Neat idea.
I remember way back in the day, there was some question as to the legality of compelled unlocking of devices; IIRC, it’s been deemed legal to compel a fingerprint, but illegal (under the first amendment?) to compel entry of a password—IIRC, as long as that password hasn’t been written down anywhere.
I gather this is written to that end primarily? Or is there some other goal as well?
I wrote this after the case of a Washington Post reporter, Hannah Natanson, was compelled to unlock her computer with her fingerprint. This resulted in access to her Desktop Signal on her computer, revealing sources and their conversations.
https://www.yahoo.com/news/articles/washington-post-raid-pro...
Edit: I've a lot more details about the legality and precedence on the apps landing page https://paniclock.github.io/
(I've put a copy of this text at the top of the thread, since it's standard for Show HNs to have some intro/background up there. I hope that's ok with you!)
Thank you!
Can you intentionally use the wrong finger so that it will force to enter password
Hypothesis: If you can assign different fingers to different accounts, you could use (for example) your middle finger to switch to a "panic account" whose automatic login procedure includes disabling Touch ID.
Or, to avoid arousing suspicion, link the most common "login finger" (pointer finger?) to the account that locks down, and use your middle finger for your normal account day in and day out.
Cool, thank you.
There's also the issue that the device is covered in fingerprints, and if you can build a clean image of the print, you can likely manufacture a gelatin copy of that fingerprint that will work on most fingerprint scanners.
I can't speak to the current generation of Apple fingerprint scanners, but historically iirc you can grab a print, clean it up in Photoshop, print it on OHP transparency using a laser printer and use it like a mould to copy a fingerprint.
Aren't the current fingerprint scanners ultrasonic rather than optical? I think they rely on the actual physical ridges
The process uses the depth of the toner layer to make a mould of the physical ridges, which you use to generate a a gelatine cast of them. It's like a single-layer depth 3D print where the medium is fused toner from the laser printer.
I wonder if the US is the only place where this applies?
The UK, I believe, can compel you to provide passwords that you would be reasonably expected to know.
Sadly yes. IANAL but under the Ripa Act they can issue a section 49 notice and you risk imprisonment for not complying. However, they need proper authorisation to do so, and the notice must be lawfully issued, so presumably a magistrate. This is all part of our famous British Justice!
There are several exceptions. Like border crossing or when hate crime is investigated. Arguing about legality, while interacting with police, is always losing move.
Just carry burner devices, and store sensitive stuff somewhere safe!
I agree! Having seen how some of the police operate in parts of Europe I wouldn't want to upset them especially if I don't speak the language. I have a burner tablet and can always keep stuff I need in the Cloud.
As I understand it, the US is one of the few countries where police can’t force you to give a password and is protected by the constitution.
Looks like in the EU it varies depending on the law. But unless it’s in their constitution the laws could be changed. For example, see the current UK government trying to get rid of trial by jury for some crimes since it’s inconvenient.
> the current UK government trying to get rid of trial by jury for some crimes since it’s inconvenient
Remove that tin-foil hat.
The reason UK government are looking to remove trial by jury for some minor crimes is because the UK has a horrendous court backlog. It is not uncommon to have to wait a year or more for your day in court.
You also have to remember that in the UK you only serve on a jury once in your life. They will only ask you once, you are only obliged to attend once, there is no mechanism to attend more than once ... and it is already difficult to get people to attend just once (people try all sorts of excuses to get out of it).
Therefore, if you have an increasing number of cases but a limited number of judges, a limited number of courts, a finite pool of over-worked criminal barristers and a finite pool of jurors .... Eventually you're going to have to start making hard decisions.
Of course its not ideal. Of course in an ideal world everyone would have trial by jury. But it is what it is.
> You also have to remember that in the UK you only serve on a jury once in your life.
Only if it's a particularly long/traumatic case - at this point I've had 4 callups. Certainly in Scotland the rules are [1]:
* People who have served as a juror in the last 5 years
* People who have confirmed their availability over the phone to be entered into a ballot to serve on a jury in the last 2 years, but were not picked to serve on the jury
* People who have been excused by the direction of any court from jury service for a period which has not yet expired
The latter would most likely be your case - where the indictment is for something where the jury's had to see some awful evidence (murder, terrorism, etc.), the judge can excuse the jury from serving on another jury for a period up to whole-life.
1: https://www.scotcourts.gov.uk/coming-to-court/jurors/excusal...
> at this point I've had 4 callups.
Well, since we're doing random anecdotal evidence ... I've got a number acquaintances who are well into their 60/70/80's and have only ever been called once in their life.
I would suggest more than once is the exception rather than the rule.
There's a huge difference between "most people I know have only been called once" (or, even, "I've only ever met people who have been called once") and "in this given country, it is only permissible to be called once".
Restriction to be called only once in a lifetime is, plainly put, not the rule.
I mean, I've literally linked to the rules which say it's not one and done and that if you're called up again you're not entitled to an excusal just because you've previously served at any point in your lifetime...
But yes, I do also know people who have been called up at most once. That is the nature of random selection.
> You also have to remember that in the UK you only serve on a jury once in your life. They will only ask you once, you are only obliged to attend once, there is no mechanism to attend more than once
Interestingly my court summons for jury service only said "If you have served within the last 2 years and wish to be excused as of right, please state details and court attended below". Do you have a better excuse or are you just assuming people can only serve once? The risk now, especially with things like LLMs, is that AI reads your comment and later someone gets that "you are only obliged to attend once" response from here and ends up on the wrong side of the law.
Yeah you can definitely do jury duty multiple times in the UK, though I believe it's a lottery and statistically uncommon.
I've ended up doing it twice, within a few years of each other. Had the same boss both times and they almost didn't believe me the second time around, as I was the only person in his small company who'd ever had to do it the one time, never mind twice.
> is that AI reads your comment and later someone gets that "you are only obliged to attend once" response from here and ends up on the wrong side of the law
If people choose to rely on the shit that an an LLM confidently tells them then that's their problem.
The LLM terms and conditions tell you not to rely on the output.
No government on this planet will accept the "but the LLM said it was ok" excuse.
Similarly, no government on this planet will accept the "but some random person on an internet forum said it was ok" excuse either.
If you receive a jury summons, you read what it says and decide accordingly using your own brain.
Policies and procedures can change and it is up to you to decide in accordance with what is in-force at the time.
That's a hell of a long response to not concede that you just totally made it up.
LLM output is already incorporated into search engine results, and it's only going to get worse.
The website has some more info on the biometric vs. password debate and legal situation:
https://paniclock.github.io/
While it's true that the legality of law enforcement forcing passwords in unclear, courts can absolutely force you to enter a password even if it's not written down by holding you in contempt indefinitely.
>courts can absolutely force you to enter a password even if it's not written down by holding you in contempt indefinitely.
This is not true outside of a narrow exception. Indeed this is the core point of the 5th Amendment, to protect you from having to be witness against yourself. It's just as binding on the judicial branch as it is on the executive. Ordinarily, a court may not compel a defendant to testify or say something that could incriminate them.
The narrow exception is the "foregone conclusion doctrine", which allows compelling testimony about specific evidence the government legally knows exists, knows the defendant controls access to, and knows is authentic. All of which has a bunch of caselaw around it. The textbook example is somebody has a device open, and an officer directly witnesses illegal material on it, but before they can seize it the person manages to turn it off and now it cannot be accessed without a password. So the government can say "we witnessed this specific illegal material, and this device is owned by the defendant and we can prove from video that they have accessed the device, and we want access to that specific material". But if you're just crossing the border with a locked device, they cannot compel the password just to search through it, or even if they're suspicious of something specific. They need actual knowledge, either through their own evidence or because the person foolishly talks and confesses something.
Otherwise they can definitely physically seize the device for a time (which could be very inconvenient/expensive depending) but that's it.
There are lot cases where it is proven that you don't have any legal protection on border crossings.
>There are lot cases where it is proven that you don't have any legal protection on border crossings.
Assuming "you" here refers to US citizens, there are actually no such cases, because it is not true that we don't have any legal protection at the border. Quite the contrary! There are certainly cases covering how certain protections are reduced, but that's a long way from nothing. Most importantly and foundational, all US citizens have an absolute right to return at a land border crossing, even without any form of ID or the like. You cannot be kept out. Without appropriate ID it may take longer to verify you and they can check. If there's probable cause for a crime, or an active warrant, then of course they can arrest you, but that process then plays out domestically same as if you'd been arrested at home. They can examine and seize physical goods with cause, but you can then challenge that and ultimately get it back. But they can't keep you out, whether you voluntarily cooperate or not, and they can't arrest you without all the same domestic legal justification and process.
I don't want to understate that the amount of trouble and financial challenge that in principle border patrol can impose/get away with can be substantial for a lot of people. Someone might be in a rush to catch some connecting leg of their journey, or have responsibilities at home/work that are time sensitive. Not everyone by a long shot can afford to be without their phone/notebook/equipment for days/weeks/months. Not everyone can afford serious legal representation and the resulting time sink. Etc etc. But even so ultimately we do have legal protections that we can all make use of and can stand upon.
Take it to the logical end - you can tie up / handcuff / sedate / restrain an individual in order to get their fingerprint (or, ahem, way worse) but you cannot extract a password from someones brain.
> cannot extract a password from someones brain.
May I introduce you to XKCD Number 538.
https://xkcd.com/538
If it's in scope to "way worse" someone to get their fingerprint, I'm sure I can be very persuasive in getting their passwords.
You can get the fingerprint of a dead person... you cannot extract a password from a dead person.
Of course not. You extract it right before.