Apple's "Touch ID" fingerprint login - not everyone is cock-a-hoop about it

Filed Under: Apple, Featured, Law & order

Apple's triumphant announcement last week of the fingerprint scanner in the iPhone 5s didn't impress everyone.

Some Naked Security readers were amongst the sceptics, with @wjrcoop saying:

I'm stunned by the celebration of mediocrity all over the Internet by this. I had a biometric reader on my Dell notebook (like forever ago) and hated it.

And the interestingly-named keeglecrunch asked:

Isn't biometrics old news (like really old)? I have an old Dell laptop within arm's reach that has a thumb scanner on it that I've used a grand total of zero times.

Apparently, there may be yet another reason to be underwhelmed by the iPhone 5s: a lawyer named Marcia Hofmann, writing for Wired, offers the opinion that its fingerprint authentication might end up eroding a long-cherished legal right.

In this case it wouldn't be the government chipping away at your statutory protections, but technology itself.

The protection that Hofmann thinks might be at risk relates to self-incrimination.

Many jurisdictions give you some sort of "right to silence" - in the USA, it's usually known as the Fifth, because the Founding Fathers neglected to enshrine it in the original constitution, leaving it to be retrofitted in the so-called Fifth Amendment some three years later.

In the digital era, the issue of where self-incrimination ends hasn't always been obvious.

You can be compelled by a court to open a locked door, for example, so that investigators can search behind it. (Matters relating to search and seizure of your property are dealt with by the Fourth Amendment.)

But you can't, or at least not according to some US judges, be compelled to "open" a hard disk that has been "locked" by something you know, no matter how close an analogy you might draw between opening a cupboard and decrypting a hard disk.

Refusing to tell an investigator your password isn't like refusing to hand over a physical key, it's like declining to answer a question.

But what about password keys that don't come from something you know, like fingerprints?

Hofmann offers the opinion that since you can swipe your finger over the iPhone 5s scanner without giving any "testimonial statement" - in other words, revealing something you know - then you shouldn't expect Fifth Amendment protection against unlocking your trendy new iPhone.

→ Interestingly, you can give someone the key to decrypt your hard disk without ever actually telling them the answer to the question, "What's your password?" That's because most modern cryptosystems don't actually use your password as the key: they take your password and hash it up with a bunch of other data unique to your disk to produce a one-off decryption key. Nevertheless, it seems that the Fifth applies if a password is involved at some point.

Hofmann gives what she calls an easy fix: give users the option to unlock their phones with a fingerprint plus something they know.

But that misses the point of why Apple included the fingerprint scanner in the first place.

For many users, a fingerprint-based password means they can abandon the "something they know" part, which means they no longer have "something they have to remember and type in all the time."

Yahoo!'s CEO, Marissa Mayer, very disappointingly, spoke for very many phone users when she recently expressed her delight at the iPhone's fingerprint scanner: "I can't do this passcode thing, like, 15 times a day."

But Marcia Hofmann may have just given you a reason to decide that perhaps, now you think about it, you can do this passcode thing after all.

, , , , ,

You might like

32 Responses to Apple's "Touch ID" fingerprint login - not everyone is cock-a-hoop about it

  1. Larry · 379 days ago

    There is a 48 hour timeout for fingerprints. Any half way decent lawyer can delay for that long.
    http://www.idownloadblog.com/2013/09/11/apple-tou...

    "Apple imposes a 48-hour wipe procedure:

    In an interview Wednesday, an Apple spokesman pointed to other security features the company has added to the phone. Apple customers who wish the use Touch ID also have to create a passcode as a backup.

    Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours."

    • Paul Ducklin · 379 days ago

      Best hope the battery runs flat while your lawyer is playing for time, for double safety :-)

      By the time the contempt of court (or interfering with justice, or whatever the charge is in the US for not letting search-and-seizure go ahead) charges get on the table, you can offer to capitulate...or digitulate, at least...and swipe your finger...oh dear! Too late!

  2. James · 379 days ago

    In California police can do a warrant less search of your cell phone.
    https://www.aclu.org/technology-and-liberty/aclu-...

    • Paul Ducklin · 379 days ago

      But that doesn't get them in to encrypted stuff. For that they'd need to compel you to hand over the figurative keys, and that would need a warrant of some sort, would it not?

  3. Melissa · 379 days ago

    have we been watching too much CSI, SVU & NCIS? from the perspective of the criminals? Why would I ever even think that I am gonna need to protect any data that I have, particularly on my phone for goodness sakes, from the government. I am not in contact with the mexican mafia or the columbians (anymore) so what do I need to worry about here or hide? I hope this article only applies to a minuscule percentage of the population. This is a real stretch of something to talk about.

    • Paul Ducklin · 379 days ago

      Thing is, since you have nothing to hide, there's just no need for them to go looking, right? (Cuts both ways.)

      It may be a bit of a stretch, yes, but judging by the comments it seems to be an *interesting* stretch that is worth taking into account.

      You may as well know your rights in any jurisdiction you find yourself. Do you have to give your name and address to a cop who asks? Do you have to carry ID at all times? What rights do you lose if you are arrested? What rights do you keep? Do you have a right to remain silent? Can a court make inferences if you do remain silent?

      If they weren't important, they wouldn't be considered *rights*, they'd be privileges.

      • Nigel · 378 days ago

        Well, in a certain sense they ARE privileges, in that they are "granted" by the state. If they were truly rights in any natural sense, then they could not abridged.

        Alas, that's not the way the state works. What the state giveth, it can taketh away. In the U.S., constitutional "rights" are constantly under siege by a hopelessly confused and complicated tangle of contradictory laws that no mere mortal who has anything productive to do could possibly read, let alone understand, let alone comply with.

        But regardless of whether one calls them rights or privileges, they are important. I don't think it's a stretch at all to make an issue of them, especially in a blog that concerns itself with issues of security. After all, if we had no need to secure our lives, property, and well-being, we'd have no need for government.

        The cause for concern is not whether we need genuine government; rather, the cause for concern is whether political states actually provide it. As recent revelations increasingly reveal (especially in the U.S.), that's very much in question.

        • Paul Ducklin · 378 days ago

          I hear you. I guess I used the word "rights" because Amendments I-X (if my somewhat hazy knowledge of US constitutional history is correct) turned up in one batch, known as the "bill of rights," and were explicitly enumerated so that they might be considered "unabridgable" to prevent future governments getting a bit uppity in their sense of power. (Of course, that doesn't mean those Amendments are universally interpreted, unambiguous, or unreinterpretable, as Amendment II seems to show.)

          And, as always makes me smile, the fact that they are called Amendments implies that they are always themselves going to be subject to Amendment. (As in the case of XVIII and XXI.)

          • Nigel · 378 days ago

            I hear you back, Paul. And if my not-much-less-hazy recollection of U.S. constitutional history is correct, Amendments I through X were necessary in order to persuade enough of the original 13 states to ratify the Constitution. Many believed (quite rightly) that without those protections the federal state would have far too much power to undermine the rights enumerated therein.

            Alas, while in the case of The Bill of Rights the amendments process worked in favor of freedom, it has since then been used too often to freedom's detriment. Case in point: Amendment XVI. As observed by Daniel Webster (and echoed by Supreme Court Justice John Marshall) in McCulloch vs. Maryland (1819), "The power to tax is the power to destroy."

            The founders of the U.S. evidently recognized that principle in expressly forbidding Congress from direct taxation (including taxing income) in the Constitution. Along came the 16th Amendment, and there went the ball game. Since then, Congress has become masterful in the dark art of taxation as an instrument of destructive social policy, with the productivity and prosperity of the nation as one of the principal casualties.

            As to the relevance of constitutional issues to the security issues we discuss here, the connection is all too clear to anyone who has even a superficial understanding of U.S. history. Originally, the Constitution vested all power in Congress, not the executive or judicial branches. The emergence of something like the NSA "PRISM" scandal (which is under the control of the president) is a direct result of Congress gradually abdicating its constitutional authority to the executive.

            The NSA’s abuse of power occurs because it can. We can complain all we want, but nothing will change until Congress accepts the responsibility it should have been taking all along.

    • I agree with Melissa. Only miniscule percentage of population cares about privacy. Thinking is optional as well.

    • Machin Shin · 378 days ago

      This is one argument that really annoys me, the "If your not doing anything wrong then you have nothing to hide".

      Well, sure, I might not have anything on my phone linking me to crimes, that sure doesn't mean that I want random person digging around in it reading all my messages and looking at what is stored on it.

      Also, anyone in the USA that thinks they have "done nothing wrong" obviously has not taken a look at our laws lately. I can pretty safely say everyone in the US has committed a felony at some point. Probably without even realizing it. There in lies the problem, if the right people want you in jail then they will find some law to put you there.

    • Jack Wilborn · 378 days ago

      Being a retired law enforcement officer, I don't think I would take that stand. I've seen too many drug into things that they had no real reason to be. "Don't worry if you not doing anything wrong" ha ha ha...

      Jack

  4. VFAC · 379 days ago

    I am not sure if this works in the way Ms. Hofmann says. There is a difference between handing over your fingerprint and unlocking a device. If investigators have your fingerprint they will not be able to open the device as it requires the application of digit with blood flowing though sub-dermal tissue to unlock. In this way it is not the same as handing over a key. Forcing you to unlock the phone will therefore force you to reveal that you are able to unlock the phone, which reveals something that the investigators did not previously know (if you could open the phone) and could incriminate you. I think the rights of Americans are not adversely affected by this particular technology.

    • Paul Ducklin · 379 days ago

      Nice argumentation!

      Q. "Is this your phone, Sir?"

      A. "My lawyer has advised me not to answer than question."

      Q. "Would you unlock it for us with your finger?"

      A. "My finger? Let me tell you about my finger."

      [Sorry...Blade Runner reference there.]

      I like your reasoning - it's consistent. If you can't be forced to reveal your hard disk's key even though it's not the thing "you know" (but merely computed from it irreversibly, thus revealing you know the thing you know :-), then that probably ought to apply to a finger-swipe, by your points above. Or not...but it would be good if it were consistent in both cases. (So you can guess which way this is probably headed :-)

    • Jack Wilborn · 378 days ago

      Agreed with above, what the government is doing is completely out of line. If I were arrested and didn't get out of it first interview, I'd be in line for a lawyer and you should be also. I'm sure they will say your fingerprint is not something you can withhold, as in when arrested, you must let hem have your fingerprint. I could see where that wouldn't hold true in that you could withhold it...

      Jack

  5. Mitch · 379 days ago

    I find it dishonest for people to keep posting stories like these about Apple, when it is about fingerprint scanning and has nothing to do with Apple specifically.

    Please, this is a matter of honesty.

    • Paul Ducklin · 379 days ago

      Errrrrr, the story doesn't have to do with Apple *generally* (it is broadly about fingerprint scanning and self-incrimination), but it has a lot to do with Apple *specifically*, since it's Apple's brand new implementation of fingerprint scanning that:

      1. Gave Ms Hofmann pause to think about the legal ramifications, since fingerprint scanning has never been so centre-stage before.

      2. Caused Melissa Mayer to say she'd go for it instead, not as well as, a passcode.

      3. Aims to replace passcodes in regular use on a consumer electronics device, not merely augment them

      I think the angle of the story is pretty clear, and the connection with Apple undeniable, and for that matter, important.

      So I'm a little resentful of being called "dishonest", if you don't mind.

  6. peli · 378 days ago

    Other computer companies have such fingerprint scanner since a long time and nobody was ever taking about.
    If somebody doesn't like that figure than simple do not use it.
    The world is getting more complicated each day.

  7. Following technology advice from MM that would be really smart :). I suggest that some people should stop using smartphones, just stay with compatible phone istead.

  8. Brad · 378 days ago

    Haha, don't feed the trolls Paul!

    Good article.

  9. Cliff Jones · 378 days ago

    Ever see Gattica? Also, I heard a comedian remarking about the iphone "great... so now they're going to steal my hand, too!"

    I imagine there's back doors in all this, too. At minimum they can lift your prints off a glass of water they've given you.

    I never trusted fingerprint security, and I'm fundamentally opposed to 'biometric' ID in any form. (so long as present 'governments' persist)

  10. Nick · 378 days ago

    I also remember Dell`s efforts at introducing Biometrics! An appalling effort that never worked correctly.

    From those that have used the new iPhone 5s as opposed to those that haven`t even seen it, it works very, very well.

    Remember the early MP3 Players, "Smart Phones", Tablets? All abysmal, that was until Apple changed the whole game.

    Credit where it is due!

    • Paul · 377 days ago

      Sadly this isn't what this is about at all. But thanks for piping up anyways and spouting fanboy bull.

  11. Tony · 378 days ago

    CEO of a technology giant "can't do this passcode thing, like, 15 times a day"...thank the gods I closed my Yahoo account ages past.

  12. Guest · 378 days ago

    Could you not just use your toe to unlock the device. If you are forced to unlock the device, swipe your finger across the screen and... ...nothing, as the device will remember your toeprint rather than your fingerprint.
    Small hitch with this solution though is that you would have to be permanently on open toed shoes and you will look rather strange if you decide to unlock your phone in public, but your data will be secure because nobody's going to think to ask you to swipe your sweaty foot across the screen.

    • Paul Ducklin · 378 days ago

      Would be a great way of dissuading people from borrowing your phone.

      "I wouldn't put it too close to your ear."

      "Why, is the volume control stuck on loud?"

      "No, but I've got a touch of tinea just at the moment."

      Seriously, if you were going to go to those lengths to avoid potential abrogation of your 5A rights...I'd recommend just using a passcode instead. You could always type it with your toes once in a while just to be cool.

    • buck · 377 days ago

      Your idea reminds me of Maxwell Smart's shoe-phone.

  13. Jake · 378 days ago

    Forget unlocking my phone - my worry is, if the Police can access my iTunes account, I might find myself "buying" unwanted copies of "Don't stand so close to me", or even "Message in a bottle". Brutal.

  14. Randy · 377 days ago

    The fingerprint scan has to be stored as a key someplace in the iPhone. When PRISM hacks your phone they get your digitally perfect fingerprints as well. This could take identity theft to a whole new level.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog