Biometrics in smartphones need more control - ex-GCHQ boss
- Published
The former boss of government communications agency GCHQ has warned over the use of biometric data in mobile phones and devices.
Sir John Adye said he had security concerns over methods like fingerprint recognition used in Apple's iPhone 6 and other devices to check identity.
"I don't know what happens to my personal data when I use it on a smartphone," he told MPs.
Apple has defended the security and privacy of its systems.
Sir John, who headed GCHQ between 1989 and 1996, chairs a company which is developing biometric technology for identity recognition.
He said the increasing use of biometrics was a positive step but warned that it was not clear enough what was happening to people's data.
"If you go to an ATM and put in your credit or debit card, that system is supervised by the bank in some way," he said in evidence to the Commons Science and Technology Committee, which is examining the use of biometric technology.
"But when you're using your smartphone... there's no physical supervision of the system."
"You need to design security methods... which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end... the bank or whoever it is, who is providing a service to them."
Sir John singled out the Apple iPhone 6 which allows users to make payments and access services using a fingerprint.
"You can now use your iPhone 6 to make payments using biometrics on the internet and you've got to tick various boxes before you do so, but how many people are actually going read through all those boxes properly and understand what they mean when it goes in?"
"I think Apple has done some good things. They appear to have a good system at the moment for protecting their operating system so it's difficult for anyone outside to penetrate it and retrieve data from it.
"But how long will that last, because the criminals... are very inventive at finding ways in, and although you can protect it in that way on the device itself, what happens if the device is lost or stolen?"
Apple says it uses the most technologically advanced fingerprint security and puts security and privacy at the core of the "Apple Pay" system.
Sir John also called for more transparency in the way personal information may be passed on to third parties.
Fake fingers?
"I don't know, although I'm quite experienced in this area, what happens to my personal data when I use it on a smartphone for proving my identity. Is Google going to use that data to target advertising at me? Is some other commercial company or maybe some hostile foreign government going to use it to target me in some other way? I don't know," he said.
Another witness, biometrics engineer Ben Fairhead, was asked about the risks that biometric data such as fingerprints could be faked.
"There's a whole science around anti-spoofing and all sorts of methods you can employ to work out 'Is this finger... made of flesh and is there blood pumping around it?,'" he told Labour MP, Pamela Nash.
But even this technology was open to "spurious results", he said. "If for example, you haven't got much blood flow to your fingers, maybe the system doesn't think your finger is alive."
"It still ends up being an arms race, or an arms, legs and fingers race, between you and the attackers," he said, adding that cybercriminals were adding iron filings to fake fingers to mirror the conductivity of human skin.
The committee also examined the increasing use of biometrics by governments, in border controls and public services.
MPs heard claims that there needed to be better oversight of the entire industry.
- Published22 November 2012
- Published9 September 2014
- Published15 May 2012