Apple’s iPhone 5S with biometric identification: Big Brother’s dream?

“The latest series of Apple’s iPhone will not only continue to cultivate numerous apps that track your location through GPS and transmit data directly back to corporations and government, but contain a fingerprint sensor that stores your fingerprint in order to purchase apps and unlock the phone for use,” Anthony Gucciardi writes for Storyleak.

“And that’s really just the beginning. As millions will most likely continue through the Apple food chain and purchase this phone, the NSA and bloated federal government at large will be beyond ecstatic,” Gucciardi writes. “Because after all, it’s a real dream come true for the Big Daddy government spy state. No longer will you actually need to be arrested to gather your fingerprints — we’re talking about millions nationwide willingly submitting their biometrics to a database that most certainly is accessible by Apple and big government.”

Gucciardi writes, “But don’t worry, the same company that has given away all of your chats and personal data through the NSA’s top secret PRISM program says that you’re perfectly safe… Of course Apple claims that the fingerprint scans will be ‘local’ on your hardware, but of course the NSA and FBI would not let such a precious database go to waste.”

Read more in the full article here.

MacDailyNews Note: According to Apple, “All fingerprint information is encrypted and stored within the secure enclave in our new A7 chip. Here it is locked away from everything else, accessible only by the Touch ID sensor. It’s never available to other software and it’s never stored on Apple servers or backed up to iCloud.”

[Thanks to MacDailyNews Reader “CognativeDisonance” for the heads up.]

84 Comments

    1. Agreed. And so what? What are they going to do even if they do collect this data? Frame you? Sorry, but the data saved is not the same thing as an actual print. It’s worthless to anything other than the Touch ID sensor.

      The government has a photo of my face, my signature, they have my social security number, my blood type, my fingerprints, and I’m pretty sure they can get a hold of my DNA even WITHOUT Apple’s help.

      I’m much more concerned about REAL privacy issues.

  1. It doesn’t take a conspiracy theorist to believe the NSA will attempt to gain access to this info. You’d have to have ignored decades (and especially the past 4 months!) of news to believe otherwise. The only question is how much Apple will resist subverting the privacy it supposedly has, remembering that the government can apply a LOT of pressure when it wants to.
    Of course, getting an individual’s fingerprints isn’t hard, unless they wear gloves all the time (in which case, steal the gloves *grin*). But, collecting a bunch in one shot would be a lot more convenient than targeting an individual.
    Personally, it doesn’t affect me, since to become an attorney you do a background check, so all ten of my prints are on file somewhere. Nevertheless, you don’t have to be crazy to think that the government could eventually get access to that info if it wants to.

    1. It’s not access to the fingerprint that bothers me. It’s the idea that all online activity could now (in theory — but the NSA has been turning theory into constitutional-trampling reality at an astonishing pace), be keyed directly to a verifiable unique identity.

      They can already read the email in your anonymously-named Gmail account, examine your browsing history, and read a transcript of your phone calls. But now they’ll be able to know that it was in fact you using the device.

      1. Do you really think the NSA waits until your email, etc. gets to your iPhone to read it?

        Touch ID has nothing to do with what the NSA will or will not be able to collect. This information does nothing to help it access accounts, get phone records, etc. It gets that data directly from the company: Google, Verizon, Yahoo, Apple, Microsoft, etc. etc.

        Touch ID is to prevent people from being able to physically access your iPhone and to allow higher levels of security than a four digit code. Period.

      2. Only if you choose to activate the touch sensor and program it with your fingerprint, which is an option, not a requirement, of iPhone 5s use.

        If you’re that concerned about the possibility of your actions online being positively linked to you, don’t exercise that option. Obviously.

        1. No thanks isn’t a guarantee the sensor isn’t still storing data. As I said before, mics and cameras can be enabled involuntarily by an interested remote party. Also, it is obnoxious that it is on the home button, again, a very vital function to the operation of the phone. As for a 5c or 4s, I already have a 4s. Buying a 5c doesn’t change the fact that Apple already has plans to ram this crap down consumers’ throats in future iPads, phones, and likely Macs.

        2. Not to mention the 5c is overpriced, butt ugly, and made of retro 3G/3GS tacky plastic crap. No thanks. If that is how Apple treats customers who don’t want to comply with their invasive privacy violating fingerprint scanner, then Android may actually be worth switching to.

  2. Apple’s RF sensor reads the sub dermal ridges of the finger, which although unique to that individual, will not have exactly the same pattern as a conventional fingerprint of the surface of the finger. Therefore it wouldn’t be possible to recreate an image of your conventional fingerprint from the data sampled.

    Obviously a rational explanation will not cut any ice with the tin-hat conspiracy mob or the rabid Apple haters.

    1. So we have one nutter going on about how notebooks and Motorola smartphones have had this tech for years while other loons are saying that this tech is exclusively condemning its users to Govt surveillance. These conspiracy theorists and tech analysts, or is it paid Samsung apologists, really should get their stories straight.

    2. Your print itself is not needed. The data created from your print is what is desired.

      The data they went through a lot of trouble to try and protect within the CPU itself because they know that once someone has that data your thumb print is useless for securing anything.

      I’m not big on the NSA conspiracy theories personally. I find it more odd that people were surprised to discover the NSA was collecting data on everyone even if it is wrong.

      1. I find it odd that people think NSA wastes its time, money, effort spying on the average American. I believe the statement ‘Ain’t nobody got time for that’ fits here perfectly. Collecting data is one thing, actually USING any of that data is another.

  3. Yet another misleading article regarding Apple’s approach to this.

    The iPhone 5S doesn’t have a fingerprint reader. You couldn’t use the data from it to print out what someone’s fingerprint looked like. You couldn’t use the data from it to match it to a set of prints found on a glass, gun or scanned prints of an individual already in a conventional fingerprint database.

    The sensor on the iPhone 5S uses a set of different criteria to identify a match to the person who configured it (or another set up user of the device). These criteria go beyond the fingerprint itself and below the skin surface.

    You can’t lift the prints off something or print out the prints from a database, or apparently even cut off the finger of someone and use it to unlock an iPhone.

    Of course, the feature is optional for the truly paranoid, but really I have yet to hear a valid argument for concern however wildly speculated.

    Oh, and Apple says the data isn’t being sent to their servers or anywhere else. This will be verified shortly after the iPhone 5S ships and people can test it and see what data is and is not being transferred from the device. Considering how easy this is to track, it would be unbelievably idiotic to claim you’re not sending data if in fact you are. Especially from a company like Apple which people tend to pay attention to.

    The bottom line is that people who aren’t using PINs today or are using simple, easy to guess PINs, are likely to find themselves being far more secure than before.

    Add this to another feature of iOS 7, that is that you can’t restore an iOS 7 device with Find My iPhone enabled, and need to get past both the device lock and enter your Apple ID to turn off Find my iPhone as well as restore, and you’ve got a pretty damn “fool-proof-ish” device when it comes to security.

    Fool-proof-ish, as in some will always find a way to be foolish.

    1. That is one excellent example of why fingerprint scanning is NEVER EVER used alone in security. It is merely a second added level of MULTI-FACTOR AUTHORIZATION. To use it as the SOLE method of authorization is IDIOTIC in the extreme and should never be allowed by Apple. They’ve committed a MASSIVE BLUNDER here by allowing it to be the only authorization method.

      IOW: FAIL Job Apple!

      And yes, anti-Apple trolls. This is what serious Apple fanbois do: They nail Apple for stupid blunders, as required. You’ll be hearing Apple being called out for this terrible decision from around the security community until they fix it and FORCE real multi-factorial authorization. Tough boohoo LUSERS that it’s ‘inconvenient’. It’s security. Deal with it.

      And so on. I’m practicing my FAIL rant skills.

        1. I like that!

          It’s really up to individuals regarding how much they need and want to protect their data. Hopefully, with time, people will become aware of the importance of multi-factor authentication. But so far I am severely disappointed that even security pundits like Steve Gibson accept the use of fingerprints-only authentication on the iPhone 5S. And that’s after his work specifically teaching me the concepts of multi-factor authentication.

          IOW: ‘Clunkity clunk’ is the sound of human progress.

      1. According to you, one-point authentication through a passcode is just as idiotic. The only saving grace would be replacing one weak authentication method with another which, however, being convenient, is far more likely to be employed than the other, increasing the prevalence of locked screens from only 50% to essentially 100%.

        1. Well, I get fast and loose with the word ‘idiotic’.

          But you have summarized what I am hearing from many people at this point. Leo Laporte said much the same yesterday on ‘Security Now’ at TWiT.tv.

          As someone who studies and writes about computer security, however, I find this swap out of passwords for fingerprint scanning to be profoundly disappointing. It is a severe FAILure of opportunity to actually improve security. All we get out of the addition of the fingerprint scanner on the iPhone 5S is ‘convenience’, which is NOT the point of security. It’s an entirely non sequitur subject. It is a capitulation to the “LUSERS” and their laziness. That’s pathetic and dangerous.

          But ‘you can’t stop stupid’ and ‘the LUSER Factor is forever’, as I constantly remind myself. I never enjoy feeding my cynicism.

      2. My iPhone ≠ NSA Headquarters. I find it perfectly acceptable to use this as a sole method of authorization. Exactly why wouldn’t it be? And if Steve Gibson doesn’t have a problem with it…. (Security Now!).

  4. Here is how it will shake out:
    An iPhone will be requested for data harvesting during discovery or a found iPhone will likewise be harvested for identity data during an investigation.

    Until someone in Washington b-slaps the NSA, FBI, DHS and others we are going to be subject to the ever expanding police state. This will be exploited like every other tool of technology.

    Don’t you feel better?

    1. But if indeed the user’s fingerprint data WAS actually leaked out of the user’s full control and privacy rights, you’ll hear me screaming the usual bloody murder routine.

      IOW: F*CK you NSA for destroying citizen trust in its own government. It’s time to clean house in the USA.

      For review, the 4th Amendment to the US Constitution:
      The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      And as Benjamin Franklin clearly stated:
      They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

  5. Anyone who has ever served in a branch of the military has already been fingerprinted. Since I served in the Army, I’m sure it’s already in NSA, and who knows, maybe the CIA database. No big deal. 🙂

  6. Well since I’ve travelled to the US as a British citizen lots of times and at immigration I have to have my photo taken and my fingerprint scanned, you’ve already got it. Personally I’m more concerned about the fact that Facebook knows everything about you and who you associate with, and Google reads your emails. My fingerprint is left on everything I touch, not much I can do about that, but I don’t use Facebook or Google and I trust Apple the most.

    1. No one seems to care that businesses collect tons of data on the average person, and analyze, use, sell and share this info with other businesses on a daily basis. I’m not sure how they’ve no problem with this yet panic when they learn that the NSA has access to some of the same data. Disregard the fact that NSA doesn’t actually use ANY of this data unless extremely specific circumstances are met. And hey, what’s national defense compared to corporate profits?

  7. Wow such vitriol against people concerned for their privacy. Short sighted people who willingly and gladly hand over their personal details are the morons.
    But, I have a question for you folks – if there is no problem and being concerned is misguided, conspiracy theory crackpot stuff, why does apple go to such lengths to securely hold the fingerprint (or whatever it is) and publicly reassure customers that it’s never stored on a server or transmitted??? Eh?

    1. The question of NSA/Gov privacy abuses and Apple’s biometric security system are two completely different arguments if Apple’s claims are true. And as mentioned above, it is going to be quickly apparent whether fingerprint data is being sent anywhere. If Apple’s claim that your personal data stays locked and sandboxed in a secured area of the A7 is true, then there is NO database for anyone to retrieve the data from. This conflation of the iPhone and the debate over NSA actions is irresponsible journalism. I hope Apple responds quickly and forcefully to lay these insinuations to rest.

      1. As long as the device collecting this data is connected to the net, the assumption should automatically be that the data can be stolen from the phone. The leaked NSA docs already elaborate on what depths they are willing to go to gather data, and it isn’t like Apple is putting up much of a fight either. As soon as the NSA comes aknocking for this data, you can bet your ass Apple will fold like a cheap suit.

        1. I disagree that the NSA would go after this information. As explained by Apple, it’s a unique piece of data attributable to your fingerprint. Given Apple’s acquisition of the company behind the technology, it’s unlikely any other company (*cough* Samsung *cough*) will be able to use the same algorithm, making the data not very useful to the NSA. Your PIN is arguably more valuable because you choose one (generally) that is memorable to you, and therefore gives clues to you, your personality, your history… things which can be triangulated upon and used. Your fingerprint, as known to the A7 processor, will not get someone into a secure facility, nor tie you to a crime scene.

        2. If the sensor can repeatedly “retrieve” the data from my fingerprint, then it is not unfathomable that another sensor from another company could retrieve AND store the data the same way. I wouldn’t be surprised if it actually becomes a government mandate that it is stored in a consistent repeatable standard precisely to make retrieving it by the NSA or law enforcement much easier. For all you know, considering that iOS is a closed platform, the reference code Apple produced or AuthenTec created had governmental interference to guide it into alignment with a standard that will make compiling a national database much easier. I also wouldn’t be surprised to see something in the future that could deny legitimate users access to their phones as a result of improper designation of a law abiding citizen as a terrorist. Apple’s 1984 commercial was so far ahead of its time and very apropos for the new Big Brother Apple that exists today.

        3. But what you are describing is actually a bypass of some other fingerprint sensor, wherein you feed into its algorithm the data it thinks it would have gotten from the sensor itself. That implies physical access to the guts of the device which is way beyond what anyone is concerned with here. Apple has said they don’t store your fingerprint; rather, they are storing some compilation of information measured and inferred from subdural analysis, only for the purpose of confirming to the security framework that you are the person who presented the same finger to the device during the training period. As much as you want to conceive of all manner of offshoots from this, it’s pretty clear that Apple is not storing enough data to recreate your fingerprint. So again, it’s useless information to any other system out there. Consider the data stored in the chip to be your public key and your finger is the private key. The presence of the public key does not allow you to recreate the private key.

        4. Apple was very vague about how they are securing this data. To say they are keeping it in the A7 chip says little about how exploitable the data can be by a determined entity like the NSA that wants the data. To say this is even remotely like public key encryption is sort of silly. I think in the age of all these data breaches and again considering they are storing this data on a network enabled device, it is naive to believe any of this data is secure on the phone. The only true security is a phone that can’t capture the data in the first place.

        5. The same reason the NSA is collecting any data at all. It is all about power and control. How much more naive do you have to be, to not see the implications of this kind of data getting into the wrong hands?

        6. Btw. It was never about collecting a single individual’s data. That data by itself is worthless. It is the patterns that are seen when the data is matched up and seen from a global collective that causes it to be dangerous. These new sensors are going to make it not only possible to collect the data, but physically link it to a specific person.

        7. Yeah, just waiting for the day NSA comes ‘aknocking’. That’s what they do, after all, spy against Americans. Surely there are no greater threats to America than all these pesky Americans.

      2. I suspect Apple feels the lengths it went to are sufficient. The fact that some people will seek personal gain by trying to show how much smarter they are than Apple can be allowed to influence their communication strategy only so far. If you look at how “mac hack” has twisted the argument around you can see the beginnings of too much denial signaling guilt in the minds of some.

    2. The vitriol is unfortunate. There are a lot of people who don’t understand technology even sufficiently to operate their TV/DVD/Blu-ray, etc. I think Apple goes to the lengths to explain it for two reasons: One, in the face of all this Snowden stuff, to reassure buyers that there is no more personal detail in what they need from your fingerprint than there is in your choice of PIN; and, two, to set a bar for other manufacturers so implementations don’t get progressively weaker and hurt the reputation of the technology. Some people, like Tim Cook, will fight battles based on principles rather than economics.

      Remember earlier this summer when New York was going on about cell phone manufacturers not doing enough to make cell phone theft unattractive? I think the iPhone 5S with iOS 7 has pretty much nailed that issue. That’s Apple producing a forward-thinking product.

    3. Not vitriol, just astonishment at what people expect to be ‘private’. Phone calls? Online chat sessions? Emails? Facebook posts? Browsing history? The stupidity of thinking these activities are in any way private seems to be pervasive.

  8. I pity the fool that thinks the fingerprint data is not accessible to software. The same fool that thinks AES256 encryption doesn’t have a back door exploitable by the NSA.

    Apple can release the design for public scrutiny if they want to prove otherwise.

    1. Gary, what would software do with the fingerprint data? It’s not used anywhere else for anything. If you are a nefarious software developer you’re not interested in the fingerprint data, you’re interested in the boolean that is returned by the system: “Yes, this is Gary” or “No, this isn’t Gary.”

  9. I don’t know why people make such a hullabaloo about the NSA when you go to their Facebook pages and see that they have already given lock stock and barrel to Mark Zuckerberg.
    I doubt that there is enough electrical power being generated in the US alone to even begin the task of “monitoring the web”, let alone recording web traffic? Manufacturers would not be able to build storage systems quickly enough to keep up with such a ludicrous endeavor. Probably it would be easier to keep track of an accurate count of the grains of sand on every beach.

    1. And yet, everyone is jumping up and down with joy to put yet another private identifier of themselves into a phone that will be easily exploited and have the data retrieved from it. Now that is a genius idea there. NOT

      1. Could you share the link you must have discovered between your first post on this article and this last one? The article that explains how you went from questioning the technology to having determined conclusively that it will be easily exploited?

        And then you really need to go back and review what Apple said. When you type in your 4 digit pin to unlock your phone the Springboard has asked the system to present the lock screen challenge and awaits a callback that says it’s okay to proceed. This new ID system integrates into that. Nothing more. Have you read what all the other posters have noted about their fingerprints having long been in the databases, all for legitimate reasons?

        Again, the “exploit” isn’t to share the fingerprint “data” to other phones, because that would just allow *you* to use them if you presented your finger to them, which is the opposite of what you’re worried about. When you set up a bank account, and they record your answers to secret questions, those answers are what identify you to the person at the bank. But if you steal my answers and go to other banks and present my answers to them they’re going to have you escorted out of the building for being weird.

        Whatever result Apple stores based upon the unique attributes of my fingertip is *worthless* anywhere else! That’s really all there is to this.

        1. There used to be a time when the thought of collecting massive amounts of data in general would have been thought to be impractical and inconceivable, but yet. Here we are. The NSA is mining massive amounts of data. Wrt legitimate databases of fingerprints, that may be true but may not be digital and even then is nowhere near as extensive as the one the NSA could build from people voluntarily storing them on insecure network connected phones. Again, the only real security for this data would have been and still is to buy a phone that can’t collect the data in the first place and digitize it. Even in a case where Apple could have put the sensor off to the side, they insidiously put it on the one function everyone needs to use to use the phone. The same sneaky approach will be on iPads and soon Macs. As I said before, Apple can take their Touch ID and shove it. Anyone dumb enough to submit their data to this crap, deserves the inevitable consequences that aren’t just probable, but at this point based on how aggressive the NSA is being, 100 % guaranteed.

  10. I think Apple’s trying to do the right thing here, and the fact that it is supposed to be embedded in hardware only sounds impressive (although if it’s in hardware only, why does it say it is not available to OTHER software?). But the troublesome thing is whether the NSA will take a shot at getting this stuff. Probably they won’t be doing it this year or next, but it would hardly be surprising if in 5 years or 10, some nut at the NSA decides to apply the right pressure to get it all.
