U.S. Senate Democrat Al Franken demands answers from Apple CEO Tim Cook over iPhone 5s’ Touch ID

“The iPhone 5s, released Friday, has a built-in fingerprint scanner, which will function as an alternative to conventional passwords,” Andrea Peterson reports for The Washington Post. “Some privacy advocates are concerned about how Apple plans to handle this highly sensitive data. Apple says it will only store the data collected via Touch ID on the device in an encrypted format rather than in a centralized server. Apple will also block third-party apps from accessing Touch ID.”

“But Sen. Al Franken (D-Minn.) wants details about Apple’s plan for the data collected by the system,” Peterson reports. “Thursday he sent a letter to Apple CEO Tim Cook asking some tough questions about the fingerprint system, and noting how fundamentally different biometric identifiers are from previous ID methods.”

“Franken wants to know more about the technical possibilities of Touch ID and how Apple plans to use it,” Peterson reports. “For instance, if it’s possible to convert or extract locally stored fingerprint data in a format that could be used by third parties, and whether that can be accomplished without physical access to the phone. And what diagnostic information, if any, the iPhone 5s transmits about the Touch ID system to Apple and third parties. And he wants assurances that Apple will never share the fingerprint data or the tools needed to get them with commercial third parties.”

Read more in the full article here.

Franken’s letter to Apple CEO Tim Cook is here.

MacDailyNews Note:

[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]

Related articles:
Motorola, T-Mobile respond to U.S. Senator Al Franken over Carrier IQ use – December 21, 2011
AT&T, HTC, Samsung, Sprint respond to U.S. Senator Al Franken on Carrier IQ – December 16, 2011
U.S. Senator Al Franken presses wireless companies and hardware makers for Carrier IQ answers – December 5, 2011
Apple, AT&T, Sprint, T-Mobile USA sued over alleged Carrier IQ use – December 5, 2011
Phone ‘rootkit’ maker Carrier IQ may have violated U.S. federal wiretap law in millions of cases – December 4, 2011
Carrier IQ is misunderstood, not evil – December 3, 2011
U.S. Congress Democrat Markey calls for FTC investigation of Carrier IQ software – December 3, 2011
Apple will remove Carrier IQ; how to block it on your iPhone now – December 2, 2011
U.S. Senator Al Franken wants answers from companies who install Carrier IQ software on smartphones – December 1, 2011
Senator Al Franken! Paging Senator Al Franken! – December 1, 2011
Video shows secret software on millions of Android, BlackBerry, and Nokia phones logging everything you do – November 30, 2011
U.S. Senate Democrats Franken, Blumenthal introduce mobile privacy bill – June 15, 2011
Recap of Apple and Google’s testimony before Senator Al Franken’s mobile privacy hearing – May 10, 2011
Apple, Google to face U.S. Senator Al Franken’s subcommittee in mobile privacy hearing – May 9, 2011
Apple’s Bud Tribble to testify in U.S. Senator Al Franken’s Judiciary Subcommittee hearings on mobile privacy – May 6, 2011
Steve Jobs: Apple isn’t tracking anyone; looks forward to testifying before Congress – April 27, 2011
Apple releases Q&A on Location Data: ‘Apple is not tracking the location of your iPhone’ – April 27, 2011
U.S. Senate Democrat Franken to hold mobile privacy hearing; Apple, Google summoned – April 26, 2011
Steve Jobs on iOS location tracking: We don’t track anyone, but Droid does – April 25, 2011
Android phones regularly transmit location data to Google ‘at least several times an hour’ – April 22, 2011
U.S. Senator Al Franken demands answers from Apple’s Steve Jobs over iPhone tracking – April 21, 2011

112 Comments

  1. What about all the HP computers and other brands that do the same fingerprint recognition/entry? Guess we better ask the what they have been doing with them for YEARS!

  2. Why must it sound so dramatic? Could the Senator simply interact with Apple to get it the information? Really, seems more Hollywood and I know the questions are very important ones. However, since we touch our phones, the prints can be easily lifted of the glass of the devices. So, this form of theft requires only the most basic skills. Just seems overly dramatic.

    1. Except that the iPhone’s fingerprint sensor replies on scanning sub-dermal layers as well, or weren’t you paying attention. A simple fingerprint lift will just not work the way you imply.

      =:~)

      1. Yes I am aware of the sub dermal scan, scar tissue, and algorithm. However, this is a very technical trade of theft. My concern is the action of demanding instead of quietly interacting with the company. Seems the Senator is less concerned on the repercussions of how people can spin this into a point where a greater harm is done. A persons indentiy can easily be done by lower tech methods. It is done daily and can pop up again in the future. This could be a new vector, but my point is this- Why demand publicly on something he has few answers for. Should they not compile, understand, and if Apple stonewalls or is not cooperative, then demand publicly? Seems a little self serving.

      1. It’s a bad thing because the gubmint is already very intrusive. The gubmint should leave us all alone and allow us to run our own affairs. We do not need the most reprehensible people in our country looking over our shoulder. We have a Constitution to protect against such things, but it only works if you follow it.

  3. He’s just picking on Apple, like a hit whore.

    These questions should have been asked from day one, when finger print sensors first became available.

    I went on a trip recently, almost all immigration desks have finger print scanners, across Europe and America. However, maybe because of my passport origin, they never asked me to use it.

    Actually, you would be surprised at the “mental” abuse some foreign citizens get, across the world, unless they are from the “special” countries. Also learned that Austrian officers, don’t tolerate stupid. 🙂

  4. My guess is Al just got a new iPhone and can’t figure out how to set it up.

    Tim to Al – Touch ID is an alternative to typing in a passcode. It also validates iTunes purchases instead of typing in your passcode. We don’t discuss future plans for technology.

    It’s doesn’t scan or store a ‘fingerprint’ per-say but rather creates a conductivity map of your finger. At the level of detail this sensor is that will provide a unique enough signature it’s very unlikely to be unlocked by another random person. But I haven’t seen what the likelihood is.

  5. OMG what a TechTard is Al Franken. Apparently, he’s illiterate. Apple most carefully and explicitly say EXACTLY what happens to the Touch ID data. Here’s where, Mr. TechTard illiterate Al Franken, directly from Apple at their site on YouTube:

    OR, you can watch it at Apple’s website here:

    http://www.apple.com/iphone-5s/videos/

    OR, I found it copied over 20 times on YouTube. Do a search for “Apple – iPhone 5s – The new Touch ID fingerprint identity sensor”.

    All fingerprint information is encrypted and stored inside the secure onclave in our new A7 chip. Here it is locked away from everything else, accessible only by the Touch ID sensor. It’s never available to other software and it’s never stored on Apple’s servers or backed up to iCloud.

    *rant*
    While this Demo-dummy is proving his incompetence, the Neo-Con-Job / Tard Party SCUM in the US House of Representatives are threatening to bankrupt the USA over The Affordable Care Act, which they snidely call “Obamacare”. Treasonous.

    To hell with BOTH worthless political parties ruining the USA. Die.

    May actual REPRESENTATIVE, MODERN, constitutionally LITERATE political parties rise out of your fetid ashes. /rant

    1. Since you seem to know so much about it, maybe you can answer the questions I have and can’t find elsewhere:
      What type of encryption algorithym does it use?
      How secure is it – how many bits?
      Is the encryption one-way or two-way: does the stored fingerprint have to be unencrypted to compare it to the unlocking print, or is the encrypted form of the unlocking print compared to the encrypted form of the stored print?
      If the latter, is there an unencryption key? Does Apple know what the key is? Does the NSA?
      Thanks, I appreciate the answers.

      1. EXCELLENT QUESTIONS! And I have zero data so far about any of it! It’s clear that Apple is holding these cards close to their chest.

        I can chatter on about the best currently available encryption system Apple SHOULD be using. But I don’t know what they actually are using.

        If, as they say, only the Touch ID process can access the encrypted data, theoretically this is hack-proof and it wouldn’t matter if they told the world about their specific encryption system. But the hacker community is wise, curious and persistent. It would bash away to find out how to simulate the Touch ID process and attempt to grab the encrypted data. Whether it could then UNencrypt the data is another matter. I very much doubt they could, IF Apple has used the basic encryption it has had built into the Disk Utility application for years now. It’s 256-bit encryption that would, theoretically, take more than a human lifetime to crack with any computer system imaginable today.

        BUT, we know there is a lot more to encryption than simply the encryption system used. Is the Touch ID using a password to access the encryption and decryption of the data? Is it something obvious like the word ‘admin’, which is used on quite a few WiFI routers, allowing them to be easily cracked by any script kiddie level hacker? We shall see.

        In the meantime, I fully believe Apple’s lock down of the Touch ID system such that there is zero chance of data leakage. We know hackers are bashing away at this security system as I type. We also know Apple allowed a ludicrously easy security hole into iOS 7 whereby finessing the Home button will let any hacker into a significant swath of the phone’s data. Blunder deluxe. Humbleness in computer security is required at all times. Anyone bragging about having perfect security is only setting themselves up to be first in line to be hacked, and typically they will be. Such as the remarkably primitive level of computer security we have today, despite ambitious standard best practices.

        1. It is precisely this bug in ios 7 that people should be VERY suspicious of how secure this data will be. Al Franken is totally correct to be concerned of this technology and apple’s answers are vague at best. In this age of data espionage, the burden of proof that this is a secure system is on apple. I sure as bell won’t be touching it with a ten foot pole.

          1. I disagree that Apple was vague. Franken really did pull a boner of deliberate ignorance. Finding out exactly what he wanted to know was DIRT easy and he fracked it up. Shame on him and politicians like him.

            But yes, expecting whopping security holes in even something that sounds as locked down as Touch ID is typically a GREAT idea. It is also a concept that flies WAY over the head of the likes of Al Franken. Such hacking concerns were NOT what he was ranting on about.

            Somewhere around here I went into a more detailed diatribe about how to hack Touch ID and how it is currently top-of-the-list on hacker’s radar this week. It’s going to be interesting what they shake out about the Touch ID system. Meanwhile, Apple is wisely keeping their cards close to their vest, not wanting to give hackers any help.

            1. Except, as I pointed out, none of the important questions have been asked, much less answered.

              In any event, there is a dead easy way to access your data: it involves a hammer and a machine that scans flash memory. It does kind of ruin the resale value of the iPhone though.

            2. I agree that important details, from a techy’s POV, have not been answered. They’re not going to be answered either, as I explained.

              As for the hammer, cathode and anode method: From what Apple said, the data doesn’t go into flash memory. It has to work something like PRAM, which is not the same as Flash. I suspect the data is wiped if the iPhone is factory reset. Picking up the data transmission would still be possible. But if it is kept encrypted, what’s the point?

              However, if the data is transmitted in and out of the A7 chip in the clear, ooo wouldn’t that be naughty?!

              Damn, that would be bad. Get to it hackers!

              IOW: Wait and see what shakes out as the hackers bash at Touch ID.

            3. Very few people want your fingerprints. If they do, they can lift it from anything you touch. Many more people would want your email, contact list, personal information that is stored in the clear on your memory. Hence the hammer and the reader.

            4. Well, it would be VERY difficult to merely use a lifted fingerprint and get it to work as a fake that would work with Touch ID, if it does what Apple says it does. It is NOT merely a pattern recognition system.

              Apple are saying Touch ID requires a living finger in order to log in the user. I joked somewhere around here about consulting with ‘Herbert West, Reanimator’ for ideas on how to make a dead finger appear to be alive enough to trigger the Touch ID system. To my chagrin, simply keeping the severed finger in an isotonic solution at 98.6ºF is insufficient for login functionality. Darn.

            5. Well, either they
              a) want your phone
              b) want the data off your phone, or
              c) want your fingerprint.

              B is where the hammer comes in. C they can get off anything you touch. A is a hella lotta trouble for $500 (probably the max it would fetch fenced).

        2. ” Is the Touch ID using a password to access the encryption and decryption of the data?”

          Derek, I think this is the key unanswered questions. More specifically, Is there a decryption key? I don’t see any reason to even allow the data to be decrypted. I also don’t see many of the other commentators understanding anything about security, ne?

            1. Apple has already started off on a bad note with 7 betas of ios 7 that allowed this security hole to slip into the public release. This in itself should be enough evidence that apple shouldn’t be trusted when they say this data is secure.

            2. Actually, after my experience studying modern software security, I question ALL software systems. The coding languages we are currently stuck with are GUARANTEED to screw up memory management. Sometimes I think it is humanly impossible to write modern code that doesn’t have some kind of buffer overrun catastrophe built in. Then I realize that if humanity ever does write an AI system (artificial intelligence) it is GUARANTEED to be utterly insane. I don’t means Skynet insane. I mean incoherent, can’t tie its own shoes without blowing a circuit insane.

              Therefore, the Apple Home button security blunder in iOS 7 is merely an inevitability. And yes, no software system should EVER be trusted as truly secure. I don’t care WHO wrote it.

            3. The stored print does not have to ever be decrypted, if they went that way. The unlocking print is encrypted and compared to the stored print data. The end result is that it would be nearly impossible to recover the stored fingerprint, even if you accessed the data.

            4. If what you are saying was truly true, it wouldn’t need a secure enclave in the first place. Obviously apple is worried that the data COULD be reverse engineered.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.