WASHINGTON – Apple Inc.’s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords – and that’s fine with privacy advocates.
The introduction coincides with the rise of cybercrime and revelations that the National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.
Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks – meaning it wouldn’t be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.
“They’re not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to,” said Joseph Lorenzo Hall, senior technologist with the Washington-based Center for Democracy & Technology. “That’s a good thing.”
The German magazine Der Spiegel on Sept. 7 reported that the NSA had cracked encryption codes to listen in on the 1.4 billion smartphones in use worldwide, including the iPhone.
The iPhone 5S uses a sapphire crystal to read a user’s fingerprint to unlock the phone, Apple said Sept. 10 as it unveiled the model that went on sale Friday in stores.
Biometric identification systems, including voice and iris scans, usually are harder to defeat than passwords, which can be stolen or deciphered.
Such systems could be used in mobile applications for banking and online buying in about 18 months, Litan said.
“Banks and e-commerce companies are taking advantage of these technologies and are already experimenting,” she said.
No two fingerprints are alike, which helps make them a strong security feature, said Dan Riccio, Apple senior vice president for hardware engineering, in a video the company released to explain the technology.
It’s never available to other software, and it’s never stored on Apple servers or backed up to iCloud, Apple’s Web-based sharing system, Riccio said.
By not pulling fingerprint information into its databases, Apple is making it extremely difficult to steal information stored on the device, said Anil Jain, a computer scientist at Michigan State University who conducts biometrics research.
A hacker or intelligence agency would have to break into the smartphone, find a way into the secure chip where fingerprint information is kept, download and decrypt the scrambled data, and then recreate an image of the print.
“It’s a pretty complicated process,” Jain said, adding that nothing is quite hack-proof: “If you spend enough resources on it, anything is possible.”
In a blog before the iPhone 5S was unveiled, security researcher Bruce Schneier wrote, “I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability – or maybe just a good enough printer – can authenticate his way into your iPhone.
“But, honestly, if some bad guy has your iPhone and your fingerprint, you’ve probably got bigger problems to worry about.”
Trends and concerns
Apple’s use gives the technology an endorsement that will probably lead other mobile phone makers such as Samsung Electronics and HTC to include biometrics in their products, said Avivah Litan, a technology analyst at Gartner Inc., the Stamford, Conn.-based research company.
“Companies are looking for better ways to authenticate users,” Litan said. “This is an important milestone.”
Before Apple unveiled the iPhone 5S, stocks of biometric makers were on the rise in anticipation that the phone would incorporate fingerprint authentication.
Over three weeks, shares of Precise Biometrics, a maker of authentication equipment in Lund, Sweden, increased 69 percent, and Fingerprint Cards, another Swedish maker of biometric security solutions, moved up 52 percent.
Teresa Brewer, an Apple spokeswoman, confirmed Riccio’s video remarks that fingerprint data is not stored on Apple servers (“All fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5S,” Brewer said in an email).
But she didn’t say whether the company could gain access to the fingerprint data.
Jennifer Lynch, a staff attorney with the San Francisco-based Electronic Frontier Foundation’s digital rights group, said no regulations govern the collection of biometric data.
But if companies don’t adequately safeguard information, they may face action by the Federal Trade Commission, which monitors fair business practices, she said.
And not everybody is sanguine about fingerprint capture.
“It reflects unquenchable thirst for swallowing as much consumer data as possible,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a Washington-based privacy group.
“This whole notion that people’s body parts can be added to the data profile is troubling, and it needs to be looked at,” Chester said. “Will the data be used to unfairly discriminate when you interact with a health app, for instance?”