Sen. Franken seeks data on privacy controls in iPhone 5s fingerprint tech

Lawmaker seeks answers to a list of 'substantial privacy questions' sent to Apple CEO Cook

A U.S. lawmaker wants to know whether the Touch ID fingerprint reader in Apple's iPhone 5S has adequate controls to protect the personal data of users.

In a letter to Apple CEO Tim Cook, Sen. Al Franken (D-Minn.) sought answers to a set of detailed questions on whether the technology includes controls for securing fingerprint data and whether the company has any undisclosed plans to share the data.

While Touch ID could improve certain aspects of mobile security, it also raises "substantial privacy questions" said Franken, chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law.

In the letter, Franken told Cook that he is "seeking to establish a public record of how Apple has addressed these issues internally and in its rollout of this technology."

Apple didn't respond to Computerworld's request for comment on Franken's concerns.

Apple's Touch ID is a fingerprint-based authentication system for the iPhone 5S, that allows up to five users register fingerprints on a single device. Apple says the technology is designed to make the iPhone a less attractive target for thieves.

Industry analysts have so far generally hailed the technology as a step forward in mobile security. Some analysts predict that it won't be long before the Touch ID feature is included on all Apple products.

In the letter, Franken acknowledged that Apple has taken measures like ensuring that fingerprint data is encrypted and only stored locally, and to block third-party access to Touch ID. "Yet important questions remain about how this technology works, Apple's future plans for this technology, and the legal protections that Apple will afford it," Franken said.

Unlike passwords that can be changed at will, fingerprints are permanent, Franken wrote. "You can't change your fingerprints. You have only 10 of them. And you leave them on everything you touch; they are definitely not a secret. If hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life."

Franken asked Cook to explain how Apple will convert locally stored fingerprints into a digital or visual format that could be extracted and later used by Apple or third parties. "Is it possible to extract and obtain fingerprint data from an iPhone? If so, can this be done remotely, or with physical access to the device?" he said.

He also asked whether the iPhone 5S is designed to transmit diagnostic information about the Touch ID back to Apple or other third parties, and whether fingerprint data would be backed up on a user's computer.

He also sought information on how Touch ID interacts with iTunes, iBooks and Apple's App Store. "Can Apple assure its users that it will never share their fingerprint data, along with tools or other information necessary to extract or manipulate the iPhone fingerprint data, with any commercial third party?" Franked asked.

John Zurawski, vice president at Authentify, a vendor of voice-based authentication tools, said questions like thosed posed by Franken should be asked of any vendor of biometric devices.

Biometrics does offer a secure layer of authentication, he noted. "The ability to reverse engineer a fingerprint from its encrypted digital form would be very labor intensive," and probably not worth the effort for cybercriminals he said.

"The average consumer's credit and identity information may not be worth the computational effort required to reverse engineer," he said.

"I think many of Senator Franken's questions hit important areas," added Joe Schumacher a security consultant with Neohapsis, a vendor of mobile and cloud security services. "It is important for the consumer to understand how Touch ID communicates with Apple regarding use of the service, diagnostic information and interaction with other Apple applications."

The fact that fingerprint data is stored locally on the iPhone is a good thing from a security and privacy perspective, Schumacher noted.

However, Apple must clarify how the sharing of fingerprint data will proceed when Apple rolls out the technology to other devices. "Biometric fingerprint technology is a great form of identification but not the best form for authentication, at least not by itself," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about mobile/wireless in Computerworld's Mobile/Wireless Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Mobile/Wirelessconsumer electronicsNetworkingsecuritywirelesssmartphonesSenamobileprivacyApple

More about AppleNeohapsisTechnologyTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place