The iPhone 5S just launched today, and fans are already happily scanning their fingerprints into the devices’s new Touch ID system. Apple (and science) claims it’s perfectly secure, but lawmakers aren’t so sure.
The Hill reports that Sen. Al Franken has sent Apple a letter regarding the fingerprint scanner technology in the iPhone 5S. As you would expect, he’s concerned that the the introduction of one’s fingerprint as a security gate could lead to privacy violations and even identity theft.
Too many people don’t protect their smartphones with a password or PIN. I anticipate that Apple’s fingerprint reader will in fact make iPhone 5S owners more likely to secure their smartphones. But there are reasons to think that an individual’s fingerprint is not “one of the best passwords in the world,” as an Apple promotional video suggests.
Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not a secret. What’s more, a password doesn’t uniquely identify its owner—a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.
Franken is aware that the Touch ID system stores fingerprints locally in an encrypted format, and that it doesn’t allow third party apps to access said fingerprints. Still, he feels that Apple hasn’t done a good enough job yet at explaining exactly how it protects a person’s fingerprints from being compromised. He also worries that Apple pushing into biometrics will encourage other mobile device makers to embrace it, and those companies may not have the same commitment to privacy and security that Apple does.
At the end of the letter, Franken presents a list of 12 questions that he hopes Apple will answer. Some of the questions are pretty basic – like whether or not it’s possible to extract fingerprint data from an iPhone 5S – while others dive into the nitty gritty of privacy law – like whether or not Apple views fingerprint data as a personal identifier as defined by the Stored Communications Act.
The most important question of them all, however, may be the 10th. He asks whether or not Apple could be forced to hand over fingerprint data if it’s deemed necessary to an investigation:
Under American intelligence law, the Federal Bureau of Investigation can seek an order requiring the production of “any tangible thing (including books, records, papers, documents, and other items)” if they are deemed relevant to certain foreign intelligence investigations. See 50 U.S.C. § 1861. Does Apple consider fingerprint data to be “tangible things” as defined in the USA PATRIOT Act?
As you can imagine, some people already think that Touch ID is just a ploy set up by the NSA to get more people to hand over their fingerprint data. While I don’t think that’s the case, there’s a legitimate privacy concern here. Did Apple really make the right decision when implementing a fingerprint scanner into the iPhone 5S? Will it lead to a new wave of identity theft cases as hackers steal iPhones and extract fingerprints from the devices?
At this point in time, it’s hard to say. Franken is right to be concerned, however, and I’m sure many are waiting to see what Apple has to say in response to his letter.[Image: Al Franken/Facebook]