Slashdot Mirror

← Back to Stories (view on slashdot.org)

Biometrics, Ownership and Privacy?

Posted by Cliff on from the who-owns-the-data dept.

symbolic asks: "I just finished watching a small segment of World Business Review on PBS, where the topic of discussion the use of biometrics by employers to not only provide confirmation of identity, but as something to drive other parts of the operation - like tracking employee time. Briefly mentioned were face and iris scans, but as I was watching a picture of someone's iris, I realized that once an employer has captured a scan of your iris (or any biometric data), who has control over it? Does it become part of the cesspool of information trading that occurs between business and government entities? Will trading of someone's biometric information become as ubiquitous as their address or phone number. Is there any reason we should be concerned about this? I'd like to hear what others think about this." Ask Slashdot has previously approached the Biometrics topic for technical issues, but the privacy issue of such data has yet to be addressed. How do you feel about biometric data (or any data derived from your physical makeup, like your genome) being used as another commodity (like your address) in the corporate data exchange?

20 of 223 comments (clear)

  1. Yes! by casio282 · · Score: 3, Insightful

    Of course we should be concerned about this! You can change your phone number, your email address, your name, and even your social security number if you work hard enough. But you can't change your biometric data, so once it's in the wild marketplace or personal information, it's out there for good...

    --

    :wq
    1. Re:Yes! by RealisticWeb.com · · Score: 5, Insightful

      So why is that a problem? It is exactly the same to me as my finger prints. You can't change your finger prints (without scaring them) do you ever worry about who gets ahold of your fingerprints? No one does except a criminal. Do you wear gloves in all public places so one one can come by later and print you? Do you ever worry even slightly that a national database containing an image of your fingerprint will be comprimised by a cracker and used agaist you? No? I didn't think so. To me the fact that that they can't be changed is exactly what makes me not worry about it! If that information is sold it wouldn't be any different then the rest of my information that is currently being sold, except that you can't fake an eyeball! People can make fake credit cards, fake ID's and forge signitures, but what are they going to do, grow a synthetic eye from my DNA and hold it up to an eye scanner? Implant them in thier own eyes? You've got to be kidding. People who are going to get away with identity theft or even hacking/cracking for that matter are going to go for the most easy and fast way. Biometrics will be so hard to fake and do anything with, they are just going to try and swipe your credit card number the old fasioned way. I wouldn't get too riled up about this if I were you.

      --
      Sigs are out of style, so I'm not going to use one...oh wait..
    2. Re:Yes! by finkployd · · Score: 5, Insightful

      Can't fake an eyeball huh? Well, perhaps not. I possibly could, however, intercept the stream of bytes that represent your retinal scan. Now we have a problem, because you cannot revoke that identity. With any other form of authentication system, you can change your password, revoke a public key, etc.

      You are operating under the assumption that all eye scanners are in tightly controlled, protected areas. This is an unacceptable form of authentication for obvious reasons.

      Today I can log into my bank from home. If biometrics were to ever become widespread and replace password authentication (admittably a very problematic system), it is going to have to be accessable from everywhere (including your home computer). A biometric reader could easily come standard with a PC (or even handheld), but there better be a damn good method of protecting the biometric data in transit.

      Finkployd

    3. Re:Yes! by Relic+of+the+Future · · Score: 5, Informative

      Just a nit-pick, but you can't reconstruct the patterns in a person's eyeball with their DNA, for the same reason that identical twins have different fingerprints. It's not something that's in the genes.

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
  2. I think it's great! by pizza_milkshake · · Score: 5, Funny

    I think it's great. Instead of sending me spam via mail, fax and email -- now they can engineer ads based on my DNA.

    ad: pizza -- you have an 18% chance of getting colon cancer and only 32.34 years left to live, wouldn't you like to spend some of it drinking a nice, cold, refreshing Pepsi?

    1. Re:I think it's great! by SpinyNorman · · Score: 5, Funny

      I think it's great. Instead of sending me spam via mail, fax and email -- now they can engineer ads based on my DNA.

      Finally they can send the penis enlargement ads to those who need them!

  3. Database Nation by sydney · · Score: 3, Informative

    The book, Database Nation by Simson Garfinkle delves into this little considered topic. He asserts that biometric information is not owned by the individual, but by the organization that collects your information. Similar to the fact that you do not own your name, you do not own your retinal pattern information.

    Quite scary, if you ask me.

  4. Identity-circumvention device? by Bollie · · Score: 3, Insightful

    Coloured contact lenses.

    It's not farfetched to think that some idiot in the wake of 9/11 might push a law making it illegal to wear them. Oh yeah, only after the law's been passed will things like this come to light...

    Just think, a DMCA for identity-circumvention devices. No more anonymity, because, it's good for you!

  5. Biometrics bother me... by boa13 · · Score: 4, Insightful

    ... because you can't change or revoke them. What if someone manages to get a copy of the binary data that characterize your iris? What if it gets circulated in some crackers circle? Will you change your iris? Or will you change your job? Or will you simply loose your work, since your iris is now unusable by your company?

  6. Sharing of biometric data by Todd+Knarr · · Score: 4, Interesting

    Myself, I wouldn't like it. But the company should like it even less. Think about something here: what's your company's policy on employees giving out the keys to restricted areas? It's probably a termination offense. Now, suppose the company uses biometric data to control access to restricted areas. Isn't giving out that data exactly giving out the keys to those restricted areas?

    And if that biometric data is also required by law to be used for things like controlling access to bank accounts, where there's legal penalties for third parties who mishandle the access-control information, the company could face some nasty legal LARTs from employees if the company gives out access-control information for their bank accounts, Social Security accounts, driver's license records and such.

    This should give the company legal people migraines for a while. :)

  7. John Anderton by martyn+s · · Score: 3, Informative

    In Minority Report, when Tom Cruise's character was running away, he was bombarded by ads that would scan his eyes.

    "Hello, John Anderton, you look like you could use a Guinness right about now."

    "John Anderton, wouldn't you rather be driving a Lexus?"

    After a little bit, all you heard was "John Anderton" over and over in many different voices. Spooky.

  8. Already done with fingerprints. by slashkitty · · Score: 4, Interesting
    I work at a bank. They take your fingerprints and share them with the FBI. They do tell you this before they take them, so if your uncomfortable with that, you shouldn't work at a bank. I see no reason why they wouldn't start doing this with other biometric data when it becomes more standard.

    I for one feel safer knowing that all the people working at my bank have at least been through a fingerprint check with the FBI. And if a vault is broken into, and they find someones fingerprints, they have a bunch to check.

    Now, I certainly hope they don't start selling the information for profit. That seems like it'd be a little harder to do with employee information. However, maybe a customer of a big store? Maybe a window shopper? It certainly has potential to be exploited in other areas.

    --
    -- these are only opinions and they might not be mine.
    1. Re:Already done with fingerprints. by Alsee · · Score: 3, Funny

      I for one feel safer knowing that all the people working at my bank have at least been through a fingerprint check with the FBI. And if a vault is broken into, and they find someones fingerprints, they have a bunch to check.

      Yeah. And I feel safer knowing that all the people working at my local Megamart have at least been through a fingerprint, retinal scan, and DNA check with the FBI. And if they find a jar of spagetti sauce shattered on the floor in aisle 5, and they find someones fingerprints, they have a bunch to check.

      Perhaps you'd like to hear some of my other ideas that will help us all feel safer?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  9. Your Eye, Their Data by Saxerman · · Score: 4, Interesting

    Same principles apply as if someone snapped a photo of you. Does the photographer or the model own the rights to the created image? The photograph is owned by the artist. The image of the model belongs to the model, and the photographer must get permission to publish. Permission is usually, "I wave all rights in regards to my image in this photo for the some quantity of cash." Once such permisssion is granted, the photographer is free to do as they like with the photo.

    --

    A steaming cup of soykaf would be real wiz right now.

  10. The biggest problem with biometrics. by oGMo · · Score: 5, Insightful

    Recently I watched a presentation by a biometrics group, so this is a bit familiar to me. By far the biggest problem, the question unanswered, is what to do when your information is compromised.

    See, you can change your credit card number, or your email address. You can even move someplace else. But you can't change your biometrics. Hopefully movies like Minority Report will provide some Good FUD about biometrics, so people realize that this information should be kept as private and closely-guarded as their own life.

    It's funny how people seem more willing to give out their fingerprint or retina than they are a number on their credit card. It may be hard to hack. It may be very hard to hack. It may be almost impossible to use. But as those in the security business know, nothing is impossible. And with biometrics, once you're compromised, that's it.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  11. Re:Well.... by jweb · · Score: 3, Insightful
    Yes, this is an issue. The biggest problem with biometrics as a unique identifier is that they don't tolerate failure well. If your retnia scan is compromised, there is no way to recover from the failure, short of an eye transplant.

    I haven't had any problems with ethical/nonethical use of my information yet.

    The key word here is yet. If a biometric national ID card comes into common use, you can bet that there are any number of corporations and script-kiddies who will find a way to use this information in a non-ethical way.

    --

    Think For Yourself. Question Authority.
  12. Re:Well.... by cosmosis · · Score: 3, Insightful

    The bottom line is this - making such divulgence of personal information compulsory. If it was voluntary that would be one thing, but each day we have to sacrifice more and more of our privacy and liberties in order to hold a job, make a living and not starve. I'm sorry but no one ever should be forced to obey a large system of rules and regulations just to stay alive - but thats how it is - and it tyranny pure and simple.

    --
    www.enthea.org
  13. The solution - get a lawyer to draft an NDA by B.D.Mills · · Score: 4, Interesting

    Disclaimer: IANAL, but I do take the trouble to read all the fine print.

    NDA means "Non-Disclosure Agreement". These are common when corporations do business with each other, but rarely used by individuals. So far. We should change that.

    What you can put in it is an agreement where the corporation agrees that all your personal information - name, address, biometric info, the details of the business you choose to do with the corporation, the name of your dog, etc. - explicitly remains your property. You can also say that the corporation has no right to sell, trade or otherwise disclose this information to any third party without your prior written consent except where such disclosure is required by law.

    So what happens if the corporation breaches this agreement? Here's where your lawyer can get really nasty. You can set penalties in the agreement. You can set the minimum amount of money they must pay you as damages - $10,000 to $25,000 is a good figure - and stipulate that if actual damages are higher they must pay the higher figure. You can require the corporation to undo the damage at their expense, with more penalties if they don't comply within a certain fixed time. You know how hard it is to get off a list once you're on it? Make it THEIR problem - they do the damage, they fix it.

    Muhahaha.

    To save on legal bills, get your lawyer to draft a single standard agreement that you can use everywhere - your employer, the bank, anywhere you do business. Take back control of your personal information.

    Of course, there's no guarantee that this will work - corporations think they have the right to sell your personal information for whatever they can get for it - but there's no harm trying. You might even make some money off it.

    --

    The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
    1. Re:The solution - get a lawyer to draft an NDA by trapvector · · Score: 4, Insightful

      The only problem I can see here is that you would have to get Company X to agree to sign the NDA. Most people only give fingerprints/eye scans/whatever when Company X has something they want; for example, my thumbprint whenever I want to cash a check. I don't just run around getting retina-scanned and fingerprinted because I like it... there's something I want, and relinquishing a part of myself that can be sold (or worse, stolen) is a necessary evil that I bitch about whenever I get the chance.

      So, what's to keep a bank from denying your application for a bank card when you present them an NDA? Or what's to keep your company from firing you or limiting your security clearance because they want nothing to do with your silly legal agreement? I know if I presented any papers to the bank when I tried to cash a check, they would simply say, "I'm sorry, we can't sign this." And I would not have any money.

      Much like software license agreements - I think most people would be surprised to read the rights and priviledges they sign away when they click "I agree," but for the vast majority of people, it's just one more button to click before you get your free e-mail account or install your shiny new software. And the rules are such that unless you agree to THEIR rules, you're SOL.

      Rather than worry about their legal liability when they sell your eyeprint, I suspect most companies would just refuse to do business with you, especially when there is a veritable plethora of customers who don't know or care enough to defend themselves in that way. Maybe the rules are different; if not, they really should be.

  14. Re:Missed the mark by a mile by cosmosis · · Score: 3, Interesting

    You're attributing way, way too much power to the office of the President. There are many levels and layers of government. In fact, the United States government was designed to insure that it didn't all hinge on one man or one single body of men.

    Have you been paying attention to the news lately? The precious seperation of powers you speak of no longer exist in any meaningful degree since our war on terrorism begun. The executive branch has made the largest power grab in American history. Already the executive branch no longer requires the oversight of the judicial branch it carrying out many of its policely duties. The 4th ammendent has already been nullified by the Patriot Act, no longer requiring a warrant or criminal investigation for you to be searched without notification. The first ammendement has come under increasing attack, people are being held (and even tortured) without due process, habeus corpus has been suspended, military tribunals are a reality, the army is now involved in domestic policing (against the law only 1 year ago), biometrics are being used to search and suspect us with out cause prior to the fact (facial recognition), and now the Bush Administration has called to combine 88 seperate agencies in the government into one large single "secret" domestic spying and policing force - a Super Gestapo.

    What am I missing? hmm. What are you missing?

    --
    www.enthea.org