Apple Patenting a Way To Collect Fingerprints, Photos of Thieves

An anonymous reader quotes a report from Apple Insider: As published by the U.S. Patent and Trademark Office, Apple's invention covering "Biometric capture for unauthorized user identification" details the simple but brilliant -- and legally fuzzy -- idea of using an iPhone or iPad's Touch ID module, camera and other sensors to capture and store information about a potential thief. Apple's patent is also governed by device triggers, though different constraints might be applied to unauthorized user data aggregation. For example, in one embodiment a single failed authentication triggers the immediate capture of fingerprint data and a picture of the user. In other cases, the device might be configured to evaluate the factors that ultimately trigger biometric capture based on a set of defaults defined by internal security protocols or the user. Interestingly, the patent application mentions machine learning as a potential solution for deciding when to capture biometric data and how to manage it. Other data can augment the biometric information, for example time stamps, device location, speed, air pressure, audio data and more, all collected and logged as background operations. The deemed unauthorized user's data is then either stored locally on the device or sent to a remote server for further evaluation.

Legally Fuzzy?

[konohitowa]

TFA doesn't say why this would be legally fuzzy.

Re:Legally Fuzzy?

[BitterOak]

TFA doesn't say why this would be legally fuzzy.

I don't see what's legally fuzzy about this either. Since when did privacy rights of thieves trump owner's rights to recover their property?

Re:Legally Fuzzy?

[BradleyUffner]

This could be abused to collect fingerprints from non-theives by allowing them access to the device. It could get legally fuzzy where children are involved.

Re:Legally Fuzzy?

[jtgd]

The FBI's dream come true — collect the fingerprints of every citizen.

You know it will happen.

Re:Legally Fuzzy?

[stealth_finger]

The FBI's dream come true — collect the fingerprints of every citizen.

You know it will happen.

or at least a thumb print.

Re:Legally Fuzzy?

This is *really* fuzzy. This means there's a private company gathering fingerprint data without the consent of the people whose fingerprints they're gathering.

Imagine this: you friend gives you his iPhone to hold for a second while he does something, and your finger is read by the Touch ID system. This means Apple now has your biometric data without your consent and your options to make sure it's deleted and/or not misused are very limited.

The adoption of this type of system would mean a lot of legal troubles for Apple in the EU.

Re:Legally Fuzzy?

[GuB-42]

Because the software doesn't know who is a thief and who is a legitimate user. It only track authentication errors.
It is probably legal but Apple has to be careful before implementing it especially if it is on by default.

For example, imagine you are drunk, you try to unlock your phone and fail (because you are drunk). The phone takes a picture of you and sends it to where you don't want drunk pictures of you to end up. If it is the default behavior, I think you can claim some invasion of privacy.

Re:Legally Fuzzy?

TFA doesn't say why this would be legally fuzzy.

Your 14 year old daughter tries to answer a text while changing out of her bathing suite at the pool, because her fingers are prune-ey the phone doesn't recognise her finger print so it snaps a photo of her and uploads it to your family iCloud account so you can identify the "thief" and because she was in a state of undress at the time you're now guilty of having kiddy porn on your iCloud account.

Re: Legally Fuzzy?

[rjstegbauer]

Well...There won't be an official web API for *me* to get *your* fingerprint data.

I believe that hackers will find that API though.

Re:Legally Fuzzy?

This is *really* fuzzy. This means there's a private company gathering fingerprint data without the consent of the people whose fingerprints they're gathering.

When you place you finger on the fingerprint scanner its consent.

Imagine this: you friend gives you his iPhone to hold for a second while he does something, and your finger is read by the Touch ID system.

You realize the Touch ID system is a special button at the bottom of the device? Not the touch screen? Someone holding the phone with a finger over the Touch ID is pretty far fetched.

The touch ID sensor is also the "home" button. Putting you finger on it is all but assured during normal operation of the device.

Re:Legally Fuzzy?

[konohitowa]

During normal operation of the device, it's not scanning fingerprints. It's only when it's locked.

Re:Legally Fuzzy?

[konohitowa]

I didn't find that in TFA.

chain of custody

[Joe_Dragon]

Apple may have to come very clean about how this works or it may not hold up in court.

Re:chain of custody

[Jeremi]

Apple may have to come very clean about how this works or it may not hold up in court.

I doubt it is intended to hold up in court. More likely the idea is to provide the phone's owner (perhaps in conjunction with the police) with information about who took their phone, so that they then know where to look to find more solid evidence.

Re:chain of custody

[ColdWetDog]

Well it's interesting since the iDevices don't store a fingerprint. They store a hash of the results of a fingerprint sensor. It's not like they can reconstruct a real fingerprint and send it to the FBI. For it to be useful in a forensic sense it the perp would have to put her finger on an 'Apple fingerprint hash device' whose internals were open enough to satisfy a well heeled defense team and Apple use the device to say this person was or was not the person who fingered the phone at a certain time. Sounds like a lot of hassle to go through for Apple just to add a bit of evidence to a criminal case for a couple hundred dollar device with a cracked screen.

Also sounds pretty clunky for a misdemeanor theft case. Mostly, police departments would like you to just talk to your insurance company and forget the phone.

Re: chain of custody

[artfulshrapnel]

Probably isn't intended for individual thefts. Instead it'd be an interesting way to associate a single individual with a large number of thefts.

Also if that individual has his own iPhone, they can compare the hashes and tell the FBI who has likely been pickpocketing folks at the such and such venue. Then they can just trail him and catch him in the act, or use it as probable cause to do a search of the location the phone is currently in.

It could also be interesting to assume the "thief" is acting in good faith. What if you using touch ID on a missing phone offered to give the original owner an anonymized way to contact you on your own device, so you can get their phone back to them?

Why do I feel like

[waspleg]

this will just be used to collect biometric data of anyone who touches the phone and then be coupled later with other data to mine for ad scum and other equally vile and nefarious purposes?

I think it's interesting that Tim Cook comes out as some big privacy advocate but iDevices have unique advertiser ids and they're doing shit like this. It's more like who-can-be-most-evil-first race to the bottom of totalitarian turn key nightmare waiting to happen.

Re:Why do I feel like

[PhunkySchtuff]

Oh, you mean the unique Advertising Identifier that's in every iOS device? Yes, that one that you can reset at any time?
https://support.apple.com/en-a...

Re: Why do I feel like

[GrahamJ]

If this is something you worry about (I do too) I sincerely hope you don't use Android or other Google products. Unlike Google, Apple has no incentive to collect and mine your personal information. They make money off hardware, not profiling you and selling your eyeballs to, literally, the highest bidder. Even the advertising identifier, which you can reset, is an attempt to reign in user tracking. Apple Pay generates a unique ID for each transaction rather than handing your information over to the store. Spotlight search hashes app information and stores it locally. They actually go out of their way to protect privacy, unlike many other businesses I can think of.

Re:Why do I feel like

[AHuxley]

Its a stingray (IMSI-catcher) with more options for anyone using the phone, on any network.
Voice prints, logs, text, images, remote mic on, gps, facial recognition and now fingerprints. Ready in a nice gov spy app from any local contractor.
Parallel construction will never be more easy to get unexpected fingerprints from any user on any cell phone connected.
It will all be sold as security for the consumer, the national security part been hidden deep in the fine print again.

Re:Why do I feel like

Run a script to spam resets. Try and overrun their history field. Best case scenario crashes the database.

Re:Why do I feel like

[AmiMoJo]

Is there an app to reset it every 5 seconds?

Privacy

[JBMcB]

A burglar in someone else's house has no expectation of privacy. A thief using someone else's property has no expectation of privacy.

Re: Privacy

[BlackSabbath]

Is that a legal opinion or a "common sense" one?
I don't have a clue what the law is on this matter and am genuinely interested.

Re: Privacy

[ArmoredDragon]

IANAL but I don't think you need to even get to the "right to privacy" legal theory. It's your device, and you can give it permission to capture and store biometric data and upload it to the cloud. If somebody picks up and uses your device, any information they give it, biometric or otherwise, becomes your information provided it isn't trademarked or copyrighted, and even if they somehow manage to do those things for their biometric data and likeness of their face, capturing it for your own personal use (submitting it as evidence, for example) would easily fall under fair use.

Re: Privacy

It can get fuzzy. Generally, from EU laws, the thief has rights to their own data. For example: I steal your phone, I wipe it and put my data in there, and that data belongs to me and cannot be disclosed to the original owner. Sharing of such data tends to require law enforcement requests. Same if someone is dumb enough to hack an online account and enter their personal details.

Re: Privacy

Not even close to the same thing. In one case the person is holding the phone in question in the other case... I don't know? You are stalking them?

Re: Privacy

[cjjjer]

When in outdoor public spaces where you are legally present, you have the right to capture any image that is in plain view.

However... When you are on private property, the property owner sets the rules about the taking of photographs or videos. If you disobey property owners' rules, they can order you off their property (and have you arrested for trespassing if you do not comply).

Re:Privacy

[Macdude]

And a thief who hurts himself breaking into your house shouldn't be able to sue you for damages but he can. In general taking a picture isn't an issue (although that might depend on what else is in the picture) but recording their voices would be.

Re:Privacy

So what of the good samaritan who finds the device and accidentally brushes the fingerprint reader in his efforts to return it to its rightful owner. Has said do-gooder accidentally given up his rights of privacy and biometric security in so doing? Will apple share this data with all the LEO's without said nonuser's permission?

Re:Privacy

[konohitowa]

You have to bring the lock screen up and then carefully hold your finger on the button while it scans. A simple accidental brushing of the scanner wouldn't suffice.

Re: Privacy

[JBMcB]

Guests in someone else's home do not have an expectation of privacy. I'd say a burglar certainly doesn't.

https://www.law.cornell.edu/su...

Not to much of a stretch extending that to a thief using someone else's computer/phone/etc...

Re:well..

10Kva? 10,000 VoltAmps eh? Quite shocking if the voltage is high enough. Somehow I think that starting with a 3.3V battery you are going to struggle to get 10Kva for more than a very short time.... Which is likely not to actually "kill" anything but the phone...

It's amps, not volts that kill you BTW, and you are going to need to apply a LOT of energy to some hapless thief's thumb to kill them. So if you crank up the voltage to say 10K Volts AC and can deliver 1 amp for a millisecond, you can shock them but You are more likely to just piss them off than harm them...

- Why do you keep so many of my biometrics?

[hcs_$reboot]

- Oops sorry, we thought you were a thief

Re:- Why do you keep so many of my biometrics?

[AmiMoJo]

It might be illegal in the EU, due to data protection laws. The police have specific exemptions for collecting evidence, but Apple doesn't.

ok. which one of you kids messed with my phone?

[turkeydance]

Timothy? you, again?

Old Software

So, since those little utilities of the 90s and 00s that used your web cam to snap a picture whenever someone logged in and/or every X minutes of computer usage weren't designed for cell phones, Apple is allowed to patent the same thing but on a mobile device.

That's not a brilliant idea

[Gadget_Guy]

How is this deserving of a patent? It's blindingly obvious to use the sensors available on a device to do their job? And activating the sensors has been done before, like activating a camera remotely or the feature built-in to phones now to get the GPS remotely. As soon as I heard about them adding fingerprint sensors to phones I immediately about how useful it would be to get the fingerprints of thieves.

Well, the police aren't doing it.

My dad's house just got robed a few weeks ago, some idiot stole some electronics and vandalized the place, the police told him there wasn't time or manpower to look for fingerprints. My dad found a good set around a door frame and photographed it himself, they told him they were not interested in pursuing the case because there were murders and drug cases much more important.
The FBI said if there wasn't anything stollen more than $50k, they wouldn't do anything.
He's a retired ex-vietnam vet now with a vendetta.
He was able to get a fingerprint search done through an alternate channel, and now has a name and last known address of the drug-head that did it. Fortunately for that idiot (who's currently wanted in two states for drug and parole violations), the last know address was bogus. The hunt continues though.
Don't mess with retired folks.
The police and FBI are not for the people.
My guess is that Apple isn't exactly for the people ether, but if they can remotely and completely disable stolen hardware, it's more business for them. I'm in favor of stolen goods usually getting bricked.

A perfect example of something unpatentable.

[queazocotal]

Given the idea (which is old) 'wouldn't it be nice to be able to find people who steal phones' - the idea of 'let's use all the sensors in the phone to do so' is what occurs to anyone with the tiniest modicum of a clue in under a second.
http://wiki.openmoko.org/wiki/...
http://wiki.maemo.org/User:Mar...
'What's working

        Geolocation info
        Network info
        Take screenshot
        List of running programs '
Are just a couple of the several year old things Ihappened to know of.

Anyone taping off their phone cameras already?

[wvmarle]

There have been several articles on /. about high-profile people taping off their laptop cameras as they're afraid of it being switched on without them knowing, recording whatever they're doing.

Laptop cameras have an LED to indicate they're active - some may be circumvented and switched on without triggering that indicator, sure, but not all and it's not that easy. Mobile phone cameras don't even have such an LED, there is no way to see when I look at my phone whether a camera is active or not. A camera, as there are two on my phone, as are on most smart phones.

Maybe we should start putting tape over our phone's cameras, just like we do with our laptops? Starting with the front-facing one? I'm sure phones are easier to hack, considering phone's OSes not being updated as much as they should be there will be lots of vulnerable phones out there open to attack.

Re:Anyone taping off their phone cameras already?

[tattood]

"Thieves thwart phone's anti-theft technology with masking tape and gloves. Story at 11"

Re:Presumption of Innocence...

[PPH]

Actually, I can presume anything I want about anyone I want. I just can't act on it. That's when the evidence has to be presented to a court (usually via law enforcement authorities, but that's not a hard and fast rule). The court can then issue warrants, if they believe the evidence constitutes sufficient justification for further investigation or arrest.

I have security cameras on the front of my house. They snap pictures of everything that passes in front of them. Should a burglary of my house or the neighbors occur, it is quite reasonable that the police/courts will base further action upon the stored video that might reasonably be related to the crime. Same idea with the iPhone.

#whatcouldpossiblygowrong

[Zanadou]

#whatcouldpossiblygowrong

WTF fingerprint reader design flaw?

I thought most fingerprint readers were by design not supposed to reveal a whole fingerprint image, only representative data for matching purposes (whorl/junction info). For legal purposes, don't they need to capture the true fingerprint image though, for later unimpeded matching? Otherwise the only way to match thief to data would be to have an iDevice ID machine at a police station for the perp to swipe prints with to see if the data matches. Unless Apple is offering to pregenerate their data from FBI fingerprint image databases...

Re:well..

[ArmoredDragon]

You can get a decent jolt with just a 3.3v battery and a transformer (like the kind found in radios, camera flash, etc.) It won't kill you, but if you aren't expecting it and are already in a tense state (like one might be while escaping after robbing somebody) it'll probably make you panic for a bit and make you drop what you're doing.

Hell, no!

When the iPhones first introduced the fingerprint reader we were assured that customer's biometrics were protected because they'd never leave the phone, that the phone itself only stored the algorithmic results of the user's fingerprints, not the fingerprints themselves. Now we're seeing this...

As for offloading the biometric data, Apple says server-side systems may be able to cross reference fingerprint and photo information with an online database containing information of known users.

Toxic devices

[moxsam]

So Apple products become toxic: Don't touch it! Don't point even! And you haven't seen enough of that one, before it saw you.

It's super-nice of Apple

[Maritz]

To lock out people who aren't their customers from anti-theft tech. Big hearted guys.

Re:well..

[stealth_finger]

Is that why they keep taking parts out, to increase battery size not for longer use but more potent zaps?

Re:Fuzz

[stealth_finger]

You need yourself a Magnavolt system.

https://www.youtube.com/watch?...

Re:Why

[Oswald+McWeany]

It's scary. National governments aren't allowed to collect data on us and spy on us (legally at least, we all know they do illegally behind our backs), but private corporations are allowed to collect data on us and spy on us all they want.

At some point there will have to be some major consumer rights movement to protect from this. The data collected on us doesn't just exist on the websites of whoever collects it, but also in the Russian hackers cloud storage, and everyone they sell their information to. The companies collecting our data hasn't been particulary good at defending it. Any level 1 shadowrunner can steal it.

Good

[Pascal+Sartoretti]

My iPhone was stolen recently; I put it in "lost mode" as soon as I could, and two days later it surfaced 1'000 km (and 2 countries...) away. I would have been nice if it could have captured the thief's fingerprint. As long as this feature is only actived in "lost mode", I don't see legal issues.

I don't think that such a feature would have a great impact on how many stolen iPhones are recovered; however, it may reduce the number of stolen ones.

Re:well..

[ColdWetDog]

Now you've cracked the glass screen.

Oh. Wait.

wrong finger

[bobmajdakjr]

i only have my thumb and middle fingers in my phone, on purpose, and still accidentally pointer finger it sometimes. boy is apple going to be surprised when i accidentally use my penis.

Cerberus for Android

[ScienceofSpock]

Cerberus (and probably others) has had the ability to take a photo on failed auth for at least a few years, and if I remember correctly, it's configurable as to how many auth attempts it takes before it snaps a photo.

Have you been messing with siri again?

[ebvwfbw]

Oh the jokes could just roll on and on with this one.