What will Apple do with your fingerprints?
It is a uniquely modern question prompted by the dovetailing of Apple’s new technology, which uses a fingerprint-based Touch ID to unlock the latest iPhone, and the heightened focus on government intrusion and surveillance of emails and communications, as demonstrated by the National Security Agency scandal.
Apple’s iPhones can read fingerprints. Presumably, somewhere, somehow, that information is stored – perhaps just on the phone itself. Apple itself is saying the right things, pointing out that individual fingerprint data is encrypted and kept “inside a secure enclave.”
But there are a few reasons to worry. To wit:
1. Does anyone trust encryption anymore?
Time was, saying something was encrypted gave an added dose of safety. But the joint report by ProPublica, The Guardian and The New York Times suggested the NSA found a way around that issue. “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about the NSA for the United Kingdom’s Government Communications Headquarters. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
So, saying something is encrypted now doesn’t mean it’s not accessible, just a little harder to unlock. And still, in the government’s own words, “exploitable.”
2. Will the iCloud be next?
Apple is saying that fingerprint data won’t be accessible to the iCloud, but we aren’t too far away from the technology being more widespread. A fingerprint, after all, replaces a password. While fingerprints could be locally stored on a phone, it doesn’t take a big intellectual leap to see that biometric data being captured in a larger, more global database.
Such a database is vulnerable. Apple itself is one of the companies that was a feeder for the government’s PRISM program. That program mined chats, emails, photos and documents. Now, presumably, there will be a biometric database to tap.
3. Fingerprints aren’t as unique as you think.
You might think it doesn’t matter that someone has your fingerprints. After all, if you travel, you’re used to giving a print, banking uses the technology and many kids still get fingerprinted for safety. What’s the problem, you might argue, if your prints could be matched to a government database? It’s not like you’re committing a crime.
Truth is, science has yet to prove that fingerprints are unique. In fact, even fingerprint matches in criminology are less about exactness than about a pattern of similarities. In the case of the new iPhone, that could mean someone with similar prints might be able to open your phone. Down the line, though, it could mean that your prints turn up wrongly in an investigation. That could happen now, given the government’s own database of fingerprints. But the chances rise the more print information is stored and available.
4. There is already too much information about you out there.
Databases are filled with information that is less quantitative and more qualitative. Apple has your fingerprints, but Facebook has your face, and its database of facial recognition data presumably can be used to match you to, say, a video camera somewhere.
Perhaps fingerprints won’t go the way of all the other data about you. Perhaps there is nothing to worry about, and folks can focus on other technologies, like the 64-bit speed, new case and different colors of the new iPhone.
But the world has changed. Time was, you needed to protect your credit card and Social Security numbers. Now your fingerprints are at someone else’s fingertips. That’s reason to pause.