Slashdot Mirror
Library to Require Fingerprint to Use PCs
FearUncertaintyDoubt writes "Three libraries in Naperville, IL, soon will start requiring patrons who use the library's PCs to provide a fingerprint scan. The article says, ' Library officials say the added security is necessary to ensure people who are using the computers are who they say they are. Officials promise to protect the confidentiality of the fingerprint records.'"
"Right now we give you a library card with a bar code attached to it. This is just a bar code, but it's built in," said Mark West, the library's deputy director.
To be fair that does come after this paragraph:
Naperville library officials said the technology cannot be used to reconstruct a person's actual fingerprint. The scanners, made by Naperville-based U.S. Biometrics Corp., use an algorithm to convert 15 or more specific points into a unique numeric sequence.
But it's still shockingly cavalier to describe the technology as "just a bar code". I have difficulty understanding a) why this seems like a good idea to anyone, and b) why this gentleman seems incapable of understanding people's worries about a fucking library requiring fingerprints!
Carousel is a lie!
Officials promise to protect the confidentiality of the fingerprint records.
What does that mean exactly? Doesn't the "Patriot" Act allow for law enforcement officials to easily obtain library records during investigations? I know that the ALA has spoken against the "Patriot" Act in the past but will they actually stop the LEOs from taking this information?
The three-library system this week signed a $40,646 contract with a local company, U.S. Biometrics Corp., to install fingerprint scanners on 130 computers with Internet access or a time limit on usage.
Library officials say the added security is necessary to ensure people who are using the computers are who they say they are.
$313 a computer seems like an awful lot of money for this. I'm not sure what they are trying to accomplish other than wasting taxpayer dollars.
Once a patron's fingerprint has been recorded, accessing a computer will require only the touch of a finger.
"Right now we give you a library card with a bar code attached to it. This is just a bar code, but it's built in," West said.
So patrons used to scan their library card and they could use the computer? There is no difference now except a database of information tied to a fingerprint that can easily be looked into by employees, LEOs, and possible thieves.
West said the library is requiring a fingerprint to set up computer access, although patrons who object could ask a staff member to log them on to a computer.
Are they going to make this perfectly clear to all patrons with a large sign in blinking neon? I doubt it. Make sure to give the staff a hassle. We need to hassle businesses (public and private) more so that these privacy intrusions cease. We will continue heading down the slope due to "ease" if people continue to stand down.
This really begs the question: Why do they need to know who that the person in front of the computer is who they say they are? What purpose does this serve?
"We take people's fingerprints because we think they might be guilty of something, not because they want to use the library," said Ed Yohnka, spokesman for the American Civil Liberties Union of Illinois.
A very apt response from the ACLU. The problem is that we're now into the notion that "everyone is suspect" and due to that, we're going in this direction. It seems like
I could very well imagine this being linked into god-knows-what. Imagine, for instance, having $100 in parking tickets due, and the library terminal refusing you connection to their services before this due is paid.
Finally, anyone who is really interested in doing something criminal will just subvert the system. It's not like it's particularly difficult to spoof a fingerprint scanner. Remember the stories about doing it with Jello? Also, remember the fingerprint scanner that could be defeated by blowing on it?
Just like limitations on guns, just like airport security, just like locks on our doors and car alarms, and just like so many other things, this is used to punish the law abiding citizen, and does nothing to deter the hardened criminal or terrorist.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
This is just ridiculous. Why do they even care who uses the computers at the library. Around here they don't ask you for anything. You just sit down and go.
They do politely ask you to limit yourself to ten minutes if there's a line.
There is absolutely no good reason for this and it's a clear step toward a totalitarian state.
Help I'm a rock.
Oh... Wait.
Yeah, I don't care if it's "ethical," I think I'd just download the book I wanted to read after my community pulled something like that.
/dev/random
The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.
So before we get too many people who didn't RTFA saying that the government will be able to get people's fingerprints easily.. well, they won't. Before this a library card was required (it has your name on it), so essentially this will replace your library card as a method of keeping track of who is using the computer.
The difference, however, is that any decent criminal could get a library card with a fake name, but with this system they would have to provide a finger print (though TFA does say that it isn't always necessary, as an employee could login for them). The feds could probably create a system that would interpret the library's data to get files that they could cross-reference with their database. That, really, is the only danger.
So as it stands right now, this is pretty harmless. It's not really any different than using your library card. But, of course, they don't really make a case for why the finger print system is being implemented other than that it might be a bit easier to use.
CC Licensed Serialized Story and Podcast: Ingenioustries
$40,000 for a security system for a public library?
I'm getting flashbacks to high school where the librarian had anti-theft scanners installed, for a library used by less that 5% of the school population, with a meager, infrequently updated selection of books. In that case the trade-off was that the school would not be able to get a swimming pool and the library would cut back on buying new books.
Maybe she found a new job.
I am not usually a supporter of intrusive measures, but I can agree with this.
Library PCs are still accessible, but you need to identify yourself before you use it. It could track where you've been, but considering you using the computer in a public place, in a location that is supposed to be for doing research and learning, most people shouldn't be accessing anything questionable.
It is fairly common that library computers are used as tools for shady and illegal actions. Worried that the FBI might trace that kiddie porn back your IP address? Download it at the library. You need to launch the awesome new virus you wrote? Send it off from the Library. Need to research fertilizer bombs? You guessed it, library.
Before the internet, people read books. If you got the book at the library, they had a record of everything you ever read. Now, people get their information on the Internet. If you get that information from the library, now they have a record of it. It's just an extension of their old policy onto a new medium.
/. ++
So the problem only exists for children. Whatever solution we come up with should apply only to them.
Sure, you can't get their *fingerprint* from the points, but you have a unique identifier. I.e., if someone is investigating messages sent from that computer and they round you up as a suspect, they can take your "15 point" fingerprint and ID you.
I believe Bird-Person can arrange that.
When the PATRIOT act first came out, I remember seeing all these signs and posters around the local libraries, with quotes, explaining the abuses of that law. And, keep in mind, this is in Georgia!, on of the most Red states there is!!!
Ya know, it's ironic that "Red" is now good in America now!
For you youngsters, "red" Used to mean "Communist Fuckers".
Naperville library officials said the technology cannot be used to reconstruct a person's actual fingerprint. The scanners, made by Naperville-based U.S. Biometrics Corp., use an algorithm to convert 15 or more specific points into a unique numeric sequence. But there's nothing to prevent anyone from taking an actual fingerprint and converting it into one of these codes. Either from a crime scene or an old database.
autopr0n is like, down and stuff.
I see a huge problem there, but this is not the solution. It's a parent's job to monitor his kids as needed. It's not acceptable to turn that over to a filter. The real problem is irresponsible parents. The secondary problem is a library staff which is enabling them, with a foolish technological non-solution to a social problem.
Yes, I'm a parent, and yes, I give my kids the supervision they need, even in the library.
Please include your personal counter suggestion with any criticisms.
The solution is to tell those parents to watch their own stinking kids.
How about making sure that the computers the kids use have big screens, clearly visible to all? That would go a long way to facilitate the parental monitoring.
See what I've been reading.
The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.
This is bullshit. Even if the library stores only a cryptographic hash of your fingerprint, IT CAN BE CROSS REFERENCED. Ex: The FBI finds a fresh fingerprint on the scene of an anti-government protest. They apply the library's hash function to it, look it up in the library database that they subpoenaed, and bingo, they have the dude's name.
soon there will be so many unsecured sources containing your "unique" data, that you just be able to grab someone else's when you want to be anonymous.
library officials discovered that many patrons logged onto library computers using library cards and passwords of friends or relatives... So there's the problem. Please include your personal counter suggestion with any criticisms.
If it is illegal for children to view the restricted materials, charge the person who gave them access with contributing to the delinquency of a minor. If it is not illegal, there is no reason to waste public funds trying to restrict minor's access to the material. Do they also prevent minors from looking at nude pictures in art books somehow?
Parents should not expect their children to be restricted unless they are present to enforce that restriction. There are always ways around these measures and many valid reasons to get around them. I have yet to see a filtering mechanism for the internet that does not block content that is both important for children to know and an unintended effect of the system.
These libraries should rethink their policy. Kids will still be able to bypass this with a gummi bear, a cd-rom, or a latex copy of their parent's fingerprint. Parents will be given the false impression that their children are safe on the internet, which they won't be since filtering never works properly and can be bypassed.
Here is the main problem with what the libraries are doing. They are asking patrons to trust them that the fingerprint data will not be saved or used against them. Even if all the patrons trust the people who work at the library now, this policy will sadly outlive them and they are being asked to trust all the people who will work at the library in future. Finally, they are being asked to trust that the federal government will not step in and start requiring this data at some point in the future. Basically, they are asking for a lot of people to entrust them and their technology and their policies to protect their freedom, all without a really really damn good reason to do so.
If you're worried about the government invading your library privacy, you probably SHOULDN'T BE GOING TO THE LIBRARY because they are RUN BY THE GOVERNMENT.
The "public" library system is a government agency. If you want privacy, then go to a damn bookstore like the rest of us. You can reasonably expect a private company to not share your information with the government but expecting the government not to share it with the government shows a fundamental disconnect in your paranoid reasoning.
How can you be paranoid about what the government will do with information you have to voluntarily give them?
...because some thug cut them off to gain access to the internet at the library, you insensitive clod!
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
It's not so much a random number seeded by the fingerprint, as it is a hash of the fingerprint. Security of hashed personal data is an issue, the same way that security of a hashed password file is an issue. Yes, you can't reconstruct the original passwords from the hashed values, but if an attacker has the hashed values there are ways to compromise the system's security. In particular, someone with access to a true fingerprint database (i.e. police/FBI) should be able to apply the same 15-point process to it and generate numbers that can be matched against the library 'bar codes'. The fact that the 'bar codes' do not encode the entire fingerprint does not really do much to increase privacy protection.
Bet she uses your face for identification.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
That's nothing compared to what's right around the corner now. The gubmint has been fingerprinting foreign nationals entering the U.S. for some time now. In a short while they will also be fingerprinting them on the way out as well. In Iraq, the military routinely rounds up people in the streets and not only fingerprints them at the start of their detention, but does retinal scans on them too and takes pictures of them for entry into a database. This is happening on a large scale. The fact that none of these people actually has any connection to Al Qaida doesn't seem to matter.
All it takes is for Congress to give the word and the fingerprint-the-foreigners policy could be used on American citizens as well at the nations airports. That will happen within a few years, I have no doubt about it. Congress has already mandated a national ID card for everyone. U.S. passports will contain biometric information starting later this year. The military is gaining a lot of experience and knowledge in how to round people up and get them into The System en masse.
The price of freedom is eternal vigilance. Too bad Americans have been asleep at the switch for so long. We are already past the point of no return with respect to the loss of so many liberties we took for granted.
So, instead of creating a random number with the unix timestamp as a seed, they are creating a random number with your fingerprint as a seed. What is so shocking about that?....There is a difference between requiring fingerprints on record (actually having your fingerprint in a database somewhere) and using your fingerprint to create a random sequence of numbers.
This sure sounds innocent and I'm sure its meant to be, but there is certainly possible abuses which could occur. They store those 15 or more fingerprint points (after converting to a number presumably with some crpyto algorithum). When you want to log into a computer a finger print reader takes your fingerprint again and the same process (converting to numbers) happens. These are then matched up to verify who you are.
The problem is if each "encryption" of the "data" equals the same result then it CAN be used for otherthings. They don't need to actually store your fingerprint anywhere. Patriot-Act could let law enforcement use this database of numerical "fingerprints". All they have to do is feed thier database of fingerprints (or those from a crime scene etc) through the same software as was used to originally "encrypt" the library fingerprints, compare the numbers, and if the numbers match they got their guy. This doesn't require a REAL fingerprint. As long as everytime a fingerprint is put through the algorithim it gives the same result, having the ACTUAL fingerprint on file isn't much of an issue.
"reality has a well-known liberal bias" - Steven Colbert
What is so shocking about this is that I don't trust them. How can I be sure that they are telling me the truth and my entire fingerprint isn't stored in the system ?
How can I be sure that the system haven't been cracked and someone hasn't intercepted the picture of my fingerprint before the 15 points were extracted and the rest discarded ?
How can I be sure that they still only take 15 points or that another organization that jumped in the bandwaggon is also only using 15 points ? Read the fucking licensing agreemend before each time I put my thumb there ?
Slashdot anagrams to "Sad Sloth"
I think the article just explained this rather bizarre move.
Naperville library officials [...]
The scanners, made by Naperville-based U.S. Biometrics [...]
Both in Naperville. How coincidental. I wouldn't be terribly surprised if U.S. Biometrics wandered into the library offices and said "y'know, if you buy our fingerprint scanners we might be willing to donate a fat wad of cash to the library. We'll even discount 'em for you."
Why else would a library -- likely strapped for cash, as most are -- suddenly feel the need for (expensive) biometrics hardware out of the blue?
I'm missing your point completely. Your scenario is that I can decide to be a hacker. I hack into the FBI and get a list of everyone's fingerprint. I then hack into the library and get all the fingerprint hashes. I compare fingerprints to fingerprint hashes and I figure out who you are. And then...?
Wouldn't it have been a hell of a lot easier to just grab your name and address off the library's server when I was hacking that? Why mess with all the fingerprint junk?
As for concerns about 'hash security', isn't that what john-the-ripper is used for? Just because you can brute-force a password algorithm doesn't make it insecure. From the data provided, this is the equivalent of a 15-character password hash. The best password crackers can take months to crack 10-character password hashes. Then, even if they do figure out that a certain sequence of fingerprint identities matches up a specific hash - what? They somehow clone a finger and alter the dna to create your fingerprint so they can use the computer at the library?
What is the whole point!? I simply don't get it. This is *NOT* a case of the library storing fingerprints. This is a case of the library using fingerprints for a second or so to create a unique ID that cannot be converted back into a fingerprint.
The previous comment is purposely vague and generalized, but all of the facts are completely true.
It's a library. It's an information resource for citizens. Free access to information is a cornerstone of democracy. People's behavior changes when they know they're being tracked, whether they're doing something nefarious or not. The implications for law-abiding citizens and democracy itself are dire.
And what ever happened to that quaint phrase "presumed innocent until proven guilty". While the law on that has changed little, public attitude has turned 180 degrees. For hundreds of years municipalities and corporations have followed the principles and spirit of our founding fathers, even though they were not necessarily bound by them.
I do not want to live in any place where I'm presumed a criminal until I demonstrate otherwise. That is not a free state. That is a police state.
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
[Seems OT, but it honestly isn't]The last Star Wars prequel is one of the most inspiring things I've seen out of Hollywood in a long, long time. It gave me hope. The dialog is mostly sub-par (as usual), but the plot and morals are dead-on relevant to modern America. I don't think that we're past the point of no return yet; not when a mainstream movie like this can get away with such blatant satire of democracy and patriotism.
"We shall change into the first Galactic Empire for a safe and secure society."
"So this is how freedom dies - to thunderous applause."
""You're either with me or against me."
"Only a Sith deals in such absolutes."
(Anyone with functioning brain should realize that Lucas is saying that Bush is no better than a Sith.)
It's not that these sentiments are new or radical; it's that they're present in one of the best-hyped mass market franchises of all time. Joe Sixpack will watch this movie! With his kids! Hell, I almost wish that this movie was rated PG, so that more kids will see it. Sitheven puts it in the context of Judeo-Christian style morality, which should make it even easier for the unwashed masses to digest.
I don't think it's too late for us. We who actually recognize and remember the true spirit of America (distrust of and freedom from our government) would do well to recomend this movie to our more trusting, sheep-like friends. It's like 1984, but with enough explosions to keep the audience interested.
I still wish we could've seen Jar-Jar's bloody head was splattered against the camera, and I really wish Lucas would get someone else to do his dialog (Vader: "NOOOOOOOOOOOOOOOOOOOO!" *sounds of audience retching*), but if you can look past these flaws, it really is an awesome, insightful, RELEVANT movie.
i would be much more concerned with what the gov and its agencies do "legitimately" with the information. information sharing and scope creep is the name of the game in the usa these days. just think "total information awareness" and so on...
sum.zero
And this is important to know because...
Okay, they make the case that it identified the perp of a criminal act that included using the computer. A weak point, but I'll have to give them that one.
The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.
Not unless the other police agencies start using the same system, in which case each should come up with the same unique identifying number, wouldn't you bet?
Officials promise to protect the confidentiality of the fingerprint records.
Don't know about you, but I'd feel a lot better if they stated just how long they planed to maintain these records, and how they would be destroyed afterwards. That is truly a missing piece of information in the original article.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I happen to live in Naperville only a few blocks from Nichols library. Does it seem like an invasion of privacy that they're going to keep some sort of fingerprint database? Well, yes. And I wouldn't put it past the local government of this self-important yuppie town to sell us, its citizens, out.
Then again, most of us of a certain age might be screwed anyways on this sort of invasion of privacy. Remember in the 80's when everyone was all paranoid about kidnappings? It was standard practice to have police fingerprinting days at local grade schools back then...but looking back, I can't view this as anything else but treating the younger generations as potential criminals.
How is the potential for abuse any different here, when an abuse of the system isn't likely to be publicized much in the same way other nasty aspects of this town--like rapes on the riverwalk near downtown. This is the town that you get a jaywalking ticket for getting hit in a crosswalk if you happen to be an African American College Student. Why would I beleive that the City isn't going to screw me with this in the future, given the opportunity?
And to answer your next question, yes, I am sick of this fucking town.
As for concerns about 'hash security', isn't that what john-the-ripper is used for? Just because you can brute-force a password algorithm doesn't make it insecure. From the data provided, this is the equivalent of a 15-character password hash. The best password crackers can take months to crack 10-character password hashes. Then, even if they do figure out that a certain sequence of fingerprint identities matches up a specific hash - what? They somehow clone a finger and alter the dna to create your fingerprint so they can use the computer at the library?
Heh, insightful my ass. Sure, brute-forcing the hash of a 10 character password might take a while, but what if someone chose a poor hashing algorithm (check out the FMS attacks on WEP? What if I have a dictionary of precalculated hashes for known passwords (FBI fingerprint database anyone)? Using a modern computer, I can do a hash-to-hash comparison of hundreds of thousands of entries a second. Check out my other posts as to how this could be used.
I think you're missing the point somewhat. Why is it so god damned necessary that the police be able to personally identify you based on library usage in the first place? I'd rather have that plausible deniability there - "It might not have been me, someone could easily have stolen my card." In fact, I'd much RATHER just have library access be completely and totally anonymous.
Oh, and on another note - is it just me or is the invocation of Child Porn becoming a new Godwin's Law? Is there an epidemic of people stealing library cards to surf for child porn in public or something? ;)
what expectation of privacy do you have when accessing public equipment that is the subject of a legal investigation?
You need a library card, and ID, to check out a book at a library. You need this because the library does not have unlimited resources so they need to get their books back. But you've never needed to show an ID simply to read at the library. Ever. Until now.
Ya see, they got these things called logs. They track wherever you go on the web (really. I swear.). Since they have your exact ID time coded with the logs they can tell everyplace you've visited and thus every place you've read and thus eveything you've shown interest in.
Surfed for info on: Gay marriage? It's in there. Communist ideology? It's in there. Republican blogging? It's in there. Anti-semitism? It's in there. Yes, every web site you show interest in is now linked with your name, regardless of the legal status of that page.
They get this data, and retain it, regardless of whether or not a criminal investigation is in the works. They get to keep this data regardless of whether anyone ever commits a crime again... ever.
Sure, the cops can get a warrant to listen in on private converstations if there's probable cause (check out the fourth ammendment) but here the library is tracking your interests without a warrant.
Why exactly should law enforcement "rightly" have access to this info?