Biometrics and User's Rights?

cornjones asks: "Does anybody know anything about biometrics and user rights? I am supposed to give a handscan to my building for gym access. I don't really have a problem w/ this persay but I want some sort of assurance as to what the scans will be used for (and that they will be deleted fully when I leave). It may be a bit paranoid right now but these scans don't change over your life and the trend is towards these scans being used for more and more applications. I talked to the VP and he said he would sign a privacy doc if I could find one. I did a little searching and I haven't found anything good. Does anybody know of any groups or papers on protecting the use of biometric identifying information?"

Let Me Write One For You.

[bellings]

I've written one you can use for free:

We, the undersigned, will remove all identifying biometric information about you from our databases when your employment terminates.

We further agree not to share any identifying biometric information about you with any third party.

Signed
...............
Dated
...............

Umm

[GreyWolf3000]

Here in Texas we've had mandatory thumb-scanning for a few years now. A lot more information than most people realize is already in databases even before you count the more modern biometrics.

In South Carolina I believe, they had a law that allowed the DNA samples taken from newborns to be kept indefinately. The samples are used to detect and aid in fighting diseases, but the hospitals were dealing with and giving the samples to rather dubios corporations with nerving ties to the government. Thankfully, a Republican state senator labored long and hard and finally set a limit on how long this data could be kept and who dealt with it.

It seems that a number of politicians on both sides are starting to speak up about bioethics and civil liberties in general at state and local levels--however the future looks bleak from Washington.

Re:Umm

[GreyWolf3000]

Just a quick correction-the mandatory thumb scanning is for getting a drivers license, and has been the subject of a huge amount of controversy.

Holy Shit

[seigniory]

Dude, stop! Not everyone is out to get you. Not everyone wants the leftover DNA from your underpants. Your Thumbprint means nothing. If someone really REALLY wanted to fuck you over, they'd have done so already. Wait until they ask you for a universally accepted method of identification before freaking out. I've never had to sign a lease or car loan by thumbprint yet, so it obviously isn't binding yet. Fox Mulder does not exist. Scully is hot. Good night, you folks have been great.

Re:Holy Shit

[ShaunC]

Not everyone is out to get you. Not everyone wants the leftover DNA from your underpants. Your Thumbprint means nothing.

As much as I wish I could believe this, I don't; depending on where you live, your thumbprint can mean a great deal and law enforcement is chomping at the bit to get it.

No, I'm not some paranoid delusional. They've tried to pass a law here where anyone who buys or sells any item at a pawn shop would be required to provide their fingerprints to the pawn shop. The fingerprints would then be turned over to the police (who, no doubt, would put them into the NCIC database). Yes, that's right; private transactions between private companies and private individuals would require fingerprints turned over to the cops. We aren't talking guns here, we're talking CD players, cubic zirconia rings, gold necklaces, all the various stuff you find in pawn shops.

The "logic" behind this proposal is that thieves often fence stolen goods at pawn shops; thus pawn shop customers often purchase stolen goods, either intentionally or unintentionally. By requiring that every pawn shop transaction be accompanied by fingerprints, stolen property and those responsible for its theft could supposedly be tracked down more easily. At the same time, the police could add to their fingerprint database of "persons of interest" - that eerily Doublespeak new category which means "they're not even a suspect but we're watching them anyway."

Well, that's a grand idea at first glance. The problem is that pawn shops have plenty of legitimate customers as well - think eBayers - who aren't doing anything wrong and do not deserve to be treated like criminals. It would be easier to track down stolen property if every transaction required you to donate a blood sample. It would be easier to track down stolen property if a law was passed requiring a Lo-Jack device in every tangible good. Hell, it would be easier to track down stolen property by forbidding anyone but the government to sell things to the public. Just because something makes crimes easier to solve, doesn't mean it's a good idea!

My point is that, at least in the USA, people are supposed to be innocent until proven guilty. We're supposed to be protected from unwarranted search and seizure. I'd certainly consider mandated fingerprints at the pawn shop to be unwarranted seizure of those fingerprints. Unfortunately there are a lot of people out there who believe that the ability to solve/prevent crime trumps all other rights. There are a lot of people who believe that outlawing guns will stop murder, or that making non-DRM-compliant computers illegal will stop piracy. You get the idea.

Wait until they ask you for a universally accepted method of identification before freaking out.

And then what? Either you provide that ID or you don't get hired? Either you provide that ID or you can't buy gas for your car to get to the job you don't have anyway? Either you provide that ID or the grocery store charges you more for food than they charge those who do provide that ID? Think fast: which one of those is already taking place? Who do you think is getting access to your purchase records from the grocery store? I'll save you the trouble, and quote from the article (emphasis mine):

The saga began with a misguided fit of patriotism mere weeks after the World Trade Center and Pentagon attacks, when a corporate employee handed over the records--almost literally, the grocery lists--to federal investigators from three agencies that had never even requested them. In a flash, the most quotidian of exchanges became fodder for the Patriot Act.

Still not concerned about private companies having your personal data? s/grocery store/your company/g and s/grocery lists/biometric information/g if you don't see the problem. Suppose one day someone in your company's HR department decides to "fight terrorism" by donating every employee's retina scan to the FBI - that's not a problem? It's going to happen sooner than later. Believe me, I never thought I'd see the day when grocery stores tracked individuals' purchases, much less the day when the entire database was willingly handed over to the government.

Further, a lot of biometric devices (and even manual techniques like fingerprint dusting) are susceptible to forgery. Perhaps not as much as they used to be, but still plenty enough to make me nervous. As biometrics become more pervasive, what happens when the grocery store requires your thumbprint, or voiceprint, or retina scan, etc. in order to check out? Suddenly they have a copy of the very "key" that gets you into your office at work, disarms your home's security system, authenticates your bank transactions, and even puts you at the scene of a crime. Sorry, but I'll keep my thumbprint to myself.

If someone really REALLY wanted to fuck you over, they'd have done so already.

No, if someone really REALLY wants to fuck you over, you aren't going to know about it until it happens. If someone wants to try it on me, I'd prefer that they not have access to my fingerprints, my grocery bills, or anything else that's my own goddamn business.

Shaun

Re:Holy Shit

[shdragon]

I hope this isn't a troll as I'll respond as though it's not.

IMO, brushing off those whom are trying to warn you of the dangers of freely giving up your privacy is a slippery slope. Sure, YOU may not care that ABC Company has individually identifiable information on you. This, however, is not to say that someone else does not. Now let us say that ABC Company gets bought out by XYZ Company. Each has seperate data on you. After the acquisition, Now *1* company has twice as much data. Who is to say that THEY will be as responsible with your information?

Increasingly a disturbing trend (IMO) among corporations is to guide (force) their customers to do things they way THEY want, not the way the market wants. A recent notable example of this include grocery stores and the "Plus Customer" cards. At first, it was only one store. So I exercised my freedom to shop elsewhere. Now, EVERY grocery store (in my area at least) has such a system in place. Now by default, I must submit to their will. Yes, I realize that it is entirely possible to give false information, but I find the entire situation that I have to LIE to a grocery store to buy goods or pay ENORMOUSLY (sometimes 2x as much) inflated prices frightful.

I value my privacy very much. Having worked at a bank for many years, I can tell you the amount of "trivial" data life-altering (mortgages, loans, close your acct, etc) decisions are made off of, you should concerned to.

So before spouting off about everyone not being out to get you, please consider hard what you are giving up as you can NEVER reclaim it.

User rights to biometric data

[HotNeedleOfInquiry]

I worked for a time in the security industry with hand scanners, retinal scanners, fingerprint scanners and mantraps that weighed the occupant. To my knowledge, you have no property rights to your biometric data. Here in California, we're forced to provide a fingerprint to get a license. No negotiation, no substitutions - no fingerprint, no license. I think the reasoning goes like this: We know your hair color, we know your eye color, we can ask your weight, what's the difference if we take an image of the swirls on your fingertip. Unless you can make the argument that the biometric data is somehow health related and falls under the rather draconian privacy laws of such, you're probably out of luck.

Re:User rights to biometric data

[JimBobJoe]

We know your hair color, we know your eye color, we can ask your weight, what's the difference if we take an image of the swirls on your fingertip.

I agree that this is the reasoning...and it was established by the US Supreme Court sometime in late 1960's--that fingerprints were just another thing to be measured on the body. That was used in the basis of the California Supreme Court decision in the mid 1980's that protested the California driver's license fingerprint requirement (mandatory 1982, optional 1977. One of the great things discovered in that decision is that while the fingerprinting was optional from 1977 to 1982, the DMV nevertheless lifted fingerprints from the applications signed by those drivers who declined to be fingerprinted. That to me indicates just an unimagineable level of dishonesty and poor ethics.)

At any rate, the odd thing was that the Californa Supreme Court decision was based on the concept that the fingerprints were needed to protect the integrity of the photo driver's license document. Indeed, the court specifically cited that in 1982 2000 fraudulent licenses were issued by the DMV. However, 100,000 fraudulent licenses were issued by the DMV in 2000--and the DMV never really explained how fingerprinting was meant to stop fraudulent license issuance. Nor did the DMV ever get to explaining what to do with individuals whose fingerprints were unreadable (which I think offers a great way of introducing an equal protection situation, since a person could go through the complex process of becoming fingerprintless.) Finally, California is the only state I know of which has made the California DL/state ID card "officially recognized identification" which is just one step below mandatory identification, and fingerprints are required for either.

Some day, I hope to put that alltogether and have a lot of fun at the DMV's expense. :-)

Privacy?

[__aafkqj3628]

Soon privacy will just be a buzzword that you will lauch at (like .NET or M$) as everybody will know everything about you, your children and your children's children.

With regard to today's world, here in NZ the only really mandatory way to give ID is a photo and/or a signature and I'm fine with that. We don't have amazing crime rates that would really warrant biometric scans.

Off the hook had a show a bit back about this being mandatory in stores and the question really boils down to - After you press your hand/finger on this pad, where and for how long will it be stored?

I think that if the scan will just be used for ID and then dumped, then it's ok, but in your case your scan is actually stored somewhere else for comparison.

Simply - Get used to it, soon DNA scans, retinal scans, dental scans and psycological scans will be required before you walk ouside to verify that you're not a "threat" to the outside world.

The problem with biometrics

[Kj0n]

The biggest problem with biometrics - as I see it - is that you only have one set of biometric data. This means that when a handscan is used to identify you at both the gym and at the place you work, this data can be linked. It will be possible for two organisations to cooperate and see if they have any members in common. A big brother-like environment is not far away, when the government starts getting interested in the biometric data collected by various organisations.

Of course, you have the same problem when you give your home address or phone number, but these things can be changed, while changing your handscan is not easy to do.