Apple’s new Touch ID fingerprint scanner.
Has Apple managed the fine line between security and convenience? Some security experts aren’t so sure.
John Caspar, Hamburg commissioner for data protection and freedom of information, told German news magazine Der Spiegel that the use of biometric technology for the sake of consumer convenience could become a hackers’ treasure trove, granting them access to permanent data that cannot be deleted or changed.
Biometric technology is used to verify a person’s identity by digital means, based on their physical or behavioral characteristics. Identifying features such as fingerprints, retina scans, and facial features serve as key markers and are used in surveillance, laptops, smartphones, and passports.
These physical elements cannot be altered in the same way as a traditional password, and therein lies the worry associated with putting such data on a mobile device.
Caspar told the publication:
Biometric features you can not delete. [It is] lifelong. Fingerprints should not therefore provide for everyday authentication method, especially if they are stored in a file.
Apple’s Touch ID fingerprint scanner for the recently announced iPhone 5s — which already has Japanese consumers queuing up around the block — allows people to scan their fingerprint to access the iPhone and download media or apps from iTunes without the need to type in a PIN code.
The Cupertino, Calif.-based firm has attempted to soothe privacy worries associated with the use of biometric data in mobile devices by stating that information gathered by the feature, Touch ID, will only be stored on the device and will be encrypted rather than saved as an image of the fingerprint.
However, Caspar remains unconvinced, saying that while the iPhone’s fingerprint readings would only be stored on the device and not on centralized servers, cyberattackers who compromise a smartphone through malicious applications could still access the biometrics.
The IT commissioner said:
The current user is not in a position to control what his applications do with the information he puts in them.
While the technology may be quicker for consumers than traditional PIN codes, biometric scanning is still dogged by problems. Motorola first launched its Atrix smartphone with the technology, but reportedly dropped it as consumers complained of errors.
A report published on Elcomsoft’s blog highlighted a “huge security hole” with fingerprint-based security in laptops sold by companies including Acer, Asus, Dell, and Samsung.
And retina scanners used at UK airports were dropped following errors and slow processing rates.
The introduction of biometric data in the mobile device industry has also raised privacy worries in the United Kingdom, relating to its potential use as a way to track employees.
A British trade union, the London chapter of the National Union of Rail, Maritime and Transport workers (RMT) — which represents London Underground cleaners — has instructed its members to refuse to use biometric fingerprinting devices to clock in to and out of shifts.
The union says that such methods of keeping an eye on staff activity are a “draconian attack on civil liberties” after receiving almost unanimous support for industrial action, short of strikes.
Fingerprint scanning may be a useful tool for businesses, but as Caspar told the publication, biometric data is a permanent feature of a person, and storing such data is fraught with risk:
Furthermore, [it is] the principle of data minimization.
If it doesn’t have to be there, remove the biometric data, no matter how convenient it might be.
Apple is not the only company looking at the potential of merging biometrics and mobile technology. In a recent leak of images, the rumored HTC One Max also appears to come equipped with a fingerprint scanner on the back of the smartphone.
This story was originally published as “Apple iPhone fingerprint scanner raises security worries” on ZDNet.