German Data Protection Expert Warns Against Using iPhone5S Fingerprint Function

dryriver writes "Translated from Der Spiegel: Hamburg Data-Protection Specialist Johannes Caspar warns against using iPhone 5S's new Fingerprint ID function. 'The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone. This is especially true if a biometric ID, like your fingerprint, is stored in a data file on the electronic device you are using.' Caspar finds Apple's argument that 'your fingerprint is only stored on the iPhone, never transmitted over the network' weak and misleading. 'The average iPhone user is not capable of checking, on a technical level, what happens to his or her fingerprint once it is on the iPhone. He or she cannot tell with any certainty or ease what kind of private data applications downloaded onto the iPhone can or cannot access. The recent disclosure of spying programs like Prism makes it riskier than ever before to share important personal data with electronic devices.' Caspar adds: 'As a matter of principle, one should never hand over any biometric data when it isn't strictly needed. Handing over a non-changeable biometric feature like a fingerprint for no better reason than that it provides 'some convenience' in everyday use, is ill advised and foolish. One must always be extremely cautious where and for what reasons one hands over biometric features.'"

  • by Glock27 ( 446276 ) on Sunday September 15, 2013 @10:06AM (#44855701)

    It highlights the need for Apple to tell us exactly how the fingerprint security works, which was a part of the point of the original article.

    Apple has revealed enough detail:

    According to an unnamed spokesman at Apple, the fingerprint detector won't actually record images of your fingerprints.

    and...

    This is in line with what Apple said during the actual announcement, specifically that the information was stored "in the Secure Enclave inside the A7 chip on the iPhone 5s." The information would not be stored on Apple's servers or in the iCloud.

    From the WSJ [wsj.com].

  • by mysidia ( 191772 ) on Sunday September 15, 2013 @10:29AM (#44855803)

    They capture metrics based on your fingerprints

    These are not cameras, that take an optical image; or collect data that can be used to reproduce your fingerprints.

    The readers provide only enough data to authenticate the ridge pattern, by taking some simplified metrics that represent your pattern with a relatively high fraction of uniqueness.

    See the citeworld article [citeworld.com] for more information about the iPhone's reader; apparently, this reader will be harder to trick than most laptop readers from Authentec have been in the past.

    If they were worthwhile; then this seems worthwhile.

    It's certainly a better idea to have fingerprint + 4-digit passphrase than a 4-digit passphrase.

    Long passphrases are inconvenient; more convenient security means the bar is raised: people's risk will go down.

    Also, since the reader requires live skin, it cannot be faked easily ---- it may reduce thefts of these devices by pickpockets and the like.

  • by ceoyoyo ( 59147 ) on Sunday September 15, 2013 @01:25PM (#44856905)

    No, actually. What you think of as your "fingerprint" is a pattern in the layer of dead skin, the epidermis. That pattern is created by patterns in the dermis, the living cells underneath the epidermis. That's why if you wear away your fingerprints, unless you do serious damage to your finger pads, they'll grow back the same as they were.

    The sensor in the 5s uses a low frequency RF signal to read the fingerprint from the dermis, not the surface. That kind of sensor is much more reliable and easier to use than older ones, and can't be fooled by masks or dead fingers. Fujitsu has some notebooks in Asia that already have them, and Microsoft has demonstrated them as well.

  • by Anonymous Coward on Sunday September 15, 2013 @03:29PM (#44857531)

    Here's the relevant patent. [uspto.gov] It's measuring your fingerprint by capacitance. It's only "subdermal" in that the epidermis doesn't register on a capacitance sensor, but the dermis does.

    The "subdermal patterns" are the same patterns as your ordinary fingerprint. I'm pretty sure that part is just thrown in to make the whole thing sound magical or futuristic.

    I don't know what your "low frequency RF" stuff has to do with anything, though. More magic, I suppose.

  • by Trax3001BBS ( 2368736 ) on Sunday September 15, 2013 @03:53PM (#44857685) Homepage Journal

    But because of that the privacy concerns raised are pointless. Casual use is exactly where biometrics are useful, they are very convenient but don't provide any real security.

    In the USA the privacy concerns are very real.

    * The Patriot Act allows for the use of backdoors for counter-terrorist investigations.

    * Vendors are legally and commercially prevented from acknowledging their backdoors.
    Defense will not be able to prove their existence.

    * Users of Mobile devices and cloud storage sign off on their rights to data scanning. There is no opt-out option.

    a few lines from http://www.techarp.com/article/LEA/Encryption_Backdoor/Computer_Forensics_for_Prosecutors_(2013)_Part_1.pdf [techarp.com]

    Showing that in the USA, Apple can't make the claim that biometric data is 'never transmitted over the network'
