Apple’s “Touch ID” fingerprint login – not everyone is cock-a-hoop about it


Apple’s triumphant announcement last week of the fingerprint scanner in the iPhone 5s didn’t impress everyone.

Some Naked Security readers were amongst the sceptics, with @wjrcoop saying:

I'm stunned by the celebration of mediocrity all over the Internet by this. I had a biometric reader on my Dell notebook (like forever ago) and hated it.

And the interestingly-named keeglecrunch asked:

Isn't biometrics old news (like really old)? I have an old Dell laptop within arm's reach that has a thumb scanner on it that I've used a grand total of zero times.

Apparently, there may be yet another reason to be underwhelmed by the iPhone 5s: a lawyer named Marcia Hofmann, writing for Wired, offers the opinion that its fingerprint authentication might end up eroding a long-cherished legal right.

In this case it wouldn’t be the government chipping away at your statutory protections, but technology itself.

The protection that Hofmann thinks might be at risk relates to self-incrimination.

Many jurisdictions give you some sort of “right to silence” – in the USA, it’s usually known as the Fifth, because the Founding Fathers neglected to enshrine it in the original constitution, leaving it to be retrofitted in the so-called Fifth Amendment some three years later.

In the digital era, the issue of where self-incrimination ends hasn’t always been obvious.

You can be compelled by a court to open a locked door, for example, so that investigators can search behind it. (Matters relating to search and seizure of your property are dealt with by the Fourth Amendment.)

But you can’t, or at least not according to some US judges, be compelled to “open” a hard disk that has been “locked” by something you know, no matter how close an analogy you might draw between opening a cupboard and decrypting a hard disk.

Refusing to tell an investigator your password isn’t like refusing to hand over a physical key; it’s like declining to answer a question.

But what about keys, such as fingerprints, that don’t come from something you know?

Hofmann offers the opinion that since you can swipe your finger over the iPhone 5s scanner without giving any “testimonial statement” – in other words, revealing something you know – then you shouldn’t expect Fifth Amendment protection against unlocking your trendy new iPhone.

→ Interestingly, you can give someone the key to decrypt your hard disk without ever actually telling them the answer to the question, “What’s your password?” That’s because most modern cryptosystems don’t actually use your password as the key: they take your password and hash it up with a bunch of other data unique to your disk to produce a one-off decryption key. Nevertheless, it seems that the Fifth applies if a password is involved at some point.
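To make the aside above concrete, here is an added sketch (not code from the article or from any disk encryption product) of a password being hashed with per-disk data into a one-off key. PBKDF2-HMAC-SHA256, the iteration count, the header layout and the sample password are all assumptions chosen for illustration; the article names no algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this demo


def new_disk_header():
    """Create the per-disk random salt: the 'other data unique to your disk'."""
    return {"salt": os.urandom(16), "iterations": ITERATIONS}


def derive_key(password, header):
    """Stretch the password with this disk's salt into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               header["salt"], header["iterations"])


def enroll(password, header):
    """Store only a check value computed from the key, never the password."""
    key = derive_key(password, header)
    header["check"] = hmac.new(key, b"disk-key-check", hashlib.sha256).digest()
    return key


def key_unlocks(key, header):
    """Return True if this raw key is the one the disk was set up with."""
    tag = hmac.new(key, b"disk-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["check"])


def demo():
    password = "correct horse battery staple"  # constructed sample password
    disk_a, disk_b = new_disk_header(), new_disk_header()
    key_a = enroll(password, disk_a)
    key_b = enroll(password, disk_b)
    wrong = derive_key("guess", disk_a)
    return {
        # The derived key works on its own; the password is never disclosed.
        "key_alone_unlocks_a": key_unlocks(key_a, disk_a),
        # Same password, different salt: each disk gets a one-off key.
        "same_password_different_keys": key_a != key_b,
        "key_a_fails_on_b": not key_unlocks(key_a, disk_b),
        "wrong_password_fails": not key_unlocks(wrong, disk_a),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Handing over `key_a` opens only the one disk it was derived for, and the same password on a second disk produces an unrelated key.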

Hofmann gives what she calls an easy fix: give users the option to unlock their phones with a fingerprint plus something they know.

But that misses the point of why Apple included the fingerprint scanner in the first place.

For many users, a fingerprint-based password means they can abandon the “something they know” part, which means they no longer have “something they have to remember and type in all the time.”

Yahoo!’s CEO, Marissa Mayer, very disappointingly, spoke for very many phone users when she recently expressed her delight at the iPhone’s fingerprint scanner: “I can’t do this passcode thing, like, 15 times a day.”

But Marcia Hofmann may have just given you a reason to decide that perhaps, now you think about it, you can do this passcode thing after all.