Library to Require Fingerprint to Use PCs
FearUncertaintyDoubt writes "Three libraries in Naperville, IL, soon will start requiring patrons who use the library's PCs to provide a fingerprint scan. The article says, 'Library officials say the added security is necessary to ensure people who are using the computers are who they say they are. Officials promise to protect the confidentiality of the fingerprint records.'"
"Right now we give you a library card with a bar code attached to it. This is just a bar code, but it's built in," said Mark West, the library's deputy director.
To be fair that does come after this paragraph:
Naperville library officials said the technology cannot be used to reconstruct a person's actual fingerprint. The scanners, made by Naperville-based U.S. Biometrics Corp., use an algorithm to convert 15 or more specific points into a unique numeric sequence.
But it's still shockingly cavalier to describe the technology as "just a bar code". I have difficulty understanding a) why this seems like a good idea to anyone, and b) why this gentleman seems incapable of understanding people's worries about a fucking library requiring fingerprints!
Carousel is a lie!
Officials promise to protect the confidentiality of the fingerprint records.
What does that mean exactly? Doesn't the "Patriot" Act allow for law enforcement officials to easily obtain library records during investigations? I know that the ALA has spoken against the "Patriot" Act in the past but will they actually stop the LEOs from taking this information?
The three-library system this week signed a $40,646 contract with a local company, U.S. Biometrics Corp., to install fingerprint scanners on 130 computers with Internet access or a time limit on usage.
Library officials say the added security is necessary to ensure people who are using the computers are who they say they are.
$313 a computer seems like an awful lot of money for this. I'm not sure what they are trying to accomplish other than wasting taxpayer dollars.
Once a patron's fingerprint has been recorded, accessing a computer will require only the touch of a finger.
"Right now we give you a library card with a bar code attached to it. This is just a bar code, but it's built in," West said.
So patrons used to scan their library card and they could use the computer? There is no difference now except a database of information tied to a fingerprint that can easily be looked into by employees, LEOs, and possible thieves.
West said the library is requiring a fingerprint to set up computer access, although patrons who object could ask a staff member to log them on to a computer.
Are they going to make this perfectly clear to all patrons with a large sign in blinking neon? I doubt it. Make sure to give the staff a hassle. We need to hassle businesses (public and private) more so that these privacy intrusions cease. We will continue heading down the slope due to "ease" if people continue to stand down.
Initially, I was against this development, but after reading TFA, I actually feel a lot better about it, for a few reasons:
From TFA:
The library taking a stand like this gives me slightly more confidence in trusting them with biometric data...at least they won't give it up without the proper authorization, but this doesn't address the issue of data theft. The following quote, however...
Also from TFA:
It's important to note that most biometric systems work in this fashion. If each organization who wished to use biometrics were required to use their own, distinctive algorithm, the danger of other organizations using that biometric data for its own purposes would be greatly reduced.
Actually, there's just one thing in TFA that troubles me:
Come now, Mark...which is it...confidentiality or privacy? They can't both be your middle name...
^_^
____
~ |rip/\/\aster /\/\onkey
This really begs the question: Why do they need to know that the person in front of the computer is who they say they are? What purpose does this serve?
"We take people's fingerprints because we think they might be guilty of something, not because they want to use the library," said Ed Yohnka, spokesman for the American Civil Liberties Union of Illinois.
A very apt response from the ACLU. The problem is that we're now into the notion that "everyone is suspect" and due to that, we're going in this direction. It seems like
I could very well imagine this being linked into god-knows-what. Imagine, for instance, having $100 in parking tickets due, and the library terminal refusing you connection to their services before this due is paid.
Finally, anyone who is really interested in doing something criminal will just subvert the system. It's not like it's particularly difficult to spoof a fingerprint scanner. Remember the stories about doing it with Jello? Also, remember the fingerprint scanner that could be defeated by blowing on it?
Just like limitations on guns, just like airport security, just like locks on our doors and car alarms, and just like so many other things, this is used to punish the law abiding citizen, and does nothing to deter the hardened criminal or terrorist.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I'm sure there are going to be many cries of privacy invasion in regard to this. The library's published reason for taking this measure is:
...library officials discovered that many patrons logged onto library computers using library cards and passwords of friends or relatives. That realization, coupled with a new library policy that allows parents to install automatic Internet filters on their children's accounts, prompted the search for better computer security...
So there's the problem. Please include your personal counter suggestion with any criticisms.
I'm a big tall mofo.
So, if I go to this library with a fake ID and they take my fingerprints how are they going to make sure that I am who I claim I am, if they're not cross-referencing any other fingerprint databases?
The whole idea is just completely absurd.
In Soviet Russia, I ruled you
Oh... Wait.
Yeah, I don't care if it's "ethical," I think I'd just download the book I wanted to read after my community pulled something like that.
/dev/random
The Patriot Act requires libraries to turn over that sort of information to the feds when asked.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Sure, you can't get their *fingerprint* from the points, but you have a unique identifier. I.e., if someone is investigating messages sent from that computer and they round you up as a suspect, they can take your "15 point" fingerprint and ID you.
I believe Bird-Person can arrange that.
Naperville library officials said the technology cannot be used to reconstruct a person's actual fingerprint. The scanners, made by Naperville-based U.S. Biometrics Corp., use an algorithm to convert 15 or more specific points into a unique numeric sequence. But there's nothing to prevent anyone from taking an actual fingerprint and converting it into one of these codes. Either from a crime scene or an old database.
autopr0n is like, down and stuff.
But it's still shockingly cavalier to describe the technology as "just a bar code".
As he states - it is a one-way algorithm. If I have your barcode off your library card, I cannot reconstruct your name, SSN, birthdate, and all that without going into the library's database. With the number-sequence that this system creates, I cannot reconstruct your fingerprint at all. I cannot reconstruct any of the data previously mentioned without going into the database. So, instead of creating a random number with the unix timestamp as a seed, they are creating a random number with your fingerprint as a seed. What is so shocking about that?
I have difficulty understanding why this seems like a good idea to anyone
Hmmm... I guess someone needs to go to your library, tell them that they are you - they can even print a fake barcode on any old library card since barcode technology is open and freely available to anyone and everyone. Then, they can surf for child porn on your account. When the feds come to your door, you can explain to them that it is a terrible idea for the library to go to every measure to ensure that patrons are who they say they are.
I have difficulty understanding why this gentleman seems incapable of understanding people's worries about a fucking library requiring fingerprints!
There is a difference between requiring fingerprints on record (actually having your fingerprint in a database somewhere) and using your fingerprint to create a random sequence of numbers. If you cannot see that, then you are forcing yourself to be blind to it.
The previous comment is purposely vague and generalized, but all of the facts are completely true.
In Soviet Russia, the Library checks out YOU!!!
In China, only old people go to the library to use computers.
1. Make fingerprint scanner
2. Con librarians into buying it
3. ???
4. PROFIT!
They can get my fingerprint when they pull my finger out of Cowboy Neal's butt.
Let's see.....Soviet Russia, Chinese old people, profit, Cowboy Neal reference. Now only if this would have been the first post....
Not true. Most libraries only have records of what you currently have checked out. They don't keep those records after the books are returned. The historical exceptions have tended to be totalitarian regimes like Stalinist Russia.
Fingerprinting library users is insanely over the top. If it was happening in my country, I'd be really worried.
...because some thug cut them off to gain access to the internet at the library, you insensitive clod!
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
I grew up in Naperville and spent my childhood using the Naperville Public Libraries, and I visit often still because my parents live there. Now that I've moved, I have some perspective I didn't have when I lived there. Naperville is an interesting town. It's a land of burgeoning housing developments and SUVs piloted by soccer moms where people come to raise their kids and shield them from the outside world, because it's a very safe and insulated place. The police department really does have nothing better to do than issue traffic tickets and harass partying high schoolers for violating curfew.
Property values are high, and that keeps the riff-raff out. In the first Naperville neighborhood I lived in, the Chicago Housing Authority had a plan to build mixed-income housing. This was met with bitter resistance, under the guise of worry about gang activity and declining property values. This from a group of senior citizens for whom lower property values would save a lot of money in property taxes.
It's about the last place I'd expect a public outcry against anything claimed to be "for the children," privacy be damned. But maybe things have changed since I left. I hope so, but I'm not optimistic. So should there be such an outcry, I'd gain back a lot of lost faith in Naperville.
On the plus side for the Naperville Public Libraries, they were very receptive to my suggestion of installing Firefox on the same machines that will have the fingerprint scanners. Though that may have been because I said the popup blocking would suppress inappropriate popups, you know, for the children.
It's not so much a random number seeded by the fingerprint, as it is a hash of the fingerprint. Security of hashed personal data is an issue, the same way that security of a hashed password file is an issue. Yes, you can't reconstruct the original passwords from the hashed values, but if an attacker has the hashed values there are ways to compromise the system's security. In particular, someone with access to a true fingerprint database (i.e. police/FBI) should be able to apply the same 15-point process to it and generate numbers that can be matched against the library 'bar codes'. The fact that the 'bar codes' do not encode the entire fingerprint does not really do much to increase privacy protection.
That's nothing compared to what's right around the corner now. The gubmint has been fingerprinting foreign nationals entering the U.S. for some time now. In a short while they will also be fingerprinting them on the way out as well. In Iraq, the military routinely rounds up people in the streets and not only fingerprints them at the start of their detention, but does retinal scans on them too and takes pictures of them for entry into a database. This is happening on a large scale. The fact that none of these people actually has any connection to Al Qaida doesn't seem to matter.
All it takes is for Congress to give the word and the fingerprint-the-foreigners policy could be used on American citizens as well at the nation's airports. That will happen within a few years, I have no doubt about it. Congress has already mandated a national ID card for everyone. U.S. passports will contain biometric information starting later this year. The military is gaining a lot of experience and knowledge in how to round people up and get them into The System en masse.
The price of freedom is eternal vigilance. Too bad Americans have been asleep at the switch for so long. We are already past the point of no return with respect to the loss of so many liberties we took for granted.
So, instead of creating a random number with the unix timestamp as a seed, they are creating a random number with your fingerprint as a seed. What is so shocking about that?....There is a difference between requiring fingerprints on record (actually having your fingerprint in a database somewhere) and using your fingerprint to create a random sequence of numbers.
This sure sounds innocent and I'm sure it's meant to be, but there are certainly possible abuses which could occur. They store those 15 or more fingerprint points (after converting to a number presumably with some crypto algorithm). When you want to log into a computer a fingerprint reader takes your fingerprint again and the same process (converting to numbers) happens. These are then matched up to verify who you are.
The problem is if each "encryption" of the "data" equals the same result then it CAN be used for other things. They don't need to actually store your fingerprint anywhere. Patriot-Act could let law enforcement use this database of numerical "fingerprints". All they have to do is feed their database of fingerprints (or those from a crime scene etc) through the same software as was used to originally "encrypt" the library fingerprints, compare the numbers, and if the numbers match they got their guy. This doesn't require a REAL fingerprint. As long as every time a fingerprint is put through the algorithm it gives the same result, having the ACTUAL fingerprint on file isn't much of an issue.
"reality has a well-known liberal bias" - Stephen Colbert
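The cross-matching concern raised in the comments above (same algorithm, same number, so any fingerprint collection can be compared against the library's records), next to the earlier suggestion that each organization use its own distinctive derivation. This is an added sketch, not part of any post and not U.S. Biometrics' algorithm. It assumes, as the commenters do, that a finger always yields the same quantized points; the point layout, function names and site key are hypothetical.

```python
import hashlib
import hmac

# Constructed sample: 15 minutiae points as (x, y, angle), already quantized.
# Real scans are noisy; exact repeatability is the thread's own assumption.
SAMPLE_MINUTIAE = [(12 + 7 * i, 40 + 3 * i, (25 * i) % 360) for i in range(15)]
OTHER_MINUTIAE = [(x + 1, y, a) for x, y, a in SAMPLE_MINUTIAE]

# Hypothetical per-deployment secret, held only by the library's system.
LIBRARY_KEY = b"constructed-library-site-key"


def canonical_bytes(minutiae):
    """Serialize points in sorted order so scan order does not change the ID."""
    return b";".join(b"%d,%d,%d" % p for p in sorted(minutiae))


def unkeyed_id(minutiae):
    """Vendor-wide deterministic ID: same finger gives the same number anywhere."""
    return hashlib.sha256(canonical_bytes(minutiae)).hexdigest()


def keyed_id(minutiae, site_key):
    """Per-organization ID: HMAC-SHA-256 under a secret only this site holds."""
    return hmac.new(site_key, canonical_bytes(minutiae), hashlib.sha256).hexdigest()


def cross_match(enrolled_ids, outside_prints, derive):
    """Names in an outside print collection whose derived ID is enrolled."""
    return sorted(n for n, m in outside_prints.items() if derive(m) in enrolled_ids)


def demo():
    """Compare linkability of the two designs against an outside collection."""
    outside = {"subject-A": SAMPLE_MINUTIAE, "subject-B": OTHER_MINUTIAE}

    # Design 1: library stores the unkeyed ID. Anyone with the same software
    # can derive it from their own prints and link records.
    enrolled_unkeyed = {unkeyed_id(SAMPLE_MINUTIAE)}
    unkeyed_hits = cross_match(enrolled_unkeyed, outside, unkeyed_id)

    # Design 2: library stores the keyed ID. Without LIBRARY_KEY, neither the
    # plain algorithm nor another site's key reproduces the stored value.
    enrolled_keyed = {keyed_id(SAMPLE_MINUTIAE, LIBRARY_KEY)}
    keyed_hits = cross_match(enrolled_keyed, outside, unkeyed_id)
    keyed_hits += cross_match(
        enrolled_keyed, outside, lambda m: keyed_id(m, b"some-other-site-key")
    )
    return unkeyed_hits, keyed_hits


if __name__ == "__main__":
    linked, unlinked = demo()
    print("unkeyed design links:", linked)
    print("keyed design links:  ", unlinked)
```

The keyed design only limits linkage for as long as the site key stays out of the other party's hands; a database handed over together with its key is as linkable as the unkeyed one.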
What is so shocking about this is that I don't trust them. How can I be sure that they are telling me the truth and my entire fingerprint isn't stored in the system?
How can I be sure that the system hasn't been cracked and someone hasn't intercepted the picture of my fingerprint before the 15 points were extracted and the rest discarded?
How can I be sure that they still only take 15 points or that another organization that jumped in the bandwagon is also only using 15 points? Read the fucking licensing agreement before each time I put my thumb there?
Slashdot anagrams to "Sad Sloth"
I think the article just explained this rather bizarre move.
Naperville library officials [...]
The scanners, made by Naperville-based U.S. Biometrics [...]
Both in Naperville. How coincidental. I wouldn't be terribly surprised if U.S. Biometrics wandered into the library offices and said "y'know, if you buy our fingerprint scanners we might be willing to donate a fat wad of cash to the library. We'll even discount 'em for you."
Why else would a library -- likely strapped for cash, as most are -- suddenly feel the need for (expensive) biometrics hardware out of the blue?
[Seems OT, but it honestly isn't]The last Star Wars prequel is one of the most inspiring things I've seen out of Hollywood in a long, long time. It gave me hope. The dialog is mostly sub-par (as usual), but the plot and morals are dead-on relevant to modern America. I don't think that we're past the point of no return yet; not when a mainstream movie like this can get away with such blatant satire of democracy and patriotism.
"We shall change into the first Galactic Empire for a safe and secure society."
"So this is how freedom dies - to thunderous applause."
"You're either with me or against me."
"Only a Sith deals in such absolutes."
(Anyone with a functioning brain should realize that Lucas is saying that Bush is no better than a Sith.)
It's not that these sentiments are new or radical; it's that they're present in one of the best-hyped mass market franchises of all time. Joe Sixpack will watch this movie! With his kids! Hell, I almost wish that this movie was rated PG, so that more kids will see it. Sith even puts it in the context of Judeo-Christian style morality, which should make it even easier for the unwashed masses to digest.
I don't think it's too late for us. We who actually recognize and remember the true spirit of America (distrust of and freedom from our government) would do well to recommend this movie to our more trusting, sheep-like friends. It's like 1984, but with enough explosions to keep the audience interested.
I still wish we could've seen Jar-Jar's bloody head splattered against the camera, and I really wish Lucas would get someone else to do his dialog (Vader: "NOOOOOOOOOOOOOOOOOOOO!" *sounds of audience retching*), but if you can look past these flaws, it really is an awesome, insightful, RELEVANT movie.
i would be much more concerned with what the gov and its agencies do "legitimately" with the information. information sharing and scope creep is the name of the game in the usa these days. just think "total information awareness" and so on...
sum.zero
And this is important to know because...
Okay, they make the case that it identified the perp of a criminal act that included using the computer. A weak point, but I'll have to give them that one.
The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.
Not unless the other police agencies start using the same system, in which case each should come up with the same unique identifying number, wouldn't you bet?
Officials promise to protect the confidentiality of the fingerprint records.
Don't know about you, but I'd feel a lot better if they stated just how long they planned to maintain these records, and how they would be destroyed afterwards. That is truly a missing piece of information in the original article.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Incidentally, same election shows Dubya carrying the township by ~3.5K votes out of 39K cast. They've certainly got their conservatives there, but it's a bit more balanced than you apparently think.
It's Illinois, the right votes Democrat just as often as they vote Republican. I mean, you have heard of conservative Democrats, right? Hell, the strongman of Chicago, Daley, is not exactly what I would call a 'liberal.'
Alan Keyes got walloped everywhere because he's not from Illinois, and Obama is a better politician. But voting records aren't the final authority on the culture of a community.
And yes, I did leave ten years ago to a nearby city. If you want to call me a liar for pointing out what I went through as a kid in "the best city in America to raise children", then whatever. Suffice to say, way too many people are familiar with Linden Oaks than should be.
Naperville has problems on a scale that no other community I've lived in has had. For instance, heroin use has gone through the roof in the past few years. Already two people I've known have died from overdoses, three have been through rehab, and one was clinically dead. None of them are what you would call stereotypical drug users. Domestic violence was a huge problem, until all of a sudden you just stopped hearing about it. Nothing changed, just nobody reported it anymore.
Naperville has the money and the blinders to pretend that they don't exist, but you know as well as I do, that the place has some fucked up shit going on underneath the surface.
As for concerns about 'hash security', isn't that what john-the-ripper is used for? Just because you can brute-force a password algorithm doesn't make it insecure. From the data provided, this is the equivalent of a 15-character password hash. The best password crackers can take months to crack 10-character password hashes. Then, even if they do figure out that a certain sequence of fingerprint identities matches up a specific hash - what? They somehow clone a finger and alter the dna to create your fingerprint so they can use the computer at the library?
Heh, insightful my ass. Sure, brute-forcing the hash of a 10 character password might take a while, but what if someone chose a poor hashing algorithm (check out the FMS attacks on WEP)? What if I have a dictionary of precalculated hashes for known passwords (FBI fingerprint database anyone)? Using a modern computer, I can do a hash-to-hash comparison of hundreds of thousands of entries a second. Check out my other posts as to how this could be used.
I think you're missing the point somewhat. Why is it so god damned necessary that the police be able to personally identify you based on library usage in the first place? I'd rather have that plausible deniability there - "It might not have been me, someone could easily have stolen my card." In fact, I'd much RATHER just have library access be completely and totally anonymous.
Oh, and on another note - is it just me or is the invocation of Child Porn becoming a new Godwin's Law? Is there an epidemic of people stealing library cards to surf for child porn in public or something? ;)
Now I know, the ACLU is a bunch of commie liberals, but let us not forget the very public rebuke Ashcroft et al. received because not only were their search warrant requests being rubber stamped by the judicial panel, but they were also full of errors (one agent was even barred from appearing before the court because he regularly included errors): "In virtually every instance, the government's misstatements and omissions in FISA applications and violations of the Court's orders involved information sharing and unauthorized disseminations to criminal investigators and prosecutors."
Now for some corrections (from Section 215 text):
In other words, they don't need the director's approval, and an "Assistant Special Agent in Charge" is a run-of-the-mill agent assigned to a case. So basically, the cleaning contractors and secretaries cannot request the warrants, but most everyone else can. These warrant requests go to:
This very close congressional oversight you suggest is really a semi-annual report by the attorney general to those committees to tell them the requests that were made, the number requested, and the number accepted, modified, and denied (this from the new 'Sec. 502 Congressional Oversight').
So we've established that you are technically correct that not just anyone can make the requests (as I mentioned, the cleaning crews and secretaries are excluded), and there is oversight (that rubber-stamps the requests, no matter how factually in error they are).
The PATRIOT Act is interesting reading. I suggest you read the text some time instead of getting the boiled down versions off of Fox News.