Wednesday, September 18, 2013

The itty bitty fingerprint sensor

tl;dr: The fingerprint reader of the new Jesus phone is a bad idea, but not because of security or espionage problems.

Apple has shown exceptionally poor judgement with its choice of headline feature for its new iPhone 5s. If I had Apple stock, this would be a good time to be embarrassed about it. Not just because I believe that the screen is too small, the flash memory too stingy, the UI too flat, or because a fingerprint reader is a disastrous choice in itself, but because Apple seems to have lost its sense for taste and timing. You do not keep ahead of the game by making phones thinner and longer or blingy. And adding a feature that screams "privacy violation" in the middle of a mass surveillance affair outs you as a nutcase.
For quite a few years now, I have been subjected to the considerable indignity of having to leave my fingerprints whenever I cross the border into the US. It is hard to say why I feel so uneasy about this. Maybe it has to do with the fact that I grew up in East Germany, and surveillance was a real issue back then. The contents of my bookcase, the conversations with my math teacher, the phone call to a family friend, or the occasional remark overheard by the over-eager snoopy daughter of the headmaster all made it into my file and could decide my academic, social and professional future.
To say that I am irked by the careless lies of our politicians (Friedrich, Pofalla and others) when it comes to the collaboration between the secret services of the US, Germany, UK, Sweden, France and so on, would be a grave understatement. I am deeply uneasy that the top echelon of German politics is apparently in cahoots with and puppeteered by a deep state that has spun wildly out of control.

We have known for quite a few years now that the US reads our diaries. Gmail, Dropbox, Skype, phone call metadata, bank transactions and even the iPhone's location data have all been known to be available to the whims of American secret services, courtesy of the Patriot Act and willing collaboration. The fact that Ed Snowden has brought this to the attention of some of the mainstream press does not create a new situation: if you do not want the American or German government in your communications, buy at least a Cryptophone. The only news is: our politicians are indeed aware of the problem and either unwilling or powerless to do anything about it.

How does the fingerprint reader of the new iPhone change the equation? I think it does not. First of all, the NSA and the German government already fingerprinted me. The phone will probably not even store a useful photograph of my paws, but a hash over an abstraction of some of the minutiae. Even if the NSA could whisk a scan of my thumb off my home button, it does not learn anything new about me. The NSA, the GCHQ, even the police can already bypass all standard security measures on my phone.

But what about all the obvious security problems? Are we not going to see thieves running around with stolen phones and a necklace of severed fingers to unlock them? (No.) Will kids pwn my phone with sticky tape and a glass I touched last week? (Unlikely.) Is someone going to find a serious flaw in the scanner or the unlock procedure? (Probably.) Update: someone just did; the classic tricks of the CCC seem to work with little modification.

So Apple has turned my finger into a password. If I lose this password, I cannot change or reset it. This sounds like a terrible idea, no? Actually, I do not think this is an issue! Should someone steal my iPhone and somehow manage to read out its memory, they won't be able to do much with it. Even for casually unlocking my next iPhone, pressing a string of bits to the home button won't help them much. Neither will they be able to go for a splurge in the iTunes store, because, well: the fingerprint is not a password. The fingerprint is simply a very specific way of pressing a button on a very specific phone. It won't work on another phone or device, and it won't work well for anybody else.

It is very easy for me to press the phone this way, and very awkward (although probably not impossible, given enough time and resources) for someone else. My co-worker or spouse is not going to read my SMS. A thief won't be able to use the banking app within the time it takes me to remote-disable the phone. The fingerprint reader will not make any application less secure than the flimsy passwords that I have chosen to be entered comfortably on the iPhone's shitty onscreen keyboard.

And no, the fingerprint won't make things easier for the NSA. The NSA has already got all my data on a platter, courtesy of Apple's willingness to comply with crazy American surveillance laws. The fingerprint won't make things easier for the police, because the police already bypass my phone's security.

You may choose not to get another iPhone because Apple has shown very bad taste and timing in its choice of headline feature. But you should not be concerned about privacy issues that you did not already have yesterday.

One more update: Dustin Kirkland just points out that fingerprints should not be treated as passwords, but as user names. This is a very smart observation. Unlike a password, you cannot change it, and it is easy to obtain and probably already compromised. Like your user name, it is pretty unique. As an advantage over a conventional user name, it is quite difficult to enter for someone who is not you. If you see it as a means of authentication or a key to protect your data and identity, you are in trouble. The fingerprint is a convenient way of telling a device that you mean to use it, and it might keep your four-year-old out of your app store account. But it is not going to protect your sensitive data from a smart or physically threatening attacker.
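A toy model of that design, added here as an illustration and not Apple's implementation or code from the original post: the scan only selects an enrolled user on one particular device (the "user name"), and a secret bound to that device is what actually releases anything, so the same finger, or a copied template, gets nothing on another phone. The minutiae sets, the cell quantisation and the 70% threshold are all constructed assumptions for the model.

```python
import hmac, hashlib, secrets

# Constructed toy "minutiae": (x, y, direction) triples, standing in for whatever
# abstraction a real sensor stores. Real templates are far richer than this.
ALICE = {(12, 40, 3), (33, 21, 7), (57, 64, 1), (80, 10, 5), (45, 88, 2), (66, 33, 6)}
BOB = {(5, 5, 0), (20, 70, 4), (90, 90, 2), (60, 15, 7), (35, 50, 1), (75, 60, 3)}

def quantise(minutiae, cell=8):
    """Coarsen raw points into cells so small scanner jitter still lands in the same cell."""
    return {(x // cell, y // cell, d) for x, y, d in minutiae}

def match_score(template, scan):
    """Fraction of enrolled cells seen again in a fresh scan: fuzzy, never an exact compare."""
    return len(template & scan) / len(template)

class Device:
    """One phone: the fingerprint picks the user, the device secret is the real credential."""
    def __init__(self, threshold=0.7):
        self.secret = secrets.token_bytes(32)  # assumed hardware-bound key, never leaves the device
        self.templates = {}                    # user name -> quantised minutiae cells
        self.threshold = threshold

    def enrol(self, user, minutiae):
        self.templates[user] = quantise(minutiae)

    def identify(self, minutiae):
        """Which enrolled user does this scan resemble? Acts like a user name, not a secret."""
        scan = quantise(minutiae)
        for user, template in self.templates.items():
            if match_score(template, scan) >= self.threshold:
                return user
        return None

    def unlock(self, minutiae):
        """Release a key derived from THIS device's secret, only if the scan matches here."""
        user = self.identify(minutiae)
        if user is None:
            return None
        return hmac.new(self.secret, b"unlock:" + user.encode(), hashlib.sha256).hexdigest()

def noisy_rescan(minutiae):
    """Constructed jitter: one point drifts across a cell boundary, the rest stay put."""
    return (minutiae - {(57, 64, 1)}) | {(55, 64, 1)}
```

Enrolling the same finger on two devices yields two unrelated unlock keys, which is the whole point: nothing transferable is ever derived from the finger itself.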