Biometrics and User's Rights?

cornjones asks: "Does anybody know anything about biometrics and user rights? I am supposed to give a handscan to my building for gym access. I don't really have a problem w/ this persay but I want some sort of assurance as to what the scans will be used for (and that they will be deleted fully when I leave). It may be a bit paranoid right now but these scans don't change over your life and the trend is towards these scans being used for more and more applications. I talked to the VP and he said he would sign a privacy doc if I could find one. I did a little searching and I haven't found anything good. Does anybody know of any groups or papers on protecting the use of biometric identifying information?"

--like the others said...

[zogger]

..get your own contract, BUT, put cash money in there with a lot of zeroes. the info gets out, HE is personally responsible, and make him get bonded. make it 100 grand.

OR.....

personally I would never go to that gym, tell 'em why too, because it sucks.

This biometric stuff has got to stop, people have got to start saying NO or it will in fact be full total bigbrotherville within a few short years now. It's this smarmy creeping incrementalism. make a little compromise here, a little compromise there. People wonder when it will stop-big hint it's NOT going to stop until you say NO and make it stick. Stores do it, now government does it, it's obscene. Last month I go to buy a cheap car part, they want my full name address and phone number at checkout, or their computer won't work!. I tell the clerk to get $%^*ing stuffed, well, I didn't cuss but got close, and I'm LOUD in the store, tell (her in this case, who was the manager) that my receipt with the cheap car part they give me for the cash I give them is all they need and are gonna get or it's a big fat no sale and I never come back. I did the same at the dentists when they wanted two full pages of info including social security number that had zero to do with anything about some tooth. screw that. I insisted, got the dental work, paid cash, left. 99% of most people would just sheep it out and fill it all in. Phooie, it's not necessary, tell these bozos no or go someplace else. No more, and no damn thumbscan or retina scan or palm scan-zip nada ain't happening. I'm not giving any store or building-access my biometrics voluntarily, they can byte me. Not handing some doofus drone clerk my personal info either, they can byte me I'll find a work around.

Choose once choose wisely, you can exercise without going to some stoopid gym, vote your conscious always, you'll never go wrong long term that way.

good luck.

User rights to biometric data

[HotNeedleOfInquiry]

I worked for a time in the security industry with hand scanners, retinal scanners, fingerprint scanners and mantraps that weighed the occupant. To my knowledge, you have no property rights to your biometric data. Here in California, we're forced to provide a fingerprint to get a license. No negotiation, no substitutions - no fingerprint, no license. I think the reasoning goes like this: We know your hair color, we know your eye color, we can ask your weight, what's the difference if we take an image of the swirls on your fingertip. Unless you can make the argument that the biometric data is somehow health related and falls under the rather draconian privacy laws of such, you're probably out of luck.

Re:User rights to biometric data

[JimBobJoe]

We know your hair color, we know your eye color, we can ask your weight, what's the difference if we take an image of the swirls on your fingertip.

I agree that this is the reasoning...and it was established by the US Supreme Court sometime in late 1960's--that fingerprints were just another thing to be measured on the body. That was used in the basis of the California Supreme Court decision in the mid 1980's that protested the California driver's license fingerprint requirement (mandatory 1982, optional 1977. One of the great things discovered in that decision is that while the fingerprinting was optional from 1977 to 1982, the DMV nevertheless lifted fingerprints from the applications signed by those drivers who declined to be fingerprinted. That to me indicates just an unimagineable level of dishonesty and poor ethics.)

At any rate, the odd thing was that the Californa Supreme Court decision was based on the concept that the fingerprints were needed to protect the integrity of the photo driver's license document. Indeed, the court specifically cited that in 1982 2000 fraudulent licenses were issued by the DMV. However, 100,000 fraudulent licenses were issued by the DMV in 2000--and the DMV never really explained how fingerprinting was meant to stop fraudulent license issuance. Nor did the DMV ever get to explaining what to do with individuals whose fingerprints were unreadable (which I think offers a great way of introducing an equal protection situation, since a person could go through the complex process of becoming fingerprintless.) Finally, California is the only state I know of which has made the California DL/state ID card "officially recognized identification" which is just one step below mandatory identification, and fingerprints are required for either.

Some day, I hope to put that alltogether and have a lot of fun at the DMV's expense. :-)

Privacy?

[__aafkqj3628]

Soon privacy will just be a buzzword that you will lauch at (like .NET or M$) as everybody will know everything about you, your children and your children's children.

With regard to today's world, here in NZ the only really mandatory way to give ID is a photo and/or a signature and I'm fine with that. We don't have amazing crime rates that would really warrant biometric scans.

Off the hook had a show a bit back about this being mandatory in stores and the question really boils down to - After you press your hand/finger on this pad, where and for how long will it be stored?

I think that if the scan will just be used for ID and then dumped, then it's ok, but in your case your scan is actually stored somewhere else for comparison.

Simply - Get used to it, soon DNA scans, retinal scans, dental scans and psycological scans will be required before you walk ouside to verify that you're not a "threat" to the outside world.

Re:Holy Shit

[shdragon]

I hope this isn't a troll as I'll respond as though it's not.

IMO, brushing off those whom are trying to warn you of the dangers of freely giving up your privacy is a slippery slope. Sure, YOU may not care that ABC Company has individually identifiable information on you. This, however, is not to say that someone else does not. Now let us say that ABC Company gets bought out by XYZ Company. Each has seperate data on you. After the acquisition, Now *1* company has twice as much data. Who is to say that THEY will be as responsible with your information?

Increasingly a disturbing trend (IMO) among corporations is to guide (force) their customers to do things they way THEY want, not the way the market wants. A recent notable example of this include grocery stores and the "Plus Customer" cards. At first, it was only one store. So I exercised my freedom to shop elsewhere. Now, EVERY grocery store (in my area at least) has such a system in place. Now by default, I must submit to their will. Yes, I realize that it is entirely possible to give false information, but I find the entire situation that I have to LIE to a grocery store to buy goods or pay ENORMOUSLY (sometimes 2x as much) inflated prices frightful.

I value my privacy very much. Having worked at a bank for many years, I can tell you the amount of "trivial" data life-altering (mortgages, loans, close your acct, etc) decisions are made off of, you should concerned to.

So before spouting off about everyone not being out to get you, please consider hard what you are giving up as you can NEVER reclaim it.

What I did

[cornjones]

Hey all,
Unfortunately, I had to come up w/ a document before this story got posted, I am still very interested in any comments but here is what I submitted to them:
This agreement between (Owner) and (Tenant) was agreed to on ________________________.

The purpose of this document is to provide a fair use definition for the use of biometric information gathered by the Owner The original intent of this biometric information, in the form of a hand scan, is to validate the Tenant as being allowed to access the XXXXXXXX during the tenancy. This hand-scanner is a biometric device collecting biometric information and is subject to the following conditions:

1. Definition. Biometric is an adjective describing the ability to authenticate a user based on biological features. Therefore, Biometric information will be information based on biological features. A biometric device will be a device that collects biological features.

2. Scope Limitation. Biometric deployments will not be expanded to perform broader verification or identification-related functions than originally intended. Any expansion or retraction of scope will be accompanied by full and public disclosure allowing individuals to opt-out of system usage.

3. Limited Storage of Biometric Information. Biometric information will only be stored for the specific purpose of usage in a biometric system, and will not be stored any longer than necessary. Biometric information will be destroyed, deleted, or otherwise rendered useless when the system is no longer operational; the Tenant's user information will be destroyed, deleted, or otherwise rendered useless when the Tenant is no longer expected to interact with the system or upon termination of the lease, whichever occurs first. The Tenant will be provided with documentation describing how the data was destroyed, deleted or otherwise rendered useless.

4. Collection or Storage of Extraneous Information. The non-biometric information collected for use in a biometric verification or identification system will be limited to the minimum necessary to make identification or verification possible.

5. Protection of Biometric Information. Biometric information will be protected at all stages of its lifecycle, including storage, transmission, and matching. The Owner agrees to take all reasonable precautions against compromise with the biometric information.

6. Limited System Access. Access to biometric system functions and data will be limited to certain personnel under certain conditions, with explicit controls on usage and export set in the system.

7. Segregation of Biometric Information. Biometric data will be stored separately from personal information such as name, address, and medical or financial data.

8. Ability to "Unenroll". Owner has the right to control usage of their biometric information, and the ability to have it deleted, destroyed, or otherwise rendered unusable upon request. This includes all copies of the information on the "live" system and any backup systems.

9. System Purpose Disclosure. The purposes for which a biometric system is being deployed will be fully disclosed.

10. Use of Biometric Information Disclosure. Owner will disclose the uses to which biometric data are to be put, both inside and outside a given biometric system. Biometric information will only be used for the purpose for which it was collected and within the system for which it was collected unless the Tenant explicitly agrees to broader usage. There will be no sanctions applied to the Tenant should they decide not to agree to broader usage of his or her biometric information.

11. Disclosure of Individuals and Entities Responsible for System Operation and Oversight. As a precondition of biometric system operation, it will be clearly stated who is responsible for system operation, to whom questions or requests for information are addressed, and what recourse individuals have to resolve grievances.

12. Disclosure of Biometric Information Protection and System Protection. Tenant will be informed of the protections used to secure biometric information, including encryption, private networks, secure facilities, administrative controls, and data segregation.

Agreed to and signed:

Most of this came from hacking up the "Best Practices" Document at www.bioprivacy.org