The Case Against Biometric IDs

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.
The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests currently biometric ids are a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt-in to the collection of their personal data.

The dangerous biometrics

[markdavis]

Fingerprints and DNA should not be used for biometrics. Period.

Using fingerprints or DNA and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to track what people are doing but because they should not have fingerprint registration data (which will be horribly abused) .

Stand up for your rights, people... and the rights of your children. Once you give this data to the government or big business, it will NEVER be erased or restricted, regardless of claims, policies, or laws- it will go into huge databases and shared between agencies and used however they want for as long as they want. Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.

Fingerprints are something you leave all over the place all the time. They are easy to lift, copy, and forge. Easy to fake, easy to use to frame people. Time after time they have been shown to be poor for security and yet very effective at tracking people.

DNA is even worse. Like fingerprints, you leave it all over the place all the time. Samples can be lifted and planted and analyzed. DNA is more than a means to ID, it contains very sensitive information about you.

Iris scan is better than DNS or fingerprints- there is no leaving your iris image all over, and it doesn't say that much about you. But your eyes (iris,
not retinal) could be scanned without your permission by any high resolution camera pointed at your face, even your own.

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

Example: http://www.m2sys.com/palm-vein...
More info: https://en.wikipedia.org/wiki/...

We also need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO. The first step in securing freedom is privacy. When you are tracked, you are losing your freedom, whether you realize it or not. You should not have to positively ID yourself for ALL transactions. A good example is age verification. There is an important place for anonymity and semi-anonymity in a free society.

Re:The dangerous biometrics

There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

Vein matching has been used forensically, most notably to tie Khalid Sheikh Mohammed to the murder of Daniel Pearl.

Forensic identification

According to a 31,000-word investigative report published in January 2011 by Georgetown University faculty and students,[11][12][13][14][15] U.S. federal investigators used photos from the video recording of the beheading of American journalist Daniel Pearl to match the veins on the visible areas of the perpetrator to that of captured al-Qaeda operative Khalid Sheikh Mohammed, notably a "bulging vein" running across his hand.[4] The FBI and the CIA used the matching technique on Mohammed in 2004 and again in 2007.[3] Officials were concerned that his confession, which had been obtained through torture (namely waterboarding), would not hold up in court and used vein matching evidence to bolster their case.[2]

Granted, this was using a bulging surface vein rather than a deep vein, but it was done by using images taken from a video. The point is that biometric data leaks and once out can not be retrieved or changed. It makes for a terrible password for that very reason.

Deep palm vein matching may not presently have a known method for creating dummy fakes, but that does not mean it never will. Best to rule out biometrics for all authentication tasks and leave it solely for use in identification without authentication.

Identification vs authentication

[Aethedor]

Biometrics are often heard as the alternative for the password. To see if that's a good alternative, let's take a look at the characteristics of both username and password.

The username

• - It's not secret. It's often your name, e-mail address, employee number, etc.
• - It's very common for people to have the same username at different systems. Specially at companies.
• - Changing your username is not possible in most cases.

The password

• - It should be kept secret.
• - For improved security, you should choose a different password for each system.
• - Most systems allow you to change your password.

Now, let's take a look at the characteristics of biometric information:

• - They are not secret. You leave your fingerprints everywhere and with high resolution camera's it's not difficult to take your iris scan.
• - Since you have only 10 fingers and two eyes, you will probably have the same biometric ID for many systems.
• - You are not able to change any of your biometric information.

Conclusion: biometric information is more like a username than like a password. So, the only way to properly use biometrics is to use it for identification, not for authentication. Giving biometric information to the government for authentication purposes, is dangerous. The government probably doesn't understand this topic very well, so they will probably use it in the wrong way (for authentication). Because they believe it to be more secure (thanks to all the sales talks of companies selling biometric stuff), you end up having an even more bigger problem than now in case of identity theft.