Apple Patents Collecting Biometric Information Based on Unauthorized Device Use

Apple applied for a patent earlier this year on collecting biometric information of an unauthorized device user. The obvious application is taking a copy of the fingerprint and photo of someone using a stolen smartphone.

Note that I have no opinion on whether this is a patentable idea or the patent is valid.

EDITED TO ADD (9/13): There is potential prior art in the comments.

Posted on August 29, 2016 at 6:27 AM • 32 Comments

Comments

Drone • August 29, 2016 6:52 AM

"Note that I have no opinion on whether this is a patentable idea or (if) the patent is valid."

Hmmm... After just a few moments of thought:

1. Should not be patentable on the merits: The concept has repeatedly been in practice for years prior to the patent date reported, and not just for mobile phones. For example, I remember seeing this concept put into use as part of more than one commercial vehicle tracking system.

2. Is the Apple Patent valid? Gee dunno - does prior art no longer matter in the (increasingly corrupt and dysfunctional) U.S. Patent and Trademark Office?

Pocono Chuck • August 29, 2016 7:27 AM

Let's assume for a moment the patent is valid.

Let's also assume I found a device on the ground (sort of akin to the Mr. Robot game, if you will).

Why would I use the fingerprint reader at all?

It's not my phone, so there's no chance my print will work.

Roastbeef • August 29, 2016 7:38 AM

They're going to end up with lots of fingerprints of my 18 month old based upon my household usage.

PoconoChuck: On the iPhone the fingerprint reader *is* the button.

Wade Ahminitt • August 29, 2016 7:43 AM

I thought Apple doesn't have a copy of your print or the hash. It's internal.
Right? Wrong?

And, since when can you open a phone with a photo? Am I missing something?

I don't like saying this, because in general I like Apple stuff, but prints and pictures are standard police state ID data all over the world.

My 1984 slippery slope sensor is telling me we are very close to the bottom.

Clive Robinson • August 29, 2016 7:53 AM

@ Bruce,

"Note that I have no opinion on whether this is a patentable idea or the patent is valid."

Even if it is a valid patent, is it legal?

In the US --where PII data collected belongs to the collector not the source-- it might be but in other places certainly not.

Unsurprisingly, people living in shared accommodation have a habit of trusting those they share with. Which means they often leave their phone unattended in shared areas. Thus it's not unknown for a person to pick up another person's phone by mistake. Currently this is not much of an issue, these things happen and usually cause no harm.

However with this "recording" of others' PII, it's of little or no use if it stays on the phone. Therefore it is most likely to get sent to the "cloud" automatically.

Thus there are two areas of unlawful behaviour. Under privacy legislation, storing the PII on the phone makes it "an unregistered database" which has both civil and criminal sanctions. If sent into the cloud there is a whole bunch of other legislation that would come into play that again have criminal and civil sanctions...

But there is also the issue of where the recording of the PII occurred. If in a public place or place where the phone owner is not authorised then there are other legislative issues...

But even if it was a criminal stealing the phone, would the PII be admissible in court? After all what is the chain of custody of the evidence?...

Pocono Chuck • August 29, 2016 8:01 AM

@Roastbeef

Understood, but is the print reader always active, or only when you rest your finger on it?

Besides, I can use a pencil or stylus, or gloves.

Alex • August 29, 2016 8:39 AM

"Note that I have no opinion on whether this is a patentable idea or the patent is valid."

You denied it, therefore you do.

CMR • August 29, 2016 8:46 AM

Well this just makes it official. Not that they haven't already been doing this as an experiment. It's gathering other information, not just fingerprints, facial, and audio. It's capturing as much of the surrounding area as it can, like in Apple's pano feature in the camera. It targets the unauthorized user and baits them for some time to gather enough information as it can. My question is; "Is this new bio-metric data collection only going to be utilized when a phone or device has been reported stolen?" "Or is this some new future government data collection intervention?"

Bob • August 29, 2016 9:00 AM

Maybe I should patent killing people too, then I can sue all the criminals! I'll be RIIIIICH! :P

(this is in reference to how all unauthorized access of a computing device is ILLEGAL anyway!)

tsavo • August 29, 2016 10:20 AM

Capturing photos during instances of suspected theft has been around since USB cameras with desktops, carried forward with on-board cameras on laptops, and again with mobile security apps (i.e. Lookout). Attempting to patent the taking of photographs would be a stretch.

Attempting to capture biometrics during instances of suspected theft could be argued that photos themselves are biometrics, facial rec and pulling fingerprints from images. Key-logging software itself could be argued to be biometric capture.

It'd be difficult to believe the patent application would be approved, but strange things happen at the intersection of politics and money.

NF • August 29, 2016 10:42 AM

The comments here are paranoid and inane. Apple has patented a feature that the owner of the phone would turn on, similar to the "Find My iPhone" feature. Look, if you steal my phone and you're dumb enough not to disable the camera and the fingerprint sensor, I'm more than happy to allow Apple to redirect the TouchID input from verifying against the Secure Enclave, to sending the raw data to be stored in an anti-theft database.

This feature makes all the sense in the world, nobody else is implementing it (why would they? Nobody else has built a communications device with similar functionality), and I can't wait for it to be implemented. We have to do more to crack down on the gangs that steal phones. Stealing a phone has to turn into a profitless and perilous activity, especially as more and more people continue to store sensitive material on their phones.

There is nothing 1984 about this. Robocop, maybe.

albert • August 29, 2016 10:58 AM

@Drone, et al,

The USPTO isn't corrupt, per se. It simply ignores patentability rules. OK, maybe it is corrupt, but it's not like the NSA's unconstitutional data vacuuming.

It's a big money maker for the USG (and large corporations). Last I checked, over $700M/year. It may push over $1B.

How do you increase return? By awarding more patents! We got patents on math (compression algorithms, cryptography), and software in general. I've read that it's a problem within the mechanical arena as well.

The so called 'IP' lawyers are also cleaning up. The losers, as always, are us.

Nowadays, it's extremely difficult to assess patentability. You just don't know how they'll rule. It's that crazy. No use applying logic. 'Obvious' is no longer obvious to rational people.

. .. . .. --- ....

ab praeceptis • August 29, 2016 11:08 AM

Let me free-wheel a bit ...

fb knows everything about our everyday lives, friends, loves and hates, political leaning, income bracket, etc.

apple has our fingerprints and eyescans (come on! When they say image you didn't seriously think of an innocent photo, did you?)

nas has everything anyway - incl. lots of "trusted" corporations with frightening access inside.

1984 *was* fiction, after all. A romanticized optimistic version of 2024.

albert • August 29, 2016 11:21 AM

@Clive,

Notwithstanding the crazy USPTO, the collection of fingerprints is not illegal, unless a warrant is not obtained (in cases where the prints are on private property). Police can obtain prints from a lost phone, or a stolen car, or any public place. As for chain of custody, this needs to be tested in the courts. Electronically reading, transmitting, and analyzing of fingerprints is already being done by LE, so legal accommodations would be needed to allow Apple to store collected prints. The LE/IC would love something like this.

. .. . .. --- ....

WhiskersInMenlo • August 29, 2016 2:01 PM

A patent idea does not demand deployment or sale.
Even if granted as a patent there is no requirement to build it.

It has impact in the grand scheme of law enforcement demands.
A patent keeps third party services from developing and selling
such services. Yes there is a way for the government and contractors
to use patents for 'Free' in some cases.
If Apple builds it they can set a price and establish what the reasonable
compensation by the government or contractors is.

A patent also establishes bounds from the likes of other hand
held device vendors.

In the end for this to be interesting such profiles must qualify
as reasonable cause for busting down doors, stopping vehicles
and making arrests.

Patent-ability... this is one of the wineglass/face (positive/negative)
space things. If you look at it one way it allows access, if you look
at it differently it can deny access and establish specifics for access.

The same good/bad allow/disallow profiling is used in active firewalls and more.
So was it really Russian agents that hacked the email of ....?

DNA and Fingerprints have a statistical framework to establish false positive
reports and arrests. This invention will need to establish a comparable
statistical framework to play as a peer in court. A court order for "person with
brown hair" does not fly. I wonder how this will go.

The interesting bit is Apple has data from the positive side of the
"invention" and may know or be able to quickly determine the answers.

trsm.mckay • August 29, 2016 2:53 PM

Easy prediction: privacy and bio-metrics will soon get way more complicated. We already have some peeks from cell phones with cheap audio and video digital capture. Now picture what happens when mixed reality devices like the Microsoft Hololenses become used commonly, with multiple cameras and microphones trained on both the environment and the user.

Aside about user authentication - Physical keys become even less of a security barrier, no longer needing pictures to be published somewhere, just an incidental glance. Same with passwords entered on mobile devices, already chancy in today's security camera happy environments - conventional passwords become almost worthless with prolific amounts of next generation Google Glasses. One minor benefit, it does bypass today's limited user authentication - where the security of authentication is proportional to the user hassle of the authentication method. Constant monitoring of eyes, voice, heartbeat, and other factors will make high quality user authentication unobtrusive to the user, so long as you don't account for the intrusion of constant monitoring.

Establishing clear ownership of the device, and the data it processes will become increasingly important. Devices created to vacuum up personal information will become increasingly better at this, and capturing incidental information becomes much easier.

Starting commercially - as a company, do you trust Microsoft or Google to properly handle your confidential information (given the number of companies using their hosted email systems, this was not an accidental example)? At least with these scenarios there are some ways to limit exposure, albeit much less effective than some people think. Now consider how much more extensive that trust is when dealing with cloud processing of mixed reality devices. The personal picture is considerably worse, as consumers have less power and information when dealing with companies. And when you start looking at the potential abuses of governments, it makes 1984 seem like peep holes into meeting rooms.

If there is any chance of heading off this privacy disaster, it will probably require a cultural renegotiation of privacy. Some of it is awareness, too many people don't understand what they stand to lose. But there are other places where society should learn to accommodate as the private sphere becomes more public - increasing tolerance for homosexuality is a positive example (it used to be strong blackmail material, and now is considerably less so).

But speaking as a techie who creates the systems that contribute to the problem, there are things we can do to make the situation better (though some of this needs lots more work). Establishing methods and modes for ownership is a start - this is rather muddled at the moment with lots of competing owners, very few of which are the nominal owner/possessor of the device. Take cell phones for example: Apple/Google, Cell Carriers, Content Providers with DRM, and governments all stake claims for some level of control. Gets even more complicated in mixed use scenarios, if my mobile is going to contain company data how can they protect the data while not being allowed too much power over my private device (this issue, and the lack of a good solution, is why I tend to carry a personal and a company mobile).

We also need to do a better job of data ownership. Perhaps homomorphic encryption has some promise when needing to send privacy impacting data for computation in a cloud (though given the successes at de-anonymizing data sets this is a new area that needs to be done carefully with lots of skepticism). I remain somewhat optimistic that it could be done, but right now I see not enough motivation that it will be tried.

Ergo Sum • August 29, 2016 5:02 PM

@NF...

"The comments here are paranoid and inane. Apple has patented a feature that the owner of the phone would turn on, similar to the 'Find My iPhone' feature. Look, if you steal my phone and you're dumb enough not to disable the camera and the fingerprint sensor, I'm more than happy to allow Apple to redirect the TouchID input from verifying against the Secure Enclave, to sending the raw data to be stored in an anti-theft database."

Well, at least until we will learn that LE can simply ask Apple without court order, just an NSL, to turn it on for them. But that never will take place, right? Right...

Clive Robinson • August 29, 2016 8:16 PM

@ trsm.mckay,

"Establishing clear ownership of the device, and the data it processes will become increasingly important."

It is one of my major concerns. It does however have a big fly in the ointments. Let us assume --as in some jurisdictions-- you have primacy over the data on the device you use, likewise any actions you take.

That is only a quarter of the problem, what happens when I send you a message, I have just split my data/actions between my device and yours, who has data/action primacy over the copy on your device? In theory I retain primacy, --much as you would do by being an author of a book,-- but in practice I have no control over your device. But I might be able to use the court system to force you to be compliant with my wishes via contracts of one form or another.

But there is a flip side to this problem. Whilst I might be able to get you to ink an NDA etc which had data/action security, confidentiality and similar causes, I probably can not with those from whom you get service.

Which brings us to your point of,

"Now consider how much more extensive that trust is when dealing with cloud processing of mixed reality devices."

This has multiple issues two of which are "use of suppliers cloud" may not be optional or apparent to a user. For instance think about Win10home and how few know or even understand what Micro$haft are doing with the "oh so secret" telemetry. Then look at other Micro$haft End User Licence Agreements, where they reserve the right to access any and all your data and actions, and hand them onto third parties. Likewise they reserve the right to destroy your data and applications as they see fit.

As we know music lovers have found that their music files on their devices are not their own if they subscribe to certain Cloud services.

I personally have been against "Cloud Services" of all forms since the term was thought of. The fact that the misgivings that I and others have had about it have not just come true but have in some cases become worse than imagined has not stopped the apparent headlong movement in that direction by others. Be it knowingly and willingly or unwillingly and unknowingly appears not to matter, because certain corporate entities have decided that's the way it's going to be and the US Government for its own ends has passed legislation to protect such actions.

Thus the question becomes "How does anyone stop their data/actions ending up on a cloud server in a jurisdiction where they have neither standing nor recourse under law?".

I perhaps am lucky in that I do not require connectivity to external networks for much that I do with computers. And I also know how to ensure the computers I use for sensitive activities do not leak data/actions via less than obvious ways (ie how to "energy-gap" rather than the much weaker "air-gapping").

Our politicians and IC apparently worry about China / Russian / latest existential threat country and not just their data exfiltration but APT "Command and Control" of infrastructure, but for some reason do not turn a hair that the likes of Micro$haft are not just making it easy beyond belief to do, but are actively carrying it out...

In effect we have passed a tipping point, in that those with a legal duty of "privileged communications" can not in the traditional sense ensure it any longer when using computers in standard ways.

Thus what was only a few months ago considered exceptional, extreme or paranoid ways of using computers has become the only way open for those with a legal duty of confidence to use them... Something for which they are totally and utterly unprepared and in many cases unknowing of the requirements or procedures that are now required of them...

At the very least BYOD has to stop forthwith, and segregation of roles and separation of resources has to be actioned to avoid significant civil or criminal liability...

gordo • August 29, 2016 9:36 PM

Internet Balkanization is Coming
By Michael Anderson - ISSA member, Australia Chapter
Open Forum, ISSA Journal, April 2016

Some highlights:

National Security:
- "Firstly, with the cloud many institutions are eschewing their own infrastructure."
- "...the extensive spying....balkanizing data flows...."

Tax and Big Business Revenue:
- "Until recently it has been very profitable to appear to domicile in one country while extracting revenue in another."
- "...regional licensing along geographical and national boundaries with differing fees."

Bottom Line:
- "Cyberspace, although intangible compared to land, air and sea, will like them become balkanized."

https://www.bluetoad.com/publication/?i=296794&p=10

your fingerprint is mine now • August 30, 2016 12:08 AM

Android 6.0 (Marshmallow) has support for fingerprint scanning in its API.
https://developer.android.com/about/versions/marshmallow/android-6.0.html
http://www.computerworld.com/article/2989973/android/android-60-marshmallow-faq.html
http://www.tested.com/tech/android/568905-everything-you-need-know-about-fingerprint-sensors-android/

The fingerprint sensor is not the entire screen at this moment, but you see the trend, right? Of course your fingerprint will be sent to Google and NSA for "processing".

Jojo • August 30, 2016 4:17 PM

Well .... maybe Apple are looking for more revenue streams if their appeal against the EU ruling on their tax setup with the Irish government falls through. :-)

Tatütata • September 2, 2016 10:03 AM

Lest I fall into a long-winded discussion about patent law for which this isn't really the ideal forum, I would limit myself to a few observations:

1) This application isn't quite as recent as the press coverage would make one believe. Although it was indeed filed last April, it is a derivative of an earlier application filed 2012. It was filed as a "continuation-in-part", which is IMO something of an oddity of US patent law. This type of application roughly corresponds to "improvement patents" that were abolished in most foreign patent laws.

2) The two-member patent family can be seen here. From a cursory inspection, both cover roughly the same subject-matter, and I would have to study them in detail to figure out why this one was filed as a CIP rather than as a "divisional" or a "continuation". I find it interesting that Apple limited this family to the US only, rather than seeking worldwide coverage.

3) The earlier patent application published as US2014007223A1 was actually the one claiming the uploading of biometric information. Initially they wanted to transmit the fingerprints by the phone upon an identification failure, but during prosecution they modified it to perform this under instruction of a central location. A notice of allowance was issued, but Apple did not respond to it, and the file is currently marked as abandoned. I find this surprising.

4) The application which is the subject of this post is claiming something somewhat different than what is supposed implicitly in the above comments, namely the management of data on the server:

1. A system for capturing biometric information for identifying unauthorized users, comprising:
at least one computing device, comprising:
at least one biometric sensor;
at least one processing unit, communicably coupled to the at least one biometric sensor; and
at least one non-transitory storage medium storing instructions executable by the at least one processing unit to: receive at least one instruction from at least one additional computing device to capture biometric information, wherein the at least one instruction is received based on potential unauthorized use of the at least one computing device; capture said biometric information without making said unauthorized user aware of said capture; receive the biometric information from the at least one biometric sensor; store the biometric information; and
purge at select times at least a portion of the stored biometric information according to a purging rule,
wherein the purging rule is based on at least one of:
a given number of unauthorized access attempts;
a given period of time;
a type of biometric information;
a determination whether the biometric information comprises a complete set of biometric information; or
an amount of biometric information associated with a type of biometric information.

I added emphasis on the word "purge" as I feel that it is the crux of the application. This is the kind of thing clever attorneys try to claim: figure out something one implementing some prior would have to do anyway, but wouldn't necessarily bother describing in detail. Then cry "hindsight, ex post facto analysis" whenever obviousness is argued.

Tatütata • September 2, 2016 10:47 AM

I posted a longish comment about 45 minutes ago. It appeared, but then disappeared. Any reason for that?

Core Problems • September 5, 2016 3:17 AM

If you are looking at getting into banking, considering you already deal with large numbers of financial transactions you would probably like to have people agreeing to you capturing and storing their biometric information. The benefits of convincing people to use "Apple Payment Protection" will likely help ensure you aren't losing north of $2,500,000,000 each year due to stolen tokens/credentials. It can be marketed as added security and perhaps even profited from as an added Apple Care service or something, especially helpful when faced with paying a tax bill.

Knocking off paypass is very common and widespread and most people caught doing it probably haven't yet figured out how to do it without being caught later, or how to get other people to unknowingly do it for them.

Cobble biometrics together with voice recognition, WIFI analysis, geoloc, chatbots and get one of the MarkMonitor DNS and cert authority type gatemonitors to manage it and then you can wipe your hands of any responsibility as you aren't sure of commercial agreements they might have with other entities that you can't mention anyway if you did. Feed the stats all into a learning capable system for pattern and trend analysis, then see what profitable discovery emerges.

If a widespread framework to implement biometric identification commercially exists, there is likely a lot less backlash than when you enforce it through secret national security laws that people don't like even when/if they understand it. The public instead get more actively involved in law enforcement without realising it and you don't need to hand them a shovel when they'll pay for their own.

Jack Blackwell • September 8, 2016 9:44 PM

Heard about something like this in ATMs and e-government self service machines in Saudi !!?
