Slashdot Mirror


The Case Against Biometric IDs (nakedcapitalism.com)

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.

The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests currently biometric ids are a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt-in to the collection of their personal data.

18 of 146 comments

  1. Or... by msauve · · Score: 5, Insightful

    Perhaps the proletariat shouldn't have to worry about it at all, and those who rely on identity (banks, mortgage companies, etc.) should be forced to assume all the liability and burden of proof when they get it wrong. And that includes being liable for libel if they incorrectly report against someone's creditworthiness.

    Just as copyright infringement isn't "theft," so too is there no real identity theft - the problem is on the other side, with those who accept numbers as a convenient but unreliable "proof" of identity. Their problem, not ours.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Or... by Bing+Tsher+E · · Score: 2

      And what the heck is wrong with paying a 'credit verification fee' rather than just freeloading on the back of all of society?

      Yeah. I know. LOTS of the heck is wrong. If you're a credit card company or a huckster who sells 'easy credit'.

    2. Re:Or... by Anonymous Coward · · Score: 2, Informative

      What "credit verification fee"? Banks, mortgage companies, etc. elsewhere are already liable for such things elsewhere without a "credit verification fee" or increasing the cost of borrowing.

      What you consider infeasible is actually the normal way of doing things in most of the world. It works well.

    3. Re:Or... by JohnFen · · Score: 2

      Replace that with your Biometric Passport.

      Most Americans don't have a passport, and many can't get one.

  2. The dangerous biometrics by markdavis · · Score: 5, Interesting

    Fingerprints and DNA should not be used for biometrics. Period.

    Using fingerprints or DNA and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to track what people are doing but because they should not have fingerprint registration data (which will be horribly abused).

    Stand up for your rights, people... and the rights of your children. Once you give this data to the government or big business, it will NEVER be erased or restricted, regardless of claims, policies, or laws- it will go into huge databases and shared between agencies and used however they want for as long as they want. Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.

    Fingerprints are something you leave all over the place all the time. They are easy to lift, copy, and forge. Easy to fake, easy to use to frame people. Time after time they have been shown to be poor for security and yet very effective at tracking people.

    DNA is even worse. Like fingerprints, you leave it all over the place all the time. Samples can be lifted and planted and analyzed. DNA is more than a means to ID, it contains very sensitive information about you.

    Iris scan is better than DNA or fingerprints- there is no leaving your iris image all over, and it doesn't say that much about you. But your eyes (iris, not retinal) could be scanned without your permission by any high resolution camera pointed at your face, even your own.

    There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

    Example: http://www.m2sys.com/palm-vein...
    More info: https://en.wikipedia.org/wiki/...

    We also need to realize that IT IS NOT EVERYONE'S BUSINESS WHAT WE ALL DO. The first step in securing freedom is privacy. When you are tracked, you are losing your freedom, whether you realize it or not. You should not have to positively ID yourself for ALL transactions. A good example is age verification. There is an important place for anonymity and semi-anonymity in a free society.

    1. Re:The dangerous biometrics by Junta · · Score: 4, Funny

      Yep nothing like a credential I leave behind on any surface I touch.

      It's funny, there's a room at work that (in part) is secured by a fingerprint reader. It's about 10 feet from a door that you can see the fingerprints clearly left behind as people push the doors open on the way to the fingerprint reader.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:The dangerous biometrics by Anonymous Coward · · Score: 4, Interesting

      There is only one safer and practical biometric I know of- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

      Vein matching has been used forensically, most notably to tie Khalid Sheikh Mohammed to the murder of Daniel Pearl.

      Forensic identification

      According to a 31,000-word investigative report published in January 2011 by Georgetown University faculty and students,[11][12][13][14][15] U.S. federal investigators used photos from the video recording of the beheading of American journalist Daniel Pearl to match the veins on the visible areas of the perpetrator to that of captured al-Qaeda operative Khalid Sheikh Mohammed, notably a "bulging vein" running across his hand.[4] The FBI and the CIA used the matching technique on Mohammed in 2004 and again in 2007.[3] Officials were concerned that his confession, which had been obtained through torture (namely waterboarding), would not hold up in court and used vein matching evidence to bolster their case.[2]

      Granted, this was using a bulging surface vein rather than a deep vein, but it was done by using images taken from a video. The point is that biometric data leaks and once out can not be retrieved or changed. It makes for a terrible password for that very reason.

      Deep palm vein matching may not presently have a known method for creating dummy fakes, but that does not mean it never will. Best to rule out biometrics for all authentication tasks and leave it solely for use in identification without authentication.

    3. Re:The dangerous biometrics by markdavis · · Score: 2

      >"Deep vein palm scan? What kind of expensive piece of equipment is that going to take every time I want to do a credit check on a potential customer? Jesus H. Christ. It needs to be simpler than that."

      I wasn't referring to using this for everyday transactions, precisely because we shouldn't have to use biometrics for such trivial things (it is dangerous). Biometrics should be reserved only for IMPORTANT ID, like interactions with the police, court, deeds, wills, sensitive medical care, etc.

      As for expense- a deep vein scanner is no more expensive than a fingerprint scanner, and it is just as fast. It is also almost as easy to use.

    4. Re:The dangerous biometrics by ShanghaiBill · · Score: 2

      Deep vein palm scan? What kind of expensive piece of equipment is that going to take

      A box with an IR light and two $5 CMOS cameras.

    5. Re:The dangerous biometrics by rtb61 · · Score: 2

      Let's not worry about the people, let's concern ourselves with the computers. The computer said so, should never ever be enough to identify someone. Just like that person being real and actual, not just virtual so the record of them actual, a real hard copy. To rely on biometric data, relies totally on the record of biometric data being associated with you. Alter that database link, associate someone else's biometric data with your legal identity and they become you.

      This limits prime record data to hard copy, extremely difficult to replace, many hard copies can be created and kept. Computerised biometric identification as the only identification is extremely dangerous. You could be legally killed i.e. your legal data associated with a deceased body and you legally become dead and now you have to fight the central database that all their biometric records of you are wrong (well, only one record, one signal bit of identity, that link from your biometric data to your legal identity data). Now for the cheeky minded, allow them to implement the system and then, heh, heh, erase all data, watch the chaos then with no manual system backing it all up. All being erased a rare probability, some records being accidentally erased or altered a near certainty.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:The dangerous biometrics by markdavis · · Score: 2

      >"I can almost guarantee that you have" [had searches done on a databases that contain your prints]

      Reply to self- just to clarify (since after I read my reply again, it might not be evident), every time ANY collected print is searched, it is compared to every print to which they have access. If your print is in one of those databases, you are being searched. And since the databases are shared, it is likely that at least high-level-agency searches will search through just about every database out there.

      The act of searching is already invasive, but in addition, the more prints and searches, the higher the probability of false positives. This is compounded with the number of searches, which goes up every year.

      Even with a true positive, it can place you in a position of having to prove your innocence because:

      1) A print doesn't mean you were there or touched anything if it was fake or a plant/frame.

      2) Even if you were there, it doesn't mean you were there when something of interest happened because there is no time reference.

      3) And either way, a print doesn't mean you actually did anything.

  3. Immutable Data by Anonymous Coward · · Score: 5, Insightful

    Any system that relies on immutable data for day-to-day identification is doomed from the start.

    That's the problem with the Equifax breach-- all the data I use to prove who I am-- SSN, driver's license, date of birth-- it's all been leaked. Biometrics doesn't change this-- except now my iris pattern, my thumbprint, my DNA-- they all get leaked-- but they still can't be changed once leaked.

    We need something resembling a distributed PKI setup so that I can carry an "id card" with a private key I can sign transactions with-- but I need to be able to regenerate that key relatively simply at any local government office (and revoke any old keys still floating around). Note this shouldn't be my "show badge to enter" type ID-- this should be used for taxes, voting, credit checks-- things that you might today use an SSN for.

    But this idea that we can have one identification that never changes, and is immune to data breaches, is just not feasible.

    This shouldn't be hard to do.
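The reissue-and-revoke idea in the comment above can be shown in a few lines. This is an added example, not code from the thread or any real ID scheme; the `Registry` and `Card` types, the holder id and the sample transaction are all hypothetical, and Ed25519 is an assumed choice of signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card stands in for the ID card: it holds the private key and signs with it.
type Card struct{ key ed25519.PrivateKey }

func (c Card) Sign(tx []byte) []byte { return ed25519.Sign(c.key, tx) }

// Registry is the issuing office's record: one current public key per holder.
// All names here are hypothetical.
type Registry struct{ current map[string]ed25519.PublicKey }

func NewRegistry() *Registry {
	return &Registry{current: map[string]ed25519.PublicKey{}}
}

// Issue generates a fresh key pair and replaces the holder's previous public
// key, so anything signed with an older card stops verifying.
func (r *Registry) Issue(holder string) (Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Card{}, err
	}
	r.current[holder] = pub
	return Card{key: priv}, nil
}

// Revoke removes the holder's key without issuing a new one (lost card).
func (r *Registry) Revoke(holder string) { delete(r.current, holder) }

// Verify accepts a transaction only if signed by the holder's current key.
func (r *Registry) Verify(holder string, tx, sig []byte) error {
	pub, ok := r.current[holder]
	if !ok {
		return errors.New("no valid key on record")
	}
	if !ed25519.Verify(pub, tx, sig) {
		return errors.New("signature does not match current key")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	tx := []byte("credit check authorised") // constructed sample transaction
	leaked, _ := reg.Issue("holder-001")    // constructed holder id
	fmt.Println("original card:", reg.Verify("holder-001", tx, leaked.Sign(tx)))
	fresh, _ := reg.Issue("holder-001") // reissued after the first key leaked
	fmt.Println("leaked card:  ", reg.Verify("holder-001", tx, leaked.Sign(tx)))
	fmt.Println("new card:     ", reg.Verify("holder-001", tx, fresh.Sign(tx)))
}
```

Unlike an SSN or a fingerprint template, the leaked private key is worthless once the registry holds a different public key for the same holder.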

  4. Accountability is dead by MangoCats · · Score: 2

    Who in their right mind would stand up and be accountable for operations that exceed their personal fortune by factors of 1000s? What possible form of compensation could be adequate for such liability?

    Yes, corporate operations transparency and accountability are great measures to improve the current situation. Unfortunately, we're more likely to get gun control and single-payer health care passed first.

  5. Name vs proof. by gurps_npc · · Score: 3, Insightful

    ID has two steps: 1) Username and 2) proof of identity. Biometrics make for a great username/login. You always have them and they take no effort to 'remember'. They make for a horrible proof/password:

    1) They can't be changed if someone gets a hold of yours.

    2) You leave copies all over the place (fingerprints, DNA samples, pictures of your eyes).

    3) It is pretty easy to fake them.

    --
    excitingthingstodo.blogspot.com
  6. Re:MODERATORS ARE CENSORING POSTS... apk by mschwanke97402 · · Score: 2, Insightful

    You know of course that “The Moderators” are other SlashDot readers? I get “Mod Points” several times a month. I generally use mine to mod up insightful or truly funny posts. Occasionally, I’ll mod down someone who is really out of line. Is the alt-right active here? I’ve no proof but it would surprise me. I think that anonymity of most forums does bring out the angry and mean spirited without an organized conspiracy required.

  7. Re:Revalation 13 by dgatwood · · Score: 3, Informative

    Christians have been on the watch out for a one world government that controls all trade.

    Most Christians generally recognize that Revelation was about Emperor Nero, some two thousand years ago. How do we know this? Hebrew letters also have a numerical value, and the Hebrew letters for Nero's name sum to 666. The rest of the things in Revelation are also historical, mapping onto actual events not long after the time of Christ. There's no biblical support for the view that anything in Revelation is about the future (anymore). It's all ancient history (now).

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Identification vs authentication by Aethedor · · Score: 4, Interesting

    Biometrics are often heard as the alternative for the password. To see if that's a good alternative, let's take a look at the characteristics of both username and password.

    The username

    • It's not secret. It's often your name, e-mail address, employee number, etc.
    • It's very common for people to have the same username at different systems. Especially at companies.
    • Changing your username is not possible in most cases.

    The password

    • It should be kept secret.
    • For improved security, you should choose a different password for each system.
    • Most systems allow you to change your password.

    Now, let's take a look at the characteristics of biometric information:

    • They are not secret. You leave your fingerprints everywhere and with high resolution cameras it's not difficult to take your iris scan.
    • Since you have only 10 fingers and two eyes, you will probably have the same biometric ID for many systems.
    • You are not able to change any of your biometric information.

    Conclusion: biometric information is more like a username than like a password. So, the only way to properly use biometrics is to use it for identification, not for authentication. Giving biometric information to the government for authentication purposes is dangerous. The government probably doesn't understand this topic very well, so they will probably use it in the wrong way (for authentication). Because they believe it to be more secure (thanks to all the sales talks of companies selling biometric stuff), you end up having an even bigger problem than now in case of identity theft.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  9. The serious problem with biometrics by JohnFen · · Score: 2

    The serious problem with biometrics is that if your "id" is stolen, you can't change it. You're simply screwed.