It wasn’t too long ago that Apple first introduced Touch ID. The security-minded BlackBerry users guffawed at the idea. First of all, we’ve seen fingerprint scanners on devices before, so it was, once again, Apple bringing old tech back as something new. And then, as iPhone users rejoiced at this new ‘security feature’, we of course thought of amazing ways to bypass this ‘amazing security feature’, such as just waiting for the user to go to sleep. Of course it didn’t take long for the feature to get a true hack: the first weekend, in fact. And then the iPhone users who had been preaching security the week before suddenly changed their tune to it merely being a matter of convenience. Things change quickly when you’re an iPhone apologist.
Of course, as arguments abounded about Touch ID in online forums, one argument kept occurring. Why, we asked, would we allow Apple to have our fingerprints? This is a company whose security is much more akin to Swiss cheese than Swiss bank accounts. And yet, we were told we were wrong. That Apple did not have access to these fingerprints. That they secured them. That they were hidden away inside the phone, where other apps could not get to them, and that they’d never touch the cloud. In fact, Apple says on their website:
“Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of the chip and the rest of iOS. Therefore, iOS and other apps never access your fingerprint data, it’s never stored on Apple servers, and it’s never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can’t be used to match against other fingerprint databases.” –Apple
It was a battle that couldn’t be won. Both sides were at a deadlock. After all, Apple said it in black and white.
And then soon, Apple brought about Apple Pay. And the same explanation is given. Apple doesn’t actually have your credit cards.
“With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone, iPad, and Apple Watch. These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number, along with a transaction-specific dynamic security code, is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment.” –Apple
And of course, iPhone users are happy.
How quickly things change! You see, Apple has applied for a new patent. A patent named “Finger Biometric Sensor Data Synchronization via A Cloud Computing Device and Related Methods”. And what is this for? Why, it’s for doing exactly what it sounds like. It allows the user’s fingerprints to be synced between multiple devices, via the cloud. And not just any cloud. The iCloud. You remember iCloud, right? The cloud service which seemed to be the repository of so many celebrity nudes during “The Fappening”? Don’t forget, Apple says, “iOS and other apps never access your fingerprint data, it’s never stored on Apple servers, and it’s never backed up to iCloud”, and yet we have an application for a patent to do that very thing!
Should we be surprised? Of course not. Should Apple users be upset? Should they question the trust that they’ve put in Apple? Of course! Apple has asked people to buy into Touch ID with a promise. A promise that their biometrics are safe and secure within the phone, and will never be in the cloud, even as they’re applying for a patent to place them in the cloud!
And the final question: will iPhone users revolt or buy in? Unfortunately, I think they will buy in. If history has taught us anything, it is that iPhone users are all too willing to give up privacy, security, and functionality in order to carry an iPhone. And Apple is doing what they do best: adding convenience at a cost of security. You see, with the new synchronization, Apple users will not need to set up their Touch ID multiple times. If they do it on the iPhone, then it will already be there on their iPad. And looking deeper into the patent, it appears that the ultimate goal will be to allow people to pay at a retailer without even using their device. They will be able to pay at an Apple Pay terminal with just their finger, meaning they may get a few more seconds of battery life out of their iPhone or Apple Watch. iPhone users will more than likely forgive Apple for lying to them about where their biometric information will end up, in order for this added convenience.
Apple also states within the patent that the information won’t be stored in the cloud. It makes a point that the information is collected momentarily and transferred over. Perhaps we should ask Mary E. Winstead if she believes this? After all, as her very personal photos were being traded around the internet, she tweeted, “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this.” Deleted from her device? From her iCloud? They were still there to be stolen, though.
And now the questions that must be asked. Apple is still promising that they will not place your biometrics in the cloud, as they are working on a method that will do just that. How long before people’s financial information is placed in the cloud, for convenience? And how long before Apple users realize that this convenience has put them at risk?
source: NY Daily News