Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Are fingerprints PINs or physical artifacts?

Evan Schuman | Nov. 12, 2014
A judge’s ruling that a person can be forced to open his phone with his fingerprint ignores the fact that the fingerprint scan is just a substitute PIN, which can’t be required by law enforcement.

fingerprint detail on male finger
Credit: Frettie, via Wikipedia, CC BY 3.0

In security and privacy circles today, no good deed goes unpunished. Consider Apple's recent privacy initiative. Under its new encryption policy, Apple can't divulge confidential information about its customers' data, because only the consumer's credentials can unlock the data -- and those credentials are completely under the control of the customer. For added security, Apple layered biometric authentication (fingerprint) on top, so that people wouldn't have to type their passwords/PINs in public, exposing themselves to the dangers of shoulder-surfing.

A funny thing happened, though, as that policy ran into law enforcement and the courts. You've got the director of the FBI railing against smartphone encryption, claiming that it puts us all at greater risk from terrorists. And a circuit court judge in Virginia has ruled that although police cannot force suspects to reveal their passwords/PINs, they can be forced to apply their fingers to their iPhones and open them, against their will. There is a lot of legal history -- a.k.a. precedent -- for this, but an absolute absence of logic or rationale. When a fingerprint becomes a password/PIN, it must be treated as such.

Part of this history involves the traditions of the police, who have long been able to forcibly require suspects to dig their fingerprints into a police station inkpad. To them, the fingerprint reader on an iPhone feels the same. But in the IT world, the fingerprint used to unlock an iPhone is not a fingerprint so much as it is merely data reflecting a biometric scan -- just another way of authenticating. In other words, it's a password that's neither spoken nor typed.

But Judge Steve C. Frucci equated submitting to an iPhone biometric scan to "providing a DNA or handwriting sample or an actual key, which the law permits," according to The Virginian-Pilot. The Pilot further reported that Frucci wrote in his opinion that a "pass code, though, requires the defendant to divulge knowledge, which the law protects against." (Just as an aside, I have to wonder when Virginia judicial authorities are going to start putting their decisions and rulings online. I mean, when you're technologically outpaced by a branch of the U.S. government, it's a sad day.)

But consider this scenario. I have a physical key that opens a physical deadbolt on the front door of my house. Because certain family members (who I will not name; they know who they are) have a tendency to forget or lose their house keys, I've debated changing the lock to accommodate a PIN keypad.

Now, according to this weird legal distinction, I could be forced to give my key to the police, but not my lock's PIN. But hold on. Just as the iPhone's finger scan is simply a digital version of a password/PIN, that deadbolt's PIN is simply a digital alternative to my physical key. On what possible rationale should law enforcement treat the two differently?

 

1  2  3  Next Page 

Sign up for Computerworld eNewsletters.