The scary side of Touch ID
In this, the inaugural Private i column, I want to freak you out just a little bit. In the coming weeks, this column will help Mac and iOS users understand the implications of the latest security exploits, privacy hacks, and encryption options, and how to protect themselves or take advantage of them, as the case may be.
But I want to start with Touch ID and why it’s a technology that needs more discussion as its use as an identity validation has broadened to other apps in iOS 8.
Fingerprint-based identification isn’t new, nor are biometric markers for authentication, like scanning one’s optic nerve or handprint or blood-vessel pattern or the like. They’re the thing of sci-fi movies made thoroughly real, routine, and boring with modern technology. Prior to the addition of Touch ID to the iPhone 5s, however, the vast majority of biometric ID was at fixed locations, like the entrance to a secure facility or even at my children’s after-school care program, where my fingerprint read by a USB-connected reader let me check them out from a Windows PC.
Some Android phones and other mobile devices had fingerprint sensors, and they have been built in or available as an add-on to laptops and desktops for years. In some industries, it was common. But the portable use was likely routinely in the millions, and often among those in particular industries. The iPhone 5s, 6, and 6 Plus, along with devices from other makers, will push usage past tens of millions today into the hundreds of millions. The convenience can’t be beat.
But here’s the thing. Someone might be able to coerce a password from you with a wrench, as in this xkcd cartoon, or under the threat of a lawsuit, imprisonment, expulsion (from a school or country), death, or other means. But it still requires that threat and your acquiescence. If the information that would be revealed is too private, personal, or damaging, you might persist through whatever civil, criminal, or violent process and never give it up.
Mobile fingerprint sensors change that equation dramatically. Instead of nonphysical or physical intimidiation or violence—whether for a good cause or ill—an individual or agent of others who want some of your information must only get ahold of your device, ensure it hasn’t been rebooted, and then be able to hold an appropriate digit still for long enough to validate one’s fingerprint. And you have to be alive, not necesarily cooperative, for Touch ID to work, because as Apple said at the iPhone 5s launch, the sensor uses conductivity to scan a “touch” subdermally.
Again, none of this is new as such. What has changed are two factors: first, as I noted, this fingerprint-based unlocking is about to extend out by an order of magnitude or even higher factors; second, iOS 8 leverages Touch ID to allow it to be used with other apps.
I’ve now upgraded and tested out AgileBits’s 1Password 5 for iOS and Panic Software’s Transmit iOS, both of which have Touch ID authentication options. I’m a big fan of both apps because of their use of extensions. I can bring up 1Password in Safari through Share and in other apps that have direct support, including Transmit iOS. (Other do as well and more are coming.) Transmit lets me save (via Share) and open (via Document Picker) to and from file servers.
Here’s a scenario I’m already commonly carrying out. I tap my Home button, then use Touch ID to unlock. I tap the Photos app, select an image, and tap Share. I select Transmit and unlock it with Touch ID and upload. Or I want to add a server in Transmit, I touch to unlock my phone, touch to unlock Transmit, use the process to add a connection and tap to use 1Password, and touch to unlock it. It’s very convenient.
But as I touch, touch, touch, I think about about Hong Kong and mainland China; about Afghanstan and Iraq; about Ferguson, Missouri, and police overreach and misconduct; and extrajudicial American operations abroad and domestic warrantless procedures and hearings about which we know few details. I think about the rate of domestic violence in this country.
Touch ID is a bit of magic, yes. Since an iOS update not long after it first appeared on shipping hardware, I’ve had few problems with it. But as a nonconsensual method of validating your identity wherever you’re carrying a device, coupled with software that likewise recognizes it, Touch ID requires a bit more thought than just registering your fingerprints.
Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and the Economist, and a senior contributor to Macworld. He is currently crowdfunding an anthology that includes stories by several fellow Macworld contributors.