The truth about what a product can actually deliver lies somewhere in between the hysteria and dismissive attitudes that accompany its launch. I believe the privacy implications associated with the fingerprint scanner arise from the collection and use of the fingerprint by Apple, third parties, or anyone else (law enforcement?). How well the fingerprint protects the data on the phone is a separate question: that is a security control, not a privacy issue.
Let’s acknowledge that this is not the first time that technology devices have been sold with fingerprint scanning technology. My company-provided laptop seven years ago had a fingerprint scanner and you know what? It sucked. But this is the first time a fingerprint scanner is being incorporated into what will surely be such a popular device with consumers.
The newest member of the GTP IdPS team, Anne Robins, has some more information and thoughts on the technology behind the fingerprint scanner. Anne is such a recent addition that she doesn’t have a blog of her own yet, so I’m going to share some of her expertise here:
The Reader: The fingerprint reader has been cleverly located within the iPhone home button, which will make using the reader a very natural thing for users. A typical single-finger reader would have a platen of approximately 30 mm x 30 mm, but it would appear that the capture surface for the “Touch ID” is more like 12-15 mm square. This affects accuracy (fewer data points available per capture) and usability (finger positioning becomes more important). Apple seems to be addressing the platen size issue at enrolment, with people reporting 20-60 seconds to enrol each finger as they are asked to move their finger around on the reader, almost doing a roll-style capture, to ensure that sufficient data is captured at enrolment. The downside of integrating the fingerprint reader with the home button will be the robustness and utility of the reader in common usage conditions – dirty hands, phones in pockets and bags, food and goo on the device (http://cals.arizona.edu/spotlight/why-your-cellphone-has-more-germs-toilet). Data from large-scale fingerprint deployments shows that system performance is very strongly correlated with the quality of enrolment AND the quality of ongoing captures (clean fingers and clean readers are a major part of this). I find it hard to believe that this situation will occur in common iPhone usage.
Multi-fingers, Multi-user and Multi-factor: The iPhone 5S will enable up to 5 fingers to be enrolled, and those can be five of yours or up to five single fingers from different people. From a usability perspective it is certainly practical to have at least two fingers enrolled, just in case you injure one and it isn’t able to be used on the reader. However, Apple also seem to be targeting the iPhone user who shares their device with family members. Enrolling your child’s fingerprint to enable access could well be preferable to giving them your access code. However, if you have also enabled iTunes purchases using TouchID (the other promoted use case for the fingerprint reader), you have now enabled your child to make iTunes purchases, including in-app purchases, without needing your iTunes password – all at the touch of a finger. A final comment here is that the addition of a fingerprint reader to the iPhone had the potential to improve security on the device – and you could argue that if some of the high proportion of people who don’t use an access code at all changed to using TouchID then that is an improvement – but providing this as an either/or option (you can use your access code OR your fingerprint) misses the opportunity to include an option to require your access code AND your fingerprint, which would then be a much stronger two-factor authentication option.
Tuned for Usability and not Security: When tuning a biometric system, the options are to minimise the False Negatives (the number of times the correct person is not granted access) or to minimise the False Positives (the number of times an unauthorised person is granted access). It seems highly likely that Apple will have tuned the TouchID system to have very low False Negatives – this would improve usability and reduce the likelihood of you needing to scan your finger multiple times to gain access. But the flipside of usability here is security. When your system is tuned for very low False Negatives, it means that it will be reporting correspondingly high False Positives – which means the chance of someone other than you gaining access to the device is increased. At what point does the chance of an impostor gaining access to your phone due to the high False Positive rate become at least as likely as someone guessing your access code (perhaps from the tell-tale smudges on the screen)?
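The trade-off Anne describes can be made concrete with a small model. The following is an added illustration, not code from the original post and not based on any measured Touch ID figures: it assumes (as a constructed model) that genuine and impostor matcher scores follow two normal distributions, then shows what the False Accept Rate (FAR, the "False Positive" rate above) looks like when the threshold is chosen for a 1-in-1000 False Reject Rate (FRR, the "False Negative" rate), at the Equal Error Rate, and at the threshold where FAR matches a single guess at a 4-digit passcode. The distribution parameters, the 1-in-1000 usability target and the 4-digit passcode are all assumptions.

```python
"""Worked example of the False Negative / False Positive trade-off.

Added illustration; not Apple's matcher and not measured Touch ID data.
Genuine and impostor scores are modelled as two normal distributions
(a constructed assumption), which is the textbook way to reason about
the False Reject Rate (FRR) and False Accept Rate (FAR) of a biometric.
"""
import math

# Constructed model parameters (assumptions, not measurements):
# impostor scores centred on 0, genuine scores centred on 5, equal spread.
IMPOSTOR_MEAN = 0.0
GENUINE_MEAN = 5.0
SIGMA = 1.0


def _norm_cdf(x: float) -> float:
    """Standard normal CDF computed from the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def frr(threshold: float) -> float:
    """False Reject Rate: probability a genuine score falls below the threshold."""
    return _norm_cdf((threshold - GENUINE_MEAN) / SIGMA)


def far(threshold: float) -> float:
    """False Accept Rate: probability an impostor score reaches the threshold."""
    return 1.0 - _norm_cdf((threshold - IMPOSTOR_MEAN) / SIGMA)


def passcode_guess_probability(digits: int = 4, attempts: int = 1) -> float:
    """Chance of guessing a numeric passcode of `digits` digits in `attempts` tries."""
    return min(1.0, attempts / 10 ** digits)


def threshold_for_far(target: float) -> float:
    """Lowest threshold at which FAR <= target (FAR falls as the threshold rises)."""
    lo, hi = IMPOSTOR_MEAN - 10 * SIGMA, GENUINE_MEAN + 10 * SIGMA
    for _ in range(100):  # bisection: far(lo) > target, far(hi) <= target
        mid = (lo + hi) / 2
        if far(mid) <= target:
            hi = mid
        else:
            lo = mid
    return hi


def threshold_for_frr(target: float) -> float:
    """Highest threshold at which FRR <= target (FRR rises as the threshold rises)."""
    lo, hi = IMPOSTOR_MEAN - 10 * SIGMA, GENUINE_MEAN + 10 * SIGMA
    for _ in range(100):  # bisection: frr(lo) <= target, frr(hi) > target
        mid = (lo + hi) / 2
        if frr(mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def equal_error_threshold() -> float:
    """Threshold where FAR == FRR (the Equal Error Rate operating point)."""
    lo, hi = IMPOSTOR_MEAN, GENUINE_MEAN
    for _ in range(100):
        mid = (lo + hi) / 2
        if far(mid) > frr(mid):  # threshold too low, impostors still get in
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def compare_operating_points() -> dict:
    """Summarise three tunings as (threshold, FRR, FAR) tuples."""
    usability = threshold_for_frr(0.001)  # assumed target: 1 in 1000 genuine rejects
    eer = equal_error_threshold()
    passcode = threshold_for_far(passcode_guess_probability(4, 1))
    return {
        "usability_first": (usability, frr(usability), far(usability)),
        "equal_error": (eer, frr(eer), far(eer)),
        "passcode_equivalent": (passcode, frr(passcode), far(passcode)),
    }


if __name__ == "__main__":
    for name, (t, fr, fa) in compare_operating_points().items():
        print(f"{name:>20}: threshold={t:.2f}  FRR={fr:.4f}  FAR={fa:.6f}")
```

Under these assumed distributions the usability-first tuning (FRR of 0.1%) lets roughly 1 impostor in 36 through, which is far worse than a single 1-in-10,000 passcode guess; pushing FAR down to the passcode level instead rejects about 10% of genuine attempts. The numbers change with the model, but the shape of the trade-off is what the paragraph above describes: the threshold cannot be moved to favour one rate without paying in the other.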
As for the privacy issues, here are some of the questions that came to mind as I combed through some of the media coverage:
- Apple states that the data is encrypted and stored locally, not in iCloud or anywhere else, but where on the device is it being stored? Is it being correlated with things on the phone so that say, if an app’s data is accessed it’s a back door way of getting to the fingerprint? Is it associated with the IMEI or UDID?
- Can using the fingerprint somehow eliminate anonymity? I know this is a stretch, but let’s say somehow the fingerprint provides authentication. The fingerprint can be directly, and uniquely, traced back to a specific human being (especially if say, their fingerprints are on file somewhere, which are collected and stored all the time. I had to get fingerprinted at the local police station for a job at the YMCA in high school). What if someone was using the fingerprint to authenticate to an app that indicates a health issue whereas before it was a login/email address and password that could not be confirmed to be associated with a specific individual?
- Setting aside some of these questions, I can see a use case where the fingerprint reader could be used to enhance information protection, but again from a security perspective. (Swipe once to unlock the phone, swipe again to access an enterprise container, swipe a third time (or combine it with another factor) to access a specific document/file/app within the container.) This is certainly an increased level of protection for information stored on the device (or for apps that access sensitive information) rather than just the device passcode or a login and password combination.
- Usability is paramount to the fingerprint scanner’s success. If the fingerprint doesn’t work efficiently enough, or feels like an extra burden to the user, they will reject it. If users feel annoyed by it and can deactivate it, they may be creating information protection risk when we’re talking about enterprise data being stored locally on the device.
- Will the devices now be subpoenaed as a way of getting fingerprint evidence for criminal activity?
- From a security perspective, will the fingerprint reader help lower the iPhone as a crime target? If you have the fingerprint reader turned on, does that imply that there is no other way of unlocking the phone, or does it leave it so that either mechanism (a passcode OR the fingerprint) will work? (And why has Apple still not announced that they will brick stolen/lost phones!?!?)
- Corollary to the above question, can you jailbreak the fingerprint reader or, if the phone is jailbroken does that either disable the reader or expose the saved, supposedly locally encrypted scan of the fingerprint?
Some of these questions will be answered pretty quickly once the device ships, like the usability factor and how jailbreaking the device affects the reader. The privacy questions will probably take a little bit longer to come to light, but once they do, I have no doubt that they will garner a lot of attention.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.