WASHINGTON – One of the highlights of the iPhone 5S, the fingerprint scanner, is facing two concerns that may take a little shine off Apple’s cool new feature. Privacy advocates have raised concerns over how Apple plans to handle this highly sensitive data.
And many consumers who ran out to pick up the new iPhone when it went on sale Friday may find themselves at odds with their information technology departments. Few companies and government agencies allow their employees to use fingerprint IDs to unlock iPhones being used for work. It may take months or longer before these businesses adopt the new technology.
The iPhone 5S is the first Apple device with a built-in fingerprint scanner on the home button. Instead of entering a four-digit code, a user needs only to place their finger on the button to unlock their phones. Apple says it will only store the data on the device in an encrypted format rather than sending it to its own servers. Apple will also block third-party apps from accessing what the company calls “iTouch ID.”
Last week, Minnesota Sen. Al Franken sent a letter to Apple CEO Tim Cook noting how fundamentally different biometric identifiers are from previous ID methods. “Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it — as many times as you want,” Franken wrote. “Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.”
Franken wants to know more about the technical possibilities of iTouch ID and how Apple plans to use it — as well as what diagnostic information, if any, the iPhone 5S transmits about the iTouch ID system to Apple and third parties. And he wants assurances that Apple will never share the fingerprint data or the tools needed to get them with commercial third parties.
Another important question is whether Apple considers fingerprint data to be the contents of communication or a subscriber identity under the Stored Communications Act. This is particularly important because content data require a warrant to be released to law enforcement, but a subscriber ID or number needs only a subpoena. Similarly, Franken asks if Apple considers fingerprint data to be subscriber information that the company could be compelled to share by the order of a national security letter.
Besides privacy concerns, many companies will probably want to run their own tests on the system before adding it to a list of security measures required for employee devices. Chris Hertz, the chief executive of the IT firm New Signature, said that he expects it will take businesses between three and six months to begin adding fingerprint data to their existing protocols.
That is certainly the case for Dave Frymier, chief information officer for Unisys, who said that while his firm has discussed letting employees use their fingerprints as a form of identification, Unisys will have to thoroughly test the sensor first. But overall, including fingerprint technology may be better for company security, Frymier said. Even when firms require passwords or four-digit pins on their devices, he said, employees still often choose codes that are easy to crack.