Oops. I broke my own embargo.
I can keep your secrets, but I can’t keep my own.
Cover image by Lorelei7, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=3164780
Identity/biometrics/technology marketing and writing services
(With a special message at the end for facial recognition and cybersecurity marketing leaders)
Years ago, when I was in Mexico City on a business trip, one of my coworkers stated that he never uses biometrics to protect the data on his smartphone.
His rationale?
Government officials can compel you to use your biometrics to unlock your smartphone. They can’t compel you to provide your passcode to government officials.
Ironically, we both worked for a biometric company at the time.
But my former coworker isn’t the only one making this statement. With the recent protests, and with the recent searches of people crossing the U.S. border by plane or otherwise, this same advice is echoed everywhere.
But is it true?
As ZDNET says, it’s complicated.
ZDNET quotes law firm managing partner Ignacio Alvarez on passcodes:
“But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.”
Note what Alvarez said: the MAJORITY of the courts. So if you end up before the “wrong” court, you might have to provide your passcode anyway.
ZDNET also quotes attorney Joseph Rosenbaum:
“Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”
Notice his “seem to generally be” and “more likely to be” language. Again, you could still be compelled to give your passcode.
But passcodes are the easy part. Biometrics are much more of a gray area.

The rationale behind not giving up your biometric is similar to the rationale behind the Miranda warning. As Dragnet fans know, “Anything you say can and will be used against you in a court of law.” Regarding passcodes, the courts…well, some of the courts, hold that since a passcode can be “spoken,” it’s covered under Miranda and therefore can’t be given without violating your Fifth Amendment rights.
What about biometrics? (Excluding voice biometrics for the moment.)
“…since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.”
Again, note the use of the words “may not.” It isn’t clear here either.
And even these wishy-washy definitions may change.
“This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial.”
In other words, a few years from now lawyers may advise you to use biometrics rather than passcodes to protect your private data on your smartphone.
Or maybe they’ll say both methods protect you equally.
Or maybe they’ll say neither method protects you, and your private data is no longer private.
But most likely they’ll say “It depends.” In the same way that our 18,000 law enforcement agencies have 18,000 different definitions of forensic science, they could have 18,000 different definitions of Miranda rights.

The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
Book a call: https://bredemarket.com/cpa/
Mike Bowers (CSIDDS) shared a Substack article by Max Houck regarding the uneven nature of forensic science in the United States. Houck’s thesis:
…how the fragmented, decentralized nature of American law enforcement and forensic practice creates a landscape where what counts as science (and possibly what counts as justice) can vary wildly depending on where you happen to be.
There are about 18,000 police agencies in the United States at all levels of government, and 400 separate forensic laboratories.
But we have standards, right?
Even when national scientific bodies like ASTM or NIST’s OSAC develop well-reasoned, consensus-based forensic standards, adoption is purely voluntary. Some laboratories fully integrate these standards, using them to validate methods, structure protocols, and train staff. Most others ignore them, modify them, or apply them selectively based on local preference or operational convenience. There is no enforcement mechanism, no unified system of oversight. The science exists, but whether it is followed depends on where you are.
Houck’s article details many other issues that plague forensic science, but the main issues arise because there are 18,000 different authorities on the matter. Because this is a structural issue, deeply rooted in how Americans think of governing ourselves, Houck doesn’t see an easy solution.
Reforming this system will not be easy. It runs up against the powerful American instincts toward local control, political independence, and legal precedent. Federal mandates for forensic accreditation, national licensing of analysts, or the establishment of an independent forensic science* oversight body (all ideas floated over the years) face stiff political and logistical resistance. I don’t give these ideas much of a chance.
Even Houck’s minimal suggestions for reform are questionable. In fact, if you read the list of his solutions at the bottom of his article, you’ll see that he’s already crossed one of them out.
Federal funding could be tied to meaningful accreditation and quality assurance requirements.
(Imagen 3)
This is the second time that I’ve seen something like this, so I thought I’d bring attention to it.
Biometric Update recently published a story about an Australian agency that is no longer using Cognitec facial recognition software.
Why? Because the facial recognition software the agency has is not accurate enough.
Note “the facial recognition software the agency has.” There’s a story here.
Police and Counter-terrorism Minister Yasmin Catley clarifies that Cognitec has released numerous updates to the product since its deployment, but the police did not purchase them. As with other developers, Cognitec’s legacy algorithms have higher error rates for various demographic groups.
Important clarification.
Now perhaps the agency had its reasons for not upgrading the Cognitec software, and for using other software instead.
But governments and enterprises should not use old facial recognition software. Unless they have to run the software on computers running PC-DOS. Then they have other problems.
(A little aside: when I prompted Google Gemini to create the Imagen 3 image for this post, I asked it to create an image of a 1980s IBM PC running MS-DOS. Those in the know realize my prompt was incorrect. I should have requested a 1980s IBM PC running PC-DOS, not MS-DOS. PC-DOS was the version of MS-DOS that IBM licensed for its own computers, leaving Microsoft able to provide MS-DOS to the “clone computers” that eventually eclipsed IBM’s own offering.)
Who are you?
What is that?
Identity and cybersecurity are pretty basic, when you think about it.
(Imagen 3)
There are some things that I don’t bother to share in the Bredemarket blog, but instead just share to my socials.
This morning, I shared a story about the third-party risk management firm Whistic to LinkedIn’s Bredemarket Technology Firm Services page.

You can see an oft-used Bredemarket technique: rather than sharing everything from a third party (geddit?) article, I only share a bit of it, then encourage the reader to click on the link to see the rest of the content. Makes everybody happy. What could go wrong?
Then I shared the same story to Facebook’s Bredemarket Technology Firm Services page.
Or tried to.
Facebook removed the post, accusing me of using “misleading links or content to trick people.”
I’m so devious that even I couldn’t figure out what I did.
Until I re-read the post and noticed this parenthetical comment.
(And one more key finding. Read the article.)
Doesn’t seem like a trick to me, but I explicitly urged people to leave Facebook’s walled garden and read something.
I do this all the time—Facebook is the second most popular traffic source for Bredemarket, after Google—but apparently the way I did it in the Whistic post was a trick to Facebook’s readers.
The solution was simple: repost the article WITHOUT the offensive parenthetical comment.
So I did.
And Facebook removed the post again.
This isn’t the first time Facebook has rejected content that other platforms accepted without question…including other Meta platforms such as Instagram, Threads, and WhatsApp.
I was this close to ceasing content sharing on Facebook altogether.
But then I had an idea.
If I am offending Zuck by using text to supposedly trick people into clicking on a link…
…what would happen if I ONLY posted a link with no text at all?
And rather than posting the text of interest in Facebook’s walled garden…
…I put the text of interest in the Bredemarket blog, along with the Whistic link that offended Facebook so much?
Then I could share it on character-limited platforms such as Threads and Bluesky.
You see the irony here. For a while I’ve strived to place social content natively on each platform. Now the platforms are forcing me to place the real content on a platform I control.
And the text would look something like this:
Every year, Whistic surveys hundreds of Risk-Management and Information Security leaders to understand the trends, challenges, and opportunities that are actively shaping the third-party risk management (TPRM) industry.
In 2025, the average company in our survey works with 286 vendors—up by 21% versus last year….That increased demand comes with increased risk.
[C]ompanies are spending more time, more money, and more resources on TPRM, but still not meeting their own risk standards or reducing security events.
(And one more key finding. Read the article.)
https://www.whistic.com/resources/blog/2025-impact-report-takeaways
I recently discussed some proposed changes to the way in which beneficial ownership information (BOI) is collected. However, even after the changes are made, FinCEN will still collect BOI for foreign firms.
Biometric Update recently published a story about facial recognition in Hungary, and its use to identify people who display rainbows and dress in ways “that diverge from the gender they were assigned at birth.” I’m going to zero in on one portion of the story: the facial recognition provider involved.
The company FaceKom has been around under different names since 2010 but has seen significant growth during the past few years thanks to investments from the Central European Opportunity Private Equity Fund (CEOM). The fund has no direct links with [Prime Minister Orbán’s son-in-law, István] Tiborcz. However, it is registered on the same address in Budapest where several companies owned by Orbán’s son-in-law operate.
Ah, geolocation! The Chi Fu Investment Fund Management Zrt.’s address of record is 1051 Budapest, Vörösmarty tér 2.
And do you know what else is at that address?
A Western Union Currency Exchange.
Well, that’s enough to drive some conspiracy theorists crazy.
So I didn’t find the smoking gun, but I do want to take this opportunity to point out what BENEFICIAL ownership is. Investopedia:
A beneficial owner is a person who enjoys the benefits of ownership even though the title to some form of property is in another name.
Using the Hungarian example (without the Western Union part), it’s not enough to say that CEOM and/or Chi Fu Investment Fund Management Zrt. (I don’t know enough Hungarian to confirm they are one and the same) does not list István Tiborcz (or Viktor Orbán) as an official owner or co-owner.
As Unit21 points out, you don’t have to literally own (either on your own or through a trust) 25% of an entity to be a beneficial owner. Here’s another criterion of a beneficial owner:
Any individual that holds a significant ability to control, manage, or direct the legal entity
De facto control without de jure control could very well be wielded by a powerful politician, or his son-in-law.
(Imagen 3)
You can bet that I paid attention to AKings’ latest post after I saw how it began:
“Indiana. The Crossroads of America. A place where colossal semi-trucks roar in from the north, south, east, west, and every conceivable direction in between, like a great migration of diesel-belching wildebeests on their way to deliver vital supplies.”
Bredemarket’s self-promotional content is replete with wildebeests, iguanas, and wombats. Much of this was from an urge to differentiate from those who eat their own dog food. So Bredemarket ate its own iguana food, then its own wildebeest food.
But “wildebeest trucker” is a new one on me.
How do you differentiate your marketing content from that of your competitors?
Or do you eat their dog food?
But goin’ back to Indiana, AKings’ post is a literal tour of the state over a year, including an encounter with angry union members in Kokomo (not that Kokomo). Recommended reading.
(Wildebeest truck driver Imagen 3)
Update to my prior post.
According to Reuters, CVE funding has been extended…for 11 months.
So like everything else, the fix for the problem is temporary.
(Imagen 3)
From The Register:
“The [CVE] program is sponsored, and largely funded by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.”
$30 million is peanuts.
If the U.S. government won’t fund it (and it still may), and if private firms won’t fund it, perhaps the EU will take it over. Or Canada. Or China.
The only complication is whether MITRE can run it if someone other than the feds is paying.