Thumbs up or thumbs down?
Apple launched its new iPhones this month, and the most significant long-term enhancement could be that it brings the biometric fingerprint scanner to the mass market.
Most phones these days can be locked when not in use, and to unlock them you need to enter a PIN code, typically a four digit number. It offers some protection to your phone's contents if it is lost or stolen, but it still takes time to enter the PIN code, and so a lot of people simply don't bother. We also know from banking studies that people are bad at choosing random, hard to guess, PIN codes.
Apple has addressed this issue by building a fast fingerprint scanner onto the front of the new phone which allows the user to scan their fingerprint and register it with the phone as an unlock code. When that has been done, the user can use the same finger to very quickly unlock their phone, although they can also use the plain old PIN code if, say, they have cut their finger and have sticking plaster on the finger tip. Users can also use their fingerprint to authorise purchases from the iTunes and the App store, as an alternative to entering their password.
Convenient as this sounds, some people worry that fingerprint scanning is a security risk, including Senator Al Franken, who is chairman of the USA's Senate Judiciary Subcommittee on Privacy, Technology and the Law. He has written to Apple CEO, Tim Cook, asking how the iPhone Touch system will protect privacy. He points out that whilst people can keep passwords secret, they cannot so easily keep their fingerprints secret, and if someone finds out your password you can change it, but not so with your fingerprints. He goes on to claim "if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life". He is right to ask the questions, but may not have fully understood how the technology works.
The form of fingerprint scanner found in the iPhone doesn't scan the whole fingerprint, it doesn't transmit an image of the fingerprint to Apple or anyone else, and it doesn't store an image of the fingerprint inside the phone. It scans a portion of the print and converts key features into numeric values which are scrambled together and encrypted to form a numeric code unique to the phone. It is this number which is stored, not an image of the print, and the algorithm which creates this numeric representation is designed so that you cannot reverse engineer an image of a fingerprint from the stored number, or match your fingerprint to any other fingerprints stored in any other system. The only place that reversing this code to a print is going to be possible is in the minds of TV police series script writers, who are probably typing up the idea already.
The same method of deriving a digital signature from a fingerprint is at the heart of of a dispute involving cleaning staff on London Underground. Currently, cleaners sign in manually on a sheet of paper at the start of the shift. The management wants to replace this with a fingerprint reader check-in system, which would be easier to use, avoid confusion and mistakes in handling written signatures, and would guarantee the person signing in is who they say they are. The cleaning staff and the RMT Union have voted for action against this plan, claiming it has been bulldozed in by the management, and that the fingerprinting of staff is a draconian measure and an infringement of their civil liberties.
Explaining the security of the one-way algorithms at the heart of these systems without resorting to pages of mathematics is difficult, so it is not surprising that people are suspicious of this technology and its possible misuse. As people become more used to fingerprint scanners in consumer products such as the iPhone, they may be more willing to accept it as an assistive rather than an invasive technology.
25th September 2013
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content. If you would like to receive the newsletter direct to your inbox each month, please SUBSCRIBE here. It is free, and you don't get added to any other mailing lists. It uses best-practice confirmed opt-in only, and you may unsubscribe at any time.