Phone biometrics like Touch ID aren't secure enough, warns intelligence expert

We don't know what companies do with our data

Update: Apple has contacted us about Sir John Adye's concerns over biometrics, and Touch ID in particular.

On its Privacy website it states that "the actual image of your fingerprint is not stored anywhere, and is instead converted to a mathematical representation of a fingerprint that cannot be reverse engineered into one. This mathematical representation is stored in a Secure Enclave within your phone's chip, and is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else".

Original story follows…

We might think little of using our fingerprints to unlock our smartphones, but Sir John Adye, the former boss of the UK intelligence and security agency GCHQ, has warned that there's not enough information about what happens with people's data.

For many people, features such as Touch ID on the iPhone 6 are a convenient and secure way of unlocking their phones. However, as Sir John Adye points out, we don't know what mobile phone companies are doing with that sort of information.

He points out that "if you go to an ATM and put in your credit or debit card, that system is supervised by the bank in some way...But when you're using your smartphone... there's no physical supervision of the system".

More control and transparency

Sir John Adye's comments were made in evidence to the Commons Science and Technology Committee, which is examining the use of biometric technology.

Although many other phones use biometric data to secure themselves, such as the Samsung Galaxy S5, Sir John singled out the iPhone 6 due to the integration of biometrics with Apple Pay and other payment services.

"You can now use your iPhone 6 to make payments using biometrics on the internet and you've got to tick various boxes before you do so, but how many people are actually going to read through all those boxes properly and understand what they mean when it goes in?"

However, Apple's senior vice president of Internet Software and Service, Eddy Cue, has strongly defended the security of Apple Pay: "Security and privacy is at the core of Apple Pay. When you're using Apple Pay in a store, restaurant or other merchant, cashiers will no longer see your name, credit card number or security code, helping to reduce the potential for fraud. Apple doesn't collect your purchase history, so we don't know what you bought, where you bought it or how much you paid for it."

The Commons Science and Technology Committee is not only looking at how companies could be regulated when it comes to handling our sensitive biometric data, but also how to protect citizens from a new generation of identity theft.

It's a timely reminder that while we give our phones a lot of data about ourselves, we often don't know what companies do with that information.

Via the BBC
