In a letter sent to Apple on Thursday, Franken asks Apple CEO Tim Cook all the important questions about the company’s fancy new fingerprint sensor, which is embedded in the Home button of the iPhone 5S. Can third parties use Touch ID data to recreate a user’s fingerprints? Will third-party app developers have access to fingerprint data? Can the FBI make someone unlock their phone? And so on.
If Cook responds to these questions in full – and he should – we will no longer have any lingering doubts and about the safety, security, and privacy issues that surround the sensor known as Touch ID.
“Passwords are secret and dynamic; fingerprints are public and permanent,” wrote Sen. Franken. “If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it – as many times as you want. You can’t change your fingerprints. You have only 10 of them. And you leave them on everything you touch; they are definitely not a secret. What’s more, a password doesn’t uniquely identify its owner – a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.”
In addition to addressing concerns about “hackers,” Franken delves into very specific questions about the ways in which law enforcement, including the FBI, can use our fingerprints, and the Touch ID unlocking mechanism against us.
For example, U.S. law allows FBI agents to force a person to turn over “tangible things” through the use of a court order. “Tangible,” in this case, means physical or digital items that you can see or touch. What the FBI cannot do, thanks to the Fifth Amendment’s protection against self-incrimination, is make someone reveal something they KNOW. This is an crucial distinction, as it relates to Touch ID. An FBI agent could not demand that you unlock your iPhone, if you’ve locked it with the 4-digit pin (which is still an option, BTW). But what about the fingerprint lock? A fingerprint is, after all, something you can see, and is not knowledge in the same way a 4-digit pin is – a point Electronic Frontier Foundation Staff Attorney Marcia Hoffmann recently drilled home at Wired.
While this will surely be an issue for the courts to decide eventually, Franken wants to get Apple’s take on the record, asking, “Does Apple consider fingerprint data to be ‘tangible things’ as defined in the USA Patriot Act?”
Franken even goes so far as to ask, “Does Apple believe that users have a reasonable expectation of privacy in fingerprint data they provide to Touch ID?” That term “reasonable expectation of privacy” is key – a legal phrase that defines what types of data or information law enforcement may access without search warrant under the Fourth Amendment. If there is no reasonable expectation of privacy, there is no search.
We’ll be waiting to see how Cook (i.e. Apple’s lawyers) answer these questions, which every Apple iPhone 5S customer deserves to know. However, for now, we’re not going to let ourselves get worked up. Apple has put a lot of effort into making our fingerprints safe. And besides, if the FBI wants our prints, they can get ’em – we leave them everywhere we go.
Read Franken’s full letter here.