Would You Submit Biometric Data to Join a Gym?
An anonymous reader asks: "I went to my gym (Rocky River, OH branch) yesterday and there was a huge line of people at the counter. When I went to the scanner to swipe my membership card, I noticed they were training people in the use of their new security system that requires the input of your thumb print. There is currently a story on boingboing that mentions a tanning salon in Arkansas that is enacting a similar policy. I'm going to call the gym later today and see what type of security they have on their network. I guess we can look forward to a future where these sorts of personal services clubs require the submission of biometric data. I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"
I wouldn't be a member of that gym for much longer (or, any gym, really). I wonder if I can copyright my fingerprints, and then charge royalties for anyone who requires a print? That would be sweeet.
"Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
Once they've got your biometric data, how secure are they going to keep it? Unlike a password, it's not possible to change your biometric data if someone steals the gym's files and uses it to spoof other systems.
One line blog. I hear that they're called Twitters now.
I am fearful regarding theft of my fingerprint or any other biometric information since I KNOW that eventually, someone will steal it from anyone who collects it from me. But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash. Same with DNA for that matter.
You'll have that sometimes...
Though I feel you are correct for being sceptical about the security of biometrics, I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.
Better than having swipe-cards that fail after a single wash. (Thumbs are wash-proof!)
But using thumbs as positive I.D. for your bank account is a bad idea.
See?
If their customers take their business elsewhere, they'll soon drop the biometrics in favour of something a little more privacy-friendly. Who wants all those sweaty thumbprints all over the readers anyway? Gheesh!!!
The only solution is for you to copyright all your details, about yourself.
.. the hard part .. with the money and wherewithal to truly go to bat to protect us in times of violation. Call it a "DNA Cult" if you must, but I think it's going to be truly necessary, sooner or later.
Someone should fire up a dot-com which allows people to copyright all biometric info about themselves. Yes, it would be a registry. No, it wouldn't be "Big Brother" - the purpose would be to allow any individual worried about protecting their information, to have legal grounds to stand on in pursuing action against any other party using that information inappropriately.
A 'clearing house', or 'group repository of biometrics' database, backed by serious corporate power, with the #1 purpose being the consistent and determined protection of individual members' biometric info.
Someone, please do this. Give me a way of registering all of my private details, in a fully legal way, and assign me the copyright to all of that information. So that, from that point on, any other company that wants it, has to go through my corporate 800lb biometric ownership clearing house gorilla...
It might sound odd, but sometimes in life the way you fight something is to become it. We consumericans need to form our own corporations/organizations if we truly want to protect ourselves from other corporations/organizations hell bent on abusing biometric system information.
Something like the person who copyrighted their DNA, only bigger, better, with full disclosure, with teeth, and
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I never submit any personal data to any company if it is not really required for the business I have with this company. I don't see why I should change this policy for biometrical data.
I work for (and attend) a State University. Our gym (in 2002) enacted similar policies and equipment. It was *optional* however, and was enacted for people who didn't want to have to carry around a membership-card or student/employee-ID just to be able to get into the gym (since most gym shorts don't have pockets, and many people on campus just walk to/from the gym rather than driving or bringing a full bag and using a locker). It was an option for about one year, until they realized that the extreme costs of using the hardware and managing it (and its slight errors) far outweighed pleasing a minority of people who attended. It's good to see the technology developing, but I still prefer losing my identity to a bunch of little numbers on a card.
If they want your thumb, give them a finger.
One line blog. I hear that they're called Twitters now.
If there is no value, they don't need to collect it, do they?
Yeah, right.
If needed, it's easier to shed an ID, and get lost in the big mass of people in any world city and take on a new ID. When your fingerprints are out there, it's there for ever. I'd rather not cut off my fingers.
Perhaps your traveling can be tracked with ID (at borders and such), but at least you know it when you hand over your card. Prints can be found up to a few days after you have left, without you knowing it at all. Same for DNA.
ID cards? Yeah, sure, it has its uses.
Biometric data? Up yours!
And iris scans? Well, it depends on the range of the scans. If it's possible like in Minority Report, then once again: Up yours! If it's close range, then perhaps yes.
I think before I submit my bio-data, I want to be sure the business has the new USHS Privacy Certification or License, and the system should be certified yearly.
In 1997, my YMCA switched their system over to require you to submit a 3D hand scan for entry. You would place your right hand on this little device and punch in a number, then this other thing would go around your hand.
No. And if the gym the wife and I belong to switches to biometrics, I'll demand a full refund of mine and my wife's membership.
Fuck 'em. We already own a treadmill and the wife's been wanting to buy an elliptical anyway.
Slowly things like this get introduced and the stupid sheeple submit en masse. The more people that stand up and argue with the un- and under-educated about such invasiveness, the better.
Sure, these things may not be so bad yet but this may just be the tip of the iceberg. Give 'em an inch and they'll take a mile.
Once these become the norm, it'll be easier for the government and so-called private "security agencies" to strip us of our right to privacy.
Religion is for people afraid of going to hell.
As far as I know, biometric devices store only a signature of your fingerprint (like a digest of key points), so the stolen data would be of little use. Moreover they care about security because they normally control access to places.
I would worry more about the other data they could hold on their machines, which could contain more sensitive personal information and could be stored in less secure machines.
There's still a lot of sensitive data (medical records etc.) stored in Access databases and similar by people not really expert on computer security, often in old not updated Windows PCs... that scares me a lot more!
but you'll have to press your thumb in the box below to read my response.
. .....I
I..........I
I..........I
I..........I
I....
I..........I
Your unquestioning compliance in this matter would be greatly appreciated.*
Thank You,
The Management
* By supplying your thumb print, you agree to abide by our Terms of Service. You may request a copy of the Terms of Service directly from our Corporate Headquarters.
Some people have a way with words, and some people, um, thingy.
I can see using security like that on something important. Your bank account, private things, etc.
But on a goddamn GYM?!
Hell, I have access to a USB dongle that will store passwords for websites, variable per user, and it identifies the user by the user's fingerprint.
ON A GYM?!
Who the hell is going to have significant problems if someone steals their identity to go to the damn gym?
If the gym has to be secure, fark the membership cards, and just have a database of people allowed in, and have someone at the front desk check their fuckin identification.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Damn those long-haired freak Founders and their crazy ideas. If only someone would've told them that innocent men have nothing to hide, they could've avoided making many unnecessary additions to the US Constitution.
Yeah, right.
You can't copyright facts. There's no creative process involved with recording the length of various things on your body.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
would be better spent BUYING an exercise machine - oh wait, I already did....
i could combine all of these details, format it in a certain way, trademark that format, use it in some fashion, copyright the use of that fashion, and ...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Alright, everyone take a deep breath here. The idea of a fingerprint to sign in at the gym is there as a customer convenience. You don't have to carry a membership card into the place, and then find somewhere to stash it while you're exercising. This is actually a good thing.
And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...
This seems like madness. Unless your gym happens to be in the middle of a warzone, I can't see the need to have security at all. Who is this security to protect against?
it's supposed to be a tattoo or something. And it's on your right hand, or on your forehead.
sheesh, why do I always explain these things to people.
In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.
But here's how to implement a thumbprint-as-login system and keep people, including the paranoid freaks here at slashdot, happy.
1) Make it optional. Don't want to submit your thumbprint? Fine. Just make sure you always show up with your card.
2) Make it hashed, using a public key unique to that system. That way, the information stored is effectively useless. If a hacker gets in, all that they will be able to do is see a bunch of GUIDs. Whoop de doo.
I'm almost 100% that this is, in fact, just what is being stored. I mean, imagine actually storing a thumbprint. That's got to take up more space, and is really slow and inefficient for data lookup.
Someone more knowledgeable in biometrics, please rip me a new one if necessary.
Karma: Chevy Kavalierma.
Bring a simple contract to the manager and ask them to assume all liability for any financial losses you may incur as a result of their mishandling of your biometric information. If they sign it you should feel better. At least it might get them thinking.
:)
If that doesn't work, it's summer - you've got 'till fall to find another gym. If you need work to do, I've got trees to clear.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
They sold _you_ a membership - they want to know that _you_ are making use of it. What's the problem with you identifying yourself?
Personally, not having to carry around numerous bits of plastic that don't actually identify me is going to be a relief.
My Journal
Pfft. Privacy my ass. If I wanted your fingerprints it would take me approximately 30 seconds to get them unless you're SO fucking paranoid you go everywhere in gloves. DNA, just as easy. And if you really were that interesting or valuable, they'd just take your fingers. Or your life. Or your identity.
You'd be surprised how fast your 93 character password would come out after 30 seconds with a rubber hose.
And to answer the question you've all been bleating about, why would they do this, it's so blatantly simple and obvious it's not funny. Because it's EASY. You walk in and touch the pad, and you're in. No cards to lose, no "lending" your card to a friend. It's a straightforward (and perfectly reasonable) accounting decision.
Watch out for the ones bleating the loudest. They're either so disillusioned that their insignificant little lives are of interest to anybody, or they've got something to hide.
I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?
I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.
I'm sure they'd hem and haw and try to get out of signing such a form and say they just couldn't do it.
Then I'd say that I'd take my business elsewhere.
But by then they would know exactly why they were losing my business. And that awareness is what is so desperately needed among consumers and businesses that take these issues far too glibly.
"Provided by the management for your protection."
Maybe my parents could patent me as an invention... though the pool boy might have a claim.
Go ahead everybody and submit your fingerprints to as many minimally secure, relatively worthless systems as possible. Maybe we can devalue the damn things to the point that nobody would seriously think of using them to protect anything.
1) The thumbprint is the hardest one to match. Though 1:1 is very good, still....
2) This is a gym. How many jock boys have opposable thumbs?
And of course, we've got #3, in the tradition of Douggy Adams..
3) Scratches, scrapes, dead skin, flakes, etc. will make the image different enough to screw up the match. Add in sweat, gym chalk, bandages etc...
--- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
Hey stupid mod, how could this be redundant? He said it first.
You know what redundant means don't you?
Yikes! Am I alone in being surprised how few people find this demand unreasonable?
Seriously folks, this for a gym membership, not admittance into NASA or the CIA.
If a non-essential or frivolous business like this demanded that kind of personal information I'd be out of the door in an instant, not because I worry about security, but because it's a wholly unreasonable demand to make of your customers.
Perhaps more importantly, every time that you allow a business to record unnecessary information about you you are hastening the day when every transaction, especially those involving government, will demand the same.
Then again maybe the bulk of the population would see an embedded RFID chip as a reasonable request to go to the gym, or Costco, or to walk into a Post Office or board an airplane.
Lest you think that all I will do is complain, I'll offer a solution that will allow them to monitor gym usage and which will probably also increase business.
Hire intelligent and motivated employees, pay them well, train them well, and encourage them to know your customers on a first name basis. Have them get to know the likes and dislikes of your customers, and greet each one by name with a cheery "Hello!"
They will do a better job of keeping strangers out, and will make your customers feel special and appreciated.
No machine can do that as well as a living breathing person.
Three Squirrels
I am fearful regarding theft of my fingerprint
Fingerprint? I'm fearful regarding theft of my finger!
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
I'm handless, you insensitive clod!
I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.
There are three G's that explain why a contract is not good enough for me:
1. Bill Gates (or some other IT warlord) will eventually attempt to access your biometric info in an effort to "assist" you and organize your "identification profile".
2. I'm sure that governments are chomping at the bit to access these types of data stores in the name of "security". A contract won't protect against a search warrant!
3. The disgruntled employee who downloads everyone's biometric data to his USB dongle on his last day of work and posts them to a web site (and yes, that information can be used by bad guys).
"The mere imparting of information is not education." --CGW
They've had biometric turnstiles at Walt Disney World for at least three years now, first for Cast Members, then Annual Pass Holders, and now anyone with a multi-day ticket has their index-middle finger biometrics taken on their first day in the park. If the metrics don't match up on a subsequent day, the greeters will check the signatures on the tickets against a photo id.
Free messageboards and more! Your girlfriend's seen myWang
Whenever I use the gym towels, I discreetly wack off into them when I'm done.
The lockers can be keyed to the biometrics. That should help defeat thievery, and serve customers to allow them to not carry around a badge or key while working out or playing sports.
Especially if it's as innoxious as a [almost publicly available] thumbprint.
That said, it would be nice to hold biometric data under the same sharing rules as other medical info.
This will only be used to solve crimes, like who left semen on the bench press.
Everytime you look at porn a devil gets their horns.
If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.
Will they transfer this data if the company is sold or goes out of business? Remember eToys had a privacy policy that went out the window during bankruptcy. Will they destroy the data when you cancel your membership? What security mechanisms and audit procedures do they have in place?
When you bring it up it may be the first time they have thought of it so be prepared to wait.
-weld
The fact that for a cash transaction for tanning right now, they still require the fingerprint sounds like the most stupidly conceived plan ever.
This is totally appalling, and not that different from businesses asking for things like your social insurance number for no good reason.
There is no business that I would ever provide this information to. Heck, I wouldn't give this to anyone but the police, and then even only if I was compelled. A gym or a tanning company? Not fsck'ing likely.
I've already decided if I need to get fingerprinted to enter the US they'll see exactly one finger followed by seeing my ass heading back the other direction.
Lost at C:>. Found at C.
To get into Sea World in Orlando with my annual pass I (usually) have to put my hand into some gizmo that measures it--how far apart my fingertips are, etc. My last pass had my picture on it but my current one doesn't.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Everyone that steals your data (in other words - the people we worry about) does it for some sort of profit motive. I have found the perfect defense against this, and it has protected me well from any sort of charges in my name due to identity theft.
My plan? Have a credit rating bad enough that even if they get all of your data, they can't do anything with it.
For only $19.95* a month, I can show YOU how to safely protect yourself as well!
* Only cash accepted!
Wanna buy some?
<Rimshot>
No, but you could Trademark(TM) it all. TM your fingerprints. If anyone tries to use them, then sue them.
Ahh well.
In reality, this is like trying to stop the tide from coming in. You'd have better luck stopping the sun on its ecliptic than trying to stop biometrics from becoming the de facto identification.
It will happen!
Eventually, your credit card, bank account, paycheck, network password, car key, and everything else you can think of will be tied to your voice, fingerprints, or GATTACA-style DNA scans.
I'd rather you do it wrong, than for me to have to do it at all.
I've thought about this; it's a nifty idea but no current protection works.
:-) )
You can't copyright facts about yourself, which is what biometrics is based on, and for that matter most of what your privacy-sensitive information is.
You can't copyright the collection, because other people will independently collect it, and they can (and do!) claim their own copyright on the new collection.
Trademarks don't work, because they are mostly concerned with preventing other people from fraudulently passing themselves off as your business concern. Even if you could trademark your fingerprint, which is highly unlikely for a variety of reasons, it wouldn't stop people from storing and using it for almost anything they want.
Patents are obviously not a good fit.
Trade secret law is actually the closest IP protection of interest (the forgotten IP protection class here on slashdot), but your privacy-sensitive information suffers from being neither directly related to trade in the sense the name of the law implies (i.e., yes I know your ID at a business is related to trade but that's not what the law means, summaries always drop data), nor is it a secret anymore.
The bad news is, you need new law. The good news is, no aspect of the requisite law is new; you can get there with pieces of the trade secret law, added to copyright, and topped off with some of the protections in trademark. But there is no feasible way to do that under current law, not even with a highly experimental suit.
It's good thinking, though.
(This is a shortened version of the analysis at that first link. If you have some objection, you might want to try that link before replying; it may make your objection go away, it may make it worse, but it's worth checking
You can't copyright facts about yourself
the point is *YOU* are not copyrighting facts about yourself, THE COMPANY IS. NOTHING is stopping a corporation from collecting personal info, and then copyrighting it.
So then, a company which does -only- this - call it "The Peoples Marketing Agency, Inc." does have a basis for copyright'ing the material...
Or?
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
3. Profit
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
I'm against it. STRONGLY. And I'd find a new gym.
No, the original point was whether you can protect yourself by copyrighting (or trademarking, or something) your own data.
"The" company (boy, I wish it was a "the" company...) is also not copyrighting your data. Nobody can. What they can and do do is copyright the collection of data.
For further information, look up "compilation copyright", as this is a somewhat rich topic, and beyond the scope of a Slashdot posting.
I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"
Tin foil hat aside, I don't feel comfortable in submitting biometric data to anyone or thing.
I made an ambiguous statement; by "collection" I mean the noun, not the verb. Collection as in "library collection".
The same (cr|h)ackers interested in breaking into the gym's database would be even more interested in yours.
I recently visited a new hospital for the first time and was surprised at the amount of information required of me. It struck me that the one way to make them take a step back from all this rabid information gathering is to point out the risks associated with owning the data in the first place:
"The privacy notification laws in California require you to notify all parties who may have been compromised by any security breaches of your system. With the current state of affairs regarding Choice Point et al, we can expect this requirement to grow and affect more states. Is your company prepared to shoulder the extra liability incurred by maintaining all this additional information?"
Real nerds don't join gyms.
The timeclock is a finger print scanner. You enter a 6 digit "PIN" (That's posted on the wall behind the scanner) and put your finger on a little pad (The little pad is covered in the same kind of gunk that clogs up non-optical mice) and 8 out of 10 times it scans properly.
We used to have a system where you would swipe your ID card, but the managers got tired of people swiping each other in and out, so they switched to this.
Not a Twitter sockpuppet... but I wish I was.
. . . behind in the shower.
Works fine. YMCA does it.
Maybe someone can explain to me what a gym is? Can I remote login to this? Do you need a ssh with finger print now to login? How does this work?
That hasn't stopped corporations... most programming algorithms are really mathematical facts and are protected under patents AND copyright.
I work in the security/smartcard/biometric field.
Ask them if they store the image or just the template. If they store the image then I would be less likely to do it. If they just store the template then that would be OK in my book.
Although it is possible to sometimes reconstruct your fingerprint from a template, it is a non-trivial operation and if you have people capable of doing something like that, they can do far worse things than get your fingerprint off some health club system.
Remember, you leave fingerprints on everything you touch anyway. I can wash something you touched with the proper chemicals and take a picture that will match your fingerprint anyway. Meh...
Smartcards solve this problem nicely because they allow you to carry your biometric data with you and it never gets sent to other systems. You then use it to unlock the card which then provides the identification information. This is a much better system from a privacy standpoint.
The ratio of people to cake is too big
Would You Submit Biometric Data to Join a Gym?
Sure, why not? I submitted biometric data to join Busch Gardens. They measured the distance between my fingers or something. See the story about it. Sure, it's not fingerprints, but what's the difference?
If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.
Too late for that. The FBI already has a copy of my fingerprints. They got it when I signed up as an originator of electronic filed tax returns. Pretty much any other part of the federal or state government could get it if they wanted it, it's probably already in databases accessible to all of the federal government. If the government already has it, I don't see who's left to worry about. Anyone who knows me well can easily get it from something I've touched. I just don't see a potential harm.
I can't understand what's the problem in submitting biometric data... What could anyone do bad to u with that? U all seem paranoid....
You might leave fingerprints that could be mis-used!
do u think it's cool when u write like dat ? it looks stupid. just an fyi for u.
Frankly I would rather ride my bike than go to a gym but that is just me.
Riding a bike is good cardio exercise, at either fat-burning or lactic-threshold levels, but what do you do for strength training?
Trademarks don't work, because they are mostly concerned with preventing other people from fraudulently passing themselves off as your business concern.
And what would crooks use your thumbprint for, if not for fraudulently passing themselves off as you?
This is technology from the Army War College all planned out years ago. It is introduced incrementally to get people to accept it. Lazy sheeple will tell you how much "easier" it is and will find themselves locked in a cashless control grid as a result.
People can wake up to this Orwellian Nightmare that is being put in place by checking out the plethora of info in this archive.
http://www.prisonplanet.com/archive_big_brother.html#biometrics
I believe gyms are a waste of time and giving them anything only opens you to more "direct marketing" :(
D
DangerBlog
I wouldnt be a member of that gym for much longer (or, any gym, really).
Neither would I.
Falcon
Should there be a Law?
I was shown a nice system from a French supplier - not only did it provide a nice digital object for comparison, but it also stored a TIFF version of the fingerprint for interoperating with other systems.
I'm curious how many of those that responded would be willing to use biometric-based authentication if they could be assured the biometric was converted into what we are calling a Biotope, a cryptographically secure token that was non-unique (so you can have different ones for different applications) and which you could revoke like a digital credential? We've developed one and many of the biometric vendors keep saying privacy is not a concern. This thread shows otherwise. If the source of the "approach" was open for review so that like PK, technologies could ensure it's really secure. (Unlike the many posting here that believe the templates of existing biometrics are secure).
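Two ideas from the thread, the earlier suggestion to store only a hash of the thumbprint and the per-application, revocable token described in the comment above, compared in an added sketch that is not part of the thread and is not any commenter's or vendor's product. It assumes a finger can be reduced to a fixed-length feature vector; the vectors, keys, noise level and threshold are all constructed for illustration, and the sign-of-keyed-random-projection step is a generic stand-in for published cancelable-biometric schemes.

```python
"""Added illustration (not from the thread): plain hash vs. a keyed,
revocable template, run on CONSTRUCTED feature vectors."""
import hashlib
import hmac
import random

DIM = 64          # length of the constructed feature vector (assumption)
BITS = 256        # size of the protected template, in bits
THRESHOLD = 0.25  # max fraction of differing bits still accepted (assumption)


def enrolled_features(person_seed, dim=DIM):
    """Constructed stand-in for the features a sensor extracts from one finger."""
    rng = random.Random(person_seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def fresh_reading(features, reading_seed, sigma=0.1):
    """Same finger, new scan: sweat, pressure and angle perturb every feature."""
    rng = random.Random(reading_seed)
    return [x + rng.gauss(0.0, sigma) for x in features]


def plain_hash(features):
    """Naive approach: cryptographic hash of the quantised reading."""
    data = ",".join(f"{x:.3f}" for x in features).encode()
    return hashlib.sha256(data).hexdigest()


def protected_template(features, app_key, bits=BITS):
    """Sign of keyed random projections: one bit per projection.

    The projection directions are derived from app_key, so each application
    gets a different template and a leaked one is replaced by rotating the key.
    """
    seed = hmac.new(app_key, b"projection-seed", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    template = []
    for _ in range(bits):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(d * x for d, x in zip(direction, features))
        template.append(1 if dot >= 0 else 0)
    return template


def distance(a, b):
    """Fraction of bit positions in which two templates differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(a, b, threshold=THRESHOLD):
    return distance(a, b) <= threshold


def demo():
    alice = enrolled_features(person_seed=1)
    bob = enrolled_features(person_seed=2)
    alice_again = fresh_reading(alice, reading_seed=99)

    gym_key = b"constructed-gym-key"                   # placeholder key
    new_gym_key = b"constructed-gym-key-after-breach"  # key after revocation

    stored = protected_template(alice, gym_key)
    return {
        # Two scans of one finger never hash to the same digest.
        "plain_hash_equal": plain_hash(alice) == plain_hash(alice_again),
        # The keyed template tolerates scan-to-scan noise...
        "same_finger_same_key": matches(stored, protected_template(alice_again, gym_key)),
        # ...still rejects a different finger...
        "other_finger_same_key": matches(stored, protected_template(bob, gym_key)),
        # ...and the old record stops matching once the key is rotated.
        "same_finger_new_key": matches(stored, protected_template(alice_again, new_gym_key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sketch shows matching, unlinkability across keys and revocation only; it makes no claim about how hard the stored bits are to invert when the key is stolen along with them.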