Is flashing the peace sign in our Instagram photos now a security risk?

Richard Wallace

In 2011 riots swept through London and the UK, aided by the encrypted BlackBerry Messenger service known as BBM. This was probably the first widely reported instance of technology being used specifically to avoid detection by the authorities. Nowadays WhatsApp, an end-to-end encrypted platform since 2016, is fully mainstream; but anybody paying attention will have seen the government’s attempts to crack down on encrypted services as a response to alleged radicalisation and extremism.

And anyone who happens to follow Shotta Texts LDN on Instagram will know that WhatsApp is often a way for drug dealers to communicate en masse with their clientele. Mass encrypted communication is, to anybody looking to organise on a large scale without fear of detection, a big opportunity. Sure, the police can still read personal messages on a confiscated phone, but wiretapping and interception are now impossible, even for WhatsApp itself.

Obviously the government doesn’t love this, as it centralises power with an unaccountable private company and prevents state snooping—which is, of course, a core part of the offering for an increasingly privacy-conscious public. But law enforcement is evolving on a technological level to avoid being outfoxed by the tech-savvy. A UK drug dealer was recently convicted based on a WhatsApp photo seized from another phone—a first in terms of using digital evidence to make a real-world conviction. The suspect’s fingerprint was visible in the photo (which showed a hand holding Ecstasy pills) and from there police were able to make a positive match with the suspect.

We’re used to people adapting technology to outrun the law—during Prohibition bootleggers would adapt motor cars (then a reasonably new technology in mass-market terms) in order to outrun still-sluggish police vehicles (this gave birth to the grand American traditions of NASCAR and drag racing). And of course, the law has to try to keep up—making this recent conviction a landmark in the ongoing war between innovation and law enforcement.

This “war” has had obvious battlegrounds over the years: the Dark Web was often used as a funnel for high-grade drugs, mail-order weapons and hired killings, and it was a coup for the authorities when the most infamous dark-web marketplace, Silk Road, was shut down in October 2013. But wars that happen at the bleeding edge of tech are harder to police; drug marketplaces spring up afresh, new tools and services are developed and in turn co-opted by criminal opportunists, and even where the law possesses the technical know-how and resources to take on digitally-skilled bad actors, it is often hamstrung by the myriad legal grey areas that arise when brand-new technology is involved.

Given these legal blind spots, private companies like WhatsApp are increasingly responsible for what people can and can’t do online (it’s purely down to companies whether they want to listen to governments when they demand that back doors and security hacks be built into encrypted services, as per the famous Apple example—often they refuse on ethical grounds, but it would, of course, be bad for business too).

But an interesting question in the wake of this latest conviction is the role of the fingerprint in the digital age. Presumably it’s a quick fix for any aspiring criminal to simply leave their prints out of shot in future, but the presence of a finger in a photo is not just liable to get you thrown in front of a judge—as technology develops, it could leave you open to fraud as well. Increasingly we see fingerprint and even facial recognition used to unlock phones (on which are stored our Wallets, also fingerprint-activated, our locations and an increasing amount of our personal data and correspondence). If someone were to take a putty mould of your finger, they could conceivably unlock your phone—and if that sounds like an unwieldy and inelegant means for fraud, consider the fact that, as written in The Verge, “a security researcher called Starbug…[constructed] a working model of the German defense minister’s fingerprint, based on a high-res photograph of the minister’s hand.” How will the police deal with this kind of fraud in the age of 3D printing?

What’s more, Japanese researchers have warned of the possibility of hackers stealing people’s fingerprint data from photos displaying the peace gesture. After intimate photos of celebrities were hacked from the Cloud a few years ago, we shared a brief moment of anxiety about how we share our bodies online—how to send and store intimate photos safely. But as facial and print recognition software gets increasingly sophisticated, will we have to worry about something as innocuous as a selfie or an innocent hand gesture? Will we have to audit our historical Facebook photos (for our own security, as well as for our dignity and future job prospects)? Will showing our faces online become a risky act, and how will that affect the online culture and behaviour we’ve always known, a culture often based around self-presentation, #squadgoals and personality?

It’s hard to say, but we can be sure that black-hat hackers are always looking for new ways to exploit us, and the police are always looking for new ways to tackle online crime head-on. After this most recent conviction, perhaps only one thing is certain: anybody on the wrong side of the law should think twice before they give a cop the finger.