Sense and Nonsense About Biometrics

Apple’s Touch ID fingerprint scanner seems to have fueled an important but ill-informed and ultimately nonsensical debate about biometrics and privacy. The latest example is this muddled editorial in the Sept. 22 New York Times.

Fingerprint photoThe Times editorial, and a great deal of other discussion of the issue, errs in confusing two completely different uses of biometric data: authentication and identification.

The iPhone uses fingerprints for authentication. It scans your finger an checks if it matches previously recorded data (read this for a deep dive into how the  process works and why it is secure.) You can record up to five prints. If you want one of them to be your cat’s paw, fine. You can give your cat access access to your iPhone. The phone does not care who the print actually belongs to, just that it matches.

This is what authentication is about. You attempt to access a system claiming to be Mr. X. The system confirms that this is the same person (or cat) who previously  claimed to be Mr. X. It offers no warranty whatever that the person claiming to be Mr. X is Mr. X or, indeed, that Mr. X exists.

Authentication is relatively easy. It is still non-deterministic and, like any other statistical process, subject to both false positives (accepting a print it should reject) and false negatives (rejecting a print it should accept.) But a properly designed system with a good sensor, like Apple’s, can keep the rates of both types of error very small. And as long as the biometric data is stored locally and securely, as Apple maintains is the case with Touch ID,  there is no real privacy issue. In fact, biometric authentication can increase privacy by reducing identify theft.

Identification is what happens when the police find a fingerprint at a crime scene. The FBI lab must compare this unknown print to millions of known prints in its database in search of a match. The likelihood of both false positives and false negatives is much higher than in the authentication case and the quality of any match–the probability that it is not a false positive–may be low. (Good defense lawyers know how to challenge expert witnesses on the quality of fingerprint matches.)

Fingerprint matching is at least backed by decades of experience and a fair amount of science. Other forms of biometric identification, such as face recognition in  crowds, is far more problematical. As Adam Harvey pointed out in an Ignite talk at the Privacy, Identity, Innovation conference in Seattle last week, the current state of technology makes it all but impossible to capture useful biometric data without the cooperation of the target. You have to touch something, hold still for iris scanning, or at least look squarely into a camera with you face unobscured. At best, the data we collect from tens of thousands of surveillance cameras is good only for after-the-fact identification of suspects.

But the technology for on-the-fly biometric data capture is only going to get better. This, not Apple’s fingerprint scanner, is what poses the real threat to privacy and where the debate ought to focus.


Touch ID: A Big Deal If Apple Doesn’t Mess It Up

The Touch ID fingerprint reader could be one of the most important features of the new iPhone 5s. Although it will initially be used only to unlock the phone and to log into the iTunes Store, it has the potential to improve the security of a wide range of mobile purchases and payments. But first Apple has to convince iPhone owners that it will not be a new assault on their privacy.

A few weeks ago, this would not have been an issue. But Apple is introducing Touch ID in an atmosphere in which many of the most far-out paranoid fantasies about government snooping seem to have been confirmed. A sampling of Twitter reactions to the Apple announcement, and this New York Times Bits article suggest what the company is up against:

Twitter screenshot

The sad thing is that there is a well-understood way to implement biometric tests such as fingerprints that is safe and will prevent the sort of leaks these tweeters fear. And I suspect that Apple, which bought AuthenTec, the leader in fingerprint technology, in 2012, is following these procedures. The problem is that Apple refuses to say so.

Despite several requests, all I could get Apple spokespersons to do was reiterate marketing chief Phil Schiller’s statement that the fingerprint data was encrypted and stored in “a secure enclave” on the A7 processor that could not be accessed by any apps. The data is never uploaded to iCloud or other servers. This is good, but not nearly good enough.

Here’s how you are supposed to do it. First, and Apple says this much, the reader never makes a copy of your actual finger print. What is does is collect data on a number, perhaps as many as several hundred, points called “minutiae” that uniquely identify a print. The minutiae are reduced to a string of numbers. The next step is really important. The fingerprint data should be run through a mathematical function called a one-way hash, which produces an encrypted version that cannot be decrypted. Because it cannot be decrypted, the original fingerprint cannot be reconstructed from the data, protecting your privacy.

The way this works is that the next time you scan a finger, the process is repeated and a new hash is generated. The new hash is compared to the stored hash and if they match, you pass. The same procedure is used for the secure storage of passwords. It is even more important for biometric data, because, while you can always replace a compromised password, you cannot grow a new finger.

If Apple wants to sell suspicious opinion leaders on the security and integrity of Touch ID, the company is going to have to be a great deal more forthcoming about just how it is protecting fingerprint data, including providing details on the encryption or hash protocols used. Ideally, it would let security experts examine the actual code in hopes of identifying the all-to-common implementation errors that can undermine seemingly secure encryption.

We definitely need an alternative or supplement to traditional passwords to make our devices more secure and useful, especially in commerce and payment. Biometrics, such as fingerprints, are a good choice, but only if they can be handled safely and, even more important, people are convinced their use is safe. That is going to require more transparency than Apple is used to providing.

The good news is that in my brief hands-on tests, Touch ID worked flawlessly. It was easy to register my fingerprints (you can use multiple fingers) and once the prints were set up, the iPhone responded instantly to my touch. It is by far the easiest fingerprint recognition system I have used.

For the moment, Apple is not allowing third-party app developers to use Touch ID, but I think it is only a matter of time until Apple expands its use beyond login and iTunes. The potential is just too great.


An aside: I don’t worry in the least about the government getting my fingerprints, since I have been fingerprinted many times and my prints have been in the FBI database for decades. But the U.S. government isn’t the only snoop out there and I do worry about securing biometric data. as I said, once your fingerprint is gone, it is gone forever.