The Justice Department Inspector General’s seizure of John Eastman’s phone should be a wake-up call for corporate legal and security stakeholders. The 2019 ruling in United States v. Barrera opened the door for law enforcement to compel a suspect to unlock a seized personal device with a biometric (face or fingerprint), something courts have generally refused to allow for a memorized passcode. Assume every domestic or foreign customs agent has since added this trick to their interview protocol. Think about that.
Putting aside politics, I wanted to think through how corporations should adapt their policies, protocols and employee training to minimize the risk of a governmental ‘data breach’. Let’s start with the tech.
High-security passwords are a hassle. So much so that Microsoft now steers users toward biometrics like fingerprints instead of passwords. The vast majority of phone users rely on a fingerprint, facial recognition or a short PIN to unlock their heavily encrypted devices. The distinction that matters here is that a passcode is something you know, while a fingerprint or face is something you carry with you and can be physically compelled to present. We now know that law enforcement can force you to use a fingerprint or your face to get into that device in seconds.
So what can you do to prevent that?
- Apple iOS 1 – Press and hold the Side button together with either Volume button until the power-off sliders appear, then tap Cancel. Face ID and Touch ID stay disabled until the passcode is entered. Do not keep holding once the sliders are up: a longer hold starts the Emergency SOS countdown.
- Apple iOS 2 – If Siri is enabled on the lock screen, say, “Hey Siri, whose iPhone is this?” Siri displays the owner’s contact card, and iOS then demands the passcode before biometrics work again. This is a widely reported side effect rather than a documented control, so re-verify it after every iOS update.
- Android – Enable the Lockdown option (Android 9 and later; it lives under the lock screen or security settings, and the exact path varies by manufacturer). Press and hold the power button and tap Lockdown. This does require the user to press a button, but it is very fast, and Lockdown also suspends Smart Lock and lock-screen notifications until the PIN, pattern or password is entered.
So, John Eastman could have avoided exposure of his ‘client’ communications, even if he had been cuffed. But do you want to rely on an executive returning from an overseas vacation to have the presence of mind to lock his phone before entering the customs line?
As I thought through strategic approaches that balanced usability and protection, it occurred to me that banning biometric and location-based (Smart Lock style) unlock outright in favor of a long passcode is probably unfeasible, even though it is an easy MDM restriction to push from Intune. As far as I could find, neither Android nor iOS supports device-level 2FA that requires a biometric and then a PIN in sequence. So that leaves us with status-based rules, such as assigning the biometric-blocking restriction to devices flagged as traveling and lifting it when the employee is back, as the more practical approach. The trade-off is that employees on the road live with a long passcode for the duration, which is exactly when it matters.
Alternatively, employers could empower their employees to truly disconnect when on vacation, after work hours or otherwise off the clock, and lock down work profile access at those times. Right. Encourage key employees to return to a 40-hour work week? Is this France?
I look forward to hearing solutions from all of my security peers and providers. Until then, know how and when to disable your biometrics.
Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Contact him directly for a free 15 minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.
Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.