The Case Against Biometric IDs (nakedcapitalism.com)
"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article:
Using a biometric system when the basic problem of securing and safeguarding data has yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?
[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.
The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests that biometric IDs are currently a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt in to the collection of their personal data.
Perhaps the proletariat shouldn't have to worry about it at all, and those who rely on identity (banks, mortgage companies, etc.) should be forced to assume all the liability and burden of proof when they get it wrong. And that includes being liable for libel if they incorrectly report against someone's creditworthiness.
Just as copyright infringement isn't "theft," so too is there no real identity theft - the problem is on the other side, with those who accept numbers as a convenient but unreliable "proof" of identity. Their problem, not ours.
"National Security is the chief cause of national insecurity." - Celine's First Law
Any system that relies on immutable data for day-to-day identification is doomed from the start.
That's the problem with the Equifax breach-- all the data I use to prove who I am-- SSN, driver's license, date of birth-- it's all been leaked. Biometrics doesn't change this-- except now my iris pattern, my thumbprint, my DNA-- they all get leaked-- but they still can't be changed once leaked.
We need something resembling a distributed PKI setup so that I can carry an "id card" with a private key I can sign transactions with-- but I need to be able to regenerate that key relatively simply at any local government office (and revoke any old keys still floating around). Note this shouldn't be my "show badge to enter" type ID-- this should be used for taxes, voting, credit checks-- things that you might today use an SSN for.
But this idea that we can have one identification that never changes, and is immune to data breaches, is just not feasible.
This shouldn't be hard to do.
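The reissue-and-revoke scheme proposed in the comment above, sketched as an added example that is not part of the original thread. A Lamport one-time hash-based signature built from the standard library stands in for whatever signature scheme a real card would use; the `Registry` class, the holder id and the sample message are hypothetical.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

class Registry:
    """Hypothetical issuing office: one active public key per holder."""
    def __init__(self):
        self.active = {}    # holder id -> current public key
        self.revoked = []   # replaced public keys, kept for audit

    def issue(self, holder):
        sk, pk = keygen()
        if holder in self.active:          # reissue revokes the old key
            self.revoked.append(self.active[holder])
        self.active[holder] = pk
        return sk                          # private key stays on the card

    def check(self, holder, msg, sig):
        pk = self.active.get(holder)
        return pk is not None and verify(pk, msg, sig)

def demo():
    reg = Registry()
    msg = b"constructed sample: authorise credit check"
    old_sk = reg.issue("holder-001")
    old_sig = sign(old_sk, msg)
    before = reg.check("holder-001", msg, old_sig)
    new_sk = reg.issue("holder-001")       # card lost: regenerate the key
    stale = reg.check("holder-001", msg, old_sig)
    fresh = reg.check("holder-001", msg, sign(new_sk, msg))
    return before, stale, fresh, len(reg.revoked)
```

The holder id never changes, but the credential bound to it does: after reissue, anything signed with the old key is rejected, which is the property a leaked fingerprint or iris pattern cannot offer.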
ID has two steps: 1) Username and 2) proof of identity. Biometrics make for a great username/login. You always have them and they take no effort to 'remember'. They make for a horrible proof/password:
1) They can't be changed if someone gets a hold of yours.
2) You leave copies all over the place (fingerprints, DNA samples, pictures of your eyes).
3) It is pretty easy to fake them.
excitingthingstodo.blogspot.com
You know of course that “The Moderators” are other SlashDot readers? I get “Mod Points” several times a month. I generally use mine to mod up insightful or truly funny posts. Occasionally, I’ll mod down someone who is really out of line. Is the alt-right active here? I’ve no proof but it would surprise me. I think that anonymity of most forums does bring out the angry and mean spirited without an organized conspiracy required.