Linked by Thom Holwerda on Wed 11th Sep 2013 22:16 UTC
Apple

Apple's new iPhone 5S, which comes with a fingerprint scanner, won't store actual images of users' fingerprints on the device, a company spokesman confirmed Wednesday, a decision that could ease concerns from privacy hawks.

Rather, Apple's new Touch ID system only stores "fingerprint data", which remains encrypted within the iPhone's processor, a company representative said Wednesday. The phone then uses the digital signature to unlock itself or make purchases in Apple's iTunes, iBooks or App stores.

In practice, this means that even if someone cracked an iPhone's encrypted chip, they likely wouldn't be able to reverse engineer someone's fingerprint.

This seems relatively safe - but then again, only if you trust that government agencies don't have some sort of backdoor access anyway. This used to be tinfoil hat stuff, but those days are long gone.

I dislike the characterisation of privacy "hawks", though. It reminds me of how warmongering politicians in Washington are referred to as "hawks", and at least in my view, it has a very negative connotation.

fingerprints lead to bad security
by hakossem on Thu 12th Sep 2013 06:08 UTC

There are three problems with fingerprints:
- privacy
- accuracy
- replication

Fingerprint identification is not done by comparing the pictures but by identifying a number of features of the fingerprint and testing them against the fingerprint that has just been scanned.
Apple doesn't need to store the pictures, just the features they look for in each fingerprint.

But they don't need to store the picture to have a security risk. Any security agency that scans for fingerprints uses similar algorithms. The question is whether Apple looks for the same features as those agencies. If it is possible to make Apple's fingerprint database compatible with, let's say, the FBI database, we can assume it will be done if it isn't already.
Even if Apple uses only some of the characteristics of the agency, they might integrate it and use it... or simply add a new comparison program to test the prints against Apple's database.
Even if Apple doesn't store the pictures of the fingerprints, we can be sure these databases will be available to US security agencies.

Accuracy is another problem. There are 2 kinds of accuracy problems.
The first is when the computer doesn't recognize you (false negative). This is the lesser problem, you just rescan your finger.
The other is when the computer recognizes you as someone else (false positive).
Experts at a tribunal do make many errors: 0.1% of false positives and 7.5% of false negatives (http://content.usatoday.com/communities/sciencefair/post/2011/04/fi...)
I remember that a few ago I read that laptops that did have a fingerprint as password had around 1% of false positives and 1% of false negatives.
Even if Apple's system is good enough to have 0.01%, there is still a risk that it will recognize you as someone else. How does Apple ensure that you are not paying for someone else?

The last problem is that fingerprints are a password you leave on every item you touch. The fact that most people cannot read it doesn't mean that no one can. In fact, the method to reproduce a fingerprint is easy (just look at MythBusters). If you lose your iPhone, you need to assume that in the next couple of hours people will have duplicated your fingerprint and entered your iPhone.

My point is that using fingerprints to unlock a door, a computer or a smartphone is a bad bad idea.

Reply Score: 4
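
The feature-based comparison and the two kinds of accuracy error described in the comment above, as an added illustration that is not part of the original thread and is not Apple's algorithm: a toy minutiae matcher in Python. The templates, tolerances and thresholds are all constructed assumptions, chosen to show how one threshold trades false positives against false negatives.

```python
import math

# Constructed sample templates (not real fingerprint data).
# Each minutia is (x, y, ridge angle in degrees); no image is stored.
ENROLLED = [(10, 12, 30), (25, 40, 110), (43, 18, 200),
            (60, 55, 75), (72, 30, 320), (15, 70, 250)]
# Same finger rescanned: small jitter, one minutia missed by the sensor.
SAME_FINGER = [(11, 13, 33), (24, 41, 108), (44, 17, 204),
               (61, 54, 71), (71, 31, 317)]
# A different finger that happens to share three nearby features.
OTHER_FINGER = [(12, 11, 35), (26, 38, 115), (50, 50, 10),
                (70, 10, 180), (30, 65, 140), (44, 20, 195)]


def angle_diff(a, b):
    """Smallest difference between two angles, in degrees (0..180)."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, probe, dist_tol=4.0, angle_tol=15.0):
    """Fraction of minutiae that pair up one-to-one within the tolerances."""
    unused = list(template)
    matched = 0
    for px, py, pa in probe:
        for m in unused:
            close = math.hypot(px - m[0], py - m[1]) <= dist_tol
            if close and angle_diff(pa, m[2]) <= angle_tol:
                unused.remove(m)   # each enrolled minutia is used once
                matched += 1
                break
    return matched / max(len(template), len(probe))


def accepts(template, probe, threshold):
    """Unlock decision: accept when the score reaches the threshold."""
    return match_score(template, probe) >= threshold


if __name__ == "__main__":
    for t in (0.5, 0.8, 0.9):
        print(f"threshold {t}: same finger accepted="
              f"{accepts(ENROLLED, SAME_FINGER, t)}, other finger accepted="
              f"{accepts(ENROLLED, OTHER_FINGER, t)}")
```

At the lax threshold the other finger is accepted (a false positive); at the strict threshold the owner's own rescan is rejected (a false negative).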