Fingerprints Are More Secure than Passcodes, but Apple May Overestimate Our Trust

| Editorial

Apple is one of the major tech companies under huge pressure to reveal what it knew about the U.S. National Security Agency's PRISM spying program (as revealed by British newspaper The Guardian) and what information it handed over to the NSA and other security agencies. Despite all the assurances given by Apple, the introduction of fingerprint scanning as part of iOS 7 is likely to cause concern for many.

The Guardian disclosed in June that "the National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants", and Apple CEO Tim Cook has even met President Obama, seemingly to discuss the issue. Publicly, Apple, like most of the accused companies, has denied giving the NSA direct access, saying that it complies with individual requests as the law requires.

It is in this context that Apple made security updates to its iPhone line on Tuesday. As a result, when it made the expected announcement that the iPhone 5s would include a fingerprint sensor, Apple was unsurprisingly keen to emphasize that the fingerprint would never be stored or backed up in the cloud.

In the company's press release, Apple said that fingerprints will be, "encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud."

The company specified that apps will not have access to the fingerprint, as well. It will, though, be possible to purchase apps and other content like music and movies in the app store using the fingerprint authentication. Other payments will not yet be possible through fingerprint authentication, although Apple introducing it in its own store gives a strong indication that soon iPhones will be able to authenticate payments on other services by touch. 

Touch ID will be part of the home button. Authentication is made by a 500ppi scanner, which gives a high level of scanning beyond the surface of the thumb. Wired explains:

The button is made of sapphire crystal, one of the hardest [and] clearest materials available. The steel ring detects your finger using capacitive touch. The sensor analyzes your print, categorizing it by arch, loop, or whorl. It inspects minor variance in ridge direction, among other details.

While it is an important move for Apple to say that the fingerprint is only stored on one device and is accessible only by the iTunes Store, I think the company will have to do more to quell some of the security fears around this feature. After the Snowden revelations the tech savvy portion of the public is increasingly cynical about handing over personal data, and there is little more personal than a fingerprint.

It feels to me like there has been a dramatic loss of trust in our favorite tech brands, and we are increasingly concerned about how we as consumers are also becoming the product. Whereas previously many people would have happily embraced the new technology, now there is a greater questioning of Apple's motive, and distrust of what we are being told. Just because Apple says that it will not store our data, that there is no online database, that doesn't necessarily mean we believe it.

For instance, this image was posted (and received a lot of attention) at image sharing service Imgur just a few hours after Apple's media event:

As well as fears about the NSA getting hold of people's fingerprints, and all the implications that that has, concerns have also been raised that the inclusion of fingerprint sensing could lead to criminals harming people in order to get hold of thumb prints instead of just stealing the iPhone. Sensors are apparently increasingly able to differentiate between a 'live' thumb and a 'dead' one, which will hopefully put off any particularly unpleasant phone thieves.

Overall, a fingerprint is much more secure than a password. Consequently, the fears of security services and others getting hold of it are greater, but so are the benefits to the consumer. Not only is touching the home button easier than remembering a password, it's not like someone can guess your fingerprint.

Ultimately, there are many people who do not bother to use passwords on their iPhone, and Apple likely hopes that by simplifying authentication by using touch, more users will improve their devices' security. However, before we all scan our fingerprints, Apple is going to have to do a lot of work to allay the real privacy concerns that still remain.

Read more on Touch ID on TMO.

Comments

John Hamilton Farr

Good analysis, and I agree that Apple needs to be more forthcoming here.

However, I’m personally not the slightest bit concerned about the idiots at the NSA getting access to my fingerprints. Surely they have them already!  (I have a dim memory of having my prints taken somewhere, sometime in the past.) And to even get to this point of worry, one would have to assume that Apple is lying, which I don’t. So with all the things one has to worry about these days, this one just isn’t on my list. If I’m too naive to grasp what kind of horror having my prints that I leave everywhere I go “stolen” would unleash, so be it.  I’ll be dead in 30 years anyway, and all the paranoids can say they told me so. As I tweeted late last night:

“I believe Apple & I don’t care if the NSA has my fingerprint anyway. I want a gold one. Just gimme the damn phone & shut up. #iphone5s”

Thank you. Carry on!

mjtomlin

Not sure I think there’s any need for alarm here. Apple has stated that the data is only stored in a secure (encrypted) location on the A7 SoC that only the sensor can access. Furthermore it’s not an actual “print” - it’s not saved in any meaningful readable form, it’s just digital data that’s compared against successive “scans”. In other words even if NSA was to get access to this data, it couldn’t be compared to a real print. Actual fingerprints lifted off items are of the outer epidermal layer, the data saved here is a topography of the live tissue that resides underneath.

In this day and age, consumers ARE NOT as concerned about personal secrecy that so called analysts and “experts” like to say they are. If that were the case no one would ever sign up for any of Google’s services.

This is an attempt by the media to downplay a clear Apple advantage. And one that’s not even entirely new in the world of consumer electronics - just done correctly.

Martin-Gilles Lavoie

I couldn’t care less what NSA gathers on me for I have nothing to blame myself for.

Still, after seeing how the US public was suckered into an Iraq war and the very questionable motives/proofs behind it, you have to wonder what a nifty database of fingerprints could do to ill-intentioned civil servants working for NSA and other branches of the USG.

Cherry-picking a convenient suspect scape-goat out of a billion-plus database is a terrifying prospect.

Jules Hobbes

Sorry, but I don’t get it. If somebody is really paranoid about his finger print being recorded by his phone, then she has far more things to be paranoid about, and she shouldn’t use a smartphone at all.

Lee Dronick

  Apple is going to have to do a lot of work to allay the real privacy concerns that still remain.

I would say that there are no “real” privacy concerns, only imaginary ones.

Also a lot of people already have fingerprints on file. Not just because of criminal activity, but because they were in the military, worked at a school, day care, security, and so on.

Anyway, is the use of the fingerprint to unlock the iPhone required? Is it an option during setup? Can a passcode be used instead?

 

Lee Dronick

Jules, a good tinfoil hat will keep your iPhone from connecting to your brain via BlueTooth. smile

Bosco (Brad Hutchings)

Lee, right now, post-Snowden, every CIO for a company big enough to need a CIO is reevaluating cloud strategy in light of ongoing revelations. It’s not about the NSA so much, if at all. It’s really about physical custody of data. When that is outsourced, it makes data potentially physically accessible to a whole bunch more people than it should. One then relies on contractual and legal mechanisms to keep such data in the right hands and out of the wrong ones. The clear lesson from the Snowden leaks is that in the case of the NSA, the legal lines we might have all assumed were in place via the 4th Amendment are not, and even those that are have been violated by both malfeasance and incompetence. Nobody has come up with numbers about the domestic cost of reevaluating the cloud in light of new risks, but someone did recently drop $35B of lost US cloud business to foreign customers due to NSA revelations.

Lest you think that newfound data paranoia is only for CIO, consider that lawyers who have become highly reliant on public cloud services to communicate with clients, opposing attorneys, and courts are completely freaked out because data not in their physical possession is potentially discoverable.

So what I would advise is that into this hurricane, Apple has dropped a new techno gizmo that is opaque, not well understood, and has obvious high potential for abuse. Calling people who want to know more “paranoid” or tossing the “tinfoil hat” slur around is not helpful. Apple can allay concerns about this thing by being more transparent about how it works, what it does, what it stores, etc. and being open to criticism from the security sector. Or maybe they don’t want to. Whatever.

There are a whole host of reasons that I am starting to advise people to think carefully about what goes on their phones, and what needs to be removed daily. It’s severely complicated by such silly things as not wanting to be a jerk when your son, daughter, niece, or nephew wants to install some stupid game to play while you’re enjoying a Bloomin’ Onion at Outback. But you know, now that we know that there is at least one actor (the NSA) which would go to any means to get any data and sift through it later regardless of cost, we’ve got to assume that others are trying vectors that get them some subset of data they want. And that’s the context that new techno-gizmos like fingerprint scanners on phones now fall into.

wab95

Apple is one of the major tech companies under huge pressure to reveal what it knew about the U.S. National Security Agency’s PRISM spying program

Huge pressure? Really? From whom?

I think this is an overstatement. To be sure, your statement

After the Snowden revelations the tech savvy portion of the public is increasingly cynical about handing over personal data, and there is little more personal than a fingerprint.

bears some truth, but the tech savvy public is not a monolith.

My reading of privacy concerns in the tech community leads me to believe that there are two types of concerns:

1) Concerns about what the private sector collect and how they will use our data (e.g. Google, FB, etc);

2) Concerns about what governments, particularly the US NSA collects and how they will use our data.

There are those in the tech savvy community that have concerns about one and not the other, those who have concerns about both, and those who have concerns about neither, at least to any great degree. Meanwhile, governments have begun the discussion with these companies about what data they collect and the terms of their use, while for the most part, concerns about data collected by the US government have been largely directed at that government, and less so to the private sector.

In any case, I am not aware that Apple are under any greater cloud than any other company by their user base or by any particular investigative body over the US authorities’ allegations that they, and other companies, provide data through the PRISM programme.

That said, regarding the finger print scanner on the iPhone 5s, this would be an inefficient means whereby the NSA could gather finger prints, as this would be, at best, a woefully incomplete sampling (and a biased demographic), not to mention that, should the NSA or any other intelligence agency want your finger prints, there are substantially easier and more direct means to obtain them; not to mention that, if they are going to bother to access your personal data as part of an investigation (rather than simply scan your data as part of the big data stream), they already know your identity, and the finger print is somewhat redundant as an identifier.

Concerned parties can choose not to upgrade, but biometrics, as security measures, are in our future.

Lee Dronick

As Wab says you don’t have to upgrade to the iPhone 5S. What is still unknown, to us, is if the Touch ID feature is an option or not. If it is an option then don’t use it if you have concerns.

gnasher729

Someone wrote: “I couldn’t care less what NSA gathers on me for I have nothing to blame myself for.”

I have no reason to believe that isn’t true. On the other hand, while you may not have done anything to blame yourself for, you might very well have done things that you don’t want others to know. And I’m 100% sure that you have done things in your life that could be turned and twisted and misinterpreted in a malicious way in a way that is damaging to you.

Bosco (Brad Hutchings)

How do you ensure that you’re not using the fingerprint scanner, Lee? Do you need to put some kind of cover over your home button now? Or would you suggest only pressing the home button with a pencil eraser?

The broader point is this. Apple doesn’t get to have 18% of the smartphone market (declining to 13% in 2014) and go on with the attitude that since they fart rainbows and Lucky Charms, they are exempted from scrutiny when they bring some new technology online to that small segment of a giant market they reach which raises very obvious privacy and security concerns. To pretend otherwise is silly.

Lee Dronick

What I said

  What is still unknown, to us, is if the Touch ID feature is an option or not.

Let me rephrase that so that there is no misunderstanding.

What is still unknown, to me, is if the Touch ID is required or not to unlock the iPhone.

 

wab95

Charlotte:

Your article, and much of the discussion that has followed it takes me back to my childhood, a part of which I spent in East Africa. Bear with me.

Before I was shipped to boarding school, I attended a local day school in a somewhat remote region of Uganda. One day, a photographer came to the school at the invitation of the headmaster. Before long, there was a palpable disquiet amongst the student body, which only increased once the headmaster made clear that we would all have to be photographed. Individually. Consternation overtook my classmates, to a person. Some strenuously protested, but once it was clear that this was school policy, they relented. While some merely submitted to the camera with dull resignation, others made exaggeratedly angry faces into the camera.

Unable to contain myself any longer, I asked my mates what the fuss was all about. They informed me that the camera was infernal technology that would steal their souls, deprive them of a free afterlife as they would be imprisoned onto the paper, and that it would likely shorten their lives. And why the angry faces? These might scare away the evil spirits in the camera that might snatch and imprison the soul.

I realised that the gulf separating my world view from those of my mates was, at that moment, too great to span with a rational, science based conversation. Their fears, though by reasoning were unfounded and irrational, were nonetheless very real to them, and based on deeply held, even if convoluted, belief. I accepted that only through time and exposure (no pun intended with photography), would my classmates become more comfortable with this technology.

The current discussion, though not as far afield, is in my small opinion, of similar calibre. That one can proffer the opinion that a biometric scan of one’s finger on a handheld personal device, a scan that today is not a gold standard used in forensics, would somehow be uploaded and be used in a remote surveillance system by professionals to identify you as an individual, and that this would be something of value to the intelligence community, simply unmasks fear of an unfamiliar technology, conflates biometry and forensics, personal security and personal investigation, and lacks an explanatory rationale - why a finger scan, and what added benefit would that give to a spy that they aren’t already getting in spades? It ranks alongside the conspiracy theory of a community in a developing country in which I conducted a clinical trial, in which a vocal few alleged that we were collecting blood samples from people so that we could pool it all together and sell it to blood banks in America so that we could get rich. It’s not why we collected blood specimens (we were looking for immune responses to the intervention), it’s not a blood bank worthy specimen, and it’s not how one gets rich. In that small, illiterate community, wiser, cooler heads prevailed, and the trial was completed.

I am equally confident that, in time, people will become comfortable with biometry, appreciate its distinction from forensics, and even if they never understand surveillance and intelligence gathering methodology, appreciate that their biometric scan on their personal device is not how remote surveillance is done.

Hagen

I find it fascinating that issues like these only seem to come to the fore when a company like Apple decides to use them. A few questions I’d love to see answered:

1) What format is the data actually saved in? From the sounds of it, the data is a proprietary format that’s likely incompatible with any other fingerprint method, especially the NSA. (counterpoint: that’s a software problem… which can be solved with sufficient coding resources)

2) Since this technology came from Apple’s purchase of AuthenTec, what sort of data security—and public scrutiny—did AuthenTec have concerning its previous products?

3) I recall IBM (and subsequent Lenovo) computers coming with a built-in fingerprint scanner, presumably to be used in similar ways as the iPhone’s implementation. What was the prevailing reaction to that: optimism, caution, fear, or ennui?

Hagen

The fingerprint scanning feature most certainly CAN be turned off, and the phone will revert to the same passcode coverage that it’s always used.  I believe you can also set it to use both the fingerprint AND a passcode if you so desire, though I haven’t been able to confirm that.

Note, too, that the iPhone 5s can work with multiple fingers, so your family members can also be authorised to use it. Alternatively, use a different finger (like your ring finger) as a subtle extra layer of security.

Lee Dronick

Hagen, that is what I suspect. For example in cold weather you would want a way to unlock, and use, it with a stylus or touch sensitive gloves. Also mentioned in a different story that around the house I don’t need to lock the iPhone.

iJack

“In this day and age, consumers ARE NOT as concerned about personal secrecy that so called analysts and “experts” like to say they are.”

So ‘consumer concern’ is the measure by which we should/should not allow our own government to collect personal data on us?

This is only one of several stupefyingly dumb comments here today. And you guys that trot out the old, ‘if-you-have-done-nothing-wrong-you-have-nothing-to-fear’ saw, should really be ashamed of yourselves, or at least read a goddamned newspaper once in a while.

gnasher729

IJack: When someone says “if-you-have-done-nothing-wrong-you-have-nothing-to-fear” what they really mean is “complaining about privacy information shows that you are some miscreant who has something to hide”. It is a personal attack against anyone complaining.

But just as an example, if you have done nothing wrong you still have to fear that by bad coincidence you have the same name as someone who is connected to terrorism, and that innocent fact alone means you may get searched regularly in an invasive way on every flight, or you may not even be allowed to fly. Even though you have done nothing wrong.

Lee Dronick

First off I need to say we are not being spied upon, well most of us are not. It may be semantics, but the fact remains that our online activity is not being spied by government agencies. Not even surveillance is a good word for it, something less than that. Anyway if the metadata suggests that you “warrant” a closer look then you may be spied upon. Communicate and associate with terror and hate groups, be they foreign or domestic, visit and linger on their web sites then you need to be wary.

I have often used the analogy of a traffic cop watching vehicles go by. Almost every car gets a look, but most of them don’t get a second one. Now someone will counter that “They are coming into our homes!” No they are not, the so called spying occurs when you leave home and are on the information super highway.

Does this situation have the potential for abuse? Yes it does. Is there danger from not spying on internet traffic? Oh hell yes. There needs to be a balance, and the bar may need to tip one way or the other depending on the situation. Anyway bitching about it online does little except allow you to vent. Contact your Representative and Senators.

iJack

@gnasher ~ That was pretty much the point of my post, but thanks for ‘translating.’ 

May all the nay-sayers live long enough to see their denials come back and bite them in the ass.

ibuck

To me, the “nothing to hide” crowd seem naive and clueless, and would have been excellent German citizens in the late 1930’s. Just because YOU believe you have nothing to hide doesn’t make you innocent or harmless to those seeking to increase their power. Your friendship with someone, your union membership, political views, your membership in the ACLU, can result in undesired circumstances. In Hitler’s time, people were loaded on a train and disappeared. Now in the US, you may lose your right to vote, or be searched / detained at the airport. Don’t think it can’t happen to you: it IS happening now.

In Germany they came first for the Communists, 
and I didn’t speak up because I wasn’t a Communist. 
Then they came for the Jews, 
and I didn’t speak up because I wasn’t a Jew. 
Then they came for the trade unionists, 
and I didn’t speak up because I wasn’t a trade unionist. 
Then they came for the Catholics, 
and I didn’t speak up because I was a Protestant.
Then they came for me, 
and by that time no one was left to speak up. 
— Martin Niemoeller (1892-1984), German Protestant Clergyman 

What to do? Protest (speak up) to your elected reps. And don’t vote for those promoting any law that takes away the voting rights of any citizens.

bbh

I am somewhat comforted that the general tone of comments here echoes my feelings. What’s all the media fuss about? One touch for on/off is a BIG leap forward. Does anybody really believe the “guvmint” can’t get or doesn’t already have your fingerprints?

And, if you are one of the paranoid ones, DON’T USE THE FINGERPRINT OPTION.

Rob Del Genio

Before Snowden brought NSA out of the closet, I’d have thought the fingerprint password was cool. No more. Common sense tells me we need to take matters into our own hands to protect what little is left of our privacy. What can we do?  For starters, well for God’s sake, don’t give away your fingerprint. Then hurry up and replace your profile picture on Facebook with an image of a pet or a lamp. Then, stop storing stuff on Dropbox, iCloud, etc. Take it down and stash everything in a CloudLocker (www.cloudlocker.it), which works just the same but it’s private and stays in your home where they still need a warrant to see inside.
