updated 11:08 pm EDT, Wed May 14, 2014
Letter to Korean company poses 13 questions about fingerprint security of device
United States Senator Al Franken has issued a letter to Samsung questioning the security of the fingerprint scanner in its newest device, the Galaxy S5. Franken hopes that the company will be able to shed light on the privacy concerns surrounding the scanner, specifically the use of a permanent fingerprint as a security measure. Franken was also responsible for a letter sent to Apple in 2013 addressing similar concerns over the Touch ID reader in the iPhone.
The Senator, who serves as a chairman on the Senate's Judiciary Subcommittee on Privacy, brought up a number of concerns about the device, which has been plagued with issues in its fingerprint scanner. Not long after its release, the Galaxy S5 was found to be susceptible to the same fake print trick as the iPhone 5S. However, there is a large difference between the fingerprint security of the iPhone and that of the Galaxy S5: Samsung's phone allows repeated attempts to unlock the device without a prompt, as Franken pointed out.
Another portion of Franken's concern comes from the ability to use the fingerprint scanner in other applications like PayPal. When a fingerprint is used for authentication, there can be more long-term ramifications if someone's fingerprint is obtained.
"This means that you can use the Galaxy S5 fingerprint scanner to send money on PayPal and access your password app; unfortunately, it likely means that bad actors who spoof your fingerprints can do that, too," writes Franken.
The letter poses thirteen questions to the electronics company, and Franken asks that they be answered within a month of receiving the letter. Several of the questions revolve around the storage of the fingerprint data, including its security and access by remote or third parties. The company is also asked to detail any future plans for the scanning technology, and to provide any information pertaining to Samsung allowing the scanner to be used by any further third-party apps.
The last four questions in Franken's letter address privacy concerns over the classification of the fingerprint data as "contents" or any sort of customer record as defined under the Stored Communications Act, or as "tangible things" under the USA Patriot Act. His most pointed question is saved for the end, when he asks the company whether there is a "reasonable expectation of privacy" in data provided to the scanner.
At the end, Franken admits that he isn't attempting "to discourage adoption of fingerprint technology for consumer mobile devices." Instead, he wants to ensure that there are proper, secure safeguards in place when it is used. This includes having a public record on how biometric information is treated by companies.
It should be mentioned that the Galaxy S5 doesn't store a fingerprint directly, but rather converts identifying characteristics of the print into data that the phone then uses to unlock itself. The prompts shown when setting up the scanner outline this, but they give no explanation of how, where or in what format the data is stored.