iPhones, fingerprints and privacy

The latest iPhone, the iPhone 5S, launched last night with the usual ceremony. Slick, clever, sexy technology at its best. One feature stood out from the rest: ‘Touch ID’. As the Apple website puts it:

“[Y]our iPhone reads your fingerprint and knows who you are.”

Sounds great, doesn’t it? Perhaps…. but to people who work in privacy, particularly people who have been paying attention to the revelations of Edward Snowden, it should be ringing a lot of alarm bells too. This is a big step, and associated with it are a lot of risks, not just with the technology itself, but more importantly with the implications of this kind of technology. This isn’t just a new generation of iPhone, it’s a new generation of risk. There’s a long way to go before we really understand these risks – but we need to start thinking now, right from the outset.

Keeping our fingerprint data secure?

Apple have said that the biometric information (presumably some kind of distillation or sampling of a print rather than an image of the print itself) is stored ‘securely’ on the phone itself rather than sent to Apple or even stored on the cloud. That is certainly much better than the other way around, which would raise enormous and immediate security and privacy issues, but in the light of the Snowden revelations, and in particular the PRISM programme in which Apple was implicated, these assurances can only be taken with a pretty huge pinch of salt. The possibilities of backdoors into this data, or of hacking of this data cannot be easily dismissed – and there are those within the hacker community that just love to crack iPhones. Some will be itching to get their hands on the new iPhone and see how quickly they can get this data out.

Apple have also said that they won’t give App developers access to this data – and they haven’t so far – but they didn’t add the crucial word ‘yet’. Once this system is in common use, won’t App developers be clamouring to use it? Apple themselves understand that this could lead to a whole new raft of possibilities: “Your fingerprint can also approve purchases from iTunes Store, the App Store and the iBooks Store, so you don’t have to enter your password”. Would that be the end of it? Hardly. As I shall expand below, this kind of system helps ‘normalise’ the use of fingerprints as an authentication system – of course it has already begun to be normalised, but building it into the iPhone takes that normalisation to a new level.

Why would they want your fingerprints?

Fingerprints have been used as a way of identifying people for a very long time – since the 19th Century at least – and it is that ability to identify people that is the key to both the strengths and the weaknesses of the system. Ostensibly, the idea of ‘Touch ID’ is that it helps you, the user, to control who has access to your phone, by checking anyone who tries to use the phone against a list of authorised users – you and those you’ve said can use it. Others, however, can use your fingerprints for many other reasons – the well known use of fingerprints for crime detection is just part of it. When dealing with data, though, the key point about a fingerprint is that it links the data to you in the real world. If someone gets your iPhone but doesn’t know that it’s yours, and they then check your print on that phone’s database, they can be ‘sure’ it’s yours, no matter how much you deny it. That in itself raises privacy issues (and no doubt begins the ‘if you’ve got nothing to hide’ argument again) but also raises possibilities of misuse.

Linking with other data

Once they know that a phone is yours, the possibilities to link to other information are immense, and growing all the time. Think how much data you have on your smartphone. You use it for your email. You use it to make calls, to send texts, to social network, to tweet – so all of your communications are opened up. You have your photos on it – so add in a little facial recognition and another vast number of connections are opened up. You keep your music on it – so you can be profiled in a detailed way in terms of preferences. You probably access your bank account, perhaps have travel tickets in your Passbook. You may well do work on your phone – keep notes or voice memos. The possibilities are endless – and the fingerprint can form an anchor point, linking all this information together and attaching it to the ‘real’ you.

That’s part of the rub. Many people have already said ‘but the government already have this data, haven’t you ever entered the US?’ Yes, the US government have a database of fingerprints of all those of us who’ve entered the US in recent years – but this creates a link between that government database and pretty much all the data there is out there about you. It’s true, the authorities may well have already made that link – but why make it easier, and almost as importantly why make it normal and acceptable for that link to be made?

Normalising fingerprinting

This, to me, is the most important issue of all. Even if Apple’s security system works, even if there is no ‘function creep’ into greater uses within the Apple system, even if the fears over the NSA and other intelligence agencies are overblown (and they might be), the ‘normalisation’ of using fingerprints as a standard method of authentication matters. In the UK there was a huge amount of resistance to the introduction of a compulsory, biometric ID card – resistance that ultimately defeated the bill intended to introduce the card, and that played at least a small part in the defeat of the Labour government in 2010. We don’t like the idea that the authorities can say ‘your papers please’ whenever they like, and demand that we prove who we are. It smacks of police states – and denies individual freedom. We shouldn’t need to ‘prove’ who we are unless that proof is absolutely necessary – and in the vast, vast majority of cases it isn’t.

And yet, with systems like this, we seem to be accepting something very similar without even thinking about it. The normalisation of fingerprinting is already happening – the border-check fingerprinting is just one part of it. In many UK schools, kids are required to give their fingerprints in order to get food from the canteen – essentially for convenience, so they don’t have to carry cash around – and there has been barely a murmur of complaint. Indeed, it may be too late to stop this normalisation – but we should at least be aware of what we’re sleepwalking into.

Each little step makes the idea of fingerprinting more acceptable – and brings on the next step. If Apple’s Touch ID is successful, we can pretty much guarantee that other smartphone developers will introduce their own systems, and the idea will become universal. The idea has been there for a few years already – on laptops and on other devices. As is often the case, Apple aren’t the first, but they may be the first to bring it full-scale to the mainstream.

Just because it’s cool…

As I’ve written before – most directly concerning Google Glass (see here) – there’s a strong tendency to develop and build technology ‘because it’s cool’, without fully thinking through the consequences. ‘Touch ID’ in some ways is very cool – but I do have the same feelings of concern as I have about Google Glass. Do we really know what we’re opening up here? I’ve outlined some of my immediate concerns here – but these are just part of the possibilities. As Bruce Schneier said:

“It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state”

I’m concerned that what Apple are doing here is part of that bad civic hygiene. I hope I’m wrong. I am a fan of Apple – I have been since the 80s, when I bought my first Mac. I wrote this blog on an Apple computer, and have had iPhones since the first generation. My instinct is to like Apple, and to trust them. PRISM shook that trust – and this fingerprinting system is shaking that trust even more.

The biggest point, however, is the normalisation one. It may well be that we’re beyond the point of no return, and fingerprinting and other biometrics are now part of the environment. I hope not – but at the very least we should be talking about the risks and taking appropriate precautions. It may also be that this is just a storm in a teacup, and that I’m being overly concerned about something that really doesn’t matter much. I hope so. Time will tell.

23 thoughts on “iPhones, fingerprints and privacy”

  1. Good post and fair warning, Paul. I did wonder whether it (finger-printing/biometrics) also opens up a new avenue of theft; presumably the fingerprint that opens the phone will also be present as an imprint on the glass or back of the device too given the owner uses the phone in their hand. If so, then it might not be too far out of the realms of possibility for someone to lift the print and create a copy which could then be used to open the phone and access content.

    I also wondered about whether there is some kind of back-door around the fingerprint access. There must be – what would happen if you had the relevant finger chopped off or disfigured in an accident? Presumably those clever bods in the Apple store would still be able to get into the phone without losing all your data….

    • Yes, I wondered about both of those: there just HAS to be a back-door or override system available, somehow. And the link between the physical world and the digital world is the main point here – so actual imprints will be there as well as the digital record. All kinds of possibilities. We need to be a bit more critical in our thinking.

    • I assume that for the time they will give the option to enter the password in case the print does not work. It would be wise to do that. I think they thought about the same problems that you did.

      • We’ll see – but defaults matter, not just options, particularly in terms of the normalisation. I hope they have thought it through – and taken the thoughts seriously, rather than just dismiss them as unimportant.

  2. I’d like to see a bit more technical depth in pieces like this. Namely, the mechanics of a system that remembers some information points locally in order to recognise them again – matching a presented print against a limited database – seems to me to be potentially rather different from a universal sample-and-codify routine enabling a presented print to be tied back consistently to the same individual regardless of device, geography or agency (such as the NSA).

    That may be a trivial point, and the standards for such digitisation very likely exist, but whether the iPhone uses them seems to be a critical technical distinction. If it doesn’t, and simply relies on its own scanning, point-identification and cipher creation locally, then it would seem to be several orders of magnitude less threatening than one in which a small packet of data could then go on to be reused for all sorts of nefarious purposes.

    • That’s a very fair point – and these are only my first ‘instinctive’ scribblings on the subject. I don’t think the details are out yet – and perhaps one of the most important points is for the details to come out. There’s much more to be found out, and much more to be written. Part of the reason I wrote this, though, was that the reports I’ve seen so far in the press haven’t even touched on the issues. Privacy and risk has barely been mentioned. I’d like it to be discussed, at least.

  3. I’d like to be able to set one atypical fingerprint (say the middle finger) as the unlock-trigger… and another fingerprint (say the usual index finger) as an ’emergency-wipe’. Then if ever under duress, a plausible-looking gesture actually fortifies the device against further access, and if you’re really ballsy, you turn to the person who was trying to compel access and say, “Oh, you wanted me to use THIS finger?”

  4. Just as companies passively track and store MAC addresses as you walk past hidden routers, your fingerprint is now, more than ever, your own trackable, unchangeable MAC address. This allows companies to build up and profile your digital identity across time and platforms – permanently attached to you, without you even knowing how it is used, or who ‘really’ has access to it.

  5. […] Disclaimer: I’m neither a security expert, nor an expert in biometric scanning technology. The purpose of this is not to deny absolutely a number of very valid privacy concerns, but aims instead to address some of the more hysterical “men in black are taking our fingerprints” commentary that I have observed. For a rational, and well-written counter opinion to mine, I’d recommend Paul Bernal’s piece, iPhones, fingerprints and privacy. […]

  6. “Only paper is safe”. The Kremlin understands this, that is why they bulk ordered a number of electric (not electronic) typewriters earlier this year.

  7. Normalisation of fingerprinting is a concern to me. My children’s primary schools asked for consent to take fingerprints to use the library. We resisted, and the alternative was … a library card. In my view, you should not be replacing library cards with fingerprints at a primary school.

    Now at their secondary school, fingerprints are used in the library, the canteen, and for registration, with a four-digit PIN as an alternative. I have reconciled myself to the utility of fingerprints – they’re not going to lose or forget their finger, and I understand that the system keeps a hash of a scan rather than a copy of the data, which is deleted when they leave – but nonetheless, I worry about them being conditioned to think it is normal to use fingerprints for such mundane tasks.

    It does not take too much imagination to envision this sort of thing to be extended to credit cards, and public transport, and entry to museums and other public buildings. For convenience and security, of course. Once we are persuaded of the “benefits” of fingerprints in these contexts, we will be less concerned about the state taking and using biometric data, and with pervasive CCTV and facial recognition software… Am I just sensibly concerned, or am I beginning to sound like a bit of a loon?

  8. Fingerprint access is not forced on users; it is an *optional* way to unlock your phone.
    Additionally, it’s worth noting that the use of fingerprints as ID in UK schools is not mandatory. A legal ruling last year made it dependent on parental permission.

    • Do we know that fingerprint access is not forced on users? If so, great – but even if not, the default is the key here, particularly in terms of the crucial normalisation issue. With schools, the ruling is there but what does ‘parental permission’ mean? A majority of parents in a one-off vote? In practice, for most parents, it seems to be pretty much obligatory – either you opt-out of using the canteen or library, or you give your fingerprints. Again, a theoretical right to object means very little if in practice people end up acquiescing.

      • This is a big issue for me as my son’s about to apply for secondary. I think he can opt out of the fingerprinting but I’m worried there will be peer pressure for him to opt in. My main worry is we don’t know how technology will develop and how governments will change in the coming years so I’m not keen to sleepwalk into this. Other parents don’t seem concerned and I’m not sure I have the arguments to convince them it’s a bad idea when really I’m only really going with an instinct against what I feel is an intrusion of privacy.

  9. While I understand people’s concerns, I personally see absolutely nothing wrong with the increase in fingerprint security because who cares if someone knows who you are from your fingerprint; there are millions of ways to find out who someone is and this is just another one of those ways. I personally and honestly don’t care if the government gets hold of my fingerprint or any other part of my data; unless I do something illegal it’s not like they are going to use it for anything.

    • It’s easy to have such a perspective if you trust the government and feel in a position of ‘no risk’. The trouble is, many people aren’t in that position – and by normalising fingerprinting, you put them at risk. Ultimately, anyone who refuses will be seen as ‘untrustworthy’, so will be marked out as a potential suspect. That’s very bad for huge numbers of categories, from dissidents and whistleblowers to activists – e.g. people campaigning against the current badger cull.

      History has shown that these systems can be and are abused – do we want to provide another weapon to be used in that way?
