

 Senator asks if FBI can get iPhone 5S fingerprint data via Patriot Act - 6thSigma
http://arstechnica.com/tech-policy/2013/09/senator-asks-if-fbi-can-get-iphone-5s-fingerprint-data-via-patriot-act/

======
kevinpet
And this illustrates my problem with Franken and all the far left --
government agencies are trampling over Americans' privacy, and his issue is
whether a private company is taking sufficient safeguards to avoid making it
easier for the government to trample that privacy.

As opposed to, you know, getting government to stop abusing its power.

Half of his questions are "what's Apple's legal interpretation of our abusive
laws?" It doesn't really matter what Apple's interpretation is. What matters
is the secret court's secret decisions about what those laws mean. It's good
that Franken voted against renewing the Patriot act, but he should be sending
this letter to his colleagues that voted for it, not Apple.

~~~
rednukleus
In what world is Al Franken "far left"?

~~~
mikeash
In the current US political climate, where implementing a Republican health
care plan gets you branded a "socialist", obviously.

------
gdubs
It's not like a scanner that's taking a picture of a finger and storing the
image on a chip. From what I can tell, the biometric markers of individual
fingerprints are used as a hash to generate a strong password -- much stronger
than a user generated password. The fact is, the standard 4 digit pins that
most users use are not very secure. (From what I can recall of a recent
security seminar I attended.)

Given the privacy concerns that have been news lately, it's understandable
that this would raise some eyebrows, but when combined with something like the
iCloud keychain for generating strong online passwords, this could actually be
a great benefit to individual privacy.

~~~
eksith
It's possible the device is storing a second key of some sort as well as
regenerating it each time a fingerprint is set. It may even regenerate it each
time a scan is done and reset the password.

I.E. hash( hash(fingerprint) + stored key ) = actual password.

~~~
joshstrange
IIRC I think I saw someone else saying that each fingerprint hash was hashed
with a key specific to each phone so that if you were able to extract the
fingerprint hash it would be unusable on the target's other devices. I cannot
find the source for this so please take this with a large grain of salt.

------
pvnick
Looks like the anti-spying-stories brigade is out in full force today flagging
this and the two stories about GCHQ hacking the Belgian telecom companies.

------
crazygringo
I still don't understand all this uproar over fingerprinting.

Fingerprints are _obviously_ incredibly insecure. They're _obviously_
identifiable. How is this news?

Fingerprint readers on phones are like locks on doors -- they deter casual
people, but are totally worthless against anyone determined. But still pretty
useful for their convenience in most situations.

Fingerprint readers on phones are for preventing your mother or your
girlfriend or your son or your coworker from getting into your phone. And
nothing more. It does zilch against police/government/espionage/etc. But it
was never supposed to, any more than your front lock is supposed to keep a
SWAT team out.

------
eksith
It should be worth noting, taking someone's fingerprint and duplicating it is
surprisingly easy. In fact, a duplicate print has been used to open door locks
and even computer locks as the Mythbusters have shown:

[https://www.youtube.com/watch?v=3Hji3kp_i9k](https://www.youtube.com/watch?v=3Hji3kp_i9k)

~~~
prjw
Back in 2008, the CCC even stole and published a fingerprint of Wolfgang
Schäuble, who was the Minister of the Interior in Germany at that time.

[http://www.h-online.com/newsticker/news/item/CCC-publishes-f...](http://www.h-online.com/newsticker/news/item/CCC-publishes-fingerprints-of-German-Home-Secretary-734713.html)

~~~
gte910h
"Stole" is a pretty heightened word for something we leave on literally
everything we touch.

------
wtvanhest
The answer to this problem is to create a technology which allows for easy
replication of fingerprints once you have a digital copy. Once that technology
exists it will completely remove the use and value of fingerprints since the
existence of a fingerprint won't prove anything.

3D printers could provide that system as long as they are precise enough to
print fingerprints at scale.

~~~
bradleysmith
That's an interesting solution.

Re-create some super VIP's prints and plant them in undesirable places they
obviously did not go to; then publicize it. Render the whole 'fingerprint as
an identifier' thing with uncertainty and doubt.

I believe Objet/Stratasys still have the highest resolution printers at 16
micron layers and 30 micron-width droplets.

A quick Google search says the papillary ridges of a fingerprint could be
safely assumed at between .020 and 2.0mm in height[1]; that might be printable
now.

Fun thought, anyway.

[1]-[http://answers.google.com/answers/threadview?id=216913](http://answers.google.com/answers/threadview?id=216913)

------
robbiemitchell
lol "Passwords are secret and dynamic"

Passwords are often static, shared, and relatively easy to crack.

~~~
JabavuAdams
That's not the point. The point is that the fingerprint uniquely identifies
you, and it's difficult to change.

It's like using your SIN as a secret.

~~~
mikeash
Well, it's currently pretty easy to change. I use my fingerprint in exactly
one place right now: as the unlock code for my new iPhone. (Yep, I stood in
line and everything.) If somehow my fingerprint got stolen, I could trivially
change the unlock code by switching back to a regular passcode and disabling
the fingerprint unlock.

I don't understand the big concern over this fingerprint sensor. I get the
idea of some concern on a theoretical level, but compared to the rest of any
smartphone's ready-made spying functions, like the ability to see where you
are at any point in the day, the ability to record or even transmit live every
conversation you have, the ability to steal every password you enter into the
device, etc. etc., fingerprint theft seems completely unimportant. So far,
I've yet to get a satisfactory answer to just what bad things would happen if
the NSA was, in fact, stealing everyone's iPhone fingerprint data. I'd rather
they not, but it's minor compared to everything else that's going on.

~~~
r00fus
Furthermore, if Apple did it right, they'd store a hashed reading of the
fingerprint, and probably salt that with the device's ID or some private key
unique to the device (quite straightforward).

So that would mean that even if someone stole your print (say the stored
hash), it wouldn't work without the iPhone. At that point, in order to attack
someone's AppStore account with a fingerprint, it becomes 2-factor security...
and that "something to have" token can be revoked by remote wipe.

~~~
hrasyid
How do you verify a fingerprint if you only store a hashed reference?
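
Added example, not part of the thread and not Apple's implementation: a Python sketch of the device-keyed hash that eksith, joshstrange and r00fus describe above, which also shows the difficulty behind hrasyid's question, since two scans of the same finger differ slightly. The 16-byte templates, the device keys, the helper names and the 8-bit tolerance are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a 16-byte "feature template" and two device keys.
ENROLLED = bytes(range(16))
DEVICE_A_KEY = b"constructed-key-device-A"
DEVICE_B_KEY = b"constructed-key-device-B"


def rescan_with_noise(template: bytes) -> bytes:
    """Simulate a second scan of the same finger: two bits differ."""
    noisy = bytearray(template)
    noisy[3] ^= 0x01
    noisy[10] ^= 0x80
    return bytes(noisy)


def device_bound_hash(template: bytes, device_key: bytes) -> bytes:
    """hash(hash(fingerprint) + stored key), as written in the thread."""
    inner = hashlib.sha256(template).digest()
    return hashlib.sha256(inner + device_key).digest()


def exact_match(stored: bytes, scan: bytes, device_key: bytes) -> bool:
    """Verification that only has the stored hash to compare against."""
    return hmac.compare_digest(stored, device_bound_hash(scan, device_key))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bits in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tolerant_match(enrolled: bytes, scan: bytes, max_bits: int = 8) -> bool:
    """Tolerance-based matching; needs the enrolled template, not its hash."""
    return len(enrolled) == len(scan) and hamming_distance(enrolled, scan) <= max_bits


if __name__ == "__main__":
    stored_a = device_bound_hash(ENROLLED, DEVICE_A_KEY)
    rescan = rescan_with_noise(ENROLLED)
    print("same hash on device B:", stored_a == device_bound_hash(ENROLLED, DEVICE_B_KEY))
    print("identical scan verifies:", exact_match(stored_a, ENROLLED, DEVICE_A_KEY))
    print("noisy rescan verifies:", exact_match(stored_a, rescan, DEVICE_A_KEY))
    print("noisy rescan within tolerance:", tolerant_match(ENROLLED, rescan))
```

The stored value is useless on a second device, as the comments above suggest, but a two-bit difference between scans already defeats the exact comparison, so in this simple model a matcher that tolerates noise has to work from the template itself.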

------
thabofletcher
That will be released on the iPhone 6.66

------
joshowens
We sat in our office and joked about this very thing when we watched the
announcement. Sad, really.

------
Raphmedia
"You have only ten of them."

Did anybody think of using toes yet?

~~~
r00fus
Yes. [http://reviews.cnet.com/iphone-5s/](http://reviews.cnet.com/iphone-5s/)

"The Touch ID-enabled home button feels invisible; it works with a tap, can
recognize your finger from many angles, and feels like it has less of a fail
rate than fingerprint sensors I've used on laptops. It's impressive tech. It
worked on all my fingers, and even my _toe_ (I was curious)."

------
mumbi
Why isn't this on the first page? 42 points in an hour? I see something with
42 points in 2 hours on the first page.

