[Cryptography] About those fingerprints ...

Tim Dierks tim at dierks.org
Wed Sep 11 13:44:23 EDT 2013

On Wed, Sep 11, 2013 at 1:13 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On Sep 11, 2013, at 9:16 AM, "Andrew W. Donoho" <awd at DDG.com> wrote:
> > Yesterday, Apple made the bold, unaudited claim that it will never save
> the fingerprint data outside of the A7 chip.
> By announcing it publicly, they put themselves on the line for lawsuits
> and regulatory actions all over the world if they've lied.
> Realistically, what would you audit?  All the hardware?  All the software,
> including all subsequent versions?
> This is about as strong an assurance as you could get from anything short
> of hardware and software you build yourself from very simple parts.

When it comes to litigation or actual examination, it's been demonstrated
again and again that people can hide behind their own definitions of terms
that you thought were self-evident. For example, the NSA's definition of
"target", "collect", etc., which fly in the fact of common understanding,
and exploit the loopholes in English discourse. People can lie to you
without actually uttering a demonstrable falsehood or exposing themselves
to liability, unless you have the ability to cross-example the assertions.

I don't have a precise cite for the Apple claim, but let's take two
summaries: first, from Andrew "Apple made the bold, unaudited claim that it
will never save the fingerprint data outside of the A7 chip". Initial
questions: does this mean they won't send the data to third parties? How
about give third parties the ability to extract the data themselves? Does
the phrase "fingerprint data" include all data derived from the
fingerprint, such as minutiae?

second, from Macworld<http://www.macworld.com/article/2048520/fingerprint-sensor-in-iphone-5s-is-no-silver-bullet-researchers-say.html>:
"the fingerprint data is encrypted and locked in the device’s new A7 chip,
that it’s never directly accessible to software and that it’s not stored on
Apple’s servers or backed up to iCloud". Similar questions: is the data
indirectly accessible? Is it stored on non-Apple servers? Etc.

Unless you can cross-examine the assertions with some kind of penalty for
dissembling, you can't be sure that an assertion means what you think or
hope it means, regardless of how straightforward and direct it sounds.

 - Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130911/77f4c1de/attachment.html>

More information about the cryptography mailing list