I remember way back in the day, there was some question as to the legality of compelled unlocking of devices; IIRC, it’s been deemed legal to compel a fingerprint, but illegal (under the first amendment?) to compel entry of a password—IIRC, as long as that password hasn’t been written down anywhere.
I gather this is written to that end primarily? Or is there some other goal as well?
I wrote this after the case of a Washington Post reporter, Hannah Natanson, was compelled to unlock her computer with her fingerprint. This resulted in access to her Desktop Signal on her computer, revealing sources and their conversations.
(I've put a copy of this text at the top of the thread, since it's standard for Show HNs to have some intro/background up there. I hope that's ok with you!)
While it's true that the legality of law enforcement forcing passwords in unclear, courts can absolutely force you to enter a password even if it's not written down by holding you in contempt indefinitely.
>courts can absolutely force you to enter a password even if it's not written down by holding you in contempt indefinitely.
This is not true outside of a narrow exception. Indeed this is the core point of the 5th Amendment, to protect you from having to be witness against yourself. It's just as binding on the judicial branch as it is on the executive. Ordinarily, a court may not compel a defendant to testify or say something that could incriminate them.
The narrow exception is the "foregone conclusion doctrine", which allows compelling testimony about specific evidence the government legally knows exists, knows the defendant controls access to, and knows is authentic. All of which has a bunch of caselaw around it. The textbook example is somebody has a device open, and an officer directly witnesses illegal material on it, but before they can seize it the person manages to turn it off and now it cannot be accessed without a password. So the government can say "we witnessed this specific illegal material, and this device is owned by the defendant and we can prove from video that they have accessed the device, and we want access to that specific material". But if you're just crossing the border with a locked device, they cannot compel the password just to search through it, or even if they're suspicious of something specific. They need actual knowledge, either through their own evidence or because the person foolishly talks and confesses something.
Otherwise they can definitely physically seize the device for a time (which could be very inconvenient/expensive depending) but that's it.
Take it to the logical end - you can tie up / handcuff / sedate / restrain an individual in order to get their fingerprint (or, ahem, way worse) but you cannot extract a password from someones brain.
There's also the issue that the device is covered in fingerprints, and if you can build a clean image of the print, you can likely manufacture a gelatin copy of that fingerprint that will work on most fingerprint scanners.
I can't speak to the current generation of Apple fingerprint scanners, but historically iirc you can grab a print, clean it up in Photoshop, print it on OHP transparency using a laser printer and use it like a mould to copy a fingerprint.
PSA to iOS users: if you tap the lock button 5x it forces password-only unlocking. Useful at protests or any precarious situations with law enforcement.
Correct. This is a classic security vs convenience tradeoff. I mention that trade off on the landing page, PanicLock vs Shutdown
> Use shutdown when you can, PanicLock when you can't. Shutting down is the most secure option—but when you need your Mac locked now and you'll be back in five minutes, PanicLock is your answer.
*PanicLock*
- Fast "oh shit" button
- Lid closed when in transit.
- Instant lock (1 second). Disables Touch ID immediately
- Preserves your session
- Back to work in minutes
*Full Shutdown*
- Maximum security
- Purges encryption keys
- Fully locks FileVault
- Takes time to shutdown & restart
- Kills your session
A person might use it to stop someone getting into your computer through certain types of physical coercion, forcing your finger to the reader, or (much less likely but I’m sure security services know how) a copy of your fingerprint.
But it isn’t a why, it is a what. That what is a tool that lets you quickly disable Touch ID for whatever reason you want to.
That's good feedback. I just added it to the readme:
> "PanicLock fills a gap macOS leaves open: there is no built-in way to instantly disable Touch ID when it matters. Biometrics are convenient day-to-day, and sometimes preferable when you need speed or want to avoid your password being observed. But in sensitive situations, law enforcement and border agents in many countries can compel a biometric unlock in ways they cannot with a password. PanicLock gives you a one-click menu bar button, a customizable hotkey, or an automatic lock-on-lid-close option that immediately disables Touch ID and locks your screen, restoring password-only protection without killing your session or shutting down."
I've more details on the apps landing page - paniclock.github.io
When the bad guys are too impatient to wait until you leave the computer but not fast enough to stop you before 30 degrees while keeping the convenience of life.
This is great. I see many times "security advice" against biometrics replacing password unlock, but most of the time I am more worried about getting recorded by somebody/something while typing a password in the open than anything else. This makes it better for those other cases.
I've thought the Apple platform has two glaring omissions
- touchid and biometric configuration profiles (standard, paranoid, extra paranoid)
- versioning for icloud backup
The simple fact is that there is no one-sized-fits-all use case for this.
Biometrics are great for the average user! They reduce shoulder surfing and increase security.
But for some users, you might want two factor for biometrics (such as an apple watch), or short windows before password entry is forced. You might want both biometrics AND password entry required. You might want to enable biometrics only when two factor is enabled.
Look, I'm not saying that what I've said is the ideal setup, by the way. Just that there is a lot of room for improvement versus the status quo.
This would be perfect if it could monitor the force with which the lid is closed (macs have accelerometers after all, either this info or an acceptable proxy could be derived?).
Gently close? no action.
Stronger, faster action? Disable touch ID
Slam shut in full panic? yeah disable all biometrics, lose all state, even wipe the ram and the filevault key if it's an option
Perfect rage quitting machine. There should be an enterprise version: when lid is closed with full force it also sends a professional resignation letter to the current employer.
I'm surprised Apple doesn't offer an option. On the iPhone you could do this by pressing the power button several times. Not sure if this still works because the iPhone 6 was my last one though.
> in sensitive situations, law enforcement and border agents in many countries can compel a biometric unlock in ways they cannot with a password.
If the threat model includes state-level actors, then disabling biometrics won't prevent data from being retrieved from physical memory. It would probably be wiser to enable disk encryption and have a panic button that powers down/hibernates the computer so that no unencrypted data remains on RAM.
The website says shutdown "takes time" and "kills your session" but a hibernation button would take effect just as fast and would preserve the session.
How do you define "state-level actor?" Police departments certainly have access to state and federal forensic resources to access unencrypted data in memory.
In the context of breaking into phones and laptops, "state-level actor" usually implies a team of people with NSA-type forensic capabilities. That is, they have deep expertise in infosec and related topics, access to 0days that the security apparatus has hoarded and kept secret for their own use, and they may have bespoke hardware to facilitate attacking the device.
A random cop might have access to a Cellebrite machine but they can't just call up the NSA and ask them to break into some drug dealer's macbook.
mrdomino- | 7 hours ago
I remember way back in the day, there was some question as to the legality of compelled unlocking of devices; IIRC, it’s been deemed legal to compel a fingerprint, but illegal (under the first amendment?) to compel entry of a password—IIRC, as long as that password hasn’t been written down anywhere.
I gather this is written to that end primarily? Or is there some other goal as well?
[OP] seanieb | 6 hours ago
https://www.yahoo.com/news/articles/washington-post-raid-pro...
Edit: I've a lot more details about the legality and precedence on the apps landing page https://paniclock.github.io/
mrdomino- | 6 hours ago
dang | an hour ago
[OP] seanieb | 57 minutes ago
xoxxala | 6 hours ago
https://paniclock.github.io/
420official | 5 hours ago
xoa | 4 hours ago
This is not true outside of a narrow exception. Indeed this is the core point of the 5th Amendment, to protect you from having to be witness against yourself. It's just as binding on the judicial branch as it is on the executive. Ordinarily, a court may not compel a defendant to testify or say something that could incriminate them.
The narrow exception is the "foregone conclusion doctrine", which allows compelling testimony about specific evidence the government legally knows exists, knows the defendant controls access to, and knows is authentic. All of which has a bunch of caselaw around it. The textbook example is somebody has a device open, and an officer directly witnesses illegal material on it, but before they can seize it the person manages to turn it off and now it cannot be accessed without a password. So the government can say "we witnessed this specific illegal material, and this device is owned by the defendant and we can prove from video that they have accessed the device, and we want access to that specific material". But if you're just crossing the border with a locked device, they cannot compel the password just to search through it, or even if they're suspicious of something specific. They need actual knowledge, either through their own evidence or because the person foolishly talks and confesses something.
Otherwise they can definitely physically seize the device for a time (which could be very inconvenient/expensive depending) but that's it.
whalesalad | 5 hours ago
stavros | 4 hours ago
whalesalad | 3 hours ago
stavros | 3 hours ago
vunderba | 3 hours ago
May I introduce you to XKCD Number 538.
https://xkcd.com/538
Nexxxeh | 29 minutes ago
I can't speak to the current generation of Apple fingerprint scanners, but historically iirc you can grab a print, clean it up in Photoshop, print it on OHP transparency using a laser printer and use it like a mould to copy a fingerprint.
ttul | 6 hours ago
Forgeties79 | 6 hours ago
chuckadams | 6 hours ago
itsdesmond | 6 hours ago
freehorse | 5 hours ago
sigio | 5 hours ago
jonpalmisc | 5 hours ago
The only thing you can do (to protect your data from forensics, etc) is to return it to BFU by shutting it off.
Forgeties79 | 5 hours ago
[OP] seanieb | 5 hours ago
> Use shutdown when you can, PanicLock when you can't. Shutting down is the most secure option—but when you need your Mac locked now and you'll be back in five minutes, PanicLock is your answer.
*PanicLock* - Fast "oh shit" button - Lid closed when in transit. - Instant lock (1 second). Disables Touch ID immediately - Preserves your session - Back to work in minutes
*Full Shutdown* - Maximum security - Purges encryption keys - Fully locks FileVault - Takes time to shutdown & restart - Kills your session
ASalazarMX | 46 minutes ago
- Traveler: [takes phone from the bin] [finds lock button] [click] [click] [click]
- TSA: Hey, stop what you're doing Mr. Terrorist!
p0w3n3d | 6 hours ago
itsdesmond | 6 hours ago
But it isn’t a why, it is a what. That what is a tool that lets you quickly disable Touch ID for whatever reason you want to.
[OP] seanieb | 6 hours ago
> "PanicLock fills a gap macOS leaves open: there is no built-in way to instantly disable Touch ID when it matters. Biometrics are convenient day-to-day, and sometimes preferable when you need speed or want to avoid your password being observed. But in sensitive situations, law enforcement and border agents in many countries can compel a biometric unlock in ways they cannot with a password. PanicLock gives you a one-click menu bar button, a customizable hotkey, or an automatic lock-on-lid-close option that immediately disables Touch ID and locks your screen, restoring password-only protection without killing your session or shutting down."
I've more details on the apps landing page - paniclock.github.io
quicklywilliam | 6 hours ago
alin23 | 5 hours ago
Wowfunhappy | an hour ago
hervature | an hour ago
orthogonal_cube | 6 hours ago
freehorse | 5 hours ago
Terr_ | 12 minutes ago
Regrettably, that's not often offered as a feature, even when the infrastructure is already there.
akdev1l | 5 minutes ago
parl_match | 4 minutes ago
The simple fact is that there is no one-sized-fits-all use case for this.
Biometrics are great for the average user! They reduce shoulder surfing and increase security.
But for some users, you might want two factor for biometrics (such as an apple watch), or short windows before password entry is forced. You might want both biometrics AND password entry required. You might want to enable biometrics only when two factor is enabled.
Look, I'm not saying that what I've said is the ideal setup, by the way. Just that there is a lot of room for improvement versus the status quo.
gruturo | 3 hours ago
Gently close? no action.
Stronger, faster action? Disable touch ID
Slam shut in full panic? yeah disable all biometrics, lose all state, even wipe the ram and the filevault key if it's an option
QuercusMax | 3 hours ago
gruturo | 3 hours ago
thih9 | 3 hours ago
wolvoleo | 3 hours ago
bhj | 2 hours ago
dozerly | 25 minutes ago
nailer | 3 hours ago
(If you’re about to comment about fingerprints on transparency film and balloons filled with warm water then yes good point)
rglover | 3 hours ago
surround | 2 hours ago
If the threat model includes state-level actors, then disabling biometrics won't prevent data from being retrieved from physical memory. It would probably be wiser to enable disk encryption and have a panic button that powers down/hibernates the computer so that no unencrypted data remains on RAM.
The website says shutdown "takes time" and "kills your session" but a hibernation button would take effect just as fast and would preserve the session.
jovial_cavalier | 2 hours ago
surround | 2 hours ago
stackghost | an hour ago
A random cop might have access to a Cellebrite machine but they can't just call up the NSA and ask them to break into some drug dealer's macbook.
surround | 25 minutes ago
LoganDark | 2 hours ago