Fake fingerprints: The latest tactic for protecting privacy
The Identity pad – a project to create artificial and reusable fingerprints – addresses the security and privacy risks associated with the growing use of biometric technology.
Courtesy Mian Wei
When Apple introduced its fingerprint sensing Touch ID technology for the iPhone in 2013, it hailed the innovation as a boon for consumer security. After all, the password alone isn’t the most robust protection for all the personal information on your smartphone.
Carmakers and banks have also introduced similar fingerprint scanning technology as a way of preventing car theft and financial fraud, too.
But as fingerprint scanning quickly becomes mainstream, the technology certainly isn’t hacker-proof, either. Since as early as 2002, security researchers have shown that governments, criminals, and anyone else with the right material can spoof fingerprints to access digital devices and authentication systems. And unlike personal identification numbers and passwords, fingerprints are practically impossible to change.
So what if there was a way to create removable and disposable fingerprints to unlock smartphones or get into cars? This way, consumers could safeguard their biometrics from companies that may want to stockpile that data, or from malicious hackers looking to steal that information to sell it on the digital black market or use it to steal someone’s identity.
Industrial design student Mian Wei imagines a future in which our biometric information becomes so valuable that people will want to obscure it from view, and mitigate the risks of leaving their fingerprints where someone else might replicate them.
“I think fingerprint theft might become a really big problem,” Mr. Wei said. “If you go to Starbucks and take out the trash, you get a hundred [cups] with fingerprints, and they all have names on them.”
To solve this Digital Age security dilemma, Wei created Identity, a wearable finger prosthetic that can be used on fingerprint readers without revealing the user’s actual fingers or thumb.
Now a third-year student at the Rhode Island School of Design (RISD) in Providence, Wei says he wanted to create a way for people to use fingerprint readers without worrying about surveillance and identity theft. He says this isn’t an abstract problem, either. Hackers stole some 5.6 million fingerprints as part of last year’s Office of Personnel Management breach – many of which could presumably be used to unlock their owners’ smartphones and other personal devices.
In China, where Wei is from, citizens sometimes register their fingerprints for identification cards and it’s commonplace for people to lock their homes with fingerprint readers. “I think of the danger of fingerprint sensing as something we missed because of our craving for technological advancement,” he said.
Wei debuted his small, disposable finger prosthetic in May at a year-end RISD student exhibition. The Identity pad is made from a conductive silicone-based material, containing fibers that form an impression that will be accepted as a fingerprint on any consumer-grade fingerprint sensor.
An iPhone is only the most common example. Users simply wrap the slightly sticky material around their finger and touch it to a smartphone's sensor to enroll a false fingerprint. To change prints, you can simply replace the prosthetic and repeat the process with the new one.
In Passcode's testing, the Identity pad worked on both an iPhone 6S and a Nexus 5x running the latest versions of iOS and Android, respectively. Wei has only produced 70 fingerprint-spoofing pads for display purposes, and he doesn’t have a price in mind yet (though he says he’s talking to a design company about mass production).
Wei’s work fits into a growing category of art and design work that addresses digital privacy and security issues such as CV Dazzle, a series of makeup patterns designed by artist Adam Harvey to fool facial recognition algorithms, Heather Dewey-Hagborg’s Invisible, a chemical spray used to obscure the DNA traces left behind on glassware and other objects, and the Whitney Art Museum exhibit displaying the work of filmmaker Laura Poitras, who helped publicize the Edward Snowden documents.
“But to me, most of them are not 'normal' enough,” says Wei of many other privacy-focused art projects. “They are not something people would use on a daily basis. I decided to do something that not only designers or hackers would understand, but other people, too.”
Wei’s project is coming at a time when biometric privacy is getting much more attention from tech advocacy and civil liberties groups, as well.
A coalition of privacy groups have called for more oversight on the FBI’s Next Generation Identification biometric database, for example, which holds hundreds of millions of fingerprints and face recognition photos – a vast majority of which belong to Americans who have never been suspected of a crime, according to a new report from the Government Accountability Office.
Courts have also recently ruled that fingerprints aren't covered under the Fifth Amendment's protections against self-incrimination: Unlike with a passcode, police can force suspects to unlock a phone with a fingerprint if arrested, without a warrant.
But someone using Wei’s Identity pad could skirt the issue entirely by discarding the false fingerprint, which is the key to unlocking their device.
“If a defendant is compelled legally to touch their finger to a fingerprint reader to unlock a device and that doesn't unlock the device, there is not a lot the prosecution can do short of compelling the technology provider” to hack the device, says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.
It’s likely only a temporary advantage. The Identity pad exploits the fact that fingerprint readers aren't yet smart enough to tell a real finger from a rubber prosthetic, says Mr. Hall. That might not be a bad thing, he added, since it creates additional incentive for manufacturers to improve the technology to avoid forgeries.
“Of course, there's every reason this would spark an arms race between spoofing fingerprints and detecting spoofed fingerprints,” said Hall.