Forbes has uncovered what is the first known case of law enforcement using Face ID to access a suspect's phone, by requiring the person to present his face to the iPhone X found on his person.
Everything seems legitimate, with the FBI using its search warrant as permission for the Face ID unlock. US law does not give someone's biometric data the same protection as a PIN that exists only in a person's mind. This case will undoubtedly give rise to discussion about whether the law should be changed.
It is clear at this moment that Face ID and Touch ID are legally equivalent. There are plenty of cases where law enforcement authorities have gained access to people's phones by forcing them to use their fingerprints to unlock the device. The fingerprints of dead people have also been used in a similar way, with unclear legal and ethical rules coming into play.
The alphanumeric passcode is protected by the Fifth Amendment. A person cannot be forced to tell someone his or her password because that is considered self-incrimination. Biometric credentials such as fingerprints or facial scans are not considered to fall under the same law. There is constant debate about whether the law should be amended to protect people's fingerprints and faces in light of the proliferation of biometrically protected smartphones.
Apple's software policy helps the individual as much as possible. An iOS device requires the passcode if the device has not been unlocked for more than 48 hours, and the user can easily disable biometric authentication for the next unlock. Simply bring up the power-off screen by holding the volume and side buttons, or start Emergency SOS mode, and the device requires passcode entry to re-enable Touch ID and Face ID.
Even if the device is unlocked, recent versions of iOS require the passcode when it is connected to a computer. This is again a layer of defense that makes it more difficult for a company to quickly slurp all data from the phone. For security, set a long passcode consisting of letters and numbers instead of the standard 6-digit code.
In this particular case, the officer unlocked the suspect's phone using Face ID, but the device does not seem to have stayed unlocked indefinitely. The officer manually searched the phone and took some photos to document it, but then left the device locked after a while. The FBI is now asking for further forensic extraction to take place on the phone, probably with the aid of equipment from Grayshift.