<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Columbia Science and Technology Law Review &#187; Criminal Liability</title>
	<atom:link href="http://www.stlr.org/category/criminal-liability/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.stlr.org</link>
	<description></description>
	<lastBuildDate>Mon, 29 Apr 2013 14:21:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.1</generator>
		<item>
		<title>Facial Recognition Technology and the Next Generation Identification System</title>
		<link>http://www.stlr.org/2013/01/facial-recognition-technology-and-the-next-generation-identification-system/</link>
		<comments>http://www.stlr.org/2013/01/facial-recognition-technology-and-the-next-generation-identification-system/#comments</comments>
		<pubDate>Wed, 30 Jan 2013 14:02:58 +0000</pubDate>
		<dc:creator>Kirill Levashov</dc:creator>
				<category><![CDATA[Constitutional Law]]></category>
		<category><![CDATA[Criminal Liability]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=2018</guid>
		<description><![CDATA[Facial Recognition Technology requires a photographic camera combined with face recognition software. The software identifies human faces captured by the camera, and quantifies them using an algorithm. The algorithm measures “nodal points” on the face, such as the distance between the eyes, cheekbone shape, nose width, and jaw shape. The combination of the nodal points [...]]]></description>
			<content:encoded><![CDATA[<p>Facial Recognition Technology requires a photographic camera combined with face recognition software. The software identifies human faces captured by the camera, and quantifies them using an algorithm. The algorithm measures “nodal points” on the face, such as the distance between the eyes, cheekbone shape, nose width, and jaw shape. The combination of the nodal points becomes a person’s “<a href="http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/facial-recognition1.htm">faceprint</a>”.</p>
<p>The Federal Bureau of Investigation (FBI) has announced that it will use Facial Recognition Technology in its <a href="http://www.fbi.gov/about-us/cjis/fingerprints_biometrics/ngi">Next Generation Identification (NGI) system.</a> The system, which will eventually serve as an upgrade to the current Integrated Automated Fingerprint Identification System (IAFIS), will use security footage from public cameras to identify suspects and people of interest across the country. IAFIS contains only fingerprint information, while the NGI system can store information about a person’s voice, iris, and facial biometrics. The program is currently being tested in certain areas, using photographs drawn from law enforcement databases. When the system is rolled out in full scope in 2014, the FBI will provide facial recognition software to <a href="http://www.slate.com/blogs/future_tense/2012/08/23/universal_face_workstation_fbi_to_give_facial_recognition_software_to_law_enforcement_.html">law enforcement agencies nationwide</a>.</p>
<p>For this technology to work effectively as an identifying mechanism, a large database of faceprints must exist, against which images captured by the camera could then be compared.  These faceprints will need to have already been matched with a name. A criminal database is an obvious initial source for this, but it has limited reach. To grow its faceprint database, the NGI program could draw from non-criminal government photograph databases such as those maintained by a state’s Department of Motor Vehicles, U.S. Citizenship and Immigration Services, or even privately held databases that are maintained by social networking websites. Often, photographs in these databases will be connected to a person’s real-name identity, and the originators may not hold exclusive rights to the photographs, making the database accessible to law enforcement. While no law directly protects people’s interests in their faceprints, the acquisition of faceprints without a warrant may implicate the subjects’ Fourth Amendment right to be “<a href="http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html">secure in their persons…against unreasonable searches and seizures</a>.”</p>
<p><strong>Fourth Amendment Implications</strong></p>
<p>No court has yet explicitly recognized Fourth Amendment protection of faceprints. The Supreme Court has recognized, however, that other biometric data is constitutionally protected. In <em><a href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=case&amp;court=us&amp;vol=394&amp;invol=721">Davis v. Mississippi</a></em> (394 U.S. 721 (1969)), defendant Davis was held without a warrant or probable cause during the course of a rape investigation. During this time, defendant’s fingerprints were taken by authorities, and were matched to a set of fingerprints found at the scene of the crime. The evidence of the match was used at trial, and defendant was convicted of rape. Davis appealed, alleging that the acquisition of the fingerprints was the result of an unreasonable search and seizure. The Supreme Court agreed, stating that fingerprints could not be collected without a warrant. Like possessions taken from a person, the fingerprints bear “evidentiary value which the public authorities have caused an arrested person to yield.”</p>
<p>Some guidance is provided by <em><a href="http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=us&amp;vol=489&amp;invol=602">Skinner v. Railway Labor Executives Ass’n</a></em> (489 U.S. 602 (1989)), in which labor organizations challenged the drug testing procedures used by their employers. The challenged procedures included collection of blood and urine. The court found such procedures, without warrant or probable cause, to violate the Fourth Amendment, citing “concerns about bodily integrity.” While such concerns differ from those that arise in the use of facial recognition technology, <em>Skinner</em> is indicative of the notion that the Fourth Amendment includes some protection against using evidence that was drawn from a person’s own body to convict him or her.</p>
<p>Most recent is <em><a href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&amp;vol=000&amp;invol=10-1259">United States v. Jones</a></em> (132 S.Ct. 945 (2012)), in which authorities planted a tracking device on defendant’s car. The court found that tracking the defendant’s public movements through a Global Positioning System unit violated the Fourth Amendment. Similarly, matching a faceprint to an image captured by a public camera in order to track a person’s location at a given time may violate these protections.</p>
<p>Together, these cases imply that the warrantless collection and use of faceprints by law enforcement is unlikely to overcome the hurdle of the Fourth Amendment. As the use of facial recognition technology becomes more prevalent and faceprints gain prominence as a form of biometric identification, that theory is likely to be put to the test.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2013/01/facial-recognition-technology-and-the-next-generation-identification-system/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Problem of Overbroad Technology Legislation</title>
		<link>http://www.stlr.org/2013/01/the-problem-of-overbroad-technology-legislation/</link>
		<comments>http://www.stlr.org/2013/01/the-problem-of-overbroad-technology-legislation/#comments</comments>
		<pubDate>Sun, 27 Jan 2013 20:17:03 +0000</pubDate>
		<dc:creator>Sanjay Murti</dc:creator>
				<category><![CDATA[Criminal Liability]]></category>
		<category><![CDATA[File Sharing]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=2016</guid>
		<description><![CDATA[The charges Aaron Swartz faced may have caused his untimely death. Those closest to Aaron certainly believe so. His family, in a statement, decried the “intimidation and prosecutorial overreach” of the US Attorney’s Office. At the funeral, Aaron’s father remarked that his son had been “killed by the government.” On the other hand, it has been widely documented — [...]]]></description>
			<content:encoded><![CDATA[<p>The charges Aaron Swartz faced may have caused his untimely death.</p>
<p>Those closest to Aaron certainly believe so. His family, in a <a href="http://rememberaaronsw.com/" target="_blank">statement</a>, decried the “intimidation and prosecutorial overreach” of the US Attorney’s Office. At the funeral, Aaron’s father <a href="http://www.suntimes.com/business/17594002-420/aaron-swartz-memorialized-at-service.html" target="_blank">remarked</a> that his son had been “killed by the government.” On the other hand, it has been widely <a href="http://www.aaronsw.com/weblog/verysick" target="_blank">documented</a> — perhaps no more poignantly than by Aaron, himself — that the young programmer had long suffered from depression.</p>
<p>Regardless, we need not ascribe blame for Aaron’s suicide to realize that the stiff penalties and heavy-handed prosecution Aaron faced are both dangerous and asinine. Regrettably, they are also not outliers. Instead, they are the product of decades of vague and uninformed technology legislation and enforcement.</p>
<p><strong>Law and Technology</strong></p>
<p>In 2006, the late Senator Ted Stevens (R-AK) famously described the Internet as a &#8220;<a href="http://www.youtube.com/watch?v=f99PcP0aFNE" target="_blank">series of tubes</a>,&#8221; providing fodder for late-night comics and activists who argued that an aging Congress was woefully out of touch with the realities of technology. Despite lawmakers’ limited understanding, though, the impact the law has on technological change can be profound.</p>
<p>To prove that aphorism, one need look no further than the historical development of peer-to-peer (P2P) file sharing. Since Napster broke onto the scene in 1999, lawmakers, courts, and P2P providers have been engaged in a game of legal cat-and-mouse. When Napster’s liability was predicated on its use of centralized servers to list and index available files, a new generation of P2P providers created decentralized networks. When decentralized Grokster was found liable for copyright infringement under a new theory of inducement liability, BitTorrent (an innovative and relatively unlitigated protocol) gained prominence.</p>
<p>The growth of P2P file-sharing highlights two truths about technology and law — first, that law has the ability to affect the trajectory of technological advancement, and second, that technologists may ultimately be able to find and exploit the gray areas in the law. In many ways, innovative technology is much like a young sapling in a dense forest — angling and contouring to reach to the limited sunlight available.</p>
<p><strong>Vague and Overbroad Laws</strong></p>
<p>One method lawmakers have used to ensure that laws continue to work in the face of new and unanticipated technology is to pass legislation with broad, encompassing language. While doing so might accomplish the intended task, such legislation can often end up being used in ways wholly unforeseen (and arguably unwanted) by legislators. An example of this can be found in <a href="http://www.law.cornell.edu/uscode/text/17/1201" target="_blank">Section 1201</a> of the 1998 Digital Millennium Copyright Act (DMCA). The provision criminalized circumvention of “technological protection measures” that protect access to or prevent copying of copyrightable works. The intended effect of the law was to help copyright owners curb piracy of digitally disseminated works by ensuring that any technological “locks” would not be quickly broken.</p>
<p>In reality, the law has been used to criminalize far broader activity than piracy. In 2010, the Ninth Circuit <a href="http://scholar.google.com/scholar_case?case=12185202605256960117&amp;q=mdy+industries+llc+v.+blizzard+entertainment+inc&amp;hl=en&amp;as_sdt=2,33&amp;as_vis=1" target="_blank">ruled</a> on MDY Industries, LLC v. Blizzard Entertainment, Inc., a suit brought by the makers of the popular online game World of Warcraft. At issue was a program known as Glider, a bot automating the play of early levels of the game. Because Blizzard had sought to prevent bots through its own software (and because Glider had found a way around these ‘protection measures’), the court held that Glider’s creator had violated the DMCA.</p>
<p>While grounded in sound logic by the court, the outcome was irrational. In effect, a law intended to defend against piracy had made it a criminal act to cheat in a video game.</p>
<p><strong>Aaron’s Charges</strong></p>
<p>Aaron wasn’t indicted for a violation of §1201. The law he allegedly violated, though — the Computer Fraud and Abuse Act (CFAA) — is plagued with similar vagueness and absurdity, <a href="https://www.eff.org/deeplinks/2013/01/aaron-swartz-fix-draconian-computer-crime-law" target="_blank">cataloged expertly</a> by Marcia Hofmann of the Electronic Frontier Foundation (EFF). In her piece, she highlights the law’s reliance on the undefined phrase “exceeds authorized access.” As she notes, the broad language has often been used to criminalize activity that exceeds the law’s intent of preventing hacking.</p>
<p>Aaron’s <a href="http://web.mit.edu/bitbucket/Swartz,%20Aaron%20Indictment.pdf" target="_blank">indictment</a> was much of the same — the government’s allegations seem to have relied heavily on the idea that Aaron had “exceeded his authority” by violating JSTOR and MIT’s terms of service and by bypassing restrictions JSTOR had put into place. But, as Aaron’s would-have-been expert witness <a href="http://unhandled.com/2013/01/12/the-truth-about-aaron-swartzs-crime/" target="_blank">detailed</a>, this was far from a “criminal hack.” While the indictment breathlessly mines for salacious bits (like Aaron breaking into a wiring closet and seeking to avoid capture with a bicycle helmet mask), the reality of what Aaron did is far more benign — he broke the rules of a website and service provider. Yet, because of the overbroad and undefined language of the CFAA, prosecutors were able to treat the violation of JSTOR’s terms of service as a violation of federal law.</p>
<p><strong>Where to Go From Here</strong></p>
<p>Aaron’s death need not be in vain. In the past week, Representative Zoe Lofgren (D-CA) <a href="http://www.reddit.com/r/technology/comments/16njr9/im_rep_zoe_lofgren_im_introducing_aarons_law_to/?sort=top" target="_blank">announced a bill</a> known as Aaron’s Law, which would amend the CFAA to ensure that breaches of terms of service agreements would not independently constitute “exceeding authorized access.” This is a great first step, and something that should be passed by Congress immediately.</p>
<p>The legislative patch, though, does not solve all of our problems. Congress is still woefully under-informed about technology and still subject to powerful lobbying efforts that lead to the passage of vague and overbroad laws. The cruel irony of Aaron’s suicide is that he was among the best situated to create an effective change agent for Congress; his organization, <a href="http://demandprogress.org/" target="_blank">Demand Progress</a>, was instrumental in preventing the passage of the controversial Stop Online Piracy Act. Today, Aaron’s death serves as a tragic reminder of the potential impact of the law on technology and technologists. Tomorrow, we must hope it inspires the technological community to take a more active role in legislation, education, and congressional outreach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2013/01/the-problem-of-overbroad-technology-legislation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Forced Decryption and the 5th Amendment: Analytical Issues in the 11th Circuit&#8217;s Recent Decision</title>
		<link>http://www.stlr.org/2012/03/forced-decryption-and-the-5th-amendment-analytical-issues-in-the-11th-circuits-recent-decision/</link>
		<comments>http://www.stlr.org/2012/03/forced-decryption-and-the-5th-amendment-analytical-issues-in-the-11th-circuits-recent-decision/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 18:10:51 +0000</pubDate>
		<dc:creator>Victor Au</dc:creator>
				<category><![CDATA[Constitutional Law]]></category>
		<category><![CDATA[Criminal Liability]]></category>
		<category><![CDATA[Decryption]]></category>
		<category><![CDATA[fifth amendment]]></category>

		<guid isPermaLink="false">http://www.stlr.org/?p=1773</guid>
		<description><![CDATA[Last Thursday, the Wall Street Journal and Volokh Conspiracy reported that the Court of Appeals for the Eleventh Circuit recently decided that forcing a suspect to decrypt and provide a hard drive when the government did not already know what it contained violates the suspect&#8217;s Fifth Amendment protection against self-incrimination. While most of the Court&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>Last Thursday, the <a href="http://blogs.wsj.com/law/2012/02/23/court-fifth-amendment-protects-suspects-from-decrypting-computers/">Wall Street Journal</a> and <a href="http://volokh.com/2012/02/23/eleventh-circuit-finds-fifth-amendment-right-against-self-incrimination-not-to-decrypt-encyrpted-computer/">Volokh Conspiracy</a> reported that the Court of Appeals for the Eleventh Circuit recently decided that forcing a suspect to decrypt and provide a hard drive when the government did not already know what it contained violates the suspect&#8217;s Fifth Amendment protection against self-incrimination. While most of the Court&#8217;s analysis seems correct, I have a few problems with some parts of the analysis and have tried addressing these issues in this post.</p>
<p>The facts of the case, <a href="http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf"><em>In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011</em></a>, are as follows. The government served a subpoena duces tecum on the suspect (&#8220;Doe&#8221;), compelling him to produce the unencrypted contents located on the hard drives of his laptop computers and five external hard drives. <em>In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011</em>, No. 11-12268, 2012 WL 579433, at *1 (11th Cir. Feb. 23, 2012). Doe refused to comply with the subpoena, instead invoking his Fifth Amendment right against self-incrimination. <em>Id.</em> The U.S. Attorney applied to the district court for an order that would grant Doe immunity and require him to respond to the subpoena.<em> Id.</em> The district court rejected Doe&#8217;s explanations, judged him to be in contempt of court, and ordered him incarcerated.<em> Id.</em></p>
<p>On appeal, the 11th Circuit arrived at two overall conclusions. First, [the district court] erred in concluding that Doe&#8217;s act of decryption and production would not constitute testimony. Second, in granting Doe immunity, it erred in limiting its immunity, under 18 U.S.C. §§ 6002 and 6003, to the Government&#8217;s use of his act of decryption and production, but allowing the Government derivative use of the evidence such act disclosed. <em>Id.</em> at 3. I will be focusing on the first issue—the issue of &#8220;whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact.&#8221;<em> Id.</em> at 4.</p>
<p>The Court stated that there were two ways for the government to avoid implicating the Fifth Amendment right. First, Doe&#8217;s decryption and production of the hard drives would have to be a physical act, not a testimonial act that &#8220;requires the use of the contents of his mind.&#8221; Second, the government would have to already know what is inside the drives. The government would only be asking Doe to produce the decrypted drives; the knowledge of what is inside would have only been a foregone conclusion. However, the Court held that the government failed in satisfying either of these methods. The Court stated that it reached its holding for this issue by concluding that &#8220;(1) Doe&#8217;s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.&#8221;<em> Id.</em> at 8.</p>
<p>While the Court&#8217;s analysis mostly seems correct, I have a few problems with some parts of the analysis. First, regarding the distinction between a physical act and a testimonial act, the Court lists some implied factual statements that determine whether or not Doe&#8217;s decryption and production of the hard drives would be testimonial. The Court states that &#8220;the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt those files.&#8221; <em>Id.</em> The latter two factors can certainly be classified as making the use of one&#8217;s mind, but I would argue that the first factor should not be involved if Doe were to decrypt and produce the hard drives. By producing the decrypted hard drives, Doe would be showing that he had possession, control, and access to the hard drives, and he would also be showing that he had the ability to decrypt the files. In regards to the first factor, however, Doe would not necessarily be showing that he had knowledge of the existence and location of potentially incriminating files. The government basically just needs the decryption passwords so it can access the encrypted partitions inside the hard drives.</p>
<p>Second, the Court uses a useful analogy in comparing Doe&#8217;s situation to surrendering a combination as opposed to surrendering a key; however, I believe that the Court&#8217;s analogy should focus on a different point. The Court believes that producing a key is a physical act while producing a combination is a testimonial act that requires use of the contents of one&#8217;s mind. The Court analogized Doe&#8217;s situation to producing a combination, saying that &#8220;[r]equiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because [it demands] the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory.&#8221;<em> Id.</em> To further explain its point, the Court referred to the Supreme Court&#8217;s explanation of this distinction in <em>U.S. v. Hubbell</em>:</p>
<p>&#8220;The assembly of those documents was like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox . . . The Government&#8217;s anemic view of respondent&#8217;s act of production as a mere physical act that is principally nontestimonial in character and can be entirely divorced from its “implicit” testimonial aspect so as to constitute a “legitimate, wholly independent source” . . . for the documents produced simply fails to account for these realities.&#8221; <em>U.S. v. Hubbell</em>, 530 U.S. 27, 43 (2000).</p>
<p>My problem with the Court&#8217;s analysis here is that I believe the focus should simply be on whether or not implied factual statements are involved or not. A key vs. combination analogy seems to wrongly focus on a physical production of a key as opposed to a mental production of a combination, and whether there are implied factual statements seems to be an additional factor to consider when that should be the primary factor.</p>
<p>Putting this proposal into action, if compelling the production of a key or combination to some kind of safe ends up involving implied factual statements, then such an act of production would be testimonial. For instance, in this case, the key factor is whether or not the government actually knows that Doe has &#8220;knowledge of the combination&#8221;—for instance, whether Doe has the decryption passwords for the hard drives. If the government is not sure whether or not the suspect has knowledge of the combination, then the act of production should qualify as a testimonial act because such an act would be accompanied by the implied factual statement that the suspect knew the combination (e.g., a decryption password in this case). However, if the government knows that the suspect knows the combination, then producing the combination should qualify as a physical nontestimonial act. This would be functionally similar to asking a suspect to produce a key—there is no accompanying implied factual statement, and the combination would essentially be acting as a &#8220;key.&#8221;</p>
<p>Under this proposed focus, then, it is the fact that the government does not know for sure whether or not Doe has &#8220;the combination to the safe&#8221; that makes Doe&#8217;s decryption and production of the hard drives testimonial—producing the decrypted hard drives would bring in the implied factual statement that Doe knew the decryption passwords. In conclusion, the focus should simply be on whether or not implied factual statements are involved or not; this key point better fulfills the purpose behind the standard of &#8220;requiring the use of the contents of one&#8217;s mind.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.stlr.org/2012/03/forced-decryption-and-the-5th-amendment-analytical-issues-in-the-11th-circuits-recent-decision/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
