law: Courts across the US have not allowed investigators to force people to hand over a passcode for phones or apps, but they have allowed them to repeatedly unlock phones using biometrics. That is despite the obvious fact that the result is the same.
Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society in New York City, says this is because American law has not caught up with technology. Passcodes, unlike biometric information, are legally considered “testimonial,” and citizens are not obligated to provide such testimony because the Fifth Amendment protects against self-incrimination. But body parts are inherently not as private as a person’s thoughts, Greco notes.
“Most courts are going to find that they can force you to use your face to unlock your phone because it doesn’t force you to talk or incriminate yourself … similar to fingerprints or DNA,” Greco says.
But he believes there will soon be enough divergent case law that the Supreme Court will have to decide whether forced facial recognition unlocking is legal or not. “We’re trying to apply centuries-old constitutional law that nobody could have imagined would be a problem when the laws were written,” he says. “I think the match will come.”
There has been some backlash over such biometric unlocks from judges in some states. That includes two 2019 cases in California and Idaho, where police sought to forcibly unlock phones inside properties relevant to the investigation. The judges in those cases declared that biometric data was in fact testimonial, and law enforcement could not force the owners of those phones to use their faces to unlock them.
But last year, Forbes revealed that the Justice Department continued to conduct such searches. It had also adopted new language in its warrants that said suspects have a legal right to refuse to tell police whether it is their face, finger or eye that unlocks their phone. But even if a suspect doesn’t say what will unlock the phone, the DOJ said investigators could unlock the device by holding it up to the suspect’s face or pressing the suspect’s finger against it.
The search also comes after several years of campaigning by the FBI to get tech giants to do more to provide access to encrypted data. Since the terrorist attack in San Bernardino in 2015, in which the Justice Department demanded that Apple unlock the shooter’s iPhone, the debate has intensified. However, the order shows that the government has some techniques it can use to find criminals who use the likes of Wickr and its encrypted data.
For now, Greco says the best way a person can protect themselves against such searches is to lock a device with a complex password instead of a face. It is possible to do the same with Wickr by disabling Touch ID or Face ID.