How Armenian gangsters blew up the fingerprint-password debate

When it comes to protecting your privacy, four digits may be better than one.


Paytsar Bkhchadzhyan is a woman with a colorful past and a bummer of a present.

She arrived this week in news stories with a string of criminal convictions and gained notoriety for pleading "no contest" to felony identity theft early this year. Her iPhone was seized from the home of her boyfriend, one Sevak Mesrobian, a member of Los Angeles-based gang Armenian Power.

Her fingerprint then began its long journey to giving civil-liberties fetishists a new storyboard for their "bad touch" role-play scenes.

"Bad Touch" ID

Much ado has been made over a Los Angeles judge's February decision to grant a search warrant allowing authorities to take Bkhchadzhyan's fingerprint and use it to unlock her iPhone. Surfacing in the news this week with drama, it's an unprecedented revelation that has divided legal experts and given our collective Big Brother paranoia and infosec hysteria a shot in the arm that we really didn't need.

The decision came in record time, probably thanks to Touch ID's own timeout function giving the authorities a helpful spike of urgency to their request. Within 45 minutes of Bkhchadzhyan's arrest for identity theft last February, the warrant to search her phone was granted, and her fingerprint was taken and used to bypass the biometric password for her iPhone's Touch ID.

Things would have been different had she been using a regular password or passcode, which is protected by the Fifth Amendment's safeguards against self-incrimination.

The federal judge weighing in on the search warrant, U.S. Magistrate Judge Alicia Rosenberg, didn't consider a fingerprint the same as a password. Rosenberg's decision was preceded by that of a Virginia Circuit Court judge in October 2014, where it was ruled that giving biometric data is not the same as divulging knowledge.

Some argue that what happened in L.A. does violate the woman's Fifth Amendment rights. But the issue is far from being decided. In the meantime, some authorities are quick to exploit the law's failure to keep pace with technological advances like Touch ID and the public's perception of what a password really is.

The jury is out

As we learned in the San Bernardino iPhone case, phones are just about the most valuable real estate law enforcement can get its hands on. We also learned that the whole situation of laws and phones and threats and passwords is messy and baffling.

But think about it this way: Our laws around tech, privacy and the needs/wants of authorities are a bit like an old building. One that has had every inch of usable space utilized, with no overall plan for expansion. But in the era of cyber, it must remodel. The only things really guiding it are the structural bits that can't be moved (like the Fifth Amendment). To expedite growth into the next room, cops are just punching through walls. And judges, like the tech companies whose inventions are facilitating this explosive growth, are really not interested in signing off on anyone's expansion plans.

Though, I think it's safe to assume that Apple didn't consider that its innovation was going to give law enforcement a pass to jump the search-and-seizure queue.

In this case, it all ended up boiling down to the relative value of the password protections afforded ordinary citizens vs. the worth of a gangster's girlfriend. And that's where things start to get really interesting.

It turns out that Paytsar Bkhchadzhyan is a link worth clicking on.

If only she'd used a PIN code

If you think there's irony in a woman getting sent up the river for identity theft ending up center stage in the biggest fight over passwords and privacy ever, just wait -- there's more. Authorities were actually after the treasure trove of information in Bkhchadzhyan's phone, which most likely included her boyfriend's activities in a gang called Armenian Power.

As described in an elegant piece by Hayley Fox for LA Weekly, Armenian Power members run with names like Thick Neck, Guilty, Stomper, Gunner, Lucky, Menace and Casper (there's at least one lady gangster, named Sugar). They earn these names from shootouts involving AK-47s on the streets of L.A., as well as their occupations. Their business practices include kidnappings and protection rackets but primarily involve exploiting security holes to perform identity theft, bank fraud and card skimming through hardware hacking.

To that effect, the racket that helped land an Armenian Power leader in prison in 2014 was what the FBI called "a sophisticated debit-card-skimming operation" involving "the installation and use of skimmers to steal thousands of customers' debit-card numbers and PIN codes." Gangsters went into stores and swapped out point-of-sale keypads while checkout clerks were distracted, then returned to swap them again a week later, loaded with customers' credit and debit card data.

Bkhchadzhyan's boyfriend is in prison. But since news reports link the iPhone fingerprint warrant with an ongoing investigation, he may not be the droid they're looking for. What comes to mind here is the Armenian Power's well-documented willingness to fight for Syria's President Bashar Al-Assad -- self-described "gangbanging for Syria" and for their homies back in SoCal. Bringing that war home would be very bad indeed.

At any rate, these are the kind of guys who, unlike the genteel security team members at Apple, would be more inclined to part your hair for you about 8 inches too low than debate theories about password security use cases.

Now that American judges are treating Armenian gangsters like country mice in the big city, some of the more extreme hypotheticals about cops exploiting Touch ID have come home to roost.

And in light of all the implications here, paranoid jokes about fingerprint passwords posing a serious risk to outlying body parts under extenuating circumstances don't seem so far-fetched after all.

Images: Petrovich9/Getty (Lead); Bryan Thomas/Getty Images (No entry); Magdalena Mayo/PA Wire (ATM)