Slashdot Mirror

← Back to Stories (view on slashdot.org)

Would You Submit Biometric Data to Join a Gym?

Posted by Cliff on from the your-body-is-no-longer-your-own dept.

An anonymous reader asks: "I went to my gym (Rocky River, OH branch) yesterday and there was a huge line of people at the counter. When I went to the scanner to swipe my membership card, I noticed they were training people in the use of their new security system that requires the input of your thumb print. There currently a story on boingboing that mentions a tanning salon in Arkansas that is enacting a similar policy. I'm going to call the gym later today and see what type of security they have on their network. I guess we can look forward to a future where these sorts of personal services clubs require the submission of biometric data. I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"

18 of 190 comments (clear)

  1. How secure is their security? by AndroidCat · · Score: 3, Insightful

    Once they've got your biometric data, how secure are they going to keep it? Unlike a password, it's not possible to change your biometric data if someone steals the gym's files and uses it to spoof other systems.

    --
    One line blog. I hear that they're called Twitters now.
  2. It's...um...bad by tha_mink · · Score: 4, Insightful

    I am fearful regarding theft of my fingerprint or any other biometric information since I KNOW that eventually, someone will steal it from anyone who collects it from me. But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash. Same with DNA for that matter.

    --
    You'll have that sometimes...
    1. Re:It's...um...bad by sartin · · Score: 3, Insightful

      But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash.

      Yes, but following you around is labor intensive and targets you specifically. For less effort (at most small business networks I've seen), a hacker could recovers hundreds or thousands of fingerprints (or other biometric data). This change in scale changes the nature of the problem and removes control from you. Without the biometric data stored in the business computer, the paranoid can wear gloves or dab their fingertips with various substances to disrupt attempts to get fingerprints. That control is gone when the data gets stored on computers owned by various businesses.

    2. Re:It's...um...bad by Anonymous Coward · · Score: 1, Insightful

      The problem with that is that while a password is a discrete data set, the technology we have right now prevents any two thumbprint scans from being exactly the same. Scans need to be compared, you can't just hash them.

    3. Re:It's...um...bad by metamatic · · Score: 2, Insightful
      It's more like a hash. Unless the people that designed the security sytem didn't have a clue, they wouldn't store reversable fingerprint information at all.

      Well, the problem is I have to trust on blind faith that it's a hash, and that it's different from the hash used by other companies.

      It doesn't matter if my fingerprint is hashed to an opaque 0x0116632c51bde43 if every other system made by the same manufacturer will accept that hash as representing my fingerprint. I'm still screwed, because I can't change my fingerprint and can't change the hash.

      Think of hashed fingerprints as a PIN tattooed on your finger...

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  3. thumbs are useful by chewy · · Score: 3, Insightful

    Though I feel you are correct for being sceptical about the security of biometrics, I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

    Better than having swipe-cards that fail after a single wash. (Thumbs are wash-proof!)

    But using thumbs as positive I.D. for your bank account is a bad idea.

    See?

    1. Re:thumbs are useful by EnronHaliburton2004 · · Score: 2, Insightful

      I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

      Sacrificing your deeply personal information for the convenience of a simple consumer product is plain dumb. Aren't you concerned with security? This is plain sleezy, and it wouldn't suprise me to see "24-hour Nautilus" (Sleezebags) use this scheme in a couple years.

      The gym isn't doing this for your convenience. They do it to prevent people from sharing memberships, which is fine, but not when they resort to invasive tactics.

      Better than having swipe-cards that fail after a single wash.

      What if the thumb print machine breaks? I bet the gym bought some cheap thumb print machine out of the Tiger Direct catalog...

      My gym just requires me to flash an ID card. If someone else borrows the card for a day, they don't care too much, and don't require some fascist technique to verify my identity.

      --
      94% of Repubs and 21% of Dems voted to renew the Patriot Act
    2. Re:thumbs are useful by Bradee-oh! · · Score: 2, Insightful

      There are other ways to prove identity without sacrificing such fundamentally private information. e.g. At my gym you walk in, they scan your card's barcode, and your PICTURE shows up on the screen and, believe me, they look at you and confirm.

      If any argument is made that "well, a hacker could break in and change the picture on record," then you need to realize that it would be exactly as difficult for a hacker to break in and change the thumbprint on record.

      The difference is my thumbprint is my own business whereas I already show my face by walking through my front door into public.

      --
      "This is Zombo Com, and welcome to you who have come to Zombo Com" - www.zombo.com
  4. Copyright (C) Yourself. Right now. by torpor · · Score: 2, Insightful

    The only solution is for you to copyright all your details, about yourself.

    Someone should fire up a dot-com which allows people to copyright all biometric info about themselves. Yes, it would be a registry. No, it wouldn't be "Big Brother" - the purpose would be to allow any individual worried about protecting their information, to have legal grounds to stand on in pursuing action against any other party using that information inappropriately.

    A 'clearing house', or 'group repository of biometrics' database, backed by serious corporate power, with the #1 purpose being the consistent and determined protection of individual members biometric info.

    Someone, please do this. Give me a way of registering all of my private details, in a fully legal way, and assign me the copyright to all of that information. So that, from that point on, any other company that wants it, has to go through my corporate 800lb biometric ownership clearning house gorilla...

    It might sound odd, but sometimes in life the way you fight something is to become it. We consumericans need to form our own corporations/organizations if we truly want to protect ourselves from other corporations/organizations hell bent on abusing biometric system information.

    Something like the person who copyrighted their DNA, only bigger, better, with full disclosure, with teeth, and .. the hard part .. with the money and wherewithal to truly go to bat to protect us in times of violation. Call it a "DNA Cult" if you must, but I think its going to be truly necessary, sooner or later.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  5. Re:No. Thank. You. by tha_mink · · Score: 2, Insightful

    " I wouldnt be a member of that gym for much longer (or, any gym, really). "

    But then, someone could steal your fingerprint without the trouble of hacking some system simply by getting you to hold on to something, for example, a frosty beer or maybe even your gym card.

    --
    You'll have that sometimes...
  6. Then you have to ask by Safety+Cap · · Score: 2, Insightful
    If it is that easy to steal, what is the value in collecting it in the first place?

    If there is no value, they don't need to collect it, do they?

    --
    Yeah, right.
  7. This country was founded by criminal lovers by Safety+Cap · · Score: 3, Insightful

    you'd only really need to be worried if you planned to commit a crime; for non-criminals there's really nothing to worry about.

    Damn those long-haired freak Founders and their crazy ideas. If only someone would've told them that innocent men have nothing to hide, they could've avoided making many unnecessary additions to the US Constitution.

    --
    Yeah, right.
  8. Re:Copyright (C) Yourself. Right now. by GigsVT · · Score: 3, Insightful

    You can't copyright facts. There's no creative process involved with recording the length of various things on your body.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  9. Not big brother by brian6string · · Score: 3, Insightful

    Alright, everyone take a deep breath here. The idea of a fingerprint to sign in at the gym is there as a customer convenience You don't have to carry a membership card into the place, and then find somewhere to stash it while you're exercising. This is actually a good thing.

    And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...

  10. The right way to do it by greenhide · · Score: 2, Insightful

    In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

    But here's how to implement a thumbprint-as-login system and keep people, including the paranoid freaks here at slashdot, happy.

    1) Make it optional. Don't want to submit your thumbprint? Fine. Just make sure you always show up with your card.

    2) Make it hashed, using a public key unique to that system. That way, the information stored is effectively useless. If a hacker gets in, all that they will be able to do is see a bunch of GUIDs. Whoop de doo.

    I'm almost 100% that this is, in fact, just what is being stored. I mean, imagine actually storing a thumbprint. That's got to take up more space, and is really slow and inefficient for data lookup.

    Someone more knowledgeable in biometrics, please rip me a new one if necessary.

    --
    Karma: Chevy Kavalierma.
    1. Re:The right way to do it by anthony_dipierro · · Score: 2, Insightful

      So your gym uses biometrics too. I wonder if the slashdot crowd has a problem with this.

  11. Re:wtf by Anonymous Coward · · Score: 1, Insightful

    biometrics are LESS SECURE. Repeat this, over and over again. They are trivial to steal (especially fingerprints or DNA - you leave them everywhere) and impossible to change! Lose an ID - get a new one (at my university that deactivates the old one). A password is compromised - change it. Try that with a fingerprint!

    so repeat after me - biometrics are LESS SECURE.

  12. Re:At the risk of being offensive... you clowns! by avi33 · · Score: 2, Insightful
    If I wanted you'd fingerprints it would take me approximately 30 seconds to get them unless you're SO fucking paranoid you go everywhere in gloves...You'd be surprised how fast your 93 character password would come out after 30 seconds with a rubber hose.

    ...or you could just offer the gym's counter-jockey $200 for a backup of everyone's name, thumbrint, ssn, mother's maiden name, and password. The point is, they don't need any of it, for 'ease of entry' or any other reason.

    Maybe the thumbprint is superfluous for identity theft at the moment, but it could be valuable in a couple years if bank x starts using a thumbprint as part of their security procedures.

    I notice that you valued your privacy enough to submit this comment as an AC.