"Passwords are secret and dynamic; fingerprints are public and permanent," wrote Sen. Franken. "If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it—as many times as you want. You can't change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not a secret. What's more, a password doesn't uniquely identify its owner—a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life."
He's certainly not the only one that has questions: a number of people have put in over $16,000 in bounty money, booze, and a "dirty sex book" as an incentive for hackers to break Touch ID.
He also has specific questions for Cupertino:
(1) Is it possible to convert locally stored fingerprint data into a digital or visual format that can be used by third parties?
(2) Is it possible to extract and obtain fingerprint data from an iPhone? If so, can this be done remotely, or with physical access to the device?...
(10) Under American intelligence law, the Federal Bureau of Investigation can seek an order requiring the production of "any tangible thing (including books, records, papers, documents, and other items)" if they are deemed relevant to certain foreign intelligence investigations. See 50 U.S.C. § 1861. Does Apple consider fingerprint data to be "tangible things" as defined in the USA Patriot Act?
The last question is germane to recent discussions of law enforcement and national security overreach. But given that the iPhone doesn't store fingerprint data in the cloud, the PATRIOT Act shouldn't come into play ( via arstechnica.com ).