On Wed, Sep 11, 2013 at 1:13 PM, Jerry Leichter <leich...@lrw.com> wrote:
> On Sep 11, 2013, at 9:16 AM, "Andrew W. Donoho" <a...@ddg.com> wrote: > > Yesterday, Apple made the bold, unaudited claim that it will never save > the fingerprint data outside of the A7 chip. > By announcing it publicly, they put themselves on the line for lawsuits > and regulatory actions all over the world if they've lied. > > Realistically, what would you audit? All the hardware? All the software, > including all subsequent versions? > > This is about as strong an assurance as you could get from anything short > of hardware and software you build yourself from very simple parts. When it comes to litigation or actual examination, it's been demonstrated again and again that people can hide behind their own definitions of terms that you thought were self-evident. For example, the NSA's definition of "target", "collect", etc., which fly in the fact of common understanding, and exploit the loopholes in English discourse. People can lie to you without actually uttering a demonstrable falsehood or exposing themselves to liability, unless you have the ability to cross-example the assertions. I don't have a precise cite for the Apple claim, but let's take two summaries: first, from Andrew "Apple made the bold, unaudited claim that it will never save the fingerprint data outside of the A7 chip". Initial questions: does this mean they won't send the data to third parties? How about give third parties the ability to extract the data themselves? Does the phrase "fingerprint data" include all data derived from the fingerprint, such as minutiae? second, from Macworld<http://www.macworld.com/article/2048520/fingerprint-sensor-in-iphone-5s-is-no-silver-bullet-researchers-say.html>: "the fingerprint data is encrypted and locked in the device’s new A7 chip, that it’s never directly accessible to software and that it’s not stored on Apple’s servers or backed up to iCloud". Similar questions: is the data indirectly accessible? Is it stored on non-Apple servers? Etc. Unless you can cross-examine the assertions with some kind of penalty for dissembling, you can't be sure that an assertion means what you think or hope it means, regardless of how straightforward and direct it sounds. - Tim
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
