Slashdot Mirror
Fingerprint Requirement For a Work-Study Job?
BonesSB writes "I'm a student at a university in Massachusetts, where I have a federal work-study position. Yesterday, I got an email from the office that is responsible for student run organizations (one of which I work for) saying that I need to go to their office and have my fingerprints taken for the purposes of clocking in and out of work. This raises huge privacy concerns for me, as it should for everybody else. I am in the process of contacting the local newspaper, getting the word out to students everywhere, and talking directly to the office regarding this. I got an email back with two very contradictory sentences: 'There will be no image of your fingerprints anywhere. No one will have access to your fingerprints. The machine is storing your prints as a means of identifying who you are when you touch it.' Does anybody else attend a school that requires something similar? This is an obvious slippery slope, and something I am not taking lightly. What else should I do?"
I've used biometric scanners like this in the past. Whatever it stores to recognize your fingerprint never leaves the machine. I don't know if that's what's going on here, but it seems perfectly reasonable.
Start looking for another job..
I'm sorry, I can't hear you over the sound of how awesome I am.
Its a time clock. Many jobs have them along with your address, phone number, date of birth, and social security number. Welcome to the working world. I could just as easily steal your fingerprints from your car door handle or the can you threw in the trash. After this fiasco don't expect the job offers to roll in.
Only the State obtains its revenue by coercion. - Murray Rothbard
As long as you are assured that your privacy is protected...this is a huge non-issue. Fingerprint scanners are the best (In terms of ease of implementation) way to prevent people from clocking in and out for each other, even though they are obviously easily defeated by anyone sufficiently motivated.
I checked into these before. The scanner records a description of your fingerprint, not the image. The description is used to match. It's a form of message digestion.
Most scanners of this type do not even record enough detail to qualify as evidence. Those that do must have their data shared with law enforcement, making them a hard sell as a biometric time card.
Same as the old one... My wife's workplace has this system. Works terribly but somehow it got past some CxO. Not sure if the privacy issue is a big deal however. You train the system in the system (if it's the same one). The print doesn't go out to the big Gov.
Not saying that they couldn't do that, but you do realize (being an aluminum foil shielded card carrying Slasdotter) that 'they' can get your fingerprints, DNA and bog knows what else without much of a problem these days.
Hell, at least it's pretty unlikely to show up on Facebook.
Faster! Faster! Faster would be better!
At Disney World, they require finger prints when you enter the park if you want to be able to re-enter or switch to another park (if you have a ticket that allows that). At least the government doesn't directly get them, but who knows what they're doing with them or how long they keep them. (This was several years ago; I don't know if it's changed.)
And friends, somewhere in Washington enshrined in some little folder, is a ,just walk in say "Shrink, You can get
study in black and white of my fingerprints. And the only reason I'm
singing you this song now is cause you may know somebody in a similar
situation, or you may be in a similar situation, and if your in a
situation like that there's only one thing you can do and that's walk into
the shrink wherever you are
anything you want, at Alice's restaurant.".
Use acid on your finger tips to remove the prints and use that for ID. The only problem is that you are now linked to hundreds of crimes where no traces of fingerprints were found. But at least they wont be able to identify YOU when they find your actual fingerprints somewhere.
The way that most modern fingerprint scanners work is by using matching algorithms. They scan your fingerprint and translate that into a numeric value and then store that. Not a copy of your fingerprint itself. This numeric value cannot be used to recreate your fingerprint but it can however be used to match the output that only your fingerprint will produce when scanned. To be perfectly candid its far easier to steal your fingerprints by stealing something you own than it is to take them from a fingerprint security/tracking system.
...when your boss starts asking to personally take samples of your reproductive DNA. Until then, there's nothing to be upset about.
Airplane Photos, Airline News, Planespotting Guides
Apparently what it is storing is a statistical summary of the biometric information (if that's not redundant). It doesn't store the fingerprints themselves anymore than an operating system will store your password. With the password, whatever you type in has to have a hash which matches the hash associated with your account. With the scanner, the summary generated each time you plop your hand on the scanner has to match (to a significant degree) the summary on file.
But, yes, if someone finds your fingerprints somewhere else, and they have access to this data, they can be reasonably certain it is you.
My other car is a 1984 Nark Avenger.
Apparently if you visit Brazil, Europeans and Brazilians go through one line. Americans, we can all step over here to get fingerprinted, retina scanned, etc.
Why? We do it to them, so they do it back. F.
Not many posts yet but I already see a LOT of posts pushing the idea of not working for this employer. This is not a solution. If we don't fight it and win, it will be adopted by more and more employers until it snowballs into something too big to fight. If we think this is a bad idea, it needs to be fought now while it's still in its infancy.
I am in the process of contacting the local newspaper...
Are you for real? Other than than the fact that they likely won't give a rats ass about this, you are treading on very thin ice. I'm not sure what it is you're planning on doing after graduation, but being labeled a well-known whistle-blower isn't going to do you much justice when you're out looking for a job.
We had one, after the first couple of weeks people started punching it instead of "punching in". They're supposed to also have a keypad so you can manually enter an access code, since the reader is known to be undependable.
If you want to mess it up, each time you stick your finger on it while it's "registering you" (it needs more than 1 scan), put your finger in a different position, different angle, or even use a different finger (people generally don't notice). After 5 failed attempts, they'll give up. Or, if they "insist" o "helping you" place your finger, tell them that as far as you're concerned, their broken machine is their problem, and that touching you is common assault and you'll file charges.
...that the next time a pompous administrator says in public "nobody has complained about that," you know that he is lying. Settle for not just knucking under without saying anything at all. Settle for knowing, if you do know, that your complaint has reached someone who sets policy and that you're not just making things hard on a bunch of other ordinary workers whose job is to keep things running.
This is not nothing at all, but it's a small thing.
You can't change the world through indignation. You really have only three choices. First, be docile and do nothing at all. That's often a good option by the way. Second, make sure your concerns have been heard, even if they are dismissed. Or, third, be prepared to devote at least a year or two of your life to the cause of fighting this thing.
If you feel that spending a year or two toward the goal of getting the university to stop using fingerprinting gadgets for access to work-study jobs is worth it, and is what you want to do with that chunk of your life, you can probably achieve your goal. I dunno how. Work through the union if there is one? Start a union if there isn't one? Make appointments and personally talk to one administrator after another, calmly, until you figure out how to get the policy changed? Personally work out an actual proposal, including costs and benefits, for alternative security, so you're presenting them with something positive and their work all done for them, instead of just saying "don't do what you're doing?" Find a faculty committee that's interested in the question that you can swing to your side? I dunno.
"How to Do Nothing," kids activities, back in print!
Wait till they start genetically testing everyone with DNA requests for security purposes.
Thats when the fun will begin.
Expect to be denied loans based on life span and proclivities to all sorts of diseases they find you will contract.
Effectively they can prevent your student loans/grants to save money as they certainly do not want to invest in anyone who won't be around long enough to pay back that 100K.
All sorts of monkey business is planned. If you have a kid right now, the blood of every baby born in US hospitals MUST be saved by the department of homeland security for a genetic test for identification.
-Hack
PS: NO, they DO NOT tell you about that last part.
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
I installed these at a client.
The issue was the employees would take an afternoon off to go to an appointment, and get buddy to clock them out at the end of the day - The emplyoee would then get paid for an afternoon they didnt work.
The time clocks have a fingerprint scanner. You place your thumb on the device as you punch out. Now buddy cant swipe out for you, and you cant defraud your employeer.
They also had biometric locks instead of prox cards on the doors. Much more convieient then having to remember a card the few days when i was on site.
Not the image anyway. They store the relative positions of specific details of your print. 2 minutes on Google would have told you this.
The question remains though whether you want them to hold a representation (of any kind) of any part of your body on file.
Deleted
If they want to check his presence, logging him in and out, there are other methods to do that. They don't need his fingerprints. It worked perfectly well with badges and/or company ID cards.
How exactly does an ID card verify his presence, rather than simply that someone possessing the card happened to run it through the machine?
And, yes, his fingerprints are all over the doorprint. Together with a gazillion of other fingerprints. And withoug registration that makes him one of the anonymous crowd.
As long as no one goes to the extraordinary effort of pre-emptively wiping the handle clean.
It's easy to ridicule people as paranoid. Instead, however, you should be thinking "why the heck are they requiring my fingerprints".
What I am comparing this to is, for example, using a social security number for identification, which seems to generate a large current of opposition here on slashdot precisely because it such a non-physical, easily reproducible security feature. I want anonymity as much as the next guy, but the one place I don't want it is in verifying my identity. (I would think most people could see the inherent contradiction in wanting both at the same time.) Ideally only one person will be able to gain access to things under my identity, that being me.
Fyi, pretty much any job working for the government or with children is much more invasive--you will actually have your prints submitted to a database for a background check, rather than simply having checksummed on the given machine. The latter doesn't seem that controversial to me.
When things get complex, multiply by the complex conjugate.
cut off finger? gummy bears can beat the system and the myth busters where even able to beat high tech lock with a copy on paper.
Of all the things in the world to worry about, a fingerprint reading timeclock is very close to the bottom of the list. Your fingerprints are not stored, nor are they uploaded to some evil master government database. You fingerprints are not DNA. They can't be used to predict if you'll get colon cancer by age 50. Quite frankly, they're not even private. You leave them all over the place every single day. I don't think this rises to the level of concern of someone taking a picture of you and putting it on an ID card. And we all know about how much evil has been done with misappropriated badge ID photos.
To login BonesSB would present a finger, the same information points would be measured, then hashed then the two hashes compared.
I am not saying that they did go to that extent, but they could have.
Let's get something clear here.
They are NOT finger printing him. They are having him clock on with a biometric finger print scan. There are certainly concerns with this sort of thing, but it's not the same.
Certainly there are issues with biometric scanning in regards to the quality of the scanners and what you do if your biometrics get compromised(which is possible), but biometric scanning is not the same as being fingerprinted. They'll only ever take one finger, and generally speaking the resulting hash probably won't even be useful outside the proprietary hardware it's running on.
As for looking for a new job, after making a huge fuss about this and accusing them of acting like a police state in the papers, they're more than likely to sack his ass anyway.
The purpose of this device is to keep people from cheating on their hours. You can get all Big Brothery all you like, but there is one and only one technology that can reliably ensure that people come to work and do the jobs they're paid to do.
It's called "management". The way it works is, you know your employees' names, you stop by their workstations, both to help them with problems they're having and to check to see that they're doing their jobs. You build up a culture of trust, so that when they need to leave work they *tell* you, and you arrange for them to make up the time.
Or you can treat them like condemned criminals, and let them be monitored by machines while you sit in your throne of an office eating donuts and browsing bmw.com. It's really up to you.
I am on federal work study right now and I have not had to submit my fingerprints for anything. You have a few options.
Accept that this is the way they track work study hours.
If you can afford it and the privacy concerns are too compelling, decline the work and let them know why in a formal letter. It may go directly to the waste bin but at least you made your reasons known.
Lastly, you can try to change the policy. Contact your student senate for some backing as they're the most likely to listen, although not the most likely to have power to change it. A couple of suggestions: Switch from bio-informatics scanning methods to plain old bar code badges, RFID chips or paper timecards.
My school does work study timecards on paper. It's probably the most likely to be abused, but it is convenient for everyone. I'd be more than happy to use an RFID token or bar code badge for clocking in and out. Wouldn't work very well for my specific job, considering I work from home, but in theory I would accept either.
Your ability to change the policy by force is pretty limited. Employment rights(especially regarding privacy) vary by state when it comes to work study. You could try to contact your local department of labor but it's unlikely they will give you anything other than a headache.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
I know this will surprise many slashdot readers but using your fingerprint as described by the poster for the purpose of clocking you in and out of work would be illegal in many countries accross Europe (with the possible exception of the UK). In France, for example, you can actually get fined by the data protection authority for doing so.
It's true that most of these devices don't store an image of your fingerprint but rather a "template" : a description of some special features of your fingerprint. But that doesn't change the problem.
Indeed, many data proctection authorities accross the EU consider that biometrics pose sevreall security and data protection issues and must therefore be used with caution. Fingerprint biometrics are of special concern, in particular when the biometric data (templates) are stored in a central database. The big problem with fingerprints is that we leave them everywhere, on all objects we touch. Someone can pick up your fingerprint and test it against the templates inside the database. (Sounds crazy or technically impossible ? It's much easier than you think : i've tested it myself, that's part of my job). There are other issues whith fingerprint biometrics that I won't detail here.
In the end data protection authorities in the EU consider that the use of a central fingerprint database is excessive if your only objective is only clocking people in and out. Instead, they encourage the use of a smartcard to store the biometric data : you show your finger to the biometric reader and it gets compared with the data stored in the smartcard. This solution offers the same benefits in terms of security but you keep control of your biometric data.
"This type of Orwellian"
Oh, holy shit! I'm as much concerned about privacy as any other next guy and then probably more, but this is crystal clear:
1) Do you think there's a need for authorization (you can go in, you can't go in)?
2) If yes, then you need authentication. As in you *need* authentication or else no one will be sure the authorized guy is the one meant to be authorized.
3) If you need authentication, then biometrics is quite a good candidate (while not absolutly great: once it gets tampered there's no easy replacement)
Privacy is not about nobody tracking your steps; it's about nobody tracking your steps except for really valid reasons and only for as long as those valid reasons stand valid.
Privacy doesn't seem to be the real issue here, unless they're selling your prints to the Feds. What I would like to know is: given the fact that these things don't work worth a damn, why would they be using a system like this in the first place?
I mean, if I had to use a fingerprint scanner for identification, I'm the kind of person who would fool with it just for fun. The only way they have been able to make them "reliable" -- that is, reliably accept your fingerprint and not lock you out -- was to loosen up the match criteria enough that they are much too prone to false positives, which in turn makes them easy to fool.
I would do things like clock in Susan for four hours when she is really on vacation in Hawaii, for example, just to see what happens. Or clock in Sam at 3 a.m. so that when he comes around at noon and scans, he's really clocking out. And so on. Consider it like friendly hacking... you are showing the owners that their system just doesn't work. It's a useful technique when they simply won't listen to reason.
Sheesh... this is the same as having public and private encryption keys. The private one is for you, the public one is... you guessed it, public, and cannot be used to reproduce or fake the private one. They only store enough data to verify your fingerprint again. VERIFICATION and IDENTIFICATION are two very different things. No privacy issue.
Move along, nothing to see here...
GEEZ! The Slashdoters sure can pitch a fit about nothing!
These devices only store a few numbers that were derived from the patterns of your prints. They don't store anything near the actual image. When you re-scan your finger to clock in it creates a new set of numbers and looks for a set that is statistically close to something it has in it's database. Usually you have to enter a PIN as well because these things do such a crappy job that without knowing where to start, it would have a terrible time figuring out which of the stored sets of numbers match up to the one you just scanned in. I'm not saying that some systems can't do a great job. I'm just saying that the kinds of systems they sell for time-clocks are usually pretty lame. Especially after they get beat around for a while. So all these time-clock units really do is determine if the clock-in scan is statistically close enough to the original scan to be more likely to be you than some other employee. The actual data stored is less personally identifiable than your name. Are you gonna complain if they ask you to give your name when you clock in?
I also seriously doubt that these things produce any form of standardized data that could be transferred to any other system. Heck, sometimes the scans won't match up just because you bought a slightly different model from the same manufacturer to replace a broken unit. Ever try to troubleshoot one of these systems? It is a nightmare.
So, you have nothing to worry about. "They" are more likely to track you by mere facial recognition via security cameras than by your fingerprints.
OK, I've actually never faked a fingerprint myself. But I've read about research on it in Bruce Schneier's blog:
http://www.schneier.com/crypto-gram-0205.html#5
Care to guess what the batting average of most fingerprint readers was against someone trying to fool them?
(Answer: the eleven commercial fingerprint ID systems, together, wouldn't defeat my son's blindfolded Little League team.)