In September 2013, Apple, Inc., introduced the next iteration of its popular iPhone line: the iPhone 5S. Apple’s new flagship device boasts “Touch ID” technology as one of its revolutionary new features. This new technology allows users to instantly authenticate themselves by merely touching the home button located on the front of the phone. While Apple is not the first manufacturer to implement biometrics technology into a consumer cell phone, it will undoubtedly be the first to bring the technology into the mainstream.
Importantly, in the wake of the ongoing NSA spying revelations and accompanying controversy, many Americans are developing a heightened sensitivity as to their digital presence. These concerns are especially relevant since, in the Fourth Amendment context, courts have routinely held that individuals possess no reasonable expectation of privacy in their fingerprints.
In less than two months’ time, Apple has placed a biometrics device in the pockets of millions of Americans.
Biometrics is defined as “the measurement and analysis of unique physical or behavioral characteristics (as fingerprint or voice patterns) especially as a means of verifying personal identity.” Each individual has a unique fingerprint, thus making fingerprints a particularly accurate method of identification. There is evidence to suggestthat societies as far back as ancient Babylon—thousands of years ago—used fingerprints to authenticate documents. The use of fingerprints as a biometric identifier gained traction in the United States’ criminal justice system in the early 20th century.
Apple is not the first company to include a fingerprint scanner in a mass-market consumer good. Computer manufacturers, including both Hewlett-Packard and Lenovo, have built fingerprint scanners into personal laptop computers. Motorola released a cell phone in 2011 that also included a fingerprint scanner.
What differentiates Apple’s iPhone 5S launch from previous manufacturers’ attempts is the swift and widespread adoption rate of the iPhone 5S. In the first weekend following Apple’s release of the iPhone 5S, the company sold over nine million new devices. Demand for the iPhone 5S has continued to outpace supply, as Apple’s website currently indicates estimated shipping times of two to three weeks for each iPhone 5S model. Thus, in less than two months’ time, Apple has placed a biometrics device in the pockets of millions of Americans.
As more and more Americans come to rely on fingerprint technology, it is quite possible that other manufacturers will follow Apple’s lead and implement the technology in their own devices. For now, Apple appears to have taken appropriate steps to implement the technology responsibly. Still, there remain unanswered questions. Will future manufacturers implement the technology responsibly? What are the consequences of an individual’s digital fingerprints falling into the hands of a third party?
An individual has no reasonable expectation of privacy in his or her fingerprints.
In the context of Fourth Amendment search and seizure cases, courts have held that an individual has no reasonable expectation of privacy in his or her fingerprints (see, for example, Rowe v. Burton). According to the Supreme Court of the United States in United States v. Jacobsen, a Fourth Amendment search occurs when “an expectation of privacy that society is prepared to consider reasonable is infringed.” As Justice Harlan first explained in Katz v. United States, an individual’s reasonable expectation of privacy is dependent upon two components: (1) the individual must have a subjective expectation of privacy, and (2) that expectation must be one that society is prepared to recognize as reasonable. Justice Stewart delivered the opinion of the Court, noting that “[w]hat a person knowingly exposes to the public … is not a subject of Fourth Amendment protection.”
There is growing concern about the status of personal privacy in the United States.
Earlier this year, Edward Snowden leaked information detailing widespread national surveillance conducted by the National Security Agency (NSA) as part of the NSA’s PRISM surveillance program. The details and extent of that surveillance program are still not completely known, and many other surveillance programs have since been reported on from the thousands of documents Mr. Snowden obtained and subsequently leaked from the NSA. In any event, there is growing concern about the status of personal privacy in the United States. A July 2013 Washington Post-ABC News Poll indicated that seventy-four percent of all adults (across party lines) believed the NSA’s surveillance program intruded on privacy rights.
Apple, which did not participate in the PRISM surveillance program detailed in the Snowden leaks, has joined other tech companies in an effort to increase transparency. For its part, Apple recently released a report detailing government information requests received by the company. In the United States, Apple received 1,000 to 2,000 requests for information from law enforcement agencies. Of those requests, Apple complied with zero to 1,000 of them. These numbers are expressed in ranges because there are gag orders in place prohibiting companies like Apple from disclosing the exact number. Even prior to the recent NSA controversy, Google had an entire webpage regarding transparency and government requests for information. Many technology companies (including Apple and Google) have signed a letter (pdf) urging Congress to pass the Surveillance Transparency Act of 2013.
“Passwords are secret and dynamic; fingerprints are public and permanent.”
The release of the iPhone 5S prompted at least one lawmaker to inquire further into the details of the “Touch ID” technology. Senator Al Franken, Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, penned a letter to Apple, noting that “[p]asswords are secret and dynamic; fingerprints are public and permanent.”
In his letter addressed to Tim Cook, Apple’s CEO, Senator Franken posed a series of questions regarding the availability of users’ fingerprints to the government or other third parties. While there has been no public response from Apple, the company has posted an information page, which attempts to assuage any potential privacy concerns.
Seemingly, Apple has taken the necessary steps to protect users’ fingerprint data from the prying eyes of the government or third parties.
Many of Senator Franken’s questions can be answered by understanding the technology in the iPhone 5S. For one, no image of a user’s fingerprint is stored on the device. Rather, users’ fingerprints are translated into complex mathematical representations.
According to Apple, it is impossible for a third party to reverse engineer an image of a user’s fingerprint. Moreover, even the mathematical representations that comprise the fingerprint data are encrypted and stored in the “Secure Enclave,” which is “walled off” from the rest of the device chip. Also on the Touch ID information page, Apple assures users that “fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can’t be used to match against other fingerprint databases.” Seemingly, then, Apple has taken the necessary steps to protect users’ fingerprint data from the prying eyes of the government or third parties.
The type of hack demonstrated in Germany is neither of the same type nor of the same degree as those contemplated by Senator Franken and other privacy advocates.
Shortly after the release of the iPhone 5S, a hacking group in Germany captured international attention following the group’s claim that it had successfully hacked the iPhone 5S fingerprint scanner. This claim, however, requires some qualification. The group was able to “hack” the fingerprint scanner by photographing an iPhone owner’s fingerprint that had been left on the glass surface of the iPhone. Using this image, in conjunction with an artificial finger, the group was able to create an artificial fingerprint and gain access to the iPhone.
The type of hack demonstrated in Germany is neither of the same type nor of the same degree as those contemplated by Senator Franken and other privacy advocates. The primary concern regarding Apple’s Touch ID technology is whether third parties (including the government) have the ability to gain access to a digital image of an iPhone user’s fingerprints stored within the device itself. Based on the underlying technology in Apple’s device, it does not appear at this time that such a feat is possible.
Notably, the hack demonstrated in Germany goes to another issue entirely: device security. While important, this issue is experienced on a more individualized basis (i.e., an individual whose iPhone is stolen and then “hacked” to gain entry into the device). This type of hack, while potentially serious, does not have the far-ranging consequences that would be associated with a hack enabling third parties to access digital images of a user’s fingerprints.
It is important that companies implement the technology responsibly so as to protect users’ fingerprints, and consequently protect users’ personal privacy.
Even if Apple is adequately protecting users’ fingerprints now, query what the future may hold. For instance, Senator Franken’s letter posed the question as to Apple’s future intentions for the technology. Additionally, as this technology becomes more popular among other consumer electronics manufacturers, the question remains as to whether those manufacturers will similarly implement adequate security protocols.
Unauthorized access to users’ fingerprints has differing consequences depending on the nature of the party receiving access. In the hands of a third party hacker, the extent of the danger is limited only by what that third party is willing and able to do with a digital copy of an individual’s fingerprint.
In the hands of a government agency, the consequences are just as uncertain. For instance, if an agency such as the NSA actually had access to the fingerprints of every iPhone user, it could build an extensive fingerprint database. While a national fingerprint database does already exist—the FBI’s Integrated Automated Fingerprint Identification System—the database is overwhelmingly used for criminal histories and suspected terrorists. The notion that a government agency could stockpile fingerprints of many—perhaps eventually all—unsuspecting American citizens is especially concerning in light of case law suggesting that individuals have no reasonable expectation of privacy in their fingerprints. These fears could be tempered by efforts already underway to increase transparency and government accountability regarding NSA surveillance programs and other government requests for data.
As this technology becomes more widely adopted, it is important that companies implement the technology responsibly so as to protect users’ fingerprints, and consequently protect users’ personal privacy.