In 2011, Senator Al Franken called on Apple and Google to participate in a hearing with the Judiciary Subcommittee on Privacy, Technology and the Law. Franken at the time had stated that technology had given us smartphones, tablets, and cell phones and yet allowed these devices to gather extremely sensitive information about users, including detailed records of citizens daily movements and location. The hearings were a first step in protecting consumers' privacy. Franken's statement also noted that "Recent advances in mobile technology have allowed Americans to stay connected like never before and put an astonishing number of resources at our fingertips." Little did he know that three and half years later his statement would be literally true? Franken is now asking Apple for clarity on privacy concerns with the use of their new iPhone 5S fingerprint scanner.
According to reports, Franken is on record stating that the fingerprint system could be potentially disastrous for users if someone does eventually hack it. While a password can be kept a secret and changed if it's hacked, he said, fingerprints are permanent and are left on everything a person touches, making them far from a secret.
In a letter to Apple's CEO Tim Cook he wrote: "Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.'' Apple says it's not possible to convert a fingerprint from a police file into something the phone will recognize, as the sensor reads a sub-epidermal layer of the finger.
In light of the recent Prism controversy, Apple sent out a press release titled "Apple's Commitment to Customer Privacy," back on June 16, 2013. One part of their statement reads: "Apple has always placed a priority on protecting our customers' personal data, and we don't collect or maintain a mountain of personal details about our customers in the first place."
While Apple's statement may be true, a new report reveals that an extended ruling by a secret court backs the collection of phone data. The New York Times article is an interesting read about privacy and how the Patriot Act holds particular powers on accessing citizens phone records. It's because of these legal twists between intergovernmental bodies that Al Franken wants clarity from Apple about their use of fingerprint technology.
To what extent Apple's legal team visited the legal ramifications of their new technology isn't known at this time but we do know that Apple went out of their way in their new iPhone 5S video to clarify that no developer has access to your fingerprints; that Apple's own servers don't store your fingerprints and that your fingerprints are never backed up to Apple's iCloud service. We covered the main points of Apple's Touch ID in our September 11 report titled "Apple's Touch ID: An Invisibly Seamless Security Feature."
In the bigger picture, putting Apple's technology under a spotlight could be a good thing. Putting it under the fire of public inquiry could demonstrate to the public that Apple is going to extraordinary lengths in securing a user's sensitive fingerprint information. Learning about the types of questions that Franken will be or has asked Apple is quite intricate. It's almost as if Franken is helping Apple legally frame their technology correctly so as to thwart future attempts by differing intergovernmental agencies to obtain a warrant or subpoena for accessing any fingerprint records in the future. In part, Apple's logic to not hold customer fingerprint data on any of their servers may have been their strategy to work around such legal trappings.
The NY Times report noted that "Another important question is whether Apple considers fingerprint data to be the contents of communication or a subscriber identity under the Stored Communications Act. This is particularly important because content data requires a warrant to be released to law enforcement, but a subscriber ID or number only needs a subpoena. Similarly, Franken asks if Apple considers fingerprint data to be a "tangible thing" as defined in the Patriot Act, or subscriber information that they could be compelled to share by a National Security Letter.
While some of the answers to the system process questions seem to be implied by what we know about Touch ID so far, responding to Franken's letter will put Apple on the record on many of the most pressing questions about the technology. Franken wants a response from Apple within a month of receiving the letter. Hopefully we'll be able to get Apple's public response to these questions shortly thereafter.