Fingerprint-reading Iphone seen as protection against NSA spying

By Todd Shields and Allan Holmes
Courtesy of the Associated Press

September 13, 2013 (c) 2013, Bloomberg News.

WASHINGTON — Apple Inc.'s use of fingerprint scanning in its new iPhone models could lead more device makers to adopt the authentication method as a successor to passwords — and that's fine with privacy advocates.

The introduction coincides with the rise of cybercrime and revelations that the National Security Agency has intercepted Internet communications and cracked encryption codes on devices including the iPhone.

Apple said that on the new iPhone, information about the fingerprint is stored on the device and not uploaded to company networks — meaning it wouldn't be in data batches that may be sent to or collected by U.S. intelligence agencies under court orders.

"They're not building some vast biometric database with your identity associated with your fingerprint that the NSA could then get access to," Joseph Lorenzo Hall, senior technologist with the Washington-based Center for Democracy & Technology, said in an interview. "That's a good thing."

The iPhone 5S uses a sapphire crystal to read a user's fingerprint to unlock the phone, Apple said Sept. 10 as it unveiled the model that's to go on sale Sept. 20 in stores.

Apple's use gives the technology an endorsement that will probably lead other mobile phone makers such as Samsung Electronics and HTC to include biometrics in their products, said Avivah Litan, a technology analyst at Gartner Inc., the Stamford, Conn. -based research company.

"This is an inflection point because companies are looking for better ways to authenticate users," Litan said in an interview. "This is an important milestone."

Before Apple unveiled the iPhone 5S, stocks of biometric makers were on the rise in anticipation the phone would incorporate fingerprint authentication. Over three weeks, shares of Precise Biometrics, a maker of authentication equipment in Lund, Sweden, increased 69 percent and Fingerprint Cards, another Swedish maker of biometric security solutions, moved up 52 percent.

Biometric identification systems, including voice and iris scans, usually are harder to defeat than passwords, which can be stolen or deciphered.

Biometrics could be used in mobile applications for banking and online buying in about 18 months, Litan said.

"Banks and e-commerce companies are taking advantage of these technologies and are already experimenting," she said.

Jennifer Lynch, a staff attorney with the San Francisco- based Electronic Frontier Foundation's digital rights group, said there aren't regulations surrounding the collection of biometric data.

If companies don't adequately safeguard information they may face action by the Federal Trade Commission, which monitors fair business practices, Lynch said.

Apple, by not pulling fingerprint information into its databases, is making it "extremely difficult" to steal information stored on the device, Anil Jain, a computer scientist at Michigan State University who conducts biometrics research, said in an interview.

A hacker or intelligence agency would have to break into the smartphone, find a way into the secure chip where fingerprint information is kept, download and decrypt the scrambled data, and then recreate an image of the print.

"It's a pretty complicated process," Jain said.

Nothing is quite hack-proof, he said. "If you spend enough resources on it, anything is possible."

The German magazine Der Spiegel on Sept. 7 reported the NSA cracked encryption codes to listen in on the 1.4 billion smartphones in use worldwide, including the iPhone.

"I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone," wrote security researcher Bruce Schneier, in a blog before the iPhone 5S was unveiled. "But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."

No two fingerprints are alike, which helps make them a strong security feature, Dan Riccio, Apple senior vice president for hardware engineering, said in a video the company released to explain the technology.

"It's never available to other software, and it's never stored on Apple servers or backed up to iCloud," Apple's Web- based sharing system, Riccio said.

Teresa Brewer, an Apple spokeswoman, didn't say whether the company could gain access to the fingerprint data. "All fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it's never stored on Apple servers," Brewer said in an email.

Not everybody is sanguine about fingerprint capture.

"It reflects unquenchable thirst for swallowing as much consumer data as possible," Jeffrey Chester, executive director of the Center for Digital Democracy, a Washington-based privacy group, said in an interview.

"This whole notion that people's body parts can be added to the data profile is troubling, and it needs to be looked at," Chester said. "Will the data be used to unfairly discriminate when you interact with a health app, for instance?"

_ With assistance from Adam Satariano in San Francisco.

bc-apple-privacy