Fingerprints have become the access of the future, setting everyone’s weary, password-riddled mind at ease. But on the other hand, it’s not all thumbs up.
Everything from phones to ATMs is asking for our thumbprints these days as a sign of identity. And it’s true, with that comes some real security that’s easy to remember and use. But that doesn’t mean it’s without its own set of challenges.
To be fair, there are a lot of rewards to having fingerprints unlock a phone or other secure device: Security is literally at your fingertips, and it’s convenient. In an age where experts have started doubting the password, and pushing for more length and variety in our security keys, it’s a relief to be able to only swipe or hold your thumb up, gaining access and peace of mind. And thanks to the true encryption it can provide, it’s paved the way for mobile payments.
But it presents some dangers too. Like the fact that if your information is compromised, it doesn’t leave a lot of places to hide. After all, the same characteristics that make fingerprints and other biometrics so secure are the same things that make them so intrusive, as Aaron Bartell wrote for TMT Perspectives back in 2012:
If your password is hacked, you can change it. The same can’t be said of your fingerprints. As Dave Aitel, CEO of Immunity Inc. (a penetration testing company), explains in a USAToday guest essay, if a hacker were ever to steal your fingerprint, it would be compromised forever. This is not a hypothetical concern; hacking communities are already offering cash rewards for the first person to bypass the 5S’s fingerprint security, and it is not difficult to imagine similar efforts to obtain the fingerprint data itself. Bottom line, even with each of your fingers having a different print, you still have a very finite number of replacement options. (Yes, toes also reportedly work, but that’s not a very practical solution.)
A more remote, though no less serious, concern about the fingerprint scanner is the fact that it potentially limits a user’s ability to maintain anonymity online. If a person’s access to the Internet is predicated on fingerprint authentication – for example, if it is required to unlock her phone before launching the browser – it could create a much more definitive, personal connection between her and her activity online (sites she visits, content she uploads to or downloads from the cloud, apps she uses, etc.) than a trail of IP addresses or invented screen names. (As the father of a young child, it’s hard to look at this as a negative when I think about things like online predators, but the fact is that this is a privacy issue affecting everyone, good or bad, who uses the technology.)
But the question isn’t just about hacked databases (which often contain a zero-knowledge proof anyway). It’s also about the law.
Courts and law enforcement officials don’t seem to be shying away from compelling people to unlock their phones with a fingerprint. The unanswered question hanging in the air is whether a Fifth Amendment right is even being violated. So far not all courts agree. Biometric data has been held up as an indicator of who you are (not, say, a testimonial of something you know) and as such courts have held that it isn’t covered by Fifth Amendment rights. But as TechDirt points out, the line is increasingly blurred:
The only prior case to raise this issue isn’t very instructive and a dataset of one is hardly an indicator of prevailing judicial winds. But the reasoning in the 2014 case draws a line between what the court considers “testimonial” and what is merely providing access.
In 2014, a judge said Baust could be compelled to provide his fingerprint to open a locked phone but could not be ordered to disclose a passcode. The judge reasoned that providing a fingerprint was akin to giving a key, while giving a passcode — stored in one’s mind — entailed revealing knowledge and therefore testifying. Baust was later acquitted.
But does that line even exist? It’s difficult to say it does when both fingerprints and passwords are virtually interchangeable, thanks to Apple’s Touch ID system. The fingerprint is the password. The difference is detained suspects can only retain one of these “keys” in their minds. The rationale used by the court presumes vocal utterances are the only way a person can provide incriminating evidence against themselves.
It’s a battle the FBI is staring down as it attempts to keep biometric data the agency collected away from privacy laws. Not to mention the fact that DARPA reportedly hopes to “extract behavioral and physical biometrics from a range of devices and vantage points” to better combat cyberterrorists. Apparently there are hopes that by 2018 the Pentagon would be able to feed information like biometric indicators from devices of suspected hackers into an algorithm that could build profiles to help identify those responsible for attacks.
In the immediate future all this might not change anything, and likely nor should it. Fingerprints remain one of the easiest and most secure ways to lock and unlock your electronics, ensuring your data stays only accessible by your hands. But in the longer term, this has the fingerprints of a bigger encryption fight all over it.