This article is reposted from FORBES in the same manner as it appears on their site.
NOV 2, 2016 @ 10:30 AM
Cops Could Force Unlock Androids By Demanding Owner Says ‘OK Google’
By Thomas Fox-Brewster
With its Pixel smartphone, Google has decided to turn on a smart, seemingly innocuous feature by default: unlocking via voice. The phone recognizes the owner’s voice, so instead of entering a passcode the user only needs to say “OK Google” to get into the device. The feature is called Trusted Voice.
But that has opened another avenue for both criminals and cops to break into compatible Android devices. Criminals could piece together snippets of recordings to unlock a target’s device. Security researcher and former NSA staffer David Kennedy was somewhat perturbed when he found out this week that his Google Pixel ran the feature by default. “It’s an extremely insecure method for unlocking your device,” he told me.
Law enforcement, meanwhile, should also be able to bypass the encryption and other security mechanisms in Android by legally compelling suspects to open their Android device with those two simple words, said Orin Kerr, professor of law at the George Washington University Law School. Fifth Amendment protections around self-incrimination won’t protect individuals, he said.
Kerr pointed to U.S. v. Dionisio to show just why the government would have legal precedent to fall back on. The case saw 20 individuals subpoenaed to provide voice recordings for the purposes of identification. The key idea, Kerr said, was that the “recordings were to be used solely to measure the physical properties of the witnesses’ voices, not for the testimonial or communicative content of what was to be said.” The Fifth offered no protection in that case.
The government recently made a similar argument in support of its request to enter a property and ask anyone inside to supply their fingerprint. As it’s bodily information, it’s not testimonial and not protected by the Fifth Amendment.
“If the government tells you to say ‘OK Google’ so that the computer will recognize your voice, it is not making you communicate your thoughts – you are not testifying about anything,” Kerr added.
There is, however, an argument that Fifth Amendment protections should stand for voice authentication. Just as giving away a passcode is self-incriminating, so is handing over any other form of login, said Marina Medvin of Medvin Law. The case Kerr cited was for identification, not access to a mobile phone containing a trove of data on an individual’s life, she noted. “The Supreme Court instructs us that we must look at what the police seek to find, not just how. The contents on the phone are real, physical evidence. I cannot stress this enough. No police officer is using a fingerprint or voice just to double-check that the phone belongs to the subject he is investigating,” Medvin added.
“To say there is no expectation of privacy in locking your life up with the most fool-proof key imaginable, your individualized biometrics, is a slap in the face to the entire concept of privacy.”
Even where the cops had a warrant to search a device, the Fifth should prevent any unlocking, she said. “You cannot be forced to produce papers that you wrote incriminating you, the Supreme Court has already ruled in 1966 in Schmerber v. California,” Medvin added. “Well, that’s what’s on your phone – your phone is filled with things you wrote or typed.”
For anyone concerned, it’s simple to turn Trusted Voice off, either during setup or afterwards. Head to the voice settings in Android and switch the OK Google option to off.