U.S. Senator Al Franken challenges Apple on Touch ID privacy implications

iPhone 5s first look

What are the privacy implications of the iPhone 5s fingerprint sensor? U.S. Senator Al Franken wants Apple CEO Tim Cook to answer that question and more. In a published letter to Cook, Franken writes that “important questions remain about how this technology works.” In addition, the senator wants the Apple chief to explain how the Touch ID sensor may be used in the future.

In response, Apple published online a document explaining that fingerprints obtained by the new iPhone 5s are walled-off from the iOS software and application developers…

While recognizing Apple “has worked hard to secure this technology and implement it responsibly,” Franken writes that the fingerprint technology developed by the iPhone maker “will surely pave the way for its peers and smaller competitors to adopt biometric technology, with varying protections of privacy.”

Among Franken’s concerns is will Apple protect the fingerprint data from government inquiries. Unlike the “contents” of email and other communications which require a warrant, “subscriber number or identity” can be obtained with just a subpoena.

“Does Apple consider fingerprint data to be the ‘contents’ of communications, customer or subscriber records, or a ‘subscriber number or identity’ as defined in the Stored Communications Act?” he asks.

The question gets at the heart of whether Apple sees the fingerprints stored as belonging to the iPhone owner or a record which the company maintains.

Touch ID securtiy breach

Although Apple’s support document isn’t an official response to Franken’s questions, it does provide some insight into the hardware protections afforded fingerprints.

“Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your iPhone,” reads Apple’s support document.

It isn’t possible for your actual fingerprint image to be reverse-engineered from this mathematical representation.

The iPhone 5s includes something called Secure Enclave within the A7 chip.

Apple A7 chip (Secure Enclave 001)

The encrypted fingerprint data is only available to Secure Enclave, according to the company. That data is then used to verify fingerprints against that stored.

Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data.

The Secure Enclave is walled off from the rest of A7 and iOS.

“Your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else,” according to Apple.

“Only Touch ID uses it and it can’t be used to match against other fingerprint databases,” noted the firm.

http://www.youtube.com/watch?v=TJkmc8-eyvE

This isn’t the first time Apple has had to answer security questions.

Most recently, the company denied its involvement in releasing user data to the NSA. As for Franken, back in 2011 CEO Steve Jobs came in for questions regarding the ability of the iPhone to track users.