Tales from Another Reality: Security is now a problem

by Uluroo — January 11, 2018

You know security? That thing that's so important to people? Although it may seem like a paradox, that thing you thought was so great is actually terrible at the same time. Allow The Register's Mark Pesce to explain.

"Smartphones' security enhancements just make them more dangerous."

Say whaaat?

Over the holidays I bought Apple’s newest, shiniest face scanner.

We've already reached space-time conundrum #2 (the first was the headline) in the first sentence; as the iPhone X is Apple's only face scanner available, it is automatically the newest and shiniest regardless of how new or shiny it is, making "newest" and "shiniest" somewhat redundant here unless you have access to a wormhole, in which case please contact Uluroo so he can purchase it from you.

For the first fortnight - and periodically since then, that constant lift-and-scan felt weird.

In a good way? Like, good for the user experience? Because lots of people have been saying that it feels weirdly good. But no, that's not what Mark is talking about.

As though my smartphone had suddenly become too intimate, too familiar.

Uluroo doesn't know about anyone else, but having a phone that knows what he looks like seems like a better premise than having a phone that stores his fingerprint. This may have something to do with the fact that literally everyone who sees Uluroo can see his face, whereas nobody who sees Uluroo can see his fingerprint.

Except, however, for the instances in which Uluroo does not want to be seen because he's on official business. Or, in similar instances, where his fingerprint is forcibly scanned against his will.

No, Uluroo is not a criminal. He's talking about Disneyland, of course.

It started with passcodes - which many people didn’t even use, to begin with. Then, as it became clear that an unlocked smartphone could leak dangerous data, we began locking them behind PINs.

Even that basic layer of safety proved too hard for many people - either unable to remember the PIN or unwilling to spend time typing it in, over and over and over - so a few years back the devices added fingerprint readers.

True, fingerprint scanners added convenience. But part of the reason systems like Touch ID were added was for security.

As the device acquired the necessary sensing and computational capacities, designers could raise the bar on access control.

Uh, yeah... because that's why fingerprint sensors were put there in the first place. It's not like designers were like, "Hey, let's add fingerprint sensors for a better user experience!" and someone else mentioned, "Hey, you could also make the phones more secure!" Mark is talking about these two ideas as though one came before the other, but they were intertwined from the start. Fingerprint sensors were chosen as the way to add convenience because they were secure, not the other way around.

The smartphone, now seen as safe and secure, became the home for a range of data that had formerly only lived in highly-protected data centres...

First of all, correlation is not causation. People didn't just start storing more personal data on their phones because they were more secure (because even then, not all phones had the aforementioned security benefits, and some still don't today). It was a result of the increasing place smartphones had in our lives.

And anyway, smartphones are highly protected data centers. Just look at current iPhones. They're so secure even the government has trouble cracking them. So this data Mark mentions a) didn't move to phones because of the added security and b) didn't migrate from more secure to less secure systems. The rise of smartphones as our most personal computers (take that, PCs!) was not just a result of the hardware, it was a societal change.

Suddenly the accidental loss or unlocking of a smartphone became a very serious matter, far beyond the loss of a wallet or keys - or anything else we’ve ever carried around with us everywhere.

Space-time causality breakdown #3 as iCloud and other data backup systems have apparently been wiped from history.

Meanwhile, in the universe commonly known as Our Reality, said systems allow users to not lose as much because of accidental losses (are there intentional losses?). In that case, you're only losing the hardware, not the data, and you can remotely wipe the device if it's been stolen.

It’s as if each of us bears our crown jewels in our pockets, relying on the big padlock we’ve placed upon the device to protect us from thieves.

Except that your crown jewel is not your crown jewel, it's a magic portal that allows you to see your crown jewel, which is safely stored in a magical cloud (see where Uluroo is going with this?). And your magical portal can be destroyed remotely. So really, you're carrying a method of interaction with your data, and you don't have to put all the data in one place.

Also, has Mark forgotten about the security enhancements he mentioned earlier and conveniently forgot?

"As smartphones get more secure, we risk too much by storing too much on them!"

"What security?"

Smartphones have enormous utility value, but that’s created a kind of gravitational warp around them. They’re too dense with value, requiring increasingly careful handling and ever-stronger locks.

Uluroo doesn't understand what you can do to handle your smartphone more carefully other than not dropping it off a cliff and using a case and screen protector (which people have been doing for ages). And these "ever-stronger locks" do exist. One of them is called Face ID. Do you remember that? It's on Apple's newest, shiniest face scanner, the iPhone X.

So to FaceID™ [sic], because Apple claims fingerprints aren’t nearly unique enough.

Silly Apple! Face ID is 20 times more secure than Touch ID but what do they know about this device that they have spent years designing?

It may be that my mug is more unique than my thumb...

It's actually not! Your fingerprint is actually more unique! But Face ID does better at scanning your face than Touch ID did scanning your fingerprint, and it's also better for the user experience, which is one of the reasons these security enhancements are put in place at all.

... but maybe we should be asking ourselves how much safety we need?

Remember all that stuff I just said about how our digital lives need more protecting with ever stronger padlocks? You can forget about that now, because why should we have this security in the first place and j;adksfkja;dfs;afhs;fafkdsj

Already we know that a clever 3D print job can fool FaceID some of the time.

Some of the time. It hasn't happened in the real world yet, but time to panic! Did you know that Touch ID could be fooled by Play-Doh? It's true! But did it happen to anyone in the real world (by which Uluroo means did any users experience Play-Doh raids on their devices)? Should users be worried? Uluroo doubts anyone would go to the trouble of doing what it would take to unlock an iPhone X unless the target were a celebrity or political figure.

That will only grow easier as the technology becomes better understood.

It is only reasonable to assume that Apple will cease to make improvements to iPhone security and Face ID will remain exactly the same over the next several years.

The arms race of security ratcheting ever upward, will continue to demand ever more invasive scans to determine our authenticity.

Quick question: Which is more invasive, the device that scans your face, which everyone can see, or the device that scans your fingerprint, which almost nobody can see? And what makes Mark assume that Apple and other companies would create more invasive scans? All the security advancements until now have happened to improve both security and the user experience.

In about a decade or so - advances in microfluidics will allow Apple to embed a rapid DNA analyser - a la GATTACA - inside iPhone XX.

Uh...

I can already imagine Tim Cook’s keynote, touting the “one in a billion” uniqueness of DNA. A thousand times better than that silly and so-easily-spoofed FaceID! You’re gonna love it!

Introducing Tongue ID! To easily authenticate your identity, all you have to do is lick your iPhone XX once, and your saliva is scanned! That's it! Just one lick! Apple, the company that cared about the user experience, is now dead.

Will we love it? Or will we be so afraid of our digital selves falling into the wrong hands (particularly those closest to us) that we’ll simply submit to any indignity to protect ourselves?

If you look at Apple's record of introducing secure and user experience-conscious devices, you will discover that this is a false dilemma and that Apple would never make us submit to the indignity of Tongue ID or Blood ID or whatever user experience nightmare Mark is setting up.

We’ve always had to be careful when transporting objects of great value. It may be that we decide the wiser course is simply not to transport them at all.

Sorry, I can't send that email right away because my very-risky-to-carry device with its very-undignifying security system is currently locked in my basement, where it's safe.

As phones become more secure, they do not become more droppable. If anything, we'll just use more protective cases.

My new iPhone feels as though it sits right on this side of that abyss, asking us how far we’re willing to go - and how much we’re willing to surrender - to be secure.

This is a false dilemma. Please go back and try again.

Benjamin Franklin famously said, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”

This is a very good quote that has nothing to do with what we're talking about. When you unlock your device, you don't sacrifice essential liberty or get temporary safety; you spend less time unlocking a more secure smartphone. Does this make sense?

With every scan of our faces and our fingerprints, we need to ask ourselves whether we really feel any safer. ® [sic]

Uluroo isn't sure what that ® is doing there, but whatever, he's including it in case it's a coded message that means "Today's opposite day! I meant the opposite of everything I just said!"

This last sentence is obviously meant to be very inspiring-sounding, but it makes no sense. You scan your face and fingerprint so that you are safer. If you don't feel safer (say, if you own a Samsung phone with crummy facial recognition), you shouldn't be using that security system.

Mark set up security as the reason for the risk behind our digital lives. Then he forgot that these same systems are what protect our digital lives. Then he asked why we even bother with security anyway.

Seems kinda weird that you think the lock on your door is the reason you have so much stuff in your house. Then you panic because you forgot you have a lock on your door and oh, no, your house is no longer secure! And then you say, "Why even have the lock anyway?"

Security is what it sounds like: secure. People have secure devices because of what they keep on their phones, not the other way around. And in case you were still on the fence, Mark, security is, in fact, a good thing. At least in our reality.