Modern field guide to security and privacy

Fake fingerprints: The latest tactic for protecting privacy

The Identity pad – a project to create artificial and reusable fingerprints – addresses the security and privacy risks associated with the growing use of biometric technology.

Courtesy Mian Wei
Artist Mian Wei designed the Identity pad with that to safeguard users' biometric data.

When Apple introduced its fingerprint sensing Touch ID technology for the iPhone in 2013, it hailed the innovation as a boon for consumer security. After all, the password alone isn’t the most robust protection for all the personal information on your smartphone.

Carmakers and banks have also introduced similar fingerprint scanning technology as a way of preventing car theft and financial fraud, too. 

But as fingerprint scanning quickly becomes mainstream, the technology certainly isn’t hacker-proof, either. Since as early as 2002, security researchers have shown that governments, criminals, and anyone else with the right material can spoof fingerprints to access digital devices and authentication systems. And unlike personal identification numbers and passwords, fingerprints are practically impossible to change.

So what if there was a way to create removable and disposable fingerprints to unlock smartphones or get into cars? This way, consumers could safeguard their biometrics from companies that may want to stockpile that data, or from malicious hackers looking to steal that information to sell it on the digital black market or use it to steal someone’s identity. 

Industrial design student Mian Wei imagines a future in which our biometric information becomes so valuable that people will want to obscure it from view, and mitigate the risks of leaving their fingerprints where someone else might replicate them.

“I think fingerprint theft might become a really big problem,” Mr. Wei said. “If you go to Starbucks and take out the trash, you get a hundred [cups] with fingerprints, and they all have names on them.”

To solve this Digital Age security dilemma, Wei created Identity, a wearable finger prosthetic that can be used on fingerprint readers without revealing the user’s actual fingers or thumb.

Now a third-year student at the Rhode Island School of Design (RISD) in Providence, Wei says he wanted to create a way for people to use fingerprint readers without worrying about surveillance and identity theft. He says this isn’t an abstract problem, either. Hackers stole some 5.6 million fingerprints as part of last year’s Office of Personnel Management breach – many of which could presumably be used to unlock their owners’ smartphones and other personal devices.

In China, where Wei is from, citizens sometimes register their fingerprints for identification cards and it’s commonplace for people to lock their homes with fingerprint readers. “I think of the danger of fingerprint sensing as something we missed because of our craving for technological advancement,” he said.

Wei debuted his small, disposable finger prosthetic in May at a year-end RISD student exhibition. The Identity pad is made from a conductive silicone-based material, containing fibers that form an impression that will be accepted as a fingerprint on any consumer-grade fingerprint sensor.

An iPhone is only the most common example. Users simply wrap the slightly sticky material around their finger and touch it to a smartphone's sensor to enroll a false fingerprint. To change prints, you can simply replace the prosthetic and repeat the process with the new one.

In Passcode's testing, the Identity pad worked on both an iPhone 6S and a Nexus 5x running the latest versions of iOS and Android, respectively. Wei has only produced 70 fingerprint-spoofing pads for display purposes, and he doesn’t have a price in mind yet (though he says he’s talking to a design company about mass production).

Wei’s work fits into a growing category of art and design work that addresses digital privacy and security issues such as CV Dazzle, a series of makeup patterns designed by artist Adam Harvey to fool facial recognition algorithms, Heather Dewey-Hagborg’s Invisible, a chemical spray used to obscure the DNA traces left behind on glassware and other objects, and the Whitney Art Museum exhibit displaying the work of filmmaker Laura Poitras, who helped publicize the Edward Snowden documents.

“But to me, most of them are not 'normal' enough,” says Wei of many other privacy-focused art projects. “They are not something people would use on a daily basis. I decided to do something that not only designers or hackers would understand, but other people, too.”

Wei’s project is coming at a time when biometric privacy is getting much more attention from tech advocacy and civil liberties groups, as well.

A coalition of privacy groups have called for more oversight on the FBI’s Next Generation Identification biometric database, for example, which holds hundreds of millions of fingerprints and face recognition photos – a vast majority of which belong to Americans who have never been suspected of a crime, according to a new report from the Government Accountability Office.

Courts have also recently ruled that fingerprints aren't covered under the Fifth Amendment's protections against self-incrimination: Unlike with a passcode, police can force suspects to unlock a phone with a fingerprint if arrested, without a warrant.

But someone using Wei’s Identity pad could skirt the issue entirely by discarding the false fingerprint, which is the key to unlocking their device.

“If a defendant is compelled legally to touch their finger to a fingerprint reader to unlock a device and that doesn't unlock the device, there is not a lot the prosecution can do short of compelling the technology provider” to hack the device, says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.

It’s likely only a temporary advantage. The Identity pad exploits the fact that fingerprint readers aren't yet smart enough to tell a real finger from a rubber prosthetic, says Mr. Hall. That might not be a bad thing, he added, since it creates additional incentive for manufacturers to improve the technology to avoid forgeries.

“Of course, there's every reason this would spark an arms race between spoofing fingerprints and detecting spoofed fingerprints,” said Hall.

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.