Slashdot Mirror

← Back to Stories (view on slashdot.org)

Biometrics, Ownership and Privacy?

Posted by Cliff on from the who-owns-the-data dept.

symbolic asks: "I just finished watching a small segment of World Business Review on PBS, where the topic of discussion the use of biometrics by employers to not only provide confirmation of identity, but as something to drive other parts of the operation - like tracking employee time. Briefly mentioned were face and iris scans, but as I was watching a picture of someone's iris, I realized that once an employer has captured a scan of your iris (or any biometric data), who has control over it? Does it become part of the cesspool of information trading that occurs between business and government entities? Will trading of someone's biometric information become as ubiquitous as their address or phone number. Is there any reason we should be concerned about this? I'd like to hear what others think about this." Ask Slashdot has previously approached the Biometrics topic for technical issues, but the privacy issue of such data has yet to be addressed. How do you feel about biometric data (or any data derived from your physical makeup, like your genome) being used as another commodity (like your address) in the corporate data exchange?

18 of 223 comments (clear)

  1. Yes! by casio282 · · Score: 3, Insightful

    Of course we should be concerned about this! You can change your phone number, your email address, your name, and even your social security number if you work hard enough. But you can't change your biometric data, so once it's in the wild marketplace or personal information, it's out there for good...

    --

    :wq
    1. Re:Yes! by RealisticWeb.com · · Score: 5, Insightful

      So why is that a problem? It is exactly the same to me as my finger prints. You can't change your finger prints (without scaring them) do you ever worry about who gets ahold of your fingerprints? No one does except a criminal. Do you wear gloves in all public places so one one can come by later and print you? Do you ever worry even slightly that a national database containing an image of your fingerprint will be comprimised by a cracker and used agaist you? No? I didn't think so. To me the fact that that they can't be changed is exactly what makes me not worry about it! If that information is sold it wouldn't be any different then the rest of my information that is currently being sold, except that you can't fake an eyeball! People can make fake credit cards, fake ID's and forge signitures, but what are they going to do, grow a synthetic eye from my DNA and hold it up to an eye scanner? Implant them in thier own eyes? You've got to be kidding. People who are going to get away with identity theft or even hacking/cracking for that matter are going to go for the most easy and fast way. Biometrics will be so hard to fake and do anything with, they are just going to try and swipe your credit card number the old fasioned way. I wouldn't get too riled up about this if I were you.

      --
      Sigs are out of style, so I'm not going to use one...oh wait..
    2. Re:Yes! by finkployd · · Score: 5, Insightful

      Can't fake an eyeball huh? Well, perhaps not. I possibly could, however, intercept the stream of bytes that represent your retinal scan. Now we have a problem, because you cannot revoke that identity. With any other form of authentication system, you can change your password, revoke a public key, etc.

      You are operating under the assumption that all eye scanners are in tightly controlled, protected areas. This is an unacceptable form of authentication for obvious reasons.

      Today I can log into my bank from home. If biometrics were to ever become widespread and replace password authentication (admittably a very problematic system), it is going to have to be accessable from everywhere (including your home computer). A biometric reader could easily come standard with a PC (or even handheld), but there better be a damn good method of protecting the biometric data in transit.

      Finkployd

    3. Re:Yes! by shylock0 · · Score: 2, Insightful
      An interesting idea. But ultimately one that probably wouldn't work. Retina images, like most biological imprints, have fractal-like resolution. Retina images aren't simple images. They are complex biological patterns whose level of resolution approaches the cellular level. Impossible to replicate? Probably not. But throw in a spectrometer and a thermometer along with the optical scanner, and you're pretty much guaranteed a counterfeit-free solution. You can't fake an eyeball, anymore than you can fake a stomach, or a heart, or any other human organ, to be identical to another.

      Basically, what B.D. Mills fails to realize is that biological systems -- and biological imprints -- have a level of detail that is nearly (though not totally) impossible to replicate mechanically. Biological systems are, by their very nature, pseudodigital, and not analog (like an inkjet print on a piece of paper). It is this pseudodigital nature that makes them so appealing.

      Which, as I'm sure pessimists will be quick to point out, does not make them perfect. But neither is any other system of identification that we, as human beings, have managed to devise. Even passwords are susceptible to truth serums -- or even just a fair bit of alcohol and a "trusted" friend. Like any system of identification, it is foolish to assume that biometic systems are completely reliable -- perfect -- because no system is or can be.

      --
      Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
  2. Biometric data, and whatnot by abysmilliard · · Score: 2, Insightful

    While I'm sure that there will be a massive puscht to trade and sell biometrics about employees (and, looking down the road, consumers, should the technology be adapted for things like credit cards and ABMS), it sets off giant, giant alarm bells for me. I mean, while we have things like addresses and phone numbers being traded and sold by large companies, such details about a person are easily changed. The basic structure of your retina or your fingerprints, however, are things you're stuck with. I really can't see any technology coming along that will rewrite your retinal signature outside of expensive surgery. That leaves fingerprint and retinal data, at the least, even more personal and, to my mind, private than your name. You can change just about everything about yourself, statisticwise; eye color, hair colour, weight, musculature, name, address, phone number, SIN number, credit card number, employer, and so on But you're stuck with your body. Barring six-million-dollar-man bionics, the one you've got is the only one you're ever going to get. Having unique bodily markers floating about on an advertiser's list, or worse, a blacklist for potential hires or borrowers, in the case of employers or credit companies, seems....alarming I'd rather be anonymous than tracked for my own safety. Anonymity is a risk I'm willing to take.

  3. Identity-circumvention device? by Bollie · · Score: 3, Insightful

    Coloured contact lenses.

    It's not farfetched to think that some idiot in the wake of 9/11 might push a law making it illegal to wear them. Oh yeah, only after the law's been passed will things like this come to light...

    Just think, a DMCA for identity-circumvention devices. No more anonymity, because, it's good for you!

  4. Biometrics bother me... by boa13 · · Score: 4, Insightful

    ... because you can't change or revoke them. What if someone manages to get a copy of the binary data that characterize your iris? What if it gets circulated in some crackers circle? Will you change your iris? Or will you change your job? Or will you simply loose your work, since your iris is now unusable by your company?

  5. The biggest problem with biometrics. by oGMo · · Score: 5, Insightful

    Recently I watched a presentation by a biometrics group, so this is a bit familiar to me. By far the biggest problem, the question unanswered, is what to do when your information is compromised.

    See, you can change your credit card number, or your email address. You can even move someplace else. But you can't change your biometrics. Hopefully movies like Minority Report will provide some Good FUD about biometrics, so people realize that this information should be kept as private and closely-guarded as their own life.

    It's funny how people seem more willing to give out their fingerprint or retina than they are a number on their credit card. It may be hard to hack. It may be very hard to hack. It may be almost impossible to use. But as those in the security business know, nothing is impossible. And with biometrics, once you're compromised, that's it.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  6. Re:Well.... by jweb · · Score: 3, Insightful
    Yes, this is an issue. The biggest problem with biometrics as a unique identifier is that they don't tolerate failure well. If your retnia scan is compromised, there is no way to recover from the failure, short of an eye transplant.

    I haven't had any problems with ethical/nonethical use of my information yet.

    The key word here is yet. If a biometric national ID card comes into common use, you can bet that there are any number of corporations and script-kiddies who will find a way to use this information in a non-ethical way.

    --

    Think For Yourself. Question Authority.
  7. Physical info is different by pizza_milkshake · · Score: 2, Insightful

    In all seriousness, /. posted a link to a good article recently (the author's name escapes me) where he said that the big difference is that once someone has your physical/molecular data, they've got it forever. passwords, combinations, cc#'s and phone numbers expire. ss#s can even change. but your fingerprint and your dna won't. once someone gets your fingerprint data in an electric format, how do you ever recover from that? how will it ever be known whether the user is legitimate or not?

  8. Descriptors by Quixotic+Raindrop · · Score: 2, Insightful
    The data, in the aggregate, or the datum, in the individual, represent me. They are part and parcel of my being who I am, and as such are inseparable from me, regardless of how you define "me." In the US, at least (and, at least in theory), "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated[.]" This, of course, only really applies to the Federal and State governments (via the 14th Amendment), but seems pretty clear: a person's "person" is inviolate. "We hold these truths to be self-evident: that all men are created equal, endowed by their Creator with inalienable rights; among these are life, liberty, and the pursuit of happiness." (Emphasis Added.)

    It is the person who is (or, perhaps, should be) most sacred. Kant reminds us that people cannot be used as means to any end, but only always as ends unto themselves; Rousseau points out that liberty cannot be given away, even if one wants to do so. Liberty::Human as Attraction::Gravity. You can no more separate the tendency of masses to attract one another from the masses themselves than you can remove freedom of the individual person from the individual person.

    With that in mind, it seems pretty clear that my iris, my fingerprints, my voice patterns, are mine. The FBI or state police may have a compelling interest to keep a database of criminals, and how to identify them, but it's pretty well established that these are pretty limited-use activities, and not available to the general business population. It is also pretty well established that those fingerprint records are not the property of the FBI, or any other agency, but that the FBI and other agencies can collect them as part of their routine criminal investigation activities. The FBI certainly doesn't own the fingerprints. Why would private companies be able to "own" retinal or iris scans?

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  9. Do you need to ask? by pla · · Score: 2, Insightful

    C'mon, you meant this as a rhetorical question, right?

    What do you *think* the slashdot crowd will respond to a question like that, when we overwhelmingly loathe even having companies able to correlate such trivalities as our names and email addresses?

    Offensive... I think that makes a good word. I find it offensive in the extreme that anyone but me profit from my personal information (and by that, I don't mean I would agree to it even if I *could* profit from it). Selling information about me violates an absolute of the idea of posessions in general - If I don't "posess" my own information, what the hell *do* I own?

  10. Re:Paranoia paranoia, everybody's coming to get me by martyn+s · · Score: 2, Insightful

    Well, it's kind of like this article that was up here a few months ago about bars that require licenses, and how they scan the barcodes on your license to collect demographic information.

    Just because this information has always been available, that doesn't mean that the situation isn't changing. Until now, all that information was useless because there was no way to extract any value from it.

    It's like, imagine I use a car service fairly often. I don't give my name when I call, but they have to come pick me up at my house. Well imagine I often go from A to B, and from B to C and from C to D and from D to B, etc. A, B, C and D all being fairly unique places. Until now, no car service could mine all that data to get anything meaningful from it. But imagine this car service company can now see that there is a person who often goes to and from a certain residence, and to and from a certain store. They also see that there is a person who goes to and from that store, often, and to and from a third place.

    It's not too hard to imagine that it would be possible to figure out who is going where.

    Just because it wasn't "secret" that you were going to a Gay and Lesbian meeting, you called up a public car service, and you didn't keep it a secret, that doesn't mean it's not dangerous that now all of a sudden people have the ability to extract meaningful information from all that data, information that until we would never have been able to mine.

    Even though the data source is the same public information that was always available, the end result is still bad: people will know things about you that you don't want them to know, and you won't be able to keep anything secret.

    Even though the method that they use to invade our privacy is legitimate and "legal" that doesn't change the end result: you will no longer have any secrets. Everyone will know.

  11. Re:Well.... by cosmosis · · Score: 3, Insightful

    The bottom line is this - making such divulgence of personal information compulsory. If it was voluntary that would be one thing, but each day we have to sacrifice more and more of our privacy and liberties in order to hold a job, make a living and not starve. I'm sorry but no one ever should be forced to obey a large system of rules and regulations just to stay alive - but thats how it is - and it tyranny pure and simple.

    --
    www.enthea.org
  12. One thing that has always bothered me by Nf1nk · · Score: 2, Insightful

    Biometrics is based off the trust that the machine that is doing the scanning of said body part is trusted. what happens when someone sticks a packet sniffer or similar between said trusted device and the box that handles the processing? could you take the packets that you captured, run them into the box at a later time and bypass the system (or empty an account). I know you could make this more difficult by encrypting the data before it hits the wire with a time based algorythem, but once again these are justs bits , and once you have a device that lets you emulate the signals given by a good box doesn't this make it trivial to break the system?

    --
    I used to have a cool sig, back when I cared
  13. Biometrics and being framed by MrIcee · · Score: 2, Insightful
    It strikes me that the more *personal* information that abounds in pure digital format, the easier it is to frame someone who is innocent, of whatever you would like.

    Unlike physical evidence... evidence based on biometric data can be introduced into the system AFTER the scanner itself. For example... as long as someone knows your iris or fingerprint, they could offer a digital file directly into the system, bypassing the sensor, that would make it look like you had used that system.

    It will be difficult for courts to find people innocent, if computers *record* your iris, fingerprint, etc... and show you accessed something illegally... even if there is no physical evidence.

    Guilt based on data is not a good solution to me.... and quite frankly scares me.

  14. Re:The solution - get a lawyer to draft an NDA by trapvector · · Score: 4, Insightful

    The only problem I can see here is that you would have to get Company X to agree to sign the NDA. Most people only give fingerprints/eye scans/whatever when Company X has something they want; for example, my thumbprint whenever I want to cash a check. I don't just run around getting retina-scanned and fingerprinted because I like it... there's something I want, and relinquishing a part of myself that can be sold (or worse, stolen) is a necessary evil that I bitch about whenever I get the chance.

    So, what's to keep a bank from denying your application for a bank card when you present them an NDA? Or what's to keep your company from firing you or limiting your security clearance because they want nothing to do with your silly legal agreement? I know if I presented any papers to the bank when I tried to cash a check, they would simply say, "I'm sorry, we can't sign this." And I would not have any money.

    Much like software license agreements - I think most people would be surprised to read the rights and priviledges they sign away when they click "I agree," but for the vast majority of people, it's just one more button to click before you get your free e-mail account or install your shiny new software. And the rules are such that unless you agree to THEIR rules, you're SOL.

    Rather than worry about their legal liability when they sell your eyeprint, I suspect most companies would just refuse to do business with you, especially when there is a veritable plethora of customers who don't know or care enough to defend themselves in that way. Maybe the rules are different; if not, they really should be.

  15. Re:Missed the mark by a mile by SN74S181 · · Score: 2, Insightful

    You're attributing way, way too much power to the office of the President. There are many levels and layers of government. In fact, the United States government was designed to insure that it didn't all hinge on one man or one single body of men.

    Hell, you can even take an active role and be elected yourself to have your voice heard. I'd recommend you drop the cynicism, first, of course.