A lot of ink has been spilled over the past couple of weeks on Apple’s Touch ID. First, it was noted that a Los Angeles court ordered a woman to unlock an iPhone by providing her fingerprint. Soon after, it was revealed that Apple appeared to have changed Touch ID’s settings so that it would be “disabled” if an iPhone hadn’t been used in a while.
The former was not necessarily shocking – who among us has not been subject to trickle-down edumacation of the law via TV shows like Law & Order and CSI: Pick Your Series? – but the latter certainly induces some eyebrow raising.
Fingerprints are Not Protected Information
Legal experts will tell you that fingerprints are not “protected information,” in the sense that the courts can compel you to cough them up. This is unlike a password, which can be forced out of you, but only if certain conditions apply; otherwise, the government’s hands are tied.
It all comes down to whether something is testimonial. From eff.org:
There are two ways in which the act of producing something is not “testimonial.” … the government is demanding that a person perform a physical act that does not make use of the contents of their mind. … it would be “testimonial” for the government to force someone to turn over a combination to a lock because then the person would be revealing something in their mind, and in turn, conveying a statement of fact the government didn’t know otherwise.
… a second way in which producing something is not testimonial… if the government can show with “reasonable particularity” that when it tried to obtain the requested material, it already knew what the material was and where it was on the computer. In other words, since turning over the data would not reveal anything to the government that it didn’t already know, no Fifth Amendment right comes into play…
Fingerprints squarely fall into the non-testimonial category. Likewise for blood, which explains the scenes in cop shows where a suspect is asked to “volunteer” their blood or the cops will execute their warrant for…wait for it… drawing the suspect’s blood.
If the courts are given a justifiable reason why a suspect’s fingerprints need to be compelled, they’ll generally agree to do so.
Criminals, Stick to Passwords? Convenience or Security
Of course, the outcome has led to some quotable remarks, such as “criminals should use passwords instead of Touch ID” and other biometric forms of accessing data.
The thing is, whether you’re a criminal or not, if you’re security conscious, you’re probably much more secure choosing the more inconvenient way of accessing your phone. Aside from the legal protection it affords, consider the following.
Let’s say that Touch ID is not only used to access your iPhone, it’s also linked to your banking app (they’re coming, I can assure you). It’s not difficult to imagine enterprising criminals who’ll knock out a person (physically or chemically or otherwise) and transfer funds easily by scanning the unconscious victim’s fingertips. With a password, such a scam is a harder proposition since it requires consciousness by all parties involved.
(Harder, but not impossible, because you can always threaten a person with physical violence. I’m reminded of a doctor who was tied to a tree while his antagonists demanded the password to his encrypted laptop.)
Plus, there is always the possibility that a facsimile of your fingerprints can be used to hack access to a device. You can always create a more secure password; you can’t really create a security-enhanced fingerprint.
Is Apple Actively Trying to Foil the Government’s Actions?
As noted at the beginning, Apple has updated how Touch ID works. As macworld.com observed:
A previously undocumented requirement asks for a passcode in a very particular set of circumstances: When the iPhone or iPad hasn’t been unlocked with its passcode in the previous six days, and Touch ID hasn’t been used to unlock it within the last eight hours. It’s a rolling timeout, so each time Touch ID unlocks a device, a new eight-hour timer starts to tick down until the passcode is required.
This new policy has apparently been around since at least the San Bernardino encryption case that pitted Apple vs. the FBI.
The timing and nature of the new Touch ID policies from Apple are quite surprising. Could there be substance to suggestions that Apple is working to stymie the government’s efforts to access protected data?
Previously, such an argument was laughable. Self-appointed representatives of the government cried that Apple and other companies were working in concert to impede federal and state agencies from doing their job, and that encryption was a sure sign of this. Encryption is not for or against something or someone. You wouldn’t say a knife is “against” innocent people or “for” criminals, for example. Encryption just is; and just like a knife, it’s a matter of how someone decides to use it. The balance comes out in favor of good over evil, which is why encryption is not illegal (and neither are knives).
It made sense for Apple to relinquish as much control as possible over encryption and passwords, giving users the choice to do something about it and allowing Apple to walk away from the responsibility. Yes, iPhones come encrypted, but it’s up to each individual user to create a password, thus securing their devices. If someone uses a weak password or doesn’t use one at all, it’s that person’s fault. Whereas if Apple has a backdoor or stores users’ passwords and later experiences a data breach, it’s on Cupertino.
Likewise, a user can choose not to use Apple’s cloud – a nuance that is lost on critics who cry hypocrisy at Apple’s different stance on data found in devices (can’t access it at all) vs. cloud servers (here you go, Mr. G-Man). Believe me, if Apple could find a way where they could provide cloud services that are untied from personal identifiers, they would. It’s technically impossible.
The government may not have liked how Apple did things (why not give the users the choice to turn on the encryption in addition to applying a password?) but one could easily argue that it had the security of all users in mind. Accusations that Apple was actively trying to aid criminals rightfully fell on deaf ears.
Unlike the “10 tries and wipe the device” feature on iPhones, which could easily apply to a nosey twice-removed aunt or to a government branch hell-bent on accessing a device, this latest policy regarding Touch ID feels different. It’s hard to imagine an application for it other than as a bulwark against legal actions. It certainly doesn’t protect one from choosing between access and violence, as in the case of the doctor who was tied to the tree. The eight-hour window makes it less than useful in cases where violence comes first and access comes second, as in the drug-and-print scam I envisioned.
Arguably, it could protect users living under repressive governments: with Touch ID’s usefulness crimped, a detainee couldn’t be subject to the kind of violence that would lead him to forget his password. But that’s assuming that person will not appear in front of a “kangaroo court.” Or that they don’t get the password first and then inflict the pain.
Apple’s latest security feature feels questionable at best – and pointedly ambiguous.