Law and Technology

Biometrics as Passwords: The Slippery Scope of Self-Incrimination

Nitesh Mishra and Ritesh Patnaik

Is it constitutional to coercively use Biometrics such as fingerprints, face recognition or iris scan of an accused, to access his mobile phone?



Biometric passwords on mobile phones seem to have become an essential selling feature of smartphones in the recent times. However, with increasing technological advancements, the complexities in the legal domain are palpable..

The question that we address in the present article is whether investigative agencies are legally permitted to take our fingerprints, for accessing our mobile phones, without our consent, and whether such a compulsion is covered under the wide ambit of Article 20(3) of the Indian Constitution.

It is argued that the distinction between oral or written statements and physical features of the body needs to shift towards any form of evidence that conveys personal knowledge on the part of the accused, and therefore, investigating agencies should not be permitted to compel accused persons to provide fingerprints to be used as passwords. We intend to trace the US jurisprudence, in accordance with the Fifth Amendment, and the reasoning laid down in landmark cases by the Supreme Court of India, on the aforementioned question, and further argue that the evidence gathered by means of illegally accessing the mobile phones, using the biometrics of the accused, should be excluded from the trial itself.

The United States’ Approach:

The law in the USA, like in most jurisdictions across the globe, regarding the legality of forcibly using fingerprints or other parts of the body, to unlock the mobile phones, is still in the process of development. The courts have ruled differently on the issue, and there has not been a landmark judgement, settling the issue decisively, as of yet, and hence, there exists unsettled and contrary principles of law surrounding the issue.

The courts in the USA have recognised that a person cannot be forced to reveal the password to his mobile phone, as such an act would amount to a testimonial information, which is protected under the Fifth Amendment of the US Constitution. However, using the physical features of an individual to unlock the mobile phone is an unsure terrain.

The law enforcement agency, FBI, had reportedly, compelled a suspect in a criminal case to unlock his mobile phone, which was locked by Face ID, using a legal warrant, last year. However, earlier this year, a California District Court has ruled that biometric features of a person, used to lock a mobile phone, are equivalent to passcodes, and since no person can be compelled to give the passcode, there exists a similar bar on obtaining biometrics for accessing mobile phones as well.

However, the crucial caveat to the Fifth Amendment protection in USA, is the ‘doctrine of foregone conclusion’, which states that if the investigative agency is already in knowledge of a piece of information, such an information cannot be protected under the Fifth Amendment rights. This essentially leads to a practice where the investigative agency claims that they are in knowledge of the existence of a particular evidence present in the mobile phone, and thereby, gets the mobile phone out of the domains of protection of Fifth Amendment, where they can coercively use the fingerprints to unlock the phone.

This is analogous to the caveat provided in the case of Selvi v. State of Karnataka, by the Indian Supreme Court, which held that testimonial evidence used for identification or corroboration with facts or materials that investigators are already acquainted with, are not covered under self-incrimination. Hence, it becomes pertinent to trace the Indian jurisprudence, in this light.

The Constitutionality of Taking Biometric Passwords:

While the Supreme Court is yet to decide on the legitimacy of compulsory taking of biometrics to access the mobile phones of an accused, it is argued that the existing landmark cases can be harmoniously constructed to prevent such practice and declare it outrightly unconstitutional.

Article 20(3) of the Constitution of India, provides a right against self-incrimination to an accused in a criminal case. By means of this fundamental right, an accused is protected from giving any self-incriminatory testimony to the police, on being compelled to do so. A compelled testimony shall be held inadmissible in court.

An eleven-judge bench of the Supreme Court, in the case of State of Bombay v. Kathi Kalu Oghad, held that while the investigative authority is not allowed to take compelled testimony from an accused, it is allowed to take physical evidence from the accused, which does not come from the volition of the accused, for the purpose of identification and corroboration of evidence. The physical evidences included fingerprints, handwriting samples, hair strands, amongst others.

Prima facie, the police are allowed to take the fingerprints of the accused for the purpose of investigation. However, a close reading of the aforementioned judgment reveals that the police are allowed to take the biometrics, only for the purpose of investigation and corroboration of the evidence that is already within its possession. The police are not legally permitted to take the fingerprints of an accused person as a means to an end; the end being to have a wild goose chase in the mobile phone of the accused persons, looking for any possible evidence.

Passwords, generally, require an act of volition, in order to be given to a third party, and hence, a numerical or alphabetical password shall be protected under the Article 20(3). It is a settled principle of law that executives cannot do indirectly, what they are not permitted to do directly. A person cannot be denied of the similar protection of law, for the mere reason that he chooses to use his fingerprint as password for his mobile phone.

Further, Right to Privacy has recently been recognised to be a tenet of Article 21 of the Constitution, in the case of Justice K.S. Puttaswamy v. Union of India. Informational privacy was held to be covered within the domains of the right to privacy. Further, in the case of UIDAI v. CBI,[1] the Supreme Court had held that fingerprints and the retina scans cannot be shared with an investigative authority, without the consent of the individual.

Hence, the police taking the biometrics of accused for the purpose of accessing the mobile phone, is violative of this right to privacy on two levels. First, it violates the right to privacy with respect to the biometric itself, by taking it without the consent of the accused for the purpose of further investigation. Secondly, by giving an unbridled access to the personal information and data of an individual, it breaches the right to informational privacy as well.

Should the Exclusionary Rule apply?

In India, the general principle of law is that an evidence, even if obtained by the means of irregular, or even, illegal search and seizure, shall be an admissible evidence, as long as it is relevant to the case in hand, as laid down in the case of Pooran Mal v. Director of Inspection. The reasoning of the Supreme Court in the Pooran Mal case, is that since, right to privacy was not a fundamental right and could not be considered so by means of any “strained construction” of the Constitution, an evidence obtained by means of violation of an accused’s privacy, is still admissible in law.

However, in context of the Puttaswamy case, the right to privacy of an individual is no more a “strained construction” of the Constitution, unlike what was held in the Pooran Mal case, and hence, an evidence obtained by means of violation of right to privacy of an individual ought to be made inadmissible in a court of law. The exclusionary rule of evidence should be made applicable to the extent that the evidence obtained by violating the fundamental right of a person, should be excluded from trial.


Biometrics as passwords pose intricate problems to the interpretation of self-incrimination and the problem is aggravated by the insurmountable amounts of personal data that is stored in a mobile phone, whose access the law has the power to legitimise or de-legitimise. It needs to be realised that in 2019, the confidentiality of the mobile phone is at a different pedestal from that of a closed room or a bank safe. It is extremely alarming to know that the right to privacy of an individual can be so easily and blatantly violated by the State instrumentalities, merely on the basis of choice of passwords used on the mobile phone.

[1] (2017) 7 SCC 157.

Nitesh and Ritesh are BA.LLB students at the National Law University, Delhi.

Categories: Law and Technology