Privacy Advisor

The Privacy Questions Raised by Apple’s New Biometric Login

October 16, 2013

By Lindsey Partridge, CIPP/US

Unless you were hiding under a rock or were in a coma, chances are you caught the news announcing the release of the new iPhone 5s. Perhaps the most newsworthy piece of the new mobile device is its fingerprint sensor, allowing for biometric securing of what’s becoming one of the most personal devices people own. Many people oohed and ahhed, and techies lined up to place their orders. Others immediately set their sights on cracking the biometric sensor. For me, it was nothing but privacy alarms. To understand why, we need to do a quick primer on biometrics.

Biometric Data: What Makes You, You

Biometric data elements are obtained by measuring the “biological or behavioral characteristic(s)” of an individual for recognition or identification purposes, which, according to an Intech-Open piece, can also be used for online recognition. Biometric data elements include facial features (such as the distance between your eyes); fingerprints; iris prints; voice patterns; and retinal prints. These elements are unique to each of us—and inherently personal. This is why they can be used for identification or verification, whether for purchasing an item from the iTunes store on your home network or for entering a secured area.

Verification v. Identification 

While verification and identification are related processes, they are technically different. Verification involves the use of a single-template, single-user system—whereby the biometric imprint is checked against the template on file. Much like a key fits into a specific lock, the templates match to unlock the system.

Identification involves collecting biometric data and creating a template comprising the markers contained within, which are then coupled with the individual’s related biographical data. This is then compared to the existing templates on file. The identification templates are used in two possible data modes: Open-set and Closed-set.

An Open-set is sometimes considered a “watch-list.” In an Open-set, it is not known whether the individual’s information is in the system. An example of this would be a latent fingerprint found at the scene of the crime when it is run against the existing templates in the criminal database. The investigators are unsure of the print’s status until a definitive match or lack thereof is determined.

A Closed-set is what is used for identification purposes on most systems, like the iPhone 5s. When the system is set up, you can enroll “trusted” users into the phone’s database by scanning their fingerprint. When you or another party places a finger on the sensor, it runs the template against those that are already in the system. If there is a match, it unlocks. Generally the user is known to be in the system, so this involves a fairly short confirmation turnaround.

The Core Concern Over Apple’s Fingerprint ID Technology

So, now that we’ve got the terms and definitions down, let’s look at what Apple is doing. Apple is, unquestionably, an innovative company. From phones to tablets and laptops, theirs is the top-of-the-line standard to meet. While innovative, however, even the late Steve Jobs admitted, “Sometimes when you innovate, you make mistakes.” Is the new fingerprint technology on the iPhone 5s an innovative success or a mistake?  

According to their announcement:

    […] Touch ID uses a laser cut sapphire crystal, together with the capacitive touch sensor, to take a high-resolution image of your fingerprint and intelligently analyze it to provide accurate readings from any angle. Setting up Touch ID to recognize your fingerprint is easy, and every time you use it, it gets better. The Touch ID sensor recognizes the touch of a finger so the sensor is only activated when needed, preserving battery life. All fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud. Touch ID can also be used as a secure way to approve purchases from the iTunes Store®, App Store or iBooks Store.

Apple’s design page explains the layout of the capacitive fingerprint sensor through a layered diagram (below).

So it reads and recognizes your fingerprint; does that mean someone could steal it and have a copy?

As it turns out, they cannot obtain your fingerprint from the iPhone. Thanks to some lovely explanations by Discovery and Bioelectronix.com, this process is understandable. People will just have to amputate your finger to unlock your phone, or—well, we’ll get to that.

When you place your finger on the home button, the stainless steel detection ring signals the sensor to activate, allowing the capacitive single-touch sensor to scan the fingerprint. Once the fingerprint is scanned and the ridges and valleys are recognized, the biometric data is converted into binary code, which is cross-referenced with the codes stored in the A7 chip when you first set up the phone.
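To make the distinction between verification (one probe checked against one enrolled template) and identification (one probe searched against every template on file, in closed-set or open-set mode) concrete, and to show the scan-then-compare flow described above, here is a small simulation. It is an added example written for this page, not code from the article, from Apple, or from any product: templates are constructed 64-bit strings, the match score is the fraction of agreeing bits, and the 0.90 acceptance threshold, the `perturb` noise model and the user names are all assumptions made for illustration.

```python
"""Simplified model of biometric verification (1:1) versus identification (1:N).

Templates are modelled as fixed-length bit strings (constructed sample data);
the match score is the fraction of bit positions that agree. This illustrates
the concepts only and is not Apple's matching algorithm.
"""
import random

TEMPLATE_BITS = 64
MATCH_THRESHOLD = 0.90  # assumed: minimum fraction of agreeing bits to accept


def similarity(a, b):
    """Fraction of positions where two equal-length bit strings agree."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    agree = sum(1 for x, y in zip(a, b) if x == y)
    return agree / len(a)


def verify(probe, enrolled_template, threshold=MATCH_THRESHOLD):
    """1:1 verification: does the probe match the single claimed template?"""
    return similarity(probe, enrolled_template) >= threshold


def identify_closed_set(probe, gallery):
    """Closed-set 1:N identification: assumes the probe belongs to someone in
    the gallery, so it always names the best-scoring identity, even for a
    stranger. That is the failure mode an open-set threshold guards against."""
    return max(gallery, key=lambda user: similarity(probe, gallery[user]))


def identify_open_set(probe, gallery, threshold=MATCH_THRESHOLD):
    """Open-set ("watch-list") identification: returns the best identity only
    if its score clears the threshold; otherwise None, meaning "not on file"."""
    best = identify_closed_set(probe, gallery)
    if similarity(probe, gallery[best]) >= threshold:
        return best
    return None


def make_template(seed):
    """Constructed enrolment template: a deterministic pseudo-random bit string."""
    rng = random.Random(seed)
    return "".join(rng.choice("01") for _ in range(TEMPLATE_BITS))


def perturb(template, flips, seed=0):
    """Constructed scan noise: flip exactly `flips` distinct bits to simulate a
    fresh reading of the same finger (ridges and valleys never scan identically)."""
    rng = random.Random(seed)
    bits = list(template)
    for i in rng.sample(range(len(bits)), flips):
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)


# Constructed gallery of "trusted" enrolled users.
GALLERY = {"alice": make_template(1), "bob": make_template(2)}


def demo():
    """Run the probe cases and return the outcomes for inspection."""
    alice_scan = perturb(GALLERY["alice"], flips=3)  # 61/64 bits agree
    stranger = make_template(99)                      # never enrolled
    return {
        "verify_alice": verify(alice_scan, GALLERY["alice"]),
        "verify_stranger_as_alice": verify(stranger, GALLERY["alice"]),
        "closed_set_alice": identify_closed_set(alice_scan, GALLERY),
        "closed_set_stranger": identify_closed_set(stranger, GALLERY),
        "open_set_stranger": identify_open_set(stranger, GALLERY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point to notice is the `closed_set_stranger` case: a closed-set lookup has no notion of "nobody", so it still returns the nearest enrolled user, which is why a system that may see unenrolled fingers needs the open-set threshold (or a 1:1 verification step) before it unlocks anything.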

However, the Chaos Computer Club has already claimed that they have obtained access to the phone by fooling the fingerprint recognition system with a forged print. Basically, instead of cutting off your finger, they just grab it off a drinking glass. The group’s spokesman, Frank Rieger, released a statement regarding their justification for hacking the phone:

    "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token."

Whether or not it puts to rest the hopes of the biometric enthusiasts remains to be seen, but one thing is certain: Biometric identification triggers the Big Brother vibe in even the most enthusiastic of techies—and for good reason. When the uniqueness of identification is coupled with the result of a recent appeals case where the Justice Department defeated privacy advocates in a Fourth Amendment case, many iPhone users are sure to take a step back.

In the Fifth Circuit case IN RE: Application of the United States of America for Historical Cell Site Data, the 2-1 decision held that historical cellphone location data is a business record, and as such, it is not subject to Fourth Amendment protections. The data in question, they ruled, is covered by the Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2712, and is not content-based but rather location-based. This means that if you are in the midst of a robbery and unlock your iPhone 5s to text someone, investigators do not need to show probable cause to obtain a warrant to acquire the record of your location.

A warrant for the locational data under the SCA may be obtained by a showing of “specific and articulable facts.” The justification for this comes down to your personal choice to carry your cellphone. In US v. Skinner, the Sixth Circuit held that there is no “reasonable expectation of privacy in the data given off” by a “voluntarily procured” cellphone. This case seems to separate itself from US v. Jones—where the court held that the warrantless placing of a GPS tracker on an SUV constituted an unlawful search—by looking at choice. You choose to activate your phone to send text messages or make phone calls. In the original case, the Department of Justice sought access to the location of the phone in its idle state as well, but it found that cellphone providers do not record this data.

In coupling the government’s right to access where our cellphones are located with the identification features of our—biometrically-personalized—iPhones, we are one step closer to a world without anonymity. This de-anonymization occurs when you activate your phone with a biometric identifier and, say, download an application or send a message: the identifier unlocks the phone and lets you send the message, the network places you by triangulation between local towers, and the government can then obtain your location at the time the message was sent. That much it could do before. The difference now is the verifiable identity based on your biometrics. No longer can you claim you lost the phone or lent it to a friend who later sent a message while in the midst of a robbery.

The phone is now in a very real way more “you” than it was before.

While the biometric identification of the iPhone is nifty and practical, especially for those of us who forget our passwords, it does move the privacy line, especially when the fingerprint also enables downloads from iTunes. How many of us download items at home or while we wait for our kids at the park? A consumer’s daily routine is easily trackable, and when it is stored as a business record on the company server, it is also hackable.

Had the CPO been consulted, would he or she have suggested that designers hold off on the biometric sensor until more jurisprudence can be established? Probably not. The process of, and choices for, unlocking the iPhone 5s are much like the Fifth Circuit case: It all boils down to personal choice; even the simplest of users can bypass the biometric sensor for the standard PIN should they so choose.

However, full transparency would mean explaining to users that when they use biometrics to unlock their phone, Uncle Sam knows where they are.