Digits or Digits? How to Secure Your Phone

For many people, the issue of cell phone security may be as simple as password protecting it from intrusion by family members, friends and curious lovers. For these folks, keeping their kids from racking up excessive charges playing games; friends from deleting those embarrassing photos you have so much fun teasing them with; or a partner snooping through those same photo galleries and your address book, are all reasons enough not to leave it accessible to all and sundry.

For others, however, securing their cell phone is a necessary step in covering the tracks of their criminal or terroristic activities — something that was recently highlighted in the very public battle between the U.S. Department of Justice and Apple over unlocking an iPhone linked to last year’s ISIS-inspired terrorist attack in San Bernardino, California.

But there is another intriguing headline making news: a court case this year in Glendale, California, where the judge has ordered 29-year-old Paytsar Bkhchadzhyan to place her thumb on her iPhone to unlock it for police investigators.

One catch here is that the woman in question is not suspected of committing a crime, but is merely the girlfriend of an Armenian gang member who is under investigation — and the cops are curious if there is any text or photo evidence on Bkhchadzhyan’s phone to prove her boyfriend engaged in criminal activity.

Another catch is that whereas the San Bernardino case centers around a four-digit numerical password, the Glendale case involves Apple’s thumbprint-based Touch ID biometric system — and it appears that a password you invented may enjoy more legal protection than the unique thumbprint that nature gave you.

Consider that criminal suspects, security clearance candidates, military personnel, bonded employees, and more, have long had to give up the image of their fingerprints on demand; but according to many legal experts, refusing to divulge verbal information, such as pass codes or encryption keys, might be protected under the Fourth and Fifth Amendments to the U.S. Constitution.

University of Dayton law professor Susan Brenner says that the issue isn’t about fingerprints and the biometric readers, but about the phone’s contents, which could be incriminating.

“By showing you opened the phone, you showed that you have control over it,” Brenner told The Los Angeles Times, explaining that “It’s the same as if she went home and pulled out paper documents — she’s produced it.”

It is one of the conundrums created by lawmakers’ inability to keep pace with the rapid evolution of technology, and it is not the only such case to ever be considered.

In a 2014 Virginia murder trial, Circuit Court Judge Steven C. Frucci ruled that as with providing a DNA or handwriting sample, or being compelled to produce a physical key, the police could lawfully require that a suspect provide their fingerprint for the purposes of unlocking a phone. On the other hand, he ruled that pass codes constitute knowledge that defendants are not required to divulge, in accordance with Fifth Amendment protections against self-incrimination. Complicating the matter, the same phone protected by password and also protected by biometrics might only be subject to the tickle of a thumb, but not the telling of the pass code — the end result being that the phone remains inaccessible to authorities.

In other words, the products of the body (such as DNA and fingerprints) are not protected under the law — but the products of the mind are (such as information, including passwords).

Of course these issues will only grow in complexity and scope as technology continues to evolve and increasing emphasis is placed on the biometric identification of device users, and the use (and misuse) of copious amounts of Big Data that will be gathered in this process.

This can take some surprising turns. Take for example the science of keystroke dynamics, which enables the identification of device users by their unique data input patterns — a trait that may be as unique as your fingerprint — and it is information that is already being gathered with ease today.

This data includes dwell and flight times: the length of time a key is held down when pressed, and the time it takes for a user to release one key and then press another. Together these can be seen as typing speed, and they contain personally identifiable patterns discoverable through neural networks.

An example used by Wikipedia is that when reading the phrase “I saw 3 zebras!” the reader does not know whether it was typed rapidly or slowly, if the typist used the left shift key, the right shift key, or the caps-lock key to make the lowercase “i” into a capital “I,” if the letters were all typed at the same speed, or if there was a lengthy pause before the letter “z” or number “3” while the typist searched for the correct key. Did the sender type anything incorrectly and then go back to correct it, or did they get it right the first time? Keystroke dynamics will tell you.
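What dwell and flight times look like once computed, as an added example that is not part of the original article: the key events, timestamps and the three visits are constructed, and a plain difference of averages stands in for the neural networks mentioned above.

```javascript
// Added example. Events mirror what keydown/keyup listeners record; all
// timestamps (milliseconds) and visits below are constructed.
function toKeystrokes(events) {
  const open = new Map();   // keys currently held down
  const strokes = [];       // presses in the order the keys went down
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === 'keydown') {
      if (open.has(e.key)) continue;           // auto-repeat while held
      const s = { key: e.key, down: e.t, up: null };
      open.set(e.key, s);
      strokes.push(s);
    } else if (e.type === 'keyup' && open.has(e.key)) {
      open.get(e.key).up = e.t;
      open.delete(e.key);
    }
  }
  return strokes.filter((s) => s.up !== null); // drop keys never released
}

function timings(events) {
  const s = toKeystrokes(events);
  return {
    dwell: s.map((k) => k.up - k.down),
    // Negative flight: the next key went down before this one came up.
    flight: s.slice(1).map((k, i) => k.down - s[i].up),
  };
}
const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Distance between two sessions' mean dwell and mean flight times.
function distance(a, b) {
  const [x, y] = [timings(a), timings(b)];
  return Math.abs(mean(x.dwell) - mean(y.dwell)) +
         Math.abs(mean(x.flight) - mean(y.flight));
}

// Constructed session: dwellMs[i] = hold time, flightMs[i] = gap to next press.
function typed(keys, dwellMs, flightMs) {
  const events = [];
  let t = 0;
  keys.forEach((key, i) => {
    events.push({ type: 'keydown', key, t }, { type: 'keyup', key, t: t + dwellMs[i] });
    t += dwellMs[i] + flightMs[i];
  });
  return events;
}
const word = ['z', 'e', 'b', 'r', 'a'];
const visitA1 = typed(word, [90, 85, 95, 88, 92], [120, 110, 130, 115, 0]);
const visitA2 = typed(word, [92, 88, 90, 91, 89], [118, 114, 126, 112, 0]);
const visitB = typed(word, [60, 55, 62, 58, 65], [40, -10, 35, 45, 0]);
console.log(distance(visitA1, visitA2), distance(visitA1, visitB));
```

The two visits with a similar rhythm sit close together while the third is far away, even though all three typed the same five letters.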

The concept of a telegrapher’s “fist,” the idiosyncrasies in the operator’s technique while sending Morse or other code that could reveal his or her identity (an expert insight allowing intelligence agencies and others to verify the sender of a message), can be applied as a tool for analyzing a website’s visitor metrics.

Take into consideration that digital media time is split 65/35 between mobile and desktop, with many users visiting via both types of devices — surfing the sites on a phone, but then signing up and buying using a desktop PC — or vice versa.

The question then becomes one of the accuracy of these stats: if one person is arriving via multiple devices (and perhaps multiple carriers, IP addresses, ISPs, locations and more), then how can these varying visits be attributed to a single user, without having him or her register and log in on each visit?

The total visitor volume lies in the balance, with some sites potentially reaching a fraction of the actual people that traditional usage analysis might otherwise suggest. For example, 100 visits may mean only 50 people, each of whom visited twice, but via different platforms. It’s the old “raw vs. unique visitors” stumbling block, with a new twist from today’s audiences.

If you're concerned with the metrics of actual customers and prospects, rather than the raw use of your server and site resources, keystroke dynamics may point the way.

One thing that’s really clear from all of this is that the way we interact with our digital devices provides a personally identifiable signature, which can be used by both marketers and prosecutors alike. This isn’t just some futuristic “Big Brother” nightmare, but something that individual website owners will want to do to better understand their visitors.

While many folks worry about the new computers and other devices that use a webcam to identify users based on facial recognition, or the increase in retina-based and other biometric IDs, your keyboard is as big a threat to your privacy and security, and current laws may not provide users much protection from key-logging eavesdroppers and the information they uncover. And don’t get me started on how happy the NSA is that we’re all using Siri and other voice-activated services.

While we hope you don’t have a need to secure your digital devices against government investigators, we do hope that you will keep an eye on the evolving threats to your privacy, the opportunities this technology presents to marketers and the measures you can take to maintain your privacy. With this information, you can make better decisions online and decide how long of a digital shadow you're willing to cast. Forewarned, forearmed.

Photo - CC0 1.0 Kevin Sequeira

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure media vault, HTTPS Everywhere, Tenta DNS, and more.
