Apple’s new iPhone 5S fingerprint scanner “Touch ID” raises privacy and security concerns. Touch ID allows users to unlock their phones and make purchases in the iTunes store with the touch of a finger, but might not be as secure and as private as Apple would have us believe.
Who has access to your fingerprint data?
At first, the security discussion centered on where the data would be stored. Those concerns were (mostly) quashed when Apple confirmed that Touch ID does not store actual images of a user’s fingerprints on the device, nor does it upload any data to Apple servers or to the cloud. Rather, the system stores “fingerprint data” encrypted in the phone’s processor using a digital signature to unlock itself or make purchases. While this decentralized storage system decreases hacking vulnerabilities, it is still unclear whether Apple will have access to either the fingerprints or the “fingerprint data.” If Apple has access to it, any government that regulates Apple might be able to request that information similar to how they request user information from the likes of Facebook and Yahoo. It is not inconceivable then that more than one government might be able to download all of our fingerprints, as this clever meme suggests.
This would give the government even more of our private information. With the recent NSA scandals in the U.S., and reports coming out about how much personal information the government truly has access to, it is frightening to think that iPhone users are tacitly giving away more personal information without even realizing it. Legally, fingerprints are physical evidence which do not have Fifth Amendment protections as other evidence does. See, e.g., Schmerber v. California, 384 U.S. 757, 765 (1966) (no protection for blood samples); Gilbert v. California, 388 U.S. 263, 266-67 (1967) (no protection for handwriting exemplars). Thus, the government would be able to use these newly acquired prints against anyone they arrest without violating our rights against self-incrimination.
Is Apple’s Touch ID truly more secure?
More recently, the issue is whether the technology is truly more secure. The technology currently requires consumers who want to use Touch ID to create a passcode as backup, and of course you cannot guess someone’s fingerprint like you can their password. However, there are some obvious disadvantages. We leave fingerprints on everything we touch, and they can hardly be claimed to be a secret. Thus, it might not be as difficult to duplicate a fingerprint as some might believe. Senator Al Franken (D-MN), Chairman of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, summed up the basic problem nicely:
Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints . . . . What’s more, a password doesn’t uniquely identify its owner—a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.
Although the technology has only been available for a few days, it has already been hacked. A German hacker bypassed the system using the fingerprint of the phone user photographed from a glass surface. The success of the hack, even if arguably too complex to be practical for the majority of would-be criminals, combined with the ready availability of prints, highlights the vulnerability of the system.
Is biometrics the future?
This move by Apple may just be the first in a wave of similar changes. Facebook is currently experimenting with facial recognition software, and a Google security executive has publicly proclaimed “passwords are dead,” encouraging companies to look for other ways to secure users’ data.” Given Apple’s position in the industry, it is not hard to image biometrics becoming the norm. But this would raise a range of legal issues– First Amendment implications, the Fifth Amendment right against self-incrimination, and whether the government should have access to such data, to name a few. Before we put our faith in Apple iPhone’s new Touch ID and related emerging technologies, we must better understand both the legal and practical implications of biometrics and how our fingerprints, faces, and other permanently identifying information might be accessed by corporations, governments, and identity thieves.