Slashdot Mirror
Fingerprint Requirement For a Work-Study Job?
BonesSB writes "I'm a student at a university in Massachusetts, where I have a federal work-study position. Yesterday, I got an email from the office that is responsible for student run organizations (one of which I work for) saying that I need to go to their office and have my fingerprints taken for the purposes of clocking in and out of work. This raises huge privacy concerns for me, as it should for everybody else. I am in the process of contacting the local newspaper, getting the word out to students everywhere, and talking directly to the office regarding this. I got an email back with two very contradictory sentences: 'There will be no image of your fingerprints anywhere. No one will have access to your fingerprints. The machine is storing your prints as a means of identifying who you are when you touch it.' Does anybody else attend a school that requires something similar? This is an obvious slippery slope, and something I am not taking lightly. What else should I do?"
The way that most modern fingerprint scanners work is by using matching algorithms. They scan your fingerprint and translate that into a numeric value and then store that. Not a copy of your fingerprint itself. This numeric value cannot be used to recreate your fingerprint but it can however be used to match the output that only your fingerprint will produce when scanned. To be perfectly candid its far easier to steal your fingerprints by stealing something you own than it is to take them from a fingerprint security/tracking system.
Solutions like this are often used to prevent someone clocking-in for you. I used this type of solution at a sports club which used to go to, where you would enter your member number followed by you finger print. Chances are this is another closed system, so it the finger prints probably won't get much further than the database.
Jumpstart the tartan drive.
Apparently if you visit Brazil, Europeans and Brazilians go through one line. Americans, we can all step over here to get fingerprinted, retina scanned, etc.
Why? We do it to them, so they do it back. F.
Not the image anyway. They store the relative positions of specific details of your print. 2 minutes on Google would have told you this.
The question remains though whether you want them to hold a representation (of any kind) of any part of your body on file.
Deleted
Yup, exactly correct. Scanners will store a "hashed" version of your fingerprint based off of an algorithm. It just stores the "fingerprint" as a random string of data. The more secure versions store the hash on a Smart Card, which you have to authenticate against. The DoD uses this type of system on their ID cards for Contractors, Civilians and Military personnel. If you're worried about how bad this situation is, you need to watch a specific myth busters episode: http://www.youtube.com/watch?v=LA4Xx5Noxyo Nothing to worry about, no privacy being broken, etc.
Don't click here...
I am on federal work study right now and I have not had to submit my fingerprints for anything. You have a few options.
Accept that this is the way they track work study hours.
If you can afford it and the privacy concerns are too compelling, decline the work and let them know why in a formal letter. It may go directly to the waste bin but at least you made your reasons known.
Lastly, you can try to change the policy. Contact your student senate for some backing as they're the most likely to listen, although not the most likely to have power to change it. A couple of suggestions: Switch from bio-informatics scanning methods to plain old bar code badges, RFID chips or paper timecards.
My school does work study timecards on paper. It's probably the most likely to be abused, but it is convenient for everyone. I'd be more than happy to use an RFID token or bar code badge for clocking in and out. Wouldn't work very well for my specific job, considering I work from home, but in theory I would accept either.
Your ability to change the policy by force is pretty limited. Employment rights(especially regarding privacy) vary by state when it comes to work study. You could try to contact your local department of labor but it's unlikely they will give you anything other than a headache.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Ask if the unit is FIPS 201 certified. If it is then you can be certain that no reproducible image leaves the unit. There's no more identifying data than a password or PIN that leaves the unit.
There are cheaper units on the market that centrally process the finger print image to speed up matching, which is open to abuse.
Disclaimer: I previously worked for a fingerprint / time-clock manufacture that produced FIPS compliant devices.
Area51 - We are watching...
Sheesh... this is the same as having public and private encryption keys. The private one is for you, the public one is... you guessed it, public, and cannot be used to reproduce or fake the private one. They only store enough data to verify your fingerprint again. VERIFICATION and IDENTIFICATION are two very different things. No privacy issue.
Move along, nothing to see here...
If "the system," being time-clock or Federal database, uses a specific, formulaic derivation of your fingerprint to establish identity, then storing that formula result is, from a privacy perspective, equivalent to storing your fingerprint. It's a means of identifying you, personally, by extracting your hash from a database of all hashes based on the hash of an unknown fingerprint. That the algorithm is one-way (ie: you can create the hash from the fingerprint, but not the fingerprint from the hash) is irrelevant. Maybe if the has space is small enough that many fingerprints give the same hash value - ie, the has provides sufficient uniqueness for a population of 50 or 100 employees, but not is not unique over a population of 1,000 or 10,0000 - although that seems to compromise its value as an employee identifier.
I have been using a finger print scanner to clock in and out of my jobs for the past 10 years. As the IT guy at some of these jobs, I know that its not actually storing the full image of my finger print. It stores a few critical points to make sure it has it and not the full image. But if someone really wanted your finger print, it would be easy for them to lift it off the door knob when you enter your office, or from a coke can you throw into the trash or from your keyboard when you get up to goto the bathroom or anything else you touch in a given day. It would be much easier than hacking the time clock or a server to get your finger print.
OK, I've actually never faked a fingerprint myself. But I've read about research on it in Bruce Schneier's blog:
http://www.schneier.com/crypto-gram-0205.html#5
Care to guess what the batting average of most fingerprint readers was against someone trying to fool them?
(Answer: the eleven commercial fingerprint ID systems, together, wouldn't defeat my son's blindfolded Little League team.)