Slashdot Mirror


Do You Own Your Own Fingerprints? (bloomberg.com)

Slashdot reader schwit1 quotes an article from Bloomberg: These days, many of us regularly feed pieces of ourselves into machines for convenience and security. Our fingerprints unlock our smartphones, and companies are experimenting with more novel biometric markers -- voice, heartbeat, grip -- as ID for banking and other transactions. But there are almost no laws in place to control how companies use such information. Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector.

There's one place where people seeking privacy protections can turn: the courts. A series of plaintiffs are suing tech giants, including Facebook and Google, under a little-used Illinois law. The Biometric Information Privacy Act, passed in 2008, is one of the only statutes in the U.S. that sets limits on the ways companies can handle data such as fingerprints, voiceprints, and retinal scans. At least four of the suits filed under BIPA are moving forward... Under the Illinois law, companies must obtain written consent from customers before collecting their biometric data. They also must declare a point at which they'll destroy the data, and they must not sell it... "Social Security numbers, when compromised, can be changed," the law reads. "Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, [and] is at heightened risk for identity theft."

67 comments

  1. You don't own anything by Anonymous Coward · · Score: 2, Insightful

    The government can take your things, your land, and your life rather easily. You are just a pawn.

    1. Re: You don't own anything by Anonymous Coward · · Score: 2, Insightful

      A bit dramatic but yes, this is true. Ownership of anything is defined by power, and unless you have more power than the government you live under, they can take anything from you at anytime. Ownership is a myth...you only get to keep things as long as you keep paying and complying.

    2. Re:You don't own anything by Anonymous Coward · · Score: 0

      Your grasp of governance and politics is spectacular! What would we do without in depth and razor sharp analysis like this!!

    3. Re: You don't own anything by ooloorie · · Score: 4, Informative

      Ownership of anything is defined by power, and unless you have more power than the government you live under, they can take anything from you at anytime.

      No, ownership is not "defined by power", it is defined by mutual agreement. The more you define ownership by power, the more totalitarian society becomes.

    4. Re: You don't own anything by Anonymous Coward · · Score: 1

      Bad news, we need your land. You see, we want to put in a highway where your land is, so we are taking it. If you fight us on this, you will lose. If you physically fight us, you go to jail. Now get out of your house pawn, we're destroying it tomorrow.

    5. Re: You don't own anything by WarJolt · · Score: 1

      DHS doesn't scare me. The ATF on the other hand still does. They are way better at making someone disappear.

    6. Re: You don't own anything by AchilleTalon · · Score: 0

      Do you have a little bird on your virtual lectern while you are writing?

      --
      Achille Talon
      Hop!
    7. Re: You don't own anything by Anonymous Coward · · Score: 1

      You forgot to mention the part about paying market value.

    8. Re: You don't own anything by Anonymous Coward · · Score: 1

      Oh yeah, that totally makes it worth it!

    9. Re: You don't own anything by Anonymous Coward · · Score: 1

      Worked great for David Koresh and his pals, right?

    10. Re: You don't own anything by Anonymous Coward · · Score: 0

      A minor setback... Next time, more tanks

      And to the asshole moderators, what? Too soon?

    11. Re: You don't own anything by cualexander · · Score: 2

      Bypasses have to be built!

    12. Re: You don't own anything by chuckugly · · Score: 1

      Ammo is fine, as long as no one in the thread mentions plutonium or uses the word "fissionable".

    13. Re: You don't own anything by Anonymous Coward · · Score: 0

      Tell it to the moderators. They seem to get "triggered" very easily by the tiniest "controversy".

  2. Of course you dont by Anonymous Coward · · Score: 4, Informative

    Once it's put into the system just assume everyone has access to it.

    Just because it's supposedly secure now doesn't mean someone won't in the future get in.

    1. Re:Of course you dont by Anonymous Coward · · Score: 0

      Shouldn't copyright apply to this? 70 years after authors death sounds familiar.

    2. Re:Of course you dont by redmid17 · · Score: 1

      Access by hackers wasn't the issue at hand. Learn to read.

    3. Re:Of course you dont by PatientZero · · Score: 2

      While that may not be the main point, that the law forbids companies from selling the data to others is meaningless due to hackers. I'm sure they'll use the latest security technology to protect the information, just as they do with our passwords and credit cards.

      --
      Freedom to fear. Freedom from thought. Freedom to kill.
      I guess the War on Terror really is about freedom!
    4. Re: Of course you dont by Anonymous Coward · · Score: 0

      My fingerprint is my copyright protection mechanism... Your storage and analysis of it violates the DMCA.

  3. Yes by Anonymous Coward · · Score: 5, Funny

    I'll give you my fingerprints when you pry them from my cold, dead hands.

    1. Re: Yes by Anonymous Coward · · Score: 0

      OK, thanks!

    2. Re:Yes by fustakrakich · · Score: 1

      The way to do biometrics right is to leave an actual piece of your hand, say a fingertip. Then when you go to the bank, they can match it to the stump.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Yes by Anonymous Coward · · Score: 0

      "Your proposal is acceptable."

  4. What counts as collecting? by AmiMoJo · · Score: 1

    Do café's need to get permission to take your entry glasses? Do photographers need permission to photograph a person's face and eyes?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re: What counts as collecting? by Anonymous Coward · · Score: 0

      Second one.. Yes, you need permission in various European countries (Netherlands, Belgium, Germany, Austria, etc) to make photos of strangers.

    2. Re:What counts as collecting? by sittingnut · · Score: 1

      i, a non expert, do not see much of a difficulty here in separating various kinds of data.

      restrictions on use depends on definition of biometric data.
      in this context data that allows verification of identity is meant. seems lawyers would have not much trouble in coming up with a workable definition.

        i suppose even use of an identity photo in proper context (inside card or passport) should indeed need permission.

      --
      btw i do think use of biometric data to verify identity is, and always will be, highly insecure, by their nature.

    3. Re:What counts as collecting? by Threni · · Score: 1

      > Do café's need to get permission to take your entry glasses?

      When you're on their planet, yes.

    4. Re: What counts as collecting? by Anonymous Coward · · Score: 0

      Figures, they're all Nazi countries.

  5. Oh no! They would never "sell" your data. by fustakrakich · · Score: 1

    But unfortunately there was a "breach" the other night, and it's all gone*..

    The check is in the mail :-)

    *Same MO for weapons transfers in the middle east to the "rebels".

    --
    “He’s not deformed, he’s just drunk!”
  6. inb4 DMCA Takedown Notices by idbeholda · · Score: 1

    They'll accuse you of stealing your own identity.

  7. Depends on the country by prefec2 · · Score: 4, Informative

    In the EU the data is private and must be handled privately. It also cannot be transported out of the EU, except to other safe countries. Surprisingly, due to the PrivacyShield treaty the US is declared to be safe. Unfortunately they have no such standards.

    1. Re: Depends on the country by Anonymous Coward · · Score: 0

      TTIP will take care of it.

    2. Re:Depends on the country by Kindaian · · Score: 4, Informative

      Also, the EU regulations state that the data should be handled just to fulfill the requirements of the service rendered.

      Additionally, if the data is exported to the US it still needs to comply with all EU regulations. The fact that the data moved to a different country has no bearings on what the companies can do with it (they still need to apply the EU regulations).

      And if they use 3rd party services for some internal processes that have access to the data, those 3rd party also need to comply.

      It is not a "out-of-eu regulation" free card.

    3. Re: Depends on the country by Anonymous Coward · · Score: 0

      Yup, only the wrong way

  8. Do you own your identity is the question? by Jack9 · · Score: 4, Interesting

    Currently, that appears to depend on where you live and the laws of that land.

    If a fingerprint is recorded as a pattern, can you own that pattern? The answer is no. Practically and legally in the US.
    Then an alternate pattern (approximation) will be used and so on...

    What about your DNA sequence? What about your hair after a haircut? The answer is no over a long enough time period. Nothing about you will be deemed to be owned by you until the state has ruled it so and then the state ignores that ruling anyway in the interest of convenience or justice or whatever reason du jour until the concept fades. Get used to it, make your money where you can in the meantime, copyright your fingerprints.

    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
    1. Re:Do you own your identity is the question? by Fly+Swatter · · Score: 1

      If a fingerprint is recorded as a pattern, can you own that pattern? The answer is no. Practically and legally in the US. Then an alternate pattern (approximation) will be used and so on...

      Actually you can own a pattern, apply for a trademark using the print pattern. Then legally defend the hell out of it. Even the approximation of your pattern can be considered infringement on likeness of your trademark. IANAL

    2. Re:Do you own your identity is the question? by ooloorie · · Score: 1

      Trademarks allow you to identify your products. It is only "infringing" if people use your trademark to identify other goods. Beyond that, you have no control over how your trademark is copied or stored.

    3. Re:Do you own your identity is the question? by Anonymous Coward · · Score: 0

      To the RIAA and the MPAA, it's ok. The mp3 files I shared are merely patterns.

    4. Re:Do you own your identity is the question? by Anonymous Coward · · Score: 0

      If you have to apply for it, you do not own it. Someone else does, and you are just a beggar for a handout.

    5. Re:Do you own your identity is the question? by tinkerton · · Score: 1

      In the US at least the state can demand you to give your fingerprints to them: http://www.androidcentral.com/...
      That doesn't mean you don't own it of course. But what is owning?

    6. Re:Do you own your identity is the question? by Anonymous Coward · · Score: 0

      Which is why you should register your fingerprint as a work of art - and gain copyright to it as well. Copyright covers all copying, it is not limited to "identifying goods". Try using your own mickey mouse drawing for anything at all - you can't due to copyright.

      The government has exceptions for itself, so they can probably still use fingerprints to identify you. But Apple & friends can't - if you have copyright . . .

      Similar for retina scans - photographic art!

  9. no. already settled law in US. by turkeydance · · Score: 1

    your fingerprints AND your DNA are subject to collection/confiscation/confinement.

  10. So you gather fingerprints and DNA like a cunt.. by Anonymous Coward · · Score: 0

    Next day you died. Did it help you.

  11. Of course you do by Anonymous Coward · · Score: 0

    Fingerprints, DNA, etc. If companies abuse it you sue their face off.

    1. Re: Of course you do by Anonymous Coward · · Score: 0

      Face not ass. I see what you did there!

  12. it's clear for the public sector by ooloorie · · Score: 1

    Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector.

    Well, it is entirely clear what rights people have to protect their scans of their retinas or the contours of their face from cataloging by the public sector: none right now.

  13. What a bloody stupid question. Of course I do. by Anonymous Coward · · Score: 0

    What a bloody stupid question. Of course I do.

    Nuff said.

  14. They want the full biometrics by tinkerton · · Score: 1

    The FBI certainly has no intent to limit their access to just your fingerprints. See for instance https://privacysos.org/blog/fb....
    Got that link from this interview here http://scotthorton.org/intervi... .
    So I don't know what currently happens to the fingerprint you're using to log in but I'm pretty sure it's soon all going into a central database - and from there to other databases of people with nothing but the best intentions.

  15. The better question is why do people think they ar by hsmith · · Score: 1

    Authentication tools? If company X has your fingerprint data to "secure" your data (and does so poorly) - what happens when they get hacked and that data is used against company Y and Z? You can't request new fingerprint or biometric data

  16. Fingerprints should never be shared by AchilleTalon · · Score: 1

    Fingerprints should never be shared with any other party unless mandated by the law, like after being convicted of felony and being jailed.

    Actually, this whole race for biometrics security is flawed. What parties want is a way to make sure you are who you claim you are. For that purpose, they do not need to store your actual fingerprints to compare and match. They just need a digital signature which you can conveniently produce from your fingerprints without sending the fingerprints or features of your fingerprints. The same way you can encrypt a password with a one-way function, you can encrypt your fingerprints + some credentials from the party requesting the digital signature. This way, the digital signature is not a sole function of your fingerprints. Each party will get a different signature depending on their own credentials. They will not receive the actual fingerprints either and they will not be able to sell it to someone else.

    Just making a law to forbid selling, sharing, keeping longer than required fingerprints is not sufficient.

    Collecting fingerprints or any other biometric marker in first place should be forbidden.

    --
    Achille Talon
    Hop!
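
A sketch of the per-party derivation described in the comment above, as an added example that is not code from the thread or from any product. It uses a salted one-way derivation (PBKDF2) in place of a signature scheme, and the party identifiers, the work factor and the 64-byte template are constructed assumptions. It also assumes every reading yields identical bytes, which real sensors do not deliver; the last result shows what happens when that assumption fails.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch

# Constructed sample: stands in for a quantized fingerprint feature vector.
TEMPLATE = bytes(range(64))


def party_verifier(template: bytes, party_id: bytes, salt: bytes) -> bytes:
    """One-way value bound to both the template and the requesting party."""
    # Length-prefix the party id so (id, salt) pairs cannot collide by concatenation.
    bound_salt = len(party_id).to_bytes(2, "big") + party_id + salt
    return hashlib.pbkdf2_hmac("sha256", template, bound_salt, PBKDF2_ROUNDS)


def enroll(template: bytes, party_id: bytes) -> dict:
    """Runs on the user's device; only the returned record goes to the party."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": party_verifier(template, party_id, salt)}


def verify(template: bytes, party_id: bytes, record: dict) -> bool:
    """Re-derive from a fresh reading and compare in constant time."""
    candidate = party_verifier(template, party_id, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def flip_one_bit(data: bytes) -> bytes:
    """Simulate the smallest possible sensor noise between two readings."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def demo() -> dict:
    bank = enroll(TEMPLATE, b"bank.example")
    shop = enroll(TEMPLATE, b"shop.example")
    return {
        # The enrolled party accepts the same template.
        "bank_accepts_owner": verify(TEMPLATE, b"bank.example", bank),
        # Two parties hold unrelated values for the same finger.
        "records_differ": bank["verifier"] != shop["verifier"],
        # A record leaked or sold by one party does not verify at another.
        "bank_record_works_at_shop": verify(TEMPLATE, b"shop.example", bank),
        # One flipped bit in the reading changes the whole derived value.
        "noisy_reading_accepted": verify(flip_one_bit(TEMPLATE), b"bank.example", bank),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rejected noisy reading is the practical obstacle: an exact-match one-way function only works if the template bytes are reproduced identically, so deployed designs pair this idea with error-tolerant constructions such as fuzzy extractors, or keep matching on the user's own device.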
  17. Stop using them by markdavis · · Score: 4, Interesting

    >"Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, [and] is at heightened risk for identity theft."

    Which is why fingerprints should never be used for biometrics.

    Using fingerprints and allowing a third-party to have access to that data is unacceptable. Fingerprints are left everywhere and can be collected and accessed without your permission. Once collected, that data will NEVER be erased or restricted, regardless of claims or laws. They will likely go or leak into huge databases and be shared between various government agencies and used however they want for as long as they want. With every crime investigation, you will be searched without probable cause.

    There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of the biometric all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

    Example: http://www.m2sys.com/palm-vein...

    We all need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO. And you can't trust latent biometrics with security.

    1. Re:Stop using them by Anonymous Coward · · Score: 0

      No. Biometric data should never be used. Anything that can be scanned will eventually be faked, and you can never change your bio after it has been leaked. It should never be used.

    2. Re:Stop using them by Anonymous Coward · · Score: 0

      I mean, just read the page. "Difficult to Forge". Oh, wow, "difficult". Since they won't claim "impossible ever", then it will be forged. Don't ever use biometric data for security.

    3. Re:Stop using them by markdavis · · Score: 1

      Yes, difficult to forge. And the full entry says:

      "Difficult to Forge Because vein patterns exist inside of the body, it is practically impossible to recreate someone's biometric template. The sensor of the palm vein scanner needs the hand and blood flow to register an image."

      I am not saying we shouldn't use biometrics at all, that is probably unrealistic. And I am certainly not advocating we are forced to identify ourselves wherever we go (that is unacceptable too). But when biometrics are necessary, deep vein scan is perhaps the best in every way- privacy, safety, accuracy, cost, and security.

  18. There is no check, no repercussion by Anonymous Coward · · Score: 0

    As such it is a do-whatever-you-want for US companies.

  19. the parameters can also change. by swschrad · · Score: 3, Interesting

    lose a finger in an accident... heart attack alters the pacemaker path... lots of ways for biometrics to say you are not you any more.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  20. No solution? Also no funny and no insightful by shanen · · Score: 1

    To answer the question of the original topical question with an actual solution:

    Yes, and you should own ALL of your personal information. You should be able to store it where you want it and ANY use of your personal information should be according to your preferences. Retention of someone else's personal information without their permission should be regarded as a crime, and when that information is held without permission by a government authority, it should be regarded as a violation of the Fourth Amendment (in America).

    Technically speaking, much of the personal information might require signatures by other parties (to insure that it is not tampered with), but the information should only be accessed and used in accord with your wishes. Requests for the information should require authentication of the identity of the requester and specification of the purposes to which the information will be used, and in most routine cases can be approved or denied by reference to your personal privacy policies. Once the approved information has been used and the purpose has been satisfied, then the copies should be deleted.

    Lots of uses of "should" there, but don't hold your breath. The big corporations will NEVER allow that to happen, and even though it is an anthropomorphic lie to attribute any human attribute or behavior to a corporation or government entity.

    So before I made that comment I searched for anything along those lines. The article has been up for some hours and I think it's an important topic. Unable to find anything of relevance or even a single funny-moderated comment. Where have all the funny and insightful commenters gone? Long time passing...

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:No solution? Also no funny and no insightful by Bristol_92 · · Score: 1

      Of course we must keep our personal information secret. But how to protect it? Multiple antiviruses, VPN services and secure browsers assure us of absolute safety. Can we believe providers? And what must we do with fingerprints? Wipe fingerprints off any spot we touched? I think that in the modern world a person can’t be invisible and feel secure.

  21. That's funny. by Anonymous Coward · · Score: 0

    > "Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, [and] is at heightened risk for identity theft."

    The very attribute that made biometrics so attractive -- uniqueness -- is exactly the reason why it should be rejected as criterion for establishing identities.

    Once you copy a fingerprint (actually, its data) there will be many "yous" everywhere.

    Of course, technical people would never think of that (engineers should be forced to go to a Philosophy College, if nothing more to stop them repeating as baboons that they understand logic better than other professionals).

  22. Ofcourse not, they are owned by Tyrell Corp by Anonymous Coward · · Score: 0

    But, as long as they don't find out I'm missing, I should be f....
    ... hold on, someone is at the door...

  23. Yes by stooo · · Score: 0

    Normally, with a question in the title, the broadly valid answer is "No"
    But this is an exception.

    --
    aaaaaaa
  24. Biometrics by XSportSeeker · · Score: 1

    The problem I always had with biometrics, especially in articles saying they should completely replace passwords and whatnot, is exactly that: they are uniquely identifiable and non-exchangeable. We all know well enough that biometrics are far from being as secure as their evangelists will tell you, plenty of fingerprint scanners have been cracked, yet every now and then I'll read once again in some superficial, when not sponsored, article how biometrics are going to replace everything because they are impossible to replicate and whatnot. Yes, it's definitely harder for an attacker to get your fingerprint rather than guess your stupid "password" or "1234" password. And yes, there have been advances to prevent the most common types of attacks against fingerprint scanners. Here's the major flaw with biometrics though: if attackers ever find a way to replicate it, that's it. You can't change your fingerprint, you can't change your iris, you can't change your voice speech pattern.... well, ok, you might be able to after some painful procedures, but you get what I mean. Do you own your fingerprints? Does it even matter anymore? At the very least, the government already has it, and last I heard, their security practices are not all that much reliable. It wouldn't surprise me the least to find out there are already leaks available for purchase on some darknet website for less than a bitcoin. It's easier to steal them than most people think. I mean, if people were really interested in compiling a fingerprint database with personal information, I can't imagine it'd be very hard to surreptitiously install door handles in a bunch of public places with cameras that will take your fingerprints, a shot of your face, and then easily find who you are using some image/gps search. The only thing fingerprints are good for are convenient locks (having in mind that no lock is absolutely secure). For good security, you'll always need extra independent steps. It's always about making it hard enough for attackers that they will end up not bothering, going for the next easier target...

  25. 1st amendment -- freedom of speech by Anonymous Coward · · Score: 0

    It would seem that biometric information should be treated very similarly to any other set of facts. Why we do have restrictions like for libel, slander, obscenity, sedition, classified information, copyright , trade secrets, non-disclosure agreements, perjury, etc. It would seem that restricting these kinds of facts should be judged with heightened or strict scrutiny.
    * a compelling governmental interest
    * narrowly tailored
    * least restrictive means

    I'm not sure if the government has a compelling interest in abetting the fiction that biometrics can be reliably used as authenticators and not merely identifiers.
    I'm also not sure if it's narrowly tailored enough.. HIPAA is tailored for only some businesses for instance.

  26. Yes, we do by Anonymous Coward · · Score: 0

    And there fucking SHOULD be laws in place for all of it. It's time to end the separation of digital rights/real world rights. What a ridiculous yet important question! Surely we are not this incapable of moralistic and critical thought these days.