Apple does business in a lot of countries. Some of those countries have as close to fairly elected democratic representation as can be realized with actual human beings involved. (I won’t describe which.) Others may have elections but shade towards an overweening military or executive power that nullifies their value. Others still are outright totalitarian regimes, in which individual power is meaningless against the state’s control.
Apple sells into all those markets. And some of the security features it builds aren’t for those of us who live in countries that have—or purport to have—the rule of law, and checks and balances that allow for courts to intervene if the police or executive go too far.
This can lead Apple to implement mandatory features worldwide rather than make them options. If something is an option, a government could demand Apple disable the feature for its citizens. But if it’s mandatory and global, Apple can argue it’s a fundamental security feature designed to protect against theft, criminal intrusion, and other citizens.
Consider a restriction to Touch ID’s continuous use that I just uncovered. Apple didn’t intend for this addition to be a secret, but it somehow added it in September 2015 and didn’t document the change until a few days ago. (Apple confirmed the change for me.)
You can read about it in detail, but the gist is that on top of the 48-hour countdown between Touch ID uses before a passcode is required, the “new” change adds a separate timer.
After six days of unlocking with just Touch ID (and not restarting), the 48-hour clock is replaced with an eight-hour one. If you go eight hours or more between unlocking with Touch ID, you’re required to unlock with the passcode. As soon as you enter the passcode, the 48-hour and 6-day countdowns are reset.
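The two timers described above, modelled as a small state machine. This is an added example, not Apple's code or anything from the article; the constants come from the description above, while the bookkeeping (a "last passcode" and a "last unlock" timestamp, with the simulation starting right after a passcode unlock) is an assumed model, since Apple does not publish how it tracks these timers.

```python
from dataclasses import dataclass

# Constants from the article's description of the two timers.
NORMAL_IDLE_LIMIT_H = 48.0      # passcode needed after this long between unlocks
TOUCH_ID_ONLY_RUN_H = 6 * 24.0  # six days without a passcode entry ...
SHORT_IDLE_LIMIT_H = 8.0        # ... after which the idle limit shrinks to eight hours

@dataclass
class TouchIDState:
    """Assumed bookkeeping: Apple does not publish how these timers are tracked."""
    last_passcode_h: float  # hour of the most recent passcode unlock
    last_unlock_h: float    # hour of the most recent unlock of either kind

    def idle_limit(self, now_h):
        """48h normally; 8h once six days have passed without a passcode entry."""
        if now_h - self.last_passcode_h >= TOUCH_ID_ONLY_RUN_H:
            return SHORT_IDLE_LIMIT_H
        return NORMAL_IDLE_LIMIT_H

    def passcode_required(self, now_h):
        return now_h - self.last_unlock_h >= self.idle_limit(now_h)

    def unlock_with_touch_id(self, now_h):
        """True if Touch ID is accepted, False if the passcode is demanded instead."""
        if self.passcode_required(now_h):
            return False
        self.last_unlock_h = now_h
        return True

    def unlock_with_passcode(self, now_h):
        """Entering the passcode resets both the 48-hour and the six-day countdowns."""
        self.last_passcode_h = self.last_unlock_h = now_h

def simulate(events, passcode_at_h=0.0):
    """Replay (hour, kind) events after a passcode unlock at passcode_at_h; kind is
    'touch_id' or 'passcode'. Returns [(hour, kind, accepted), ...]. A refused Touch ID
    attempt unlocks nothing, so the idle clock keeps running until a passcode is entered."""
    state = TouchIDState(passcode_at_h, passcode_at_h)
    log = []
    for hour, kind in events:
        if kind == "passcode":
            state.unlock_with_passcode(hour)
            log.append((hour, kind, True))
        else:
            log.append((hour, kind, state.unlock_with_touch_id(hour)))
    return log

if __name__ == "__main__":
    # Constructed scenario: Touch ID every 12 hours. The 48-hour rule alone would allow this
    # indefinitely; the six-day timer makes the attempt at hour 144 demand the passcode.
    for hour, kind, ok in simulate([(h, "touch_id") for h in range(12, 145, 12)]):
        print(f"h={hour:4}  {kind:9} {'ok' if ok else 'PASSCODE REQUIRED'}")
```

Running it shows the point of the second timer: a user who unlocks every 12 hours never trips the 48-hour rule, yet is still forced back to the passcode at the six-day mark, while one who unlocks every six hours is not.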
Why add an eight-hour timer? Apple declined to offer any insight into why it was added, nor why it wasn’t documented until last week. I have some thoughts, mostly in the form of analogy.
A keep-alive interval
When I think about why Apple might implement these Touch ID limitations, I’m struck by two seemingly unrelated mechanical systems.
The first is the “dead man’s switch,” made famous in the original The Taking of Pelham One Two Three film (1974). Some machinery and technology is equipped with a switch that has to be pulled, held, or depressed continuously in order for a system to keep working. In many rail operations, including NYC Transit, a train operator has to apply pressure to a handle for the train to remain in motion. If the operator can’t perform the task, the train slows to a halt. This rarely happens, and occurred last in 2010 in New York.
The other is the night watchman’s clock. A night guard at a building would be obliged to make their rounds, and use a key attached to a number of stopping points or stations. Each key, when turned in the watchman’s clock, would register that they’d passed that point and when. It was a way of keeping people honest at their duties when a boss wasn’t around. (A version of this features in Fritz Lang’s M.)
Touch ID and its timeout rules have aspects of both of these concepts. To use Touch ID, you literally have to be alive, because of how Apple’s sensor uses conductivity. There are likely workarounds used by government agencies and criminal groups that rely either on cadaver fingerprints or on simulating a fingerprint that’s been recorded or lifted. But if either approach is viable, the particulars are kept relatively secret. It’s not a general solution for any party who wants access to a locked phone without having the right person in front of it (and alive).
The timeout in that case works as a dead man’s switch. The iOS device doesn’t brick, but it does require a passcode. A passcode can be cracked, but a long passcode or passphrase is more difficult to break and remains beyond the reach of most parties who want access to a device, whether legally, extrajudicially, or criminally. (Perhaps Apple will add a high-level or corporate security option that, in fact, bricks a phone if you don’t use Touch ID for a period of time, even if the phone is turned on.)
But the timeout also serves as the watchman’s clock, ensuring that at certain intervals, you prove that you’re still the person who had the right amount of permission to set up the phone with a biometric marker. (One step better would be an automated email to someone else if you hadn’t used Touch ID in a certain period—a canary in a coalmine.)
What remains confusing to me and all the security experts and iOS writers I’ve spoken to is the scenario in which a phone or tablet repeatedly locks, and an authority or malicious party has to have someone on a less-than-eight-hour basis provide a fingerprint, by verbal or physical compulsion.
Surely, any party that wants the iOS device unlocked would, after unlocking it the first time with the fingerprint, set the automatic lock feature to Never, and keep it plugged in or otherwise charged. Only if the device locks unexpectedly would a Touch ID scan be required.
In that case, why eight hours? I’m still puzzling it out. It might have a relationship to how intelligence services and police work that’s outside my ken.
In the U.S., we know a court can and will compel a Touch ID unlock by someone charged with a crime or convicted of it. The ability to require a password is more problematic, but someone can withhold a password, while with force they can’t withhold a fingerprint.
I spoke to Geoffrey King, the technology program coordinator at the Committee to Protect Journalists, a group devoted to reducing the danger to reporters worldwide and publicizing jailed and missing writers. Journalists and activists often receive the brunt of a government’s worst behavior in the interest of shutting them up and shutting them down. “We protect the people who anger everybody else,” King noted.
He couldn’t sort out the new eight-hour limitation, but he noted that any incremental, default change that improves the overall security of someone’s personal data is a positive. “Although it’s hard to quantify, this is likely to have an impact on journalists’ safety and we welcome this move,” he said.
King notes that in parts of the world, a reporter may be picked up by authorities and be asked to unlock their device. “It might be a polite request, but it’s a polite request backed up by the imminent threat of brutality,” he said. In those cases, it’s unclear whether a lockout would help, as someone may be subject to the same risk when they don’t provide a passcode that can be typed in.
It could be simpler
It’s possible I’m overthinking this. One reader suggested that the timeouts could simply be Apple’s way of ensuring people don’t forget their password. After 48 hours without unlocking a phone or six days without using a passcode, jogging someone’s memory ostensibly reduces the likelihood they forget their code. Apple can’t retrieve a forgotten passcode, and this might increase customer satisfaction.
But if that’s the case, I’d suspect Apple would have been happy to provide that as the main or sole reason as part of their newer openness in describing security measures. (This timeout is also a good way to find out which people you know routinely sleep less than eight hours a night and use their device right before they go to sleep and immediately on waking.)
It would be great to live in a world in which that innocent explanation is the whole story. But I can’t help feeling there’s a deeper reason beneath it.