Fake fingerprints: The latest tactic for protecting privacy
When Apple introduced its fingerprint sensing Touch ID technology for the iPhone in 2013, it hailed the innovation as a boon for consumer security. After all, the password alone isn鈥檛 the most robust protection for all the personal information on your smartphone.
Carmakers and banks have also introduced similar fingerprint scanning technology as a way of preventing car theft and , too.听
But as fingerprint scanning quickly becomes mainstream, the technology certainly isn鈥檛 hacker-proof, either. Since , security researchers that governments, criminals, and anyone else with can spoof fingerprints to access digital devices and authentication systems. And unlike personal identification numbers and passwords, fingerprints are practically impossible to change.
So what if there was a way to create removable and disposable fingerprints to unlock smartphones or get into cars?听This way, consumers could safeguard their biometrics from companies that may want to stockpile that data, or from malicious hackers looking to steal that information to sell it on the digital black market or use it to steal someone鈥檚 identity.听
Industrial design student Mian Wei imagines a future in which our biometric information becomes so valuable that people will want to obscure it from view, and mitigate the risks of leaving their fingerprints where someone else might replicate them.
鈥淚 think fingerprint theft might become a really big problem,鈥 Mr. Wei said. 鈥淚f you go to Starbucks and take out the trash, you get a hundred [cups] with fingerprints, and they all have names on them.鈥
To solve this Digital Age security dilemma, Wei created Identity, a wearable finger prosthetic that can be used on fingerprint readers without revealing the user鈥檚 actual fingers or thumb.
Now a third-year student at the Rhode Island School of Design (RISD) in Providence, Wei says he wanted to create a way for people to use fingerprint readers without worrying about surveillance and identity theft. He says this isn鈥檛 an abstract problem, either. Hackers stole some 5.6 million fingerprints as part of last year鈥檚 Office of Personnel Management breach 鈥 many of which could presumably be used to unlock their owners鈥 smartphones and other personal devices.
In China, where Wei is from, 听for identification cards and it鈥檚 commonplace for people to lock their homes with fingerprint readers. 鈥淚 think of the danger of fingerprint sensing as something we missed because of our craving for technological advancement,鈥 he said.
Wei debuted his small, disposable finger prosthetic in May at a year-end RISD student exhibition. The Identity pad is made from a conductive silicone-based material, containing fibers that form an impression that will be accepted as a fingerprint on any consumer-grade fingerprint sensor.
An iPhone is only the most common example. Users simply wrap the slightly sticky material around their finger and touch it to a smartphone's sensor to enroll a false fingerprint. To change prints, you can simply replace the prosthetic and repeat the process with the new one.
In Passcode's testing, the Identity pad worked on both an iPhone 6S and a Nexus 5x running the latest versions of iOS and Android, respectively. Wei has only produced 70 fingerprint-spoofing pads for display purposes, and he doesn鈥檛 have a price in mind yet (though he says he鈥檚 talking to a design company about mass production).
Wei鈥檚 work fits into a growing category of art and design work that addresses digital privacy and security issues such as , a series of makeup patterns designed by artist Adam Harvey to fool facial recognition algorithms, Heather Dewey-Hagborg鈥檚 , a chemical spray used to obscure the DNA traces left behind on glassware and other objects, and听the Whitney Art Museum exhibit displaying the work of filmmaker Laura Poitras, who helped publicize the Edward Snowden documents.
鈥淏ut to me, most of them are not 'normal' enough,鈥 says Wei of many other privacy-focused art projects. 鈥淭hey are not something people would use on a daily basis. I decided to do something that not only designers or hackers would understand, but other people, too.鈥
Wei鈥檚 project is coming at a time when biometric privacy is getting much more attention from tech advocacy and civil liberties groups, as well.
A coalition of privacy groups for more oversight on the FBI鈥檚 Next Generation Identification biometric database, for example, which holds hundreds of millions of fingerprints and face recognition photos 鈥 a vast majority of which belong to Americans who have never been suspected of a crime, according to from the Government Accountability Office.
Courts have also that fingerprints aren't covered under the Fifth Amendment's protections against self-incrimination: Unlike with a passcode, police can force suspects to unlock a phone with a fingerprint if arrested, without a warrant.
But someone using Wei鈥檚 Identity pad could skirt the issue entirely by discarding the false fingerprint, which is the key to unlocking their device.
鈥淚f a defendant is compelled legally to touch their finger to a fingerprint reader to unlock a device and that doesn't unlock the device, there is not a lot the prosecution can do short of compelling the technology provider鈥 to hack the device, says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.
It鈥檚 likely only a temporary advantage. The Identity pad exploits the fact that fingerprint readers aren't yet smart enough to tell a real finger from a rubber prosthetic, says Mr. Hall. That might not be a bad thing, he added, since it creates additional incentive for manufacturers to improve the technology to avoid forgeries.
鈥淥f course, there's every reason this would spark an arms race between spoofing fingerprints and detecting spoofed fingerprints,鈥 said Hall.
听
