Since the announcement of the new Apple iPhone 5s and the built in fingerprint scanning technology branded ‘Touch ID’ the discussion around security, data protection and privacy has been relaunched. It is an ongoing topic in the industry, both on the hardware side amongst producers of devices and the software side with developers of applications and services, but specifically for end users and consumers.
Until now, it was the password, or PIN, that protects and restricts access to the virtual world of data. This has led many of us to come up with creative procedures to create and remember a complicated sequence of letters, numbers and symbols in order to keep personal information secure. It has always been the debate as to how complicated these passwords need to be and how user-friendly this practice is, and often ‘better’ and ‘easier’ solutions for users were wished for.
Now Apple has implemented such a solution with their latest top of the range device. The iPhone 5s features a fingerprint scanner in the ‘Home’ button to uniquely identify a user (up to five different prints can be set up) and grant access. The ‘fingerprint identity sensor’ also allows users to shop on the iTunes Store, Apps Store and iBooks Store where the Touch ID approves purchases.
The new feature is branded by Apple as ‘convenient, highly secure and ahead of the future’. However, the technology and its implementation in mobile devices is nothing new. Motorola’s Atrix smartphone was introduced back in 2011, but also laptop manufacturers have trialled and implemented fingerprint scanner technology in the past decade [REF]. Other manufacturers, namely HTC, are gearing up to release gadgets with similar technology and features.
Although the technology is not new, it is the fact that it is being introduced on such a large scale that makes it a ‘hot topic’. According to TechCrunch, Apple has currently (2013) an estimated user base of 147 million iPhone users, plus about 48 million iPad users. Of the new iPhones (iPhone 5s and iPhone 5c), Apple sold 9 millions in just three days after their launch on the 20iest of September 2013. This is a new record, as previous implementations settled on a much smaller scale. This means that the iPhone 5s is already used by a large number of people. It could therefore be classified as ‘mainstream’ and ‘cultural commodity’. The introduction of this technology can therefore be expected to be used by a much larger customer base as any other similar implementation of biometrics so far.
In this context, the introduction of a unique and personal identifier, the fingerprint, is a smart move. Smart, because everybody knows and understands the idea of the fingerprint. It is in use as signature and plays an important role in crime investigation and law enforcement for over a century. Through its use in detective stories and crime thrillers it has also found its way into everyday culture. It is this very idea of the fingerprint as a unique identifier – ‘’your iPhone reads your fingerprint and knows who you are’’ – that Apple has turned into a selling point to the products advantage.
Image taken from fingerprintingscottsdale / Fingerprint identification plate.
It can be speculated that with the introduction of Touch ID, similarly to the introduction of the touch screen, Apple changes, once again, the way we access electronic devices and use the Internet. Whether this is intentional and whether the use of the fingerprint has played an main role in the development of the newest iPhone generation can only be speculated. A range of problematic aspects in connection to the use of this technology in electronic devices shall be discussed in the following. The points raised function only as an introduction since the topic is vast and might have implications that are yet to be discovered. We debate if the technology used in the iPhone 5s might even be the ‘End of the Virtual?’.
..Security concerns
Official concerns regarding the introduction of the Touch ID were raised amongst others by US Senator Al Franken (Chairman Senate Judiciary Subcommittee) in an open letter to Apple’s CEO Tim Cook (PDF, WEB). The letter states “…while Apple’s new fingerprint reader, Touch ID, may improve certain aspects of mobile security, it also raises substantial privacy questions for Apple and for everyone who may use your products”. Al Franken supports his concerns by saying that “Passwords are secret and dynamic; fingerprints are public and permanent”. This means, once someone has access to someone else’s fingerprint, this access cannot be reversed and the security token can not be changed. ‘’…if hackers get hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life’’.
Image taken from maskable / The Touch ID explained during the introduction of the new iPone 5s at conference key note.
In this context, Al Franken also questions the filing and transferring of the fingerprint data. He demands to know if the fingerprint data stored on the phone is also being transmitted electronically to either Apple or others, and if this data is being saved on computers used to back up the device (referring to the earlier iOS version that stored unencrypted location information recorded by the device in backup files on computers). He wonders further how iTunes, iBooks and AppStore and potential future services interact with Touch ID.
These practical concerns are connected to the only recently refreshed high level discussion on data privacy with information on mass surveillance programs leaked by Edward Snowden, an American computer specialist and former CIA and NSA employee, to the Guardian in May 2013 [REF ] regarding the secret PRISM program. Similar discussions have been on the table in recent years specifically related to social media and the challenged public/private practices in an online context (Neuhaus und Webmoor, 2012, earlier blog post on urbanTick, 2011).
It seems that Senator Franken’s concerns are not ungrounded. ‘Apple’s fingerprint scan technology has been hacked’ was announced by the Computer Chaos Club, CCC, only two days after the iPhone 5s had gone on sale. The claim was backed up with a video demonstrating that ‘fingerbiometrics is unsuitable as access control method’. This ‘hack’, however, focused on the physical reproduction of a fingerprint and did not bypass the new Touch ID technology. Despite this, the attack by CCC proves how easily the new security system can be tricked and everyone with a camera, scanner, printer and a good stock of graphite powder, glycerene, and wood-glue/super-glue/theatrical-glue can repeat the procedure.
The ‘iPhone touch defeat’ also proves that users’ fingerprints are not secret, meaning that anything touched by users will have fingerprints on it, including the new phone. Senator Franken has referred to this with the ‘fingerprint being public’. And here is the real flaw of the technology. If someone gets hold of the device, he or she has basically access to ‘the lock and the key’, as the phone will be covered with fingerprints that can be reproduced to unlock the security system. Even though the chances of guessing the correct fingerprint is 1:50’000 compared to 1:10’000 with a normal 4 digit numeric key (except 1234, source Apple), now that the ‘key’ is on the phone in the form of ‘touches’ this number is meaningless, or at least reduced to 1:10.
Another question raised by the introduction of Touch ID is the digital reproduction of the fingerprint. Apple has explained that the information is not stored as a digital image. Instead it is being translated by the device into a sequence of numbers (a mathematical representation of the fingerprint derived by an specific algorithm). This implies that the print can only, if at all, re-engineered with physical access to the device. This is being discussed extensively on tech blogs, for example on The Unoffical Apple Weblog (source TUAW). In reference to these statements, it seems only a question of time until the A7 chip inside the phone is cracked.
However, the main argument highlighted by Apple is not security, but convenience. ‘’You check your iPhone dozens and dozens of times a day. Entering a passcode each time just slows you down’’. It seems as if it is annoying for customers to input four digits, or on Android models a swipe pattern. In this context, the fingerprint scanner is put forward as the user-friendly solution. With just one touch the phone is activated, unlocked and ready to use. However, when considering the security concerns discussed above, it is questionable if winning a few seconds to start up the phone is important and desirable.
..Security versus convenience
CNet askes on its website: “Should we trade our biometric data and privacy for the sake of convenience?”. The answer to this question seems straightforward: Biometrics, or biometric authentication, can be useful, but it should not be used in mobile devices as the technology is not yet error-prone and these devices can easily be lost or stolen. This seems the common agreement amongst security experts (for example in Der Spiegel). In addition, as Schneier, then President of Counterpane Systems, argued in 1998, ‘’biometrics are unique identifiers, but not secrets’’. This means, they are easy to steal and reproduce. ‘’Once someone steals your biometric, it remains stolen for life; there is no getting back to a secure situation’’. So the big question a lot of people should be asking themselves is not how quick they can access their data, but what they are giving away when using Touch ID.
In this context, it seems important to repeat that Touch ID does not actually store an image of the fingerprint, and the data is not available to any other application other than Apple apps nor stored at Apple’s servers or backed up via iCloud. For now, at least. There is no guarantee that this will be the same in the future, especially as the prospect of a vast biometric database is the dream of any national security agency, marketing company and hacker community. This means third parties will pay a lot of attention to these developments and probably exert some force to get access to some of this data. It would therefore be important to know ‘how does Apple see the actual fingerprint data and how are they going to handle it, now and in the future?’.
Whilst there are regulations as to when third parties can be forced to hand over data in connection to crime investigation, it is a complicated matter with Touch ID as the technology enables new ways of ‘tracking’ people. For example, a user logging in with Touch ID does not only confirm his or her location, but also his or her identity. This means the iPhone 5s could act as a means of evidence – ‘I was here’. So far, Apple has stated that they do not share any information with others – although the technology can be used to verify purchases. The question is therefore, as Senator Franken asks: ‘’Does Apple believe that users have a reasonable expectation of privacy in fingerprint data they provide to touch ID?’’.
There might also be some legal implications for the user of the Touch ID technology. It has been pointed out, for example by Marcia Hofmann of Wired, that the shift from PIN as an ‘known’ key to a fingerprint as a ‘what we are’ key might strip users of the right to the in the US called 5th. This Amendment protects the individual from giving evidence against him/her self. At the moment, this only applies to things one knows, knowledge, thoughts, so on and not to things one has, keys, written notes (if you write down the password on a piece of paper) or is, biometrics. Hence, on trial a person can not be forced to provide the password to a device or to decrypt information since the password is something he/she knows. A key, however, would be something the person has and this object, according to current law, can be requested. The fingerprint belongs to the person, it is part of the human body, a thing, and hence it belongs do the category of information that can not be withhold. This means access to devices or data via fingerprint scan can be enforced. This fact, in connection to Touch ID, might mean that consumers need to give up on one of their basic (human) rights, the right to withdraw information.
..Personal data and biometrics becomes mainstream
A further concern connected to Touch ID is that biometrics are becoming mainstream. Currently, the use of biometrical authentication in the public sphere is limited. Its main use is in passport and immigration control, where retina and fingerprint recognition, actual or as part of a passport, is used to identify ‘travellers’ and reduce queues at border control. Here, the data is usually linked up with secondary information or other means of verification. For example, users of a retina scan machine need also to provide their passport for optical scanning. This means, the replication of a retina scan alone does not provide access to ‘free travel’.
However, the implications of ‘normalising’ biometrics and using biometrics in everyday applications are not only connected to the risk of individuals being permanently tracked and surveilled, but also to the risk of biometrics becoming unsafe. As Schneier argued, ‘’Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications’’. This means, it is not a good idea to use your thumbprint to access your mobile phone, open your front door and unlock your file cabinet at work, as data theft would automatically lead to a catastrophe.
It could therefore be said that biometrics are not safer than other security means. With Apple suggesting to customers that ‘’Your fingerprint is one of the best passcodes in the world’’ seems therefore misleading. The question really is how much consumers are willing to trade their personal information and data for the ultimate and smooth technology experience.
In addition, in today’s context the distribution of personal information is no longer directly manageable by the individual, as user information is being left behind with every move online and regular real world services. Shopping online, borrowing books at the local library, and visiting the GP, all activities leave a ‘digital footprint’. It has become complicated to the point where it is impossible for the user to understand and control what information is left behind when using a mobile device, especially when using online and server connected apps and services. These apps are often pre-installed on the device and updated automatically. Also, the companies behind those apps are often unknown and it is unclear what kind of information they collect, store and and how this information is used or shared with third parties.
In this context, the introduction of a truly unique identifier, the fingerprint, will not only add to the information left by users, but also add to the possibility of users being personally identified across the entire range of services. This in turn changes not only the discussion around online security but also online identity. Until now, users could ‘create’ their online identity by using a pseudonym and an avatar (an icon-sized graphic image). This ‘chosen’ identity could then be adjusted or changed, any time. In the beginning of the Internet, individuals would often create and use a whole range of online identities. This has changed. Nowadays users prefer online interactions supported by ‘authentic identity’ as reported by the Guardian. This means they want to know with whom they communicate.
This practice has been taken to a new level by Google with the Google ID, an unique ID tied to an individual/account which was introduced in connection to Google+ in 2011. Facebook uses a similar user identification. Both sites, Google and Facebook, make it difficult for users to create and use multiple accounts, and it can be assumed that through this the number of IDs per individual has been dramatically reduced. This of course makes it also a lot simpler for Google and Facebook, and their respective partners, to target marketing and individual advertisement. Despite this, users often create and use different accounts for their private and professional networking. With the new Touch ID, this will no longer be possible. They will have only one account.
How individuals are uniquely identifiable online through the use and manipulation of devices is being researched widely. Besides the PIN and the here discussed biometric identification, alternative methods to provide security, in particular in connection with mobile devices, is being developed under the umbrella term of “Implicit Authentication” (via Quarz). In this case, the security is based on an ongoing security check as opposed to the one-off security check at the start of a session, for example by unlocking the phone. The idea, for example focused on by researchers at the Palo Alto Research Centre, is that the individual user displays very specific, habitual characteristics in behaviour and usage or even movement pattern that can be used to continuously monitor the usage. This will allow to determine sudden change in which case the device will immediately shut down and deny access. Such parameters being researched include location and movement patterns, the way we walk, speed and style of data input on the device, activity pattern and timing, or the subtle way the user’s hand shakes.
These methods seem, as the research shows, to deliver reliable results. At the same time, however, this extends on the privacy discussion, as data is collected on users’ bio-sensorial functions. The technology also puts pressure on individual to profile themselves. The security of such a dataset is a very different issue again, including and extending into the field of personal health and medical information. Nevertheless it represents a big move towards the identification of ‘unique’ individuals and verifying much more than the Touch ID in itself does.
..The end of the virtual?
The introduction of Touch ID or alternative biometric/behavioural authentication methods will prevent users from creating different online identities, as the fingerprint is ‘THE ID’. This means it is really you, who bought that song on iTunes, uploaded that image on Flickr and accidentally deleted that file on Prezi. And it is the very same person who called the client on Skype and tweeted about Beyonce’s concert on Twitter. It is also the same individual who banks with HSBC, shops with Sainsbury’s and hangs out at the Barbican. The point is that ‘being online’ becomes very much like ‘being offline’. Events, happenings and activities become uniquely and reliable tied to users, the individual becomes authentic and unique. Is this the end of virtual?
When looking at the introduction of Touch ID it seems so. It really is the case of as Apple put it ‘’your iPhone reads your fingerprint and knows who you are’’. Subsequently any activity becomes real and unique, and also identifiable as such by online friends and fellow users as well as service providers and traders. However, as suggested by Apple, this does not only make your life easier, but also that of marketing and consumer related businesses. At the same time, it too makes the individual responsible for his or her online activities not dissimilar to the responsibility one enjoys in person as an individual in the real world. It will no longer be possible for users to hide behind one or multiple pseudonyms or avatars. This will certainly transform practice, as both, providers and users, will have to accommodate this ‘new authentic self’ and a completely new reality of online practice.
In many ways, this discussion is related to the ‘Internet of Things’ concept which has enjoyed raising attention over the past five years. Whilst the Internet of Things is about ‘real’ objects being connected to the web, to each other and to ‘users’, Touch ID is about ‘real’ humans. An interesting aspect raised by the Tales of Things project at CASA UCL was the fact that the ‘real’ object was required to access information. This means, access to content is based on ‘real world interaction’. With Touch ID, it is very similar. It requires me, the user, to unlock information (at least once, until may fingerprint has been ‘hacked’) and interact, both online and offline. This ultimately connects the online world to reality.
This means, with and through Touch ID the online experience becomes real in the sense that it confirms that the person logging in at this moment, at this location really is the specific individual and not someone else or a bot. At a first glance, this seems great. From a security and privacy point of view, however, this raises a whole bunch of new questions and concerns that need to be addressed to enjoy this ‘brave new online world’ with yet new possibilities for both users and services. For example, national agencies and businesses might be extremely interested in this kind of data as it is the ultimate proof of someone’s activities at a given time and location. Hence, this information on habitual activities individually verified seems much more desirable for ‘outsiders’ than the actual fingerprint. Touch ID reveals what, when and where a user has been, all confirmed by his or her own fingerprint whilst unlocking or just using the device – meaning the virtual has become its realest so far with consequences and possibilities we can only begin to speculate on.
Image taken from mymodernmet / Real life person and their avatars by Robbie Cooper.
..Summary
Since the launch of the new iPhone 5s by Apple, the discussion revolving around online security and privacy has been re-activated. Experts agree that with the introduction of Touch ID the use of biometrical data as a security measure in mobile devices needs to be regulated, especially in terms of storage, handling and exchange of the biometric data processed. However, when looking closer at the implications of the finger-scan-technology developed and introduced by Apple, it becomes clear that the technology not only influences the usage of our personal data, the law and rights users have, but also the way we are present online. Especially since the fingerprint, or any other to be implemented biometric or personal pattern based verification, is ‘THE ID’. With biometrical authentication, there is no way of hiding behind a pseudonym or an avatar. It is really you, the user, who activates and uses the device (at least once, before the device is ‘hacked’). This means, the new iPhone 5s links the virtual world with reality and brings them as close as they have not been before, almost merging them in practice and consequence. The online self becomes authentic. As speculated in the article, this could be the end of the virtual and the beginning of a new web and online experience where we meet real people, make real conversations, buy real goods, but also carry real responsibility.
Image taken from mymodernmet / Real life person and their avatars by Robbie Cooper.
Article written by Sandra Abegglen and Fabian Neuhaus
Simultaneously published on Everyday Click and urbanTick.
Read More
