Slashdot Mirror
Would a National Biometric Authentication Scheme Work?
Ian Lamont writes "The chair of Yale's CS department and Connecticut's former consumer protection commissioner are calling for the creation of a robust biometric authentication system on a national scale. They say the system would safeguard privacy and people's personal data far more effectively than paper-based IDs. They also reference the troubled Real ID program, saying that the debate has centered around forms of ID rather than the central issue of authentication. The authors further suggest that the debate has led to confusion between anonymity and privacy: 'Outside our homes, we have always lived in a public space where our open acts are no longer private. Anonymity has not changed that, but has provided an illusion of privacy and security. ... In public space, we engage in open acts where we have no expectation of privacy, as well as private acts that cannot take place within our homes and therefore require authenticating identity to carve a sphere of privacy.' The authors do not provide any suggestions for specific biometric technologies, nor do they discuss the role of the government in such a system. What do you think of a national or international biometrics-based authentication scheme? Is it feasible? How would it work? What safeguards need to be put in place?"
. . . if there's a biometric "authentication" method that hasn't been cracked in the real world in ways that would be easy for the average clever crook to duplicate for a trivial amount of money. Fingerprint scanners are trivial - Mythbusters fooled a brand new, state of the art door lock with a xerox of a fingerprint, by licking it. Retina scanners have been cracked, facial recognition software is a joke with no punch line. What else is there?
And once a system has been cracked, it is totally useless, since you can't change your "password" on biometric stuff.
If history has taught us anything over the past few years, it's that putting guys from Yale in charge of things is always a great idea.
So let's let this wise man create a national biometric identification system. It sounds like a bad idea to me, but I'm just part of the rabble. I haven't had the benefit of his education and experience. I've never even been to a regatta!
Yes of course it would work!
Everyone knows that bad people are entirely willing to be completely honest, so obviously a system like this would mean we would know everything about them, and could stop all evil in the world.
It sounds interesting, but I am not for governmental control or involvement. Most here believe less government is better government. Why would we want to involve an entity that can't even balance a checkbook get its hands on something this complicated. I'm sorry but I don't see George W, Hilary Clinton, Barack Obama, or John McCain doing an adequate job at all except to hose it up and force regulation and compliance. Our current issues will not be solved with this. They will only take on a new twist.
I eat Karma for breakfast, lunch, and dinner. That's why I don't have any.
The sad thing is the social security was never meant to be used as an id card. That is what a passport is for. This why our current situation is so skewed.
I eat Karma for breakfast, lunch, and dinner. That's why I don't have any.
Biometrics is inherently flawed as an authentication system, because biometrics is a password you can't change. Once someone gets your password, or at least the numerical representation of it such as could be lifted from a compromised reader or database, you are toast. How are you going to change your retina scan to something new?
And never mind the demonstrated hackability of all but the premium readers.
Biometrics sound great at first blush, and to the common voter they seem foolproof, so this fad will get worse before it will get better. In fact, the authentication issue may have achieved the level of complexity as the net-neutrality issue, such that Joe Registered Voter cannot possibly understand it (even if he is the rare sort to spend an hour googling it before forming an opinion).
Meanwhile, text passwords plus certificates (where 'certificate' could be a smart card, or your cellphone's IMEI, or whatever) is still the answer for security. It's awful, to be sure, but it's much less awful than biometrics.
FATMOUSE + YOU = FATMOUSE
It would concentrate a lot of power in whoever is managing the information. /. poll? http://slashdot.org/pollBooth.pl?qid=1544&aid=-1
Have you looked at the response winning the latest
The only possibly better response than whatcouldpossiblygowrong would be cureworsethanthedisease.
I'm confident I'd vote against any nitwit pushing such a plan.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Perhaps not technically 100%, but you can expect a reasonable level of privacy/anonymity in public.
This could destroy that.
---- Booth was a patriot ----
The idea that every fingerprint is unique is a untestable hypothesis, since you'd have to fingerprint everyone ever born, right? We assume it's correct because we've never found examples of fingerprints that were identical.
So my question is this: if we were to fingerprint everyone in the US (all 300+ million of us)... does anyone think we might find that matching set? No one has ever done a fingerprint database of that size, right? With a quick search, I couldn't find out how many prints were in AFIS.
On the topic more directly, I'd say this would be nearly impossible. Ignoring the privacy concerns that people would use to try to stop thing going into effect... does anyone think we would be able to convince most/all of the 20 million or so illegal aliens in the US to do this? I would think you would run into the same problems in just about any other country, except somewhere like China.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Even the courts have found that anonymity is important component of freedom of speech. (Along with freedom of association.).
Why does all this scare me? Is it because I could be classified a 'problem individual' based on my political leanings? Is it because the Executive Branch reserves the right to pull American citizenship at will? Is it because even the Russians know the best way to deal with a recalicrant individual, no matter what his power base, is to tar him as a sex offender?
My other question is of course, if I'm out and about, living my life in a lawful manner, why should the government care about me?. Police aren't there to arrest the lawful, they're there to arrest the criminals after commission of a crime. Where is the mandate to surveil everybody in sight waiting for them to commit a crime?
Understanding the scope of the problem is the first step on the path to true panic.
It is dangerous to be right when the government is wrong.
Just like in the UK, it'll work until it's cracked. Or the RFID data from passports. It is no business of the government who I am, or where I am without probable cause by a signed affidavit. There's a sufficient majority that would make sure that a national ID system is never used in the US that it's moot anyway. And for Larry Ellison and others that want to try it, they'll get laughed at, again, and just as loudly.
The question isn't unique IDs, it's tyranny. We hack tyranny first.
---- Teach Peace. It's Cheaper Than War.
That turned out well, didn't it?
Understanding the scope of the problem is the first step on the path to true panic.
Well aside from the philosophical apprehensions one might have about such a system, biometrics, at least in current incarnations, are poorly suited for the job. It's not that hard to imagine such a system being built on the principle of the lowest bidder. There have been numerous discussions on here about how easy it is forge a print on a poorly implemented biometric system. I'll leave you to infer the problems that would quite probably ensue.
I got a catholic block.
Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
The summary talks about a common misconception, and manages to create another.
Authentication is when you identify(as in Identity) yourself, when you want to(say, to enter your home), or to get that 5% rebate at that place you like to eat at.
Anonymity is when someone else wants you to identify yourself, and you refuse.
Imputability is when someone's done something and 1) you want to Identify them properly, and 2) do something about some of the people you identify(presumably because something they did was wrong)
Anonymity is something private citizens like, in part because they don't much like imputability. That is when they do something, and it's not tied to their Identity.
Forcing someone to authenticate themselves is something the police, for one, likes, because
1) It prevents them from being blamed for mis-identifying someone
2) If they catch you doing something, and impute it once you authenticated yourself, they're fairly sure they impute it in such a way, it will follow you for a long long time(if they can impute your "identity" more on that later.
However, it has its drawbacks
1) If you authenticate yourself with falsified credentials, you get someone else blamed for your acts
2) It doesn't deal with the fact that you may be unable(damaged or lost credentials)/unwilling to identify yourself/automated systems may mis-indentify you
It doesn't solve the question of "Identity" itself either. Like when the no-fly list(falling under imputability) lists names(which can be the same for two people), leading to the same result as a falsified authentication.
Just a quick summary:
Identity: Who you are
Authentication: Proving who you are
Anonymity: Not having to say who you are
Imputability: Blaming who you are
The four are interlinked, but often confused, as in the article.
People interested in laws like RealID need to pay a lot more attention to distinctions between all four. Until the authentication part can be more more foolproof, the imputability is scary(you can be blamed for stuff you haven't done), the anonymity, well it's scary to those who'd rather deal with people they can identify(and therefore impute, think contracts to keep it in the white hat sphere). And the Identity, well that's the real problem. If you have a single, centralized database, any single mistaken Identity becomes life-altering, if not actually life-threatening(correcting someone's id with falsified credentials in order to make their lives a living hell? Yes, it can do that).
Does that bother you a little? I know it does me.
It doesn't matter how strong your security system is, it will fail. What happens when it does? I can't get a new $BodyPart if some fraudster spoofs it.
How dare you be so modest!! You conceited bastard!!
Who is to be trusted with by biometric data? Who would have access? How would the software/authentication work? Who will write the software? Is it going to be proprietary? Will it be enabled in voting machines? Why should I trust the government agency/subcontractor to do all this correctly? It seems that whoever controls this biometric data would have A LOT of power, especially if its integrated into every little device out there. Consider the potential lack of transparency in, say, an election. Could some government employee, maybe just above the average capabilities of a TSA employee, tamper with election results? Also, if my biometric info is linked to my credit card, how hard would it for that person to go on a shopping spree. How could I prove it wasn't me? The whole thing wreaks...
we need a secure scheme that provides both authentication and anonymity as appropriate.
The question of when anonymity is going to have very different answers depending on who you ask. Most law abiding citizens would object to being ID'ed dozens of times a day as they go about their business, but for a "track the terrorist" system this is what would have to happen, and is what DHS would want. Right now it's too blatantly oppressive and logistically difficult to ID everyone who walks into the subway or drives through a toll booth, but with biometrics + cctv this becomes entirely possible. It has all the totalitarian control of "your papers, please" in an unobtrusive, easy to ignore package. There are plenty of times in daily life when it is appropriate to need to provide a secure ID, but they are always when the person being IDed is a willing active participant in the process. If simply being able to see a person is enough for them to be confirmed (and location updated) against a national database, then we all lose that bit of participation and choice. And is not the ability to be an active willing participant in the function of our government the very heart of our Democracy?
We are all just people.
The premise of the article - or at least the blurb - is wrong. It makes the claim we "have no expectation of privacy in the public space." But we do. Ever want to take a road trip to some town where no one knows you, just to get away, do some shopping, have dinner, watch a show, without having to deal with people who know you? Ever enjoy the feeling of being out, alone, in an unfamiliar city?
How's that going to sit when the desk clerk looks you in the eye as you walk up and says, "How you doing, Mr. LeParanoid, and how's that appendectomy scar healing up? Wife happy about that diamond necklace you bought last week?"
Or gives you a steely look because you're on The Sex Offender List (because you had the temerity to have sex with someone 3 days over some arbitrary line, or perhaps you pissed in a bush somewhere) and proceeds to treat you like a criminal as soon as your RF-enabled ID gets in range of his LittleDictatorsConsole(tm)? Sure, you can add biometrics to it so he's sure you're a sex offender or other malcontent antisocial. That'd all be real good, wouldn't it? After all, in this society, onece you're a criminal, you're permanently low class, you can't make up for it.
This whole ID mania needs to go away. It is a sign of a pervasive sickness among the rulers of this society. It is not a solution, or a potential solution, to terrorism, or any other problem we face.
I've fallen off your lawn, and I can't get up.
Yes, this system would work perfectly for spying on all political opponents (and blackmailable "friends") personal info, just like reported tonight at at the State Department, spying on Obama's passport file.
--
make install -not war
The article is right: anonymity is not privacy and privacy is not anonymity. However, anonymity is a form of privacy and should be protected within reason.
Another way of looking at it:
privacy: people not knowing what you've done.
anonymity: people not knowing who did X.
if you lose anonymity, you lose privacy in relation to X, and where X covers everything in the public sphere, you lose all privacy except in relation to those things that are not in the public sphere (Y). That's a lot of privacy to lose.
Last I checked (1999 or there abouts), there were 535 members of congress, of which 29 had been accused of spousal abuse, 7 had been arrested of fraud, 19 had been accused of writing bad checks, 117 had bankrupted at least two businesses, 3 had been arrested for assault, 71 couldn't get a credit card due to bad credit, 14 had been arrested on drug-related charges, 8 had been arrested for shoplifting, 21 were defendants in then-ongoing lawsuits. In 1998 alone, 84 were stopped for drunk driving.
After all, in this society, once you're a criminal, you're permanently low class, you can't make up for it.Sure looks to me as if we're quite happy to give people another chance.
We're all born with nothing.
If you die in debt, you're ahead.
Some of the basic premises stated in the article are just plain wrong. For example:
We have always enjoyed "the anonymity of the crowd." Walking down the street, minding your own business, with nobody having the right to interfere with your peacable enjoyment of your own "private space", and others, equally strangers, just doing the same.
Yep, Dick Cheney with a few drinks in him and a shotgun in his hand will certainly wipe that smile (and a layer of skin) off your face real quick.
Why is there the push for this? There isn't wide scale fraud, and there's no reason to believe that Bad Guys(tm) couldn't simply create a fake entry in a database, or that the biometric stuff would actually be used. California requires a thumbprint to get a driver's license (!), and yet you're never asked for it at a traffic stop. Why?
I have a suspicion. It's not for authentication at all. Others have already pointed out the inherent flaw in using nonrevokable certificates for authentication. (i.e. once someone has faked or corrupted your biometric data, you're fucked.) So what is a biometric data good for? The same thing that's good for when the government stores DNA sequences of everyone processed. It's a globally unique identifier. You can put multiple databases together easily. Name collisions are a thing of the past.
If you really think that government won't combine their databases, you're a fool.
Obscurity isn't security, but there is something to be said about making information, even public records, a bit harder to put together than to give a big data dump about everyone to everyone. Society has built on a certain level an anonymity existing, even when legally it doesn't exist. But it's all too obvious that people's expectations and behaviors don't always align with the letter of the law. And seriously, given the government's current cavalier attitude towards privacy and the law, do you really think that a simple law is going to stop them?
Can you be Even More Awesome?!
Authentication does not necessarily mean that those around me know who I am. Take a credit card transaction as an example -- the credit card company wants to know that I'm an authorized user of the card I hold. The merchant wants to know that my credit card company will pay them on my behalf. But the merchant doesn't have any fundamental interest* in knowing who I am -- only the credit card company does. So if I authenticate to the credit card company, and the credit card company authenticates to the merchant, we can all feel safe, and I can remain anonymous with respect to the merchant.
It's certainly possible to design the system to provide strong authentication for a variety of purposes without compromising privacy or even anonymity. Whether or not anyone will bother to do that/allow that to happen is debatable, but you shouldn't necessarily relate the ability to authenticate with an inability to provide privacy.
*I know they might like to know who I am for marketing purposes and whatnot, but they have no interest with respect to conducting a safe and reliable financial transaction.
I'm hosed if they chose retina scanning. I get drusen deposits http://www.medterms.com/script/main/art.asp?articlekey=10015 .
Fortunately, it's not macular degeneration. But those deposits form and dissolve over time. That would make retina scanning a problem for me.
For the companies selling the scheme. Just like electronic voting machines, DRM... For everybody else... eh
What?
Damn! That's incredible.
I mean, you've had those statistics memorized for nine years???
I only post comments when someone on the internet is wrong.
Actually, the premise is more right than you are in this particular matter. What you are describing here as privacy is actually what the blurb more correctly labels as anonymity. When one opts to go to an unfamiliar but public place to escape recognition, it is not to enjoy privacy, but anonymity. In order to enjoy privacy one would have to be alone literally, not just figuratively.
This statement makes the assumption that the adoption of a biometric ID system would grant private proprietors access to data beyond your personal identification. In a nation where the majority of stores and restaurants still use modems to process credit card transactions, I doubt many vendors are going to upgrade to the fully internet-capable point-of-service systems that would be required to take the limited ID information to which your eye or your thumb would yield access and simultaneously run a multi-dimensional search on that information. More likely that clerk will be lucky if he doesn't have to type the name that comes up from the scan into the hotel booking system to find your reservation.
No. You fundamentally misunderstand privacy. Privacy is not "being alone."
Privacy is the existence of social boundaries that we (generally) agree not to cross.
Examples: I invade a lady's privacy when I look up her skirts without her permission. I invade your privacy if I open your mail without your permission. I invade your privacy if I read your medical records without your permission. All of this can happen with you, me and the issue in question all out in the public space.
These are things we can do, but we agree not to do, because we recognize the fundamental right to privacy as existing in open society, not just in the home or when we are alone. Private means that you retain control by social convention over information which relates to your existence, and in turn, were I to obtain access by any means without your permission, I would have crossed the social boundary for that issue. That is the very core of "violating someone's privacy."
Anonymity is another social boundary. We have -- in the past -- recognized that others have the right to proceed about their day without having to inform others who they are and what they are doing. This boundary, like any other social boundary, can be crossed (violated, more like) by simple, easy actions on the part of invaders of privacy. But anonymity is not a thing unto itself, it is simply another facet of privacy.
The following should help you develop a better understanding of what privacy actually is: More on privacy.
I've fallen off your lawn, and I can't get up.
The more efficient ones imply insert THEIR data against your name in the database index:
UPDATE biometric_data SET identity = 'fake_value' WHERE name='Your Name';Its easy when you know how, and the go'mint computer can do zillions of transactions a second.
Sent from my ASR33 using ASCII
A driver's license is a certificate that says you can drive. It doesn't even need your name on it. You just need to have one in case someone questions if you have passed a test to drive. Having done so, of course, does not permit you to run a red light or drive over someone's baby in a stroller. Nor does not having a license prevent you from starting a car and driving off. As it turns out, the thing that really matters to society is how well you drive -- not the certificate at all.
A passport is a certificate that says you can cross the country's borders. I still have -- framed -- my grandfather's certificate from the US state department that allowed him, his wife, his minor dependents and a servant to do this. It did in fact have their names on it, but inasmuch as there was no way to assure that the people in the group were the people named therein, the fact remains that the certificate itself was the key issue. It is an over-sized paper, beautifully executed, has a wax seal and a ribbon. No pictures, very basic description of him, none of the others in his party. Nothing you couldn't forge. Yet he and his could travel. Amazing, isn't it? The question arises, why can't we travel this way today? What new thing has arisen that says "oh no, that's just unacceptable!" The answer to this lies only in the authorities claims that they can stop terrorists and threats of that nature, but we know that is not true and will never be true. They can certainly increase the inconvenience to us, though.
A dollar bill is a certificate that says you can have a cheeseburger. The important thing is not that it has your name on it, but that you have the certificate.
All plain paper or otherwise easily carried off certificates can be stolen under various sets of circumstances. The objective of linking a certificate to an individual's personal characteristics is to make that more difficult or (ideally) impossible.
As the value of a particular type of certificate goes up, the value of obtaining one goes up as well. For instance, people will steal $1 bills, but they won't counterfeit them. However, people will counterfeit $100 bills, even when the effort required is extreme, because the ROI is very high. Just ask the North Koreans, who are merrily producing our current $100 bils.
When this happens, the value of the certificate ceases to be that "it is what it is" but instead becomes "it does what it does." This is not a subtle difference. In the case of a passport, your legitimate passport will probably get you across the border both ways (assuming you're not on one of our secret police's lists) but what it will *not* do is prevent others from getting across the border or prevent others from using ID's derived from yours with different data. One requirement here is breach of the data, but we know from repeated experience that no database is secure in the face of sufficient corruption, and so that is the least of the obstacles at hand.
In the end, the certificates -- passport, license -- serve as standard locks. That is, if you're a legal, compliant citizen, you'll have nice, valid copies and you won't attempt to get around them. Criminals, government agents (but I repeat myself), and corporate spies (department of redundancy department) all will also have these certificates as well, but they'll be illegitimate in the sense that the ID actually identifies who it says it does. Reasons will range from the apparently good intentioned (witness protection program) to the clearly malign (gonna fly that plane into that building, praise [diety.])
In the end, the certificate is required to transact normal life. Because it will be the standard required by those in power. Even though the protective ability is illusory.
Now let me turn to what happens if your certificate is lost. In the case of money, you can get more at some rate you are well aware of; the trick is not to carry too much of it or allow any one credit or debit card to carry enough to wound you fatally in the financial
I've fallen off your lawn, and I can't get up.