Why Are People Worrying About the NSA Stealing Their Fingerprints?
Oct 1 2013
There's nothing like a gimmick to draw consumers in. Orange have their movie deals, GG Allin had repeatedly smearing himself in his own shit on stage and now the new iPhone 5S has a fingerprint sensor, apparently to provide greater convenience both for locking the phone and making purchases online.
Much has already been made of how this new security technology is far from secure; Apple claimed that it wasn't possible to fool the sensor with a fake print because it only responds to "living tissue". Four days after it was released, the German hacker collective Chaos Computer Club (CCC) fooled the sensor with a fake print transferred off a piece of paper – i.e. a material that is clearly not living tissue. In fact, CCC representative Dirk Engling told me that, "The hardest part about the hack was actually getting hold of an iPhone 5S."
An inevitable worry to arise out of that is how the sensors might be exploited by the authorities. Considering the NSA already seems to view smartphones as a gateway to the public's photos, contacts, emails, messages and pretty much anything else they want to see that is stored on your phone (including location and browsing history), perhaps we shouldn’t be so excited about a pocket-sized tracking device that's also storing the biometric parameters of your fingerprint.
Apple have assured us that your fingerprint data is secure on the phone and never comes into contact with the Apple cloud, meaning the fingerprints of iPhone users – or "zombies", as the NSA affectionately refers to them – are supposedly perfectly safe. So is there any way that the technology could actually be used as a form of state oppression, or is this just another case of internet paranoia trumping any kind of logical thought? Is a fingerprint sensor, in the hands of law enforcement, actually less secure than a passcode locking all the data on your phone away from the police's prying eyes?
I was told by the Association of Senior Police Officers (ASPO) that, under Section 49 of the Regulation of Investigatory Powers Act 2000, "authorised persons" – such as law enforcement, security and intelligence agencies – have the power to request that an individual or group discloses protected or encrypted information that could "prevent or detect crime for the purposes of national security".
This includes "a key to the protected information" – in other words, your passcode. And although a drawn-out process of legal to-and-froing might eventually tire you into unlocking your phone, that's the only way they'll be able to get the passcode out of you – it's not like they can rip it from the filing cabinet in your brain where you store all your passwords.
However, when biometric locks come into play, you might not even get the chance to appeal, as it’s entirely possible for your prints – which you are legally required to present – to be emulated and used to unlock your phone. For the moment, the police's power to do so is suspended in a legal grey area. In the same way that privacy laws don't protect against domestic drone use, it appears that legislation hasn't yet caught up with the new security technology.
"We have no set of rules for this yet – there is no convention on what happens and what can be done," Sam Smith from privacy-rights organisation Privacy International told me. "Can the police technically force you to unlock your phone if it’s fingerprinted? The police would argue that they can, but they don't get to unilaterally make the rules."
That said, perhaps the paranoia about police being able to access your devices with a copied fingerprint is already hugely outdated. According to Val Swain from NetPol, a police watchdog group, this kind of thing has already been going on for years: "The police routinely download information from mobile phones when anyone is taken into custody, using an ACESO device. This claims to be able to access data from smartphones, including Blackberry devices, even when they are password protected.
"It is not clear whether the use of fingerprint locks on mobile phones would be a significant hurdle for the police, or whether the ACESO reader is – or would quickly become – capable of by-passing the requirement for a fingerprint," she continued. "We would need more technological data in order to know that." And due to the interest of private sector companies in creating this kind of technology, Val suspects "an answer to Apple's fingerprint technology will not be far behind".
Val then outlined what she feels is far more important than the fingerprint sensor issue: the aftermath. "The real issue is the ease with which the police obtain and retain vast amounts of data from mobile phones, and the use they make of it," she stressed. "Almost any type of data can be kept, including contact lists and social networking data. Data can be retained even if a person is not charged or convicted of any offence."
Of course, that's only going to happen if you get yourself arrested. And it's relatively easy to avoid that if you try to avoid openly dealing heroin or smashing up bank clerks with baseball bats. So, as usual with basically anything spawned on the internet, the hysteria is mostly unfounded; for the vast majority of users, the technology really will just be an effective, convenient way of protecting your iPhone.
In fact, the most important thing to take away from the debate is how much biometrics might continue to be adopted by other technological brands and products. Apple say your fingerprint scan isn't going anywhere other than your phone's internal memory – and there's been nothing to disprove that since the phone was released.
But if the sensors proliferate through other kinds of cheaper technology that are less concerned with security, you could end up sending a digital version of something that uniquely identifies you out into the expanses of the internet. And coupled with the fact that there are only – at best – weak laws currently in place to stop that kind of data from being exploited, there's no way of knowing how that could be used by governments, corporations and police forces around the world.
Follow Joseph on Twitter: @josephfcox