I got a new Toshiba Portege a few weeks ago, the first machine I've owned that came with a fingerprint sensor. At first the system seemed to have been designed in a sensible way. The fingerprint template is encrypted and stays local. It is never released or stored in a remote database. I decided to try it out – to experience what it “felt like”.
A couple of days later, I was at a conference and on stage under pretty bright lights. Glancing down at my shiny new computer, I saw what looked unmistakably like a fingerprint on my laptop's right mouse button. Then it occurred to me that the fingerprint sensor was only a quarter of an inch from what seemed to be a perfect image of my fingerprint. How secure is that?
A while later I ran into Dale Olds from Novell. Since Dale's an amazing photographer, I asked if he would photograph the laptop to see if the fingerprint was actually usable. Within a few seconds he took the picture above.
When Dale actually sent me the photo, he said,
“I have attached a slightly edited version of the photo that showed your fingerprint most clearly. In fact, it is so clear I am wondering whether you want to publish it. The original photos were in Olympus raw format. Please let me know if this version works for you.”
Eee Gads. I opened up the photo in Paint and saw something along these lines:
The gold blotch wasn't actually there. I added it as a kind of fig-leaf before posting it here, since it covers the very clearest part of the fingerprint.
The net of all of this was to drive home, yet again, just how silly it is to use a “public” secret as a proof of identity. The fact that I can somehow “demonstrate knowledge” of a given fingerprint means nothing. Identification is only possible by physically verifying that my finger embodies the fingerprint. Without physical verification, what kind of a lock does the fingerprint reader provide? A lock which conveniently offers every thief the key.
At first my mind boggled at the fact that Toshiba would supply mouse buttons that were such excellent fingerprint collection devices. But then I realized that even if the fingerprint weren't conveniently stored on the mouse button, it would be easy to find it somewhere on the laptop's surface.
It hit me that in the age of digital photography, a properly motivated photographer could probably find fingerprints on all kinds of surfaces, and capture them as expertly as Dale did. I realized it was no longer necessary to use special powder or inks or tape or whatever. Fingerprints have become a thing of “sousveillance”.