Smartphones' security enhancements just make them more dangerous
Is that incriminating data in your pocket or are you just pleased to see me?
Over the holidays I bought Apple’s newest, shiniest face scanner. For the first fortnight - and periodically since then - that constant lift-and-scan felt weird. As though my smartphone had suddenly become too intimate, too familiar.
This is hardly the thin end of the wedge. It started with passcodes - which many people didn’t even use, to begin with. Then, as it became clear that an unlocked smartphone could leak dangerous data, we began locking them behind PINs.
Even that basic layer of safety proved too hard for many people - either unable to remember the PIN or unwilling to spend time typing it in, over and over and over - so a few years back the devices added fingerprint readers.
That marked a Rubicon of sorts, because crossing it subtly changed the balance of power between user and device. As the device acquired the necessary sensing and computational capacities, designers could raise the bar on access control. The smartphone, now seen as safe and secure, became the home for a range of data that had formerly only lived in highly-protected data centres: medical and financial (and sexual) datasets freely commingle within our devices. Suddenly the accidental loss or unlocking of a smartphone became a very serious matter, far beyond the loss of a wallet or keys - or anything else we’ve ever carried around with us everywhere.
It’s as if each of us bears our crown jewels in our pockets, relying on the big padlock we’ve placed upon the device to protect us from thieves.
A few months back, as I queued for a flight, I handed the check-in staff my smartphone, expecting they’d scan the QR code representing my boarding pass. They waved it away. “We’d prefer you scan your code yourself - just in case we drop it. People get very upset. They lose their whole lives.”
Smartphones have enormous utility value, but that’s created a kind of gravitational warp around them. They’re too dense with value, requiring increasingly careful handling and ever-stronger locks.
So to FaceID™, because Apple claims fingerprints aren’t nearly unique enough. It may be that my mug is more unique than my thumb, but maybe we should be asking ourselves how much safety we need? Where does this end? Already we know that a clever 3D print job can fool FaceID some of the time. That will only grow easier as the technology becomes better understood. The arms race of security, ratcheting ever upward, will continue to demand ever more invasive scans to determine our authenticity.
In about a decade or so, advances in microfluidics will allow Apple to embed a rapid DNA analyser - a la GATTACA - inside iPhone XX. I can already imagine Tim Cook’s keynote, touting the “one in a billion” uniqueness of DNA. A thousand times better than that silly and so-easily-spoofed FaceID! You’re gonna love it!
Will we love it? Or will we be so afraid of our digital selves falling into the wrong hands (particularly those closest to us) that we’ll simply submit to any indignity to protect ourselves?
We’ve always had to be careful when transporting objects of great value. It may be that we decide the wiser course is simply not to transport them at all. At some point the danger of ubiquity overwhelms the usability of the device. My new iPhone feels as though it sits right on this side of that abyss, asking us how far we’re willing to go - and how much we’re willing to surrender - to be secure.
Benjamin Franklin famously said, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” With every scan of our faces and our fingerprints, we need to ask ourselves whether we really feel any safer. ®