Slashdot Mirror
Biometrics, Ownership and Privacy?
symbolic asks: "I just finished watching a small segment of World Business Review on PBS, where the topic of discussion the use of biometrics by employers to not only provide confirmation of identity, but as something to drive other parts of the operation - like tracking employee time. Briefly mentioned were face and iris scans, but as I was watching a picture of someone's iris, I realized that once an employer has captured a scan of your iris (or any biometric data), who has control over it? Does it become part of the cesspool of information trading that occurs between business and government entities? Will trading of someone's biometric information become as ubiquitous as their address or phone number. Is there any reason we should be concerned about this? I'd like to hear what others think about this." Ask Slashdot has previously approached the Biometrics topic for technical
issues, but the privacy issue of such data has yet to be addressed. How do you feel about biometric data (or any data derived from your physical makeup, like your genome) being used as another commodity (like your address) in the corporate data exchange?
Of course we should be concerned about this! You can change your phone number, your email address, your name, and even your social security number if you work hard enough. But you can't change your biometric data, so once it's in the wild marketplace or personal information, it's out there for good...
:wq
I think it's great. Instead of sending me spam via mail, fax and email -- now they can engineer ads based on my DNA.
ad: pizza -- you have an 18% chance of getting colon cancer and only 32.34 years left to live, wouldn't you like to spend some of it drinking a nice, cold, refreshing Pepsi?
While I'm sure that there will be a massive puscht to trade and sell biometrics about employees (and, looking down the road, consumers, should the technology be adapted for things like credit cards and ABMS), it sets off giant, giant alarm bells for me. I mean, while we have things like addresses and phone numbers being traded and sold by large companies, such details about a person are easily changed. The basic structure of your retina or your fingerprints, however, are things you're stuck with. I really can't see any technology coming along that will rewrite your retinal signature outside of expensive surgery. That leaves fingerprint and retinal data, at the least, even more personal and, to my mind, private than your name. You can change just about everything about yourself, statisticwise; eye color, hair colour, weight, musculature, name, address, phone number, SIN number, credit card number, employer, and so on But you're stuck with your body. Barring six-million-dollar-man bionics, the one you've got is the only one you're ever going to get. Having unique bodily markers floating about on an advertiser's list, or worse, a blacklist for potential hires or borrowers, in the case of employers or credit companies, seems....alarming I'd rather be anonymous than tracked for my own safety. Anonymity is a risk I'm willing to take.
With today's current politcal/corporate climate in regard to privacy, it seems fairly obvious that pretty much any information collected on someone (be it biometric or otherwise) will invariably end up being shared in one form or another. As soon as one entity decides a particular pieces of information is handy for keeping track of someone, others will follow; and where others follow, sharing begins. I expect to see an Iris.Net module out soon for Passport and I think my dog's pant pattern has been captured by bugged pellet in his dogfood which authorizes only him to eat that bowl of food.
The book, Database Nation by Simson Garfinkle delves into this little considered topic. He asserts that biometric information is not owned by the individual, but by the organization that collects your information. Similar to the fact that you do not own your name, you do not own your retinal pattern information.
Quite scary, if you ask me.
Coloured contact lenses.
It's not farfetched to think that some idiot in the wake of 9/11 might push a law making it illegal to wear them. Oh yeah, only after the law's been passed will things like this come to light...
Just think, a DMCA for identity-circumvention devices. No more anonymity, because, it's good for you!
... because you can't change or revoke them. What if someone manages to get a copy of the binary data that characterize your iris? What if it gets circulated in some crackers circle? Will you change your iris? Or will you change your job? Or will you simply loose your work, since your iris is now unusable by your company?
Myself, I wouldn't like it. But the company should like it even less. Think about something here: what's your company's policy on employees giving out the keys to restricted areas? It's probably a termination offense. Now, suppose the company uses biometric data to control access to restricted areas. Isn't giving out that data exactly giving out the keys to those restricted areas?
And if that biometric data is also required by law to be used for things like controlling access to bank accounts, where there's legal penalties for third parties who mishandle the access-control information, the company could face some nasty legal LARTs from employees if the company gives out access-control information for their bank accounts, Social Security accounts, driver's license records and such.
This should give the company legal people migraines for a while. :)
In Minority Report, when Tom Cruise's character was running away, he was bombarded by ads that would scan his eyes.
"Hello, John Anderton, you look like you could use a Guinness right about now."
"John Anderton, wouldn't you rather be driving a Lexus?"
After a little bit, all you heard was "John Anderton" over and over in many different voices. Spooky.
I for one feel safer knowing that all the people working at my bank have at least been through a fingerprint check with the FBI. And if a vault is broken into, and they find someones fingerprints, they have a bunch to check.
Now, I certainly hope they don't start selling the information for profit. That seems like it'd be a little harder to do with employee information. However, maybe a customer of a big store? Maybe a window shopper? It certainly has potential to be exploited in other areas.
-- these are only opinions and they might not be mine.
Same principles apply as if someone snapped a photo of you. Does the photographer or the model own the rights to the created image? The photograph is owned by the artist. The image of the model belongs to the model, and the photographer must get permission to publish. Permission is usually, "I wave all rights in regards to my image in this photo for the some quantity of cash." Once such permisssion is granted, the photographer is free to do as they like with the photo.
A steaming cup of soykaf would be real wiz right now.
It has the benefit of: If you iris print gets out, sue your employer for copyright infringement. If multiple people try using, call it piracy.
Accentuate the positive, don't waste your mod points on the negative.
Recently I watched a presentation by a biometrics group, so this is a bit familiar to me. By far the biggest problem, the question unanswered, is what to do when your information is compromised.
See, you can change your credit card number, or your email address. You can even move someplace else. But you can't change your biometrics. Hopefully movies like Minority Report will provide some Good FUD about biometrics, so people realize that this information should be kept as private and closely-guarded as their own life.
It's funny how people seem more willing to give out their fingerprint or retina than they are a number on their credit card. It may be hard to hack. It may be very hard to hack. It may be almost impossible to use. But as those in the security business know, nothing is impossible. And with biometrics, once you're compromised, that's it.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I haven't had any problems with ethical/nonethical use of my information yet.
The key word here is yet. If a biometric national ID card comes into common use, you can bet that there are any number of corporations and script-kiddies who will find a way to use this information in a non-ethical way.
Think For Yourself. Question Authority.
If you give anything out without legal guarantees to it's dissemination you can bet it will be distributed.
Even with legal guarantees they have to be on your terms otherwise they will just change the rules on you, i.e. Yahoo and your privacy settings...
Just give a retinal scan to your bank with their standard contract for a checking account and the next time you try to fly on a plane using a retinal scan you can bet with almost 100 percent certainty that you will be bombarded with offers especially tailored to how much cash (and or credit line available, etc.) you have in your checking.
The only way to get around this crap is for everyone to draw a line in the sand and refuse to give it.
Mankind has survived thousands of years without the need for this invasive type of "security" and I hope I never see this biometrics thing happen in my lifetime because I certainly feel as though my privacy has already been abused to no end.
I don't need another ad for another of ACME Inc.s crap.
Caution: Contents under pressure
Fact:
- Most of us leave finger prints all over the dishes each and every time we dine out.
- I'll bet almost every US citizen here had their fingerprints taken as grade schoolers as part of some Community Enrolement program under the auspices of "help us find your child if they're ever lost or kidnapped."
- Until there is some standard for data exchange between biometric devices, does it matter all that much who "owns" the data?
I do not dispute that the author has a point; I do dispute the question that is asked. In my mind the "who owns the data" discussion should be prefaced by a discussion of how biometric devices will interoperate between the users (you and I) and the Real World (gas pumps, VISA card readers and the like). It just doesn't make a lot of sense to discuss ownership issues utnil we have some idea the scope of the playing field.
After all, I'm not going to waltz down to the local Italian eatery and demand they wipe my finger residue off the glass before they clear the table as a means of respecting my "Biometric Personally Identifiable Property," now am I?
Cheers,
-- RLJ
In all seriousness, /. posted a link to a good article recently (the author's name escapes me) where he said that the big difference is that once someone has your physical/molecular data, they've got it forever. passwords, combinations, cc#'s and phone numbers expire. ss#s can even change. but your fingerprint and your dna won't. once someone gets your fingerprint data in an electric format, how do you ever recover from that? how will it ever be known whether the user is legitimate or not?
Secondly, biometric equipment is still too expensive to put into use for lower level employees.
And nobody thought lots of web camera's put everywhere would be a problem either. But guess what, they are hella cheap now......
No, I'm sorry, you can't DNA test me. Why not? I own the copyright on my DNA and it'd be an infringement for you to copy it on to your systems. Iris scan instead? No, I'm sorry, I own the rights to that too. Would you like to discuss licensing?
Do you own your finger prints? Do you own your signature?
No, you do not. Both can be digitized, misused, used against you.
I expect the same is true of iris scans.
The courts will probably mis-apply 17th century property laws to the issue. Oh, brave new world.
=brian
It is the person who is (or, perhaps, should be) most sacred. Kant reminds us that people cannot be used as means to any end, but only always as ends unto themselves; Rousseau points out that liberty cannot be given away, even if one wants to do so. Liberty::Human as Attraction::Gravity. You can no more separate the tendency of masses to attract one another from the masses themselves than you can remove freedom of the individual person from the individual person.
With that in mind, it seems pretty clear that my iris, my fingerprints, my voice patterns, are mine. The FBI or state police may have a compelling interest to keep a database of criminals, and how to identify them, but it's pretty well established that these are pretty limited-use activities, and not available to the general business population. It is also pretty well established that those fingerprint records are not the property of the FBI, or any other agency, but that the FBI and other agencies can collect them as part of their routine criminal investigation activities. The FBI certainly doesn't own the fingerprints. Why would private companies be able to "own" retinal or iris scans?
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
C'mon, you meant this as a rhetorical question, right?
What do you *think* the slashdot crowd will respond to a question like that, when we overwhelmingly loathe even having companies able to correlate such trivalities as our names and email addresses?
Offensive... I think that makes a good word. I find it offensive in the extreme that anyone but me profit from my personal information (and by that, I don't mean I would agree to it even if I *could* profit from it). Selling information about me violates an absolute of the idea of posessions in general - If I don't "posess" my own information, what the hell *do* I own?
Well, it's kind of like this article that was up here a few months ago about bars that require licenses, and how they scan the barcodes on your license to collect demographic information.
Just because this information has always been available, that doesn't mean that the situation isn't changing. Until now, all that information was useless because there was no way to extract any value from it.
It's like, imagine I use a car service fairly often. I don't give my name when I call, but they have to come pick me up at my house. Well imagine I often go from A to B, and from B to C and from C to D and from D to B, etc. A, B, C and D all being fairly unique places. Until now, no car service could mine all that data to get anything meaningful from it. But imagine this car service company can now see that there is a person who often goes to and from a certain residence, and to and from a certain store. They also see that there is a person who goes to and from that store, often, and to and from a third place.
It's not too hard to imagine that it would be possible to figure out who is going where.
Just because it wasn't "secret" that you were going to a Gay and Lesbian meeting, you called up a public car service, and you didn't keep it a secret, that doesn't mean it's not dangerous that now all of a sudden people have the ability to extract meaningful information from all that data, information that until we would never have been able to mine.
Even though the data source is the same public information that was always available, the end result is still bad: people will know things about you that you don't want them to know, and you won't be able to keep anything secret.
Even though the method that they use to invade our privacy is legitimate and "legal" that doesn't change the end result: you will no longer have any secrets. Everyone will know.
sPh
The bottom line is this - making such divulgence of personal information compulsory. If it was voluntary that would be one thing, but each day we have to sacrifice more and more of our privacy and liberties in order to hold a job, make a living and not starve. I'm sorry but no one ever should be forced to obey a large system of rules and regulations just to stay alive - but thats how it is - and it tyranny pure and simple.
www.enthea.org
Biometrics is based off the trust that the machine that is doing the scanning of said body part is trusted. what happens when someone sticks a packet sniffer or similar between said trusted device and the box that handles the processing? could you take the packets that you captured, run them into the box at a later time and bypass the system (or empty an account). I know you could make this more difficult by encrypting the data before it hits the wire with a time based algorythem, but once again these are justs bits , and once you have a device that lets you emulate the signals given by a good box doesn't this make it trivial to break the system?
I used to have a cool sig, back when I cared
I'm wary of any entity that controls the rights to that data, since there is a precedent being set by companies like Verisign and Yahoo that do not value your right to privacy. Corporate entities have little fear of the law since the penalties they face for abusing their customer's privacy usually only affect the people who run them indirectly, and seldom result in more than fines to the company. Concurrently, allowing the government to outright control this system provides them with a means to abuse the power similar to corporations, but for different ends.
I think the only way to ensure protection for yourself and for those that need to use it is to setup some sort of government-funded clearinghouse whose sole purpose is to store the information and provide access to it to others who have been explicitly granted permission by those that provide the biometric data. This would not be unlike an authentication system like Kerberos which innately distrusts everything and will only grant limited-use tickets to use its data when properly authorized to. Then and only then, would I feel safe in providing this information.
Rule #1 -- Politics always trumps technology.
Even if there is no data intrinsic to the metric, its potential to be a perfect, perpetual, and inescapable key to all the data that *is* known about an individual is rather frightening.
But even if it isn't so perfect, if, as was argued in the New Yorker a couple weeks back, fingerprints (for example) can in fact "lie", there are still some chilling possibilities. The article may be describing a failure of the method rather than the theory, but it has already ruined countless (and perhaps uncountable) lives...With newer biometric technology, especially in a mass-market implementation where the hardware might not be top quality, and operators might not be the most highly-skilled, there is plenty of room for error. With consequences that could range from the simply embarassing to the really rather awful...
:wq
This just seems to be the most sensible extension of current patent/copyright law. These things (iris profile, genetic code, personality, interests, hobbies) are all an outgrowth of my initial programming (genitic), a certain ammount of random chance and the environment within which I was raised. My body's code is it's own!....The artistic pattern of my blue eyes is my own!...any trading of that information should be at my discression.
Considering that copyright has been extended automaticly to the artist of almost anything else(without necessarily having to label something directly as such), I deserve to hold these rights on my body too.
If I choose to "auction" off this information, that should be my legal right, but the default state should be "protected."
Moving away from this simply shows the hypocritical nature of "Intellectual Property." Seems that enforcing this right for the individual would help all those IP flakes make their claims consistant.
Either it applies to everyone, or they gotta come up with a better claim for why I shouldn't be swapping their information.
This story is a "red herring". Suppose a breakthrough law is passed, allowing all U.N. citizens to own their own biometric data. All of the sudden, consent forms appear everywhere, and you are required to consent to the ownership of your personal data. Persons rejecting this deal would not be able to do business with any of the institutions required in daily life (banks, drivers licenses, etc). Nothing would change.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Today's Sesame Street was brought to you by the number e.
Unlike physical evidence... evidence based on biometric data can be introduced into the system AFTER the scanner itself. For example... as long as someone knows your iris or fingerprint, they could offer a digital file directly into the system, bypassing the sensor, that would make it look like you had used that system.
It will be difficult for courts to find people innocent, if computers *record* your iris, fingerprint, etc... and show you accessed something illegally... even if there is no physical evidence.
Guilt based on data is not a good solution to me.... and quite frankly scares me.
One thing that deeply concerns me is that fact that unlike an Email address, a physical address, or a P.O.Box, one cannot simply change one's retina, fingerprint, or DNA (well, maybe in the future, but not for some time).
This means that once someone gets a hold of my biometric data, that there is nothing I can do but receive spam, sales calls, and god knows what else FOR THE REST OF MY LIFE!!!
This obviously is not a good thing from whichever point of view one decides to look at it.
So what is my proposed solution: Everyone I give my biometric data to has the right to use it for a specific purpose I have to agree to (i.e.: track my working hours and let me in into the building) and NOTHING ELSE. A law has to be passed and heavy fines should be given to those that break this simple rule.
In other words, you use my data for ANYTHING and you have to prove that *I* gave you permission to use it for such specific purpose.
Or can't it. Just because nobody's circumvented biometric security yet (that we know of) doesn't mean it can't and won't be done in the future.
For instance, while it may not be possible to change your biometric features, what's to stop someone from creating a copy of your features in a prothetic. Or you using a "fake" feature to operate anonymously.
ex: create a mask that has false eyes in it. The eyes have some specific person's (or some random) retinal and iris patterns flawlessly printed/etched in to the structures. Anyone putting this mask up to a reader would gain access to whatever you have access to.
Perhaps this might not work with the systems in place. I only know that it's just a matter of time before biometric information can be copied/cloned in some way. Anything that you can scan for security verification can and will be forged.
This would eventually lead to the worst kind of identity theft. You can get a new bank account, social security, and driver's license numbers, so currently rectifying identity theft is rather trivial. How would you change your iris pattern once someone has successfully cloned it and stolen your identity?
Article X: The powers not delegated... by the Constitution...are reserved...to the people
See this article. If someone can get your fingerprint, he can make a "fake finger" out of gelatin with your fingerprint on it, put it over his own finger, and then eat the evidence.
His magic box will steal your soul.
--Blair
It's HIPAA (Health Insurance Portability and Accountability Act), just so you know.
Finkployd
Teh only full of themselves is you from the simple fact that after all of your ranting you missed the basic and simple point of my argument - which is that we live in a system where the only real input any of us has is a single punch in a card once every four years!. That means that over a lifetime (say 60 adult years), we have only 15 punches of input that determines (if at all) our entire political climate. I and just about everyone I know had absolutely no say in the Patriot Act, the DMCA, the suspension of Habeus Corpus, the errosion of privacy rights, the copyright extension act, and thousands of other laws now on our books. To put it simply I'm living under a set of rules I an infinitesimal choice in. That's tyranny brother.
www.enthea.org
Disclaimer: IANAL, but I do take the trouble to read all the fine print.
NDA means "Non-Disclosure Agreement". These are common when corporations do business with each other, but rarely used by individuals. So far. We should change that.
What you can put in it is an agreement where the corporation agrees that all your personal information - name, address, biometric info, the details of the business you choose to do with the corporation, the name of your dog, etc. - explicitly remains your property. You can also say that the corporation has no right to sell, trade or otherwise disclose this information to any third party without your prior written consent except where such disclosure is required by law.
So what happens if the corporation breaches this agreement? Here's where your lawyer can get really nasty. You can set penalties in the agreement. You can set the minimum amount of money they must pay you as damages - $10,000 to $25,000 is a good figure - and stipulate that if actual damages are higher they must pay the higher figure. You can require the corporation to undo the damage at their expense, with more penalties if they don't comply within a certain fixed time. You know how hard it is to get off a list once you're on it? Make it THEIR problem - they do the damage, they fix it.
Muhahaha.
To save on legal bills, get your lawyer to draft a single standard agreement that you can use everywhere - your employer, the bank, anywhere you do business. Take back control of your personal information.
Of course, there's no guarantee that this will work - corporations think they have the right to sell your personal information for whatever they can get for it - but there's no harm trying. You might even make some money off it.
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Someone else mentioned it, but I think it's worth another post. How does this differ from fingerprints? I'm not saying you should get over it because fingerprint information is already some common. I'm saying that we don't have to wait before biometric data becomes common enough to worry about. It has been a common means of identification for hundreds of years. It's only recently however, that the methods used to store, catalog, and compare fingerprints has advanced enough to make it a concern to large groups of normally law abiding citizens. So, let's put aside the "We'll deal with that when it gets here" attitude and let's discusss the problem that we have already.
THIS SPACE FOR RENT
Once you're no longer employed, they MUST toss it out. It makes no sense otherwise.
And if I was running a bank or other enterprise that needed security, I wouldn't buy somebody else's assurance that the data in the ID file was REALLY the individual's unless I could trust them even more than my own eyes, ears, sense of smell and research.
Okay, maybe AFIS system
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
A few years ago, someone where I worked had "photosensitive" glasses, that became dark when exposed to sunlight. His boss came in and noticed the glasses were dark. At 10:30 in the morning, this meant he had just came in from somewhere he shouldn't have gone to...
"Certainly, sir. I hope you didn't need that credit card, car loan, job, health insurance... etc." .sig file, a LOT of sacrifices must be made, to the point of being unbearable. That's the way the system is designed. More power to you if you can fight it.
In such ways do they steal our freedom, one "need" at a time... In order to follow the philosophy in my
Freedom: "I won't!"
Of course they will use it otherwise. Your bank
will get your biometric data which includes your
DNA and that will be shared with their insurance
co "for a better rate". They might already have
your DNA; were you in the military?
Sooner or later, they will check
it BEFORE you get hired. Sorry, you don't fit
the profile for the "benefit package".
Your data will be in the big Homeland Security
engines. See here, it says your are a terrorist
and this is YOUR eye scan. No, they won't be
able to cross reference it to your email, cc
purchases and cell phone locator. Where did
I put that swamp?
Or maybe your local supermarket will start using
it for checkout. Now your local police can pull
up a list of people who bought beer and cross
reference it with accidents that day. It's all
good, right?
I know what you're thinking, biometrics CAN'T change. Well, mine are changing. Specificly my retinal scan. If you look in to my posting history far enough, you'll learn that I have a retinal eye disease. As part of my disease, as the retina degenerates, the way it looks changes. As more areas get pigmented, I'd imagin that my retinal scan would be different.
Now, at the moment, I can still drive. If I were to have gotten a retinal scan when my license was issued, and a cop pulls me over now, I don't know if my ID would match up to my retina. What happens then? Do I get ticketed for having a fake ID? Do I get charged with a fellony? Do I get branded a terrorist? So perhaps, I have to go to court, and prove that I have Retinitus Pigmentosa. I don't mind having people know that, but some people don't want that information in the public record. What do people like me do in a situation like that?
There are exactly 42,935,718 letter sized sheets in a square mile.
Yes, I know that a lot of you seem to dislike the idea of unionism, but when employers start to pull this kind of crap wouldn't having the employees organised so that they can put pressure on employers to change policy (if they refuse to listen to common sense) be a good thing?
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Western societies have used the signature as a mark of personal acceptance or identification on legal documents for centuries. I see today's discussion of biometric information ownership akin to discussing the ownership of the signature before establishing the fact that the signature is legally binding. Cart before horse, if you will.
Cheers,
-- RLJ