Will biometrics grow up?

Ann Cavoukian has really thought about biometrics – and fingerprinting. As the Privacy Commissioner of Ontario, she hasn't hesitated to join the conversation we have been having as technologists – and has contributed to it in concrete ways. For example, beyond bringing the Laws of Identity to the attention of policy makers, she extended them to make all the privacy implications explicit.

Now she and Alex Stoianov, a biometrics scientist, have published a joint paper called Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy. It is too early to know to what extent Biometric Encryption (BE) will achieve its promise and become a mainstream technology. But everyone who reads the paper will understand why it is absolutely premature to begin using “conventional biometrics” in schools – or pubs. The following table, taken from the paper, summarizes the benefits BE could hold out for us:

| | Traditional Biometrics: Privacy OR Security – A Zero-Sum Game | Biometric Encryption: Privacy AND Security – A Positive-Sum Game |
|---|---|---|
| 1 | The biometric template stored is an identifier unique to the individual. | There is no conventional biometric template, therefore no unique biometric identifier may be tied to the individual. (pp. 16, 17) |
| 2 | Secondary uses of the template (unique identifier) can be used to log transactions if biometrics become widespread. | Without a unique identifier, transactions cannot be collected or tied to an individual. (pp. 17, 25) |
| 3 | A compromised database of individual biometrics or their templates affects the privacy of all individuals. | No large databases of biometrics are created, only biometrically encrypted keys. Any compromise would have to take place one key at a time. (p. 23) |
| 4 | Privacy and security not possible. | Privacy and security easily achieved. (pp. 17-20, 26-28) |
| 5 | Biometric cannot achieve a high level of challenge-response security. | Challenge-response security is an easily available option. (pp. 26-28) |
| 6 | Biometrics can only indirectly protect privacy of personal information in large private or public databases. | BE can enable the creation of a private and highly secure anonymous database structure for personal information in large private or public databases. (pp. 19, 20, 27) |
| 7 | 1:many identification systems suffer from serious privacy concerns if the database is compromised. | 1:many identification systems are both private and secure. (pp. 17, 20) |
| 8 | Users’ biometric images or templates cannot easily be replaced in the event of a breach, theft or account compromise. | Biometrically encrypted account identifiers can be revoked and a new identifier generated in the event of breach or database compromise. (p. 17) |
| 9 | Biometric system is vulnerable to potential attacks. | BE is resilient to many known attacks. (p. 18) |
| 10 | Data aggregation | Data minimization (p. 17) |

I'll be writing about the basic idea involved in BE. But I advise downloading the paper since beyond BE, it provides an excellent and well structured discussion of the issues with biometrics in general.
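To make rows 1, 3 and 8 of the table tangible, here is a toy biometric-encryption scheme in Go. It is an added example written for this page, not code from the Cavoukian/Stoianov paper or from this blog, and it assumes the fuzzy-commitment construction (key bound to the biometric through an error-correcting code) as its mechanism, since that is one of the published BE approaches; the paper itself is not quoted here. Only helper data and a hash of the key are stored, a slightly noisy reading of the same finger releases the key, an impostor reading or a too-noisy one does not, and re-enrolling under a fresh key revokes the old one without the stored data ever containing the biometric itself. The 16-bit key, the 7-fold repetition code and the 0/1 feature vectors are constructed parameters chosen for readability, not values from the paper.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy parameters: a 16-bit key, each bit repeated 7 times, so the "biometric" is
// a 112-bit feature vector held as one byte (0 or 1) per bit. Real schemes use
// much longer vectors and stronger codes; the structure is the same.
const KeyBits, Rep = 16, 7
const BioBits = KeyBits * Rep

// Commitment is the only thing stored. Helper is codeword XOR biometric;
// KeyHash lets the verifier recognise the right key without storing it.
type Commitment struct {
	Helper  []byte
	KeyHash [32]byte
}

// encode expands each key bit into Rep copies (a repetition code).
func encode(key []byte) []byte {
	code := make([]byte, 0, BioBits)
	for _, b := range key {
		for i := 0; i < Rep; i++ {
			code = append(code, b)
		}
	}
	return code
}

// decode recovers each key bit by majority vote over its Rep copies, which
// tolerates up to (Rep-1)/2 flipped bits per block.
func decode(code []byte) []byte {
	key := make([]byte, KeyBits)
	for i := range key {
		ones := 0
		for _, b := range code[i*Rep : (i+1)*Rep] {
			ones += int(b)
		}
		if ones*2 > Rep {
			key[i] = 1
		}
	}
	return key
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Enroll binds a freshly chosen key to the biometric. Neither the key nor the
// biometric is stored, only their combination plus a hash of the key.
func Enroll(bio, key []byte) Commitment {
	return Commitment{Helper: xor(encode(key), bio), KeyHash: sha256.Sum256(key)}
}

// Release tries to recover the key from a fresh, noisy reading. It succeeds only
// if the reading differs from the enrolled one within the code's error budget.
func Release(c Commitment, bio []byte) ([]byte, bool) {
	key := decode(xor(c.Helper, bio))
	return key, sha256.Sum256(key) == c.KeyHash
}

// Noisy returns a copy of bio with the first n bits of every block flipped,
// simulating a sensor that gets n bits per block wrong.
func Noisy(bio []byte, n int) []byte {
	out := append([]byte(nil), bio...)
	for i := range out {
		if i%Rep < n {
			out[i] ^= 1
		}
	}
	return out
}

// randomBits makes constructed sample data: a random 0/1 vector of length n.
func randomBits(n int) []byte {
	buf := make([]byte, n)
	rand.Read(buf)
	for i := range buf {
		buf[i] &= 1
	}
	return buf
}

func main() {
	bio, key := randomBits(BioBits), randomBits(KeyBits)
	c := Enroll(bio, key)
	got, ok := Release(c, Noisy(bio, 3))
	fmt.Println("genuine reading, 3 errors/block:", ok, bytes.Equal(got, key))
	// Revocation: re-enrol the same finger under a new key. The old key is dead and
	// the new stored data is unrelated to the old, though the finger is the same.
	c2 := Enroll(bio, randomBits(KeyBits))
	got2, _ := Release(c2, bio)
	fmt.Println("re-enrolled data releases old key:", bytes.Equal(got2, key), "helper reused:", bytes.Equal(c.Helper, c2.Helper))
}
```

Two caveats a practitioner would attach. First, the stored KeyHash is what an attacker would have to attack "one key at a time" (row 3), and with a 16-bit key that attack is trivial; real designs use keys of cryptographic length and codes such as BCH so that neither brute force on the hash nor analysis of the helper data is cheap. Second, a repetition code leaks far more about the biometric through the helper data than the stronger codes used in practice, so this block shows the shape of the construction, not its security margin.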

Name that scam

Received this email from a reader.  Has anyone any idea what was going on? 

Yesterday afternoon, at approx 2:10pm, I started receiving emails (and phone calls) from a variety of websites, mostly financial (home loans, car loans, debt consolidation) but also other services (BMC music, TheScooterStore, Netflix), claiming to be responding to requests from me (at their websites) for services or information.

I’ve received about a dozen emails over the past 24hrs, and about the same number of phone calls at home and about half a dozen at work. 
So somebody is entering my name and personal information (home & work phone, work email, home address & home value – all relatively public info – so far nothing worse like SSN or other credit info) into a variety of websites and signing me up for various services. 

Some of these websites (I have spoken with several sales people on the phone) are part of marketing networks that either share or sell such information (leads) and I have tracked several of these down to a common source, although it appears that there are at least several root sources involved.

My question is this: what is the scam? 

It's possible it's just personal harassment and there is someone out there that is trying to give me a bad time or is playing a not-so-funny joke.

It doesn’t feel like identity theft – they don’t seem to have private info, but instead seem to have assembled some relatively public info and are inputting that into a bunch of websites. 

Could this be someone trying to defraud a marketing network? If so, do you know how that works? 

Ever heard of anything like this before? (maybe this is a common thing?) 

Btw, at least some of the companies contacting me are legit (QuickenLoans for example, and they were quite helpful on the phone) so it seems the “fraud” is on the input side?

I asked the person who was the target of this attack how he knew for sure he had been speaking with people from QuickenLoans, for example.  It seems they just seemed credible, and helpful, so he never questioned their claims or asked to call them back.

It all reminds me of this.

Hong Kong teaches London about civil liberties

Seven hundred and ninety-two years after the Magna Carta, Britain has fallen behind Hong Kong when it comes to civil liberties.  It looks like the US could take a page from the colony's book as well.  This piece is from The Register:

The Hong Kong privacy commissioner has ordered a school to stop fingerprinting children before it becomes a runaway trend that is too late to stop

The school, in the Kowloon District, installed the system last year but, under the order of the Hong Kong Privacy Commission, has ripped it out and destroyed all the fingerprint data it had taken from children.

Roderick Woo, Justice of the Peace at the Hong Kong Office of the Privacy Commissioner, told El Reg he had decided to examine the issue immediately after the first school installed a fingerprint reader to take registers in his jurisdiction.

And, he decided: “It was a contravention of our law, which is very similar to your law, which is that the function of the school is not to collect data in this manner, that it was excessive and that there was a less privacy-intrusive method to use.”

In other words, he said, what better way is there for a teacher to take a register than to look around the class, note who's missing, and take down their names for the record. Measuring fingerprints seemed a little over the top for the task in hand, which translated into terms understood by privacy laws, means that the use of information technology was not proportionate to the task in hand.

He also looked at the need of schools to get consent from either pupils or parents before they took fingerprints at class registration. This is an avenue being considered by parents in the UK who want to challenge schools that have taken their children's fingerprints without parental consent.

Britain's Information Commissioner has said it might be enough for a school to get the consent of a child before taking its fingerprints.

Woo, however, decided otherwise: “I considered the consent of the staff and pupils rather dubious, because primary school's consent in law cannot be valid and there's undue influence. If the school says, ‘give up your fingerprint’, there's no way of negotiating.

“Also it's not a good way to teach our children how to give privacy rights the consideration they deserve,” he added.

That is another fear expressed by some parents opposed to their children being fingerprinted, even when the majority of the systems in use are much more primitive than those used in criminal investigations.

The Hong Kong Office of the Privacy Commissioner ordered the school to remove the fingerprint system in the hope it would discourage other schools from installing similar systems without careful consideration, and prevent a rush of school fingerprinting as has occurred in Britain.

However, Woo did note that other schools could not fingerprint their children for other purposes.

“That's not to say I'm opposed to any fingerprint scanning systems. I will look at any complaint on a case by case basis. It's not an anti hi-tech attitude I take,” he said.

U.K. wants beerdrinkers’ fingerprints

More news from the U.K. biometrics front.  Here is a piece by Rogier van Bakel from his site – Nobody's business:

All 12 million kids in the country will have to be fingerprinted. Actually, that's not news — I wrote about it here. What's news (to me) is that parents will likely have no way to opt out on behalf of their children. They can't tell Little Nigel to tell the government's data-miners to shove it.

See if you can follow the logic here without gasping.

David Smith, deputy Information Commissioner, said it was a complex issue that was still being worked out, but it was likely that parents did not have an automatic right to decide whether their children's biometrics could be taken by a school.

“The Data Protection Act talks of consent of the individual — essentially that's consent of the child,” he said. “Now there's a requirement that consent is informed and freely given. That will depend on the age of the child,” he said. “The idea is that as long as children can understand the implications of what they are being asked to do, they can give consent without deferring to their parents. The Data Protection Act is about the pupil's rights, not the parents’ rights over the children's information,” said Smith.

Can a six-year-old understand the implications? A ten-year-old? A thirteen-year-old? It's doubtful, but somehow, the government is fully prepared to consider these pupils — and itself — to be more competent in such matters than the children's own parents.

Also note Mr. Smith's up-is-down government-speak when he spins the ominous legal requirement for children to surrender their biometric data as if it were really a right — one that must be protected from the ignorant stubbornness of Mum and Dad.

Meanwhile, in the name of crime prevention, U.K. authorities are ordering citizens who visit clubs and pubs to get fingerprinted, too. No joke.

The government is funding the roll-out of fingerprint security at the doors of pubs and clubs in major English cities. Funding is being offered to councils that want to have their pubs keep a regional black list of known trouble makers. The fingerprint network installed in February by South Somerset District Council in Yeovil drinking holes is being used as the showcase. “The Home Office have looked at our system and are looking at trials in other towns including Coventry, Hull & Sheffield,” said Julia Bradburn, principal licensing manager at South Somerset District Council. Gwent and Nottingham police have also shown an interest, while Taunton, a town neighbouring Yeovil, is discussing the installation of fingerprint systems in 10 pubs and clubs with the systems supplier CreativeCode.

In order to qualify for a new license, a pub owner or club manager will have to promise to install a fingerprinting system. If, after the system is in place, customers fail to display a “considerable” reduction in alcohol-related violence, the drinking establishments could have their licenses revoked.

I'll make just a brief comment about both these issues.

I think the student should be able to refuse consent if she doesn't want to be fingerprinted, and the parent should be able to refuse it on her behalf as well.  After all, the child should learn how to protect herself, though ultimate responsibility lies with the parent.  Further, as shown by Joy's “No scan, no eat” report, we need some way to prevent the bullying of children (and parents) into submission.

As for fingerprinting people on their way into pubs, all I can say is:  Britain, get a grip!    As a Canadian, it's like watching a loved one losing her mind.

Mass fingerprinting of children will start in 2010

More good news from The Sunday Times in Britain: 

CHILDREN aged 11 to 16 are to have their fingerprints taken and stored on a secret database, internal Whitehall documents reveal.

The leaked Home Office plans show that the mass fingerprinting will start in 2010, with a batch of 295,000 youngsters who apply for passports.

The Home Office expects 545,000 children aged 11 and over to have their prints taken in 2011, with the figure settling at an annual 495,000 from 2014. Their fingerprints will be held on a database also used by the Immigration and Nationality Directorate to store the fingerprints of hundreds of thousands of asylum seekers.

The plans are outlined in a series of “restricted” documents circulating among officials in the Identity and Passport Service. They form part of the programme for the introduction of new biometric passports and ID cards.

David Davis, the shadow home secretary, said: “This borders on the sinister and it shows the government is trying to end the presumption of innocence. With the fingerprinting of all our children, this government is clearly determined to enforce major changes in the relationship between the citizen and the state in a way never seen before.”

…Children under 16 will not be part of the ID card scheme. But the documents show that from 2010 they will still have to be fingerprinted for a new passport.

The prints will initially be stored on the directorate’s database. Once children reach 16 their fingerprints and other personal information will be passed for storage on the register, along with those of nearly 50m adults.

If they don't scan, they don't eat

The more I look into this story, the worse it gets.  We don't have to go to Britain for examples of child fingerprinting – just take a look at this email from a lady in Illinois:

Kim,

My name is Joy and I am continuing to get the word out & tell this true story.

In August 2005, our public school district with less than 500 students decided to start using biometric equipment for “accounting purposes”.  We were told at registration to take our children over and have them scanned.  (There was not an opt out or opt in policy).

I objected and said no – our children are not to use this equipment -especially when there is not a policy to look over.

We were told, “if they don't scan ,they don't eat.”

I explained I believed that to be against the law and the rights of the children as well as parental rights.  I was then told that this equipment would put Earlville, Illinois on the map (not like they thought).  A few days later I gave birth to our youngest daughter, on Aug 20, 2005, and explained to my husband that when I recovered I was going to discuss this matter with the district administration again.

Meanwhile my eldest children Brooke & Gunner were still brown bagging it.  Well, Sept 21, 2005 my 7 year old son was scanned anyway – even though he reminded the “tech director” that he was not to scan.

I of course called the school and started receiving excuses from the administrative staff.  I went to the local paper, the school board and still did not feel as if we were getting very far with our objection.  I then decided to write to Illinois legislators and the media.

Senator Miguel Del Valle introduced SB 2549 in Jan, 2006. CBN came to our town and interviewed us (as well as Senator Miguel Del Valle on a different date.)  The story aired Nov 7, 2006.  Then Senator Miguel Del Valle stepped down and took another position in Chicago. SB 2549 – session sine die.

There I was again writing and calling the media and legislators.  In Jan,  2007 I was invited to speak with some privacy advocates and share this almost unbelievable story.  In Feb, 2007 two bills were introduced and are passing:  HB 1559,  introduced by State Rep Bob Pritchard; and SB 1702, introduced by Senator Kim Lightford.

I have several newspaper articles as well as letters from the Superintendent stating that my 7 year old son willingly gave up his finger.  Info about this story can also be found on EFF's Deeplinks, the Cato Institute, The End times and of course the CBN website.   As soon as I get updated on the bills I can notify you.   In the meantime I will continue to get the word out and search for advice on this matter.

I had my finger impression scanned for an Illinois licensure requirement, however I am a mother of five, over 30 and a private detective.

Not a minor child trying to buy hot lunch at school.  We know that the data on these children can be sold, given away and anyone who knows how to write a FOIA can have access to this info.

Joy Robinson-Van Gilder

Make sure children are calm

Continuing to explore the new specialty of child fingerprinting, I came across a nice piece on this phantasmagorical teaching aid:

Not surprisingly, people are responding to this preposterous misuse of identity with sites like leavethemkidsalone.  These people know how to communicate.  Take a look at this little video.

Amazingly, those caught up in child fingerprinting have broken the first four laws of identity all in one go.  This will come back to haunt them – and much worse, may stalk some of their little victims.

First, both the parents and the children should have been asked for consent – and given the opportunity to opt out (law 1).  Second, far more information is being collected than is required by what the schools are using it for (law 2).  Third, this information is in the hands of unwarranted parties (law 3).  Fourth, a non-revocable omnidirectional identifier (you can't change fingerprints) is being used in an interaction where a unidirectional (context-specific) identifier would do just fine, paving the way for many attacks on the individuals’ privacy and security (law 4).

Strangest of all, though we can predict with near certainty that the information being collected will leak over time, the schools and government seem to have no concern for the unnecessary liability they are assuming.  Strange.  Perhaps, in Britain, they are immune to lawsuits?

Already we see the first repercussions.  In fact the Dudley school system teaching aid shown above was taken down in response to a leavethemkidsalone story.

3,500 British schools fingerprinting their children

Greg Mulholland, a British MP, has drawn my attention to a misuse of identity technology that not only concerns me, but saddens me. 

I'm a pretty hard-bitten technologist.  I long ago observed that one of the unfortunate characteristics of computers is that they allow people to do stupid things thousands of times more quickly than they did before. 

But this one goes beyond silly to abusive.  It involves inflicting a technology that is not yet ready for use in the real world, on young children.  An analogy might be a decision, by people who don't realize testing is necessary, to inject students with an untested vaccine.  And worse, the parents have no opportunity to opt out. 

This is one of those cases where ignorance breeds Sorcerer's Apprentices who act without the slightest knowledge that there will be consequences to what they do.

On a personal note, I can't help responding as one who has taught – albeit, not to children.  I wonder what has happened to our teachers, whose job must be to know their students intimately and respond, with open hearts, to their needs and abilities?  What macabre pathways led them to introduce impersonal and mechanized technologies like RFID and – the mind boggles – fingerprinting, as a substitute for personal interaction?  I see a tear in Socrates’ eye.

In Britain, not only do an estimated 3,500 schools already use fingerprinting, but, in astonishing ignorance of the first law of identity, parental consent is not required.  If it had been, the technical and security issues now coming to light would have been raised earlier, and the money which has been poured down this pathetic technology drain could have been used to better ends.

The following is a story on the BBC web site about the growing controversy and the government's new “guidelines” on fingerprinting in schools:

The guidelines, published next month, will “encourage” schools to seek consent before taking biometric data.

The move comes after it emerged some primary schools stored children's thumb prints for computerised class registers and libraries without parental consent.

The Department for Education and Skills (DfES) says it does not have figures for how many schools are already using biometric data.

However, a web poll by lobby group Leave Them Kids Alone, estimated that 3,500 schools had bought equipment from two DfES-approved suppliers.

Under the Data Protection Act, schools do not have to seek parental consent to take and store children's fingerprints.

‘Sensitive area’

But privacy watchdog the Information Commissioner will urge them to do so from next month after pressure from parents and campaign groups.

“Because this is a fairly sensitive area – because young people are going to be sharing their personal information – we are encouraging schools to adopt best practice and seek the consent of both pupil and parent,” a spokesman for the Information Commissioner said.

Schools will also be reminded that they must not share the data with other organisations.

They have also been told they should only hold fingerprint and other information “as long as it is necessary for the purpose for which it is being processed”.

But the moves are unlikely to satisfy campaigners, who have been calling for a change in the law to ban fingerprint scanners from school premises.

‘Social conditioning’

The director of lobby group Action on Rights for Children, Terri Dowty, said having fingerprint technology in schools – allowing students to register, use the library and buy canteen food – was “encouraging children to be casual about their biometric data”.

Her views were echoed by Phil Booth from the anti-identity card campaign group No2ID.

He said: “We're talking about social conditioning. In a school environment it will make kids less concerned about their biometric data.”

But he also raised concerns about storing such information on “relatively insecure databases”.

Parent activist David Clouter said a lack of guidance from the DfES and the Information Commissioner had “produced a juggernaut of companies wanting to jump on the bandwagon” to sell equipment to schools.

‘Stolen identities’

He had been told that having biometric data in school libraries “would encourage people to read”.

“Given that children have been reading for centuries I find that hard to believe”.

A technology expert, Andrew Clymer, who has campaigned to keep biometrics out of the school attended by his children, aged six and eight, said that no IT system was guaranteed to last beyond a few years.

However, a fingerprint taken from a 4-year-old child would last a lifetime.

“Security is always developed with a timeframe, but biometric data is for a lifetime.

“We would potentially be opening up the possibility that in the future kids will have their identities stolen,” Mr Clymer said.

Guidance

Forty-seven MPs have signed a Commons motion tabled by Liberal Democrat MP Greg Mulholland calling for consent to be required for the collection of biometric data.

Shadow schools minister Nick Gibb has also asked schools minister Jim Knight about guidance.

Mr Knight responded that biometric information about pupils should be handled in the same way as other personal data about pupils, and said it was subject to the Data Protection Act 1998.

Under the Act, schools are not obliged to seek consent from parents, but they should provide notification of their use of data to individuals involved.

‘Common sense’

The DfES said fingerprints were used to help make school libraries, lunches and “management systems” run more smoothly and the information was stored as a “digital number stream” rather than individual prints.

Schools are also required by the Data Protection Act to tell parents about any information being held on their children and what it is being used for.

A DfES spokesman said: “It is important to remember that schools have always collected personal information, such as registers and home addresses, on pupils for their own smooth running.

“They are well used to handling all kinds of sensitive information to comply with data protection and confidentiality laws.

“Parents should be engaged in all aspects of school life and it is common sense for schools to talk to them about this and all issues relating to their children.”

The new guidance for schools will be available from the end of March on the website of Becta, the British Educational and Communications Technology Agency.

Delegation tokens and impersonation

I've been asked to clarify a couple of points by Devlin Daley and Bryant Cutler, who are studying with Phil Windley.

Delegation tokens 

Delegation tokens, as you've described them, (according to one of Dale Olds' recent posts) are not yet implemented in CardSpace.  Is that accurate? Is it soon to be added to the specification or is it still a work in progress?

I like Dale's piece, but think the “not yet implemented” statement might lead to confusion. 

One of the key characteristics of CardSpace is that it has no idea what kind(s) of token it is carrying.  It's hard to get this across – the practical meaning isn't obvious.  But your question about “delegation tokens” provides a good concrete example:  delegation coupons can be conveyed through CardSpace without any changes or extensions to it.  This doesn't mean anyone is doing so yet.  That is likely what Dale is talking about.

I've actually been thinking of putting together some demo code to show how this would work.  If you look at my “HelloWorld Card” tutorial,  you will see that rather than requesting and sending a “HelloWorld Card”, the relying party could easily be requesting a delegation coupon.  So CardSpace is actually ready for “delegation coupons”.

One can then ask what a delegation coupon would look like in concrete terms.  What's the best format for the (possibly multiple) constituent tokens?  The blogosphere discussion about delegation shows lots of people are thinking about this, but so far we haven't built the “early implementations” that let us explore the issues and problems concretely enough to emerge with a new standard.  I would be interested in learning about research systems built in the academic community to explore this territory – perhaps you can share your research with us.

Impersonation

Devlin and Bryant continue:

We've been bantering about the idea of delegation vs. impersonation. Clearly impersonating someone without them knowing is wrong and a serious problem. But, is impersonation “bad” if I give my express permission for someone to do so? (assuming there is a mechanism for revoking this permission).

In your Powell's and Amazon example, what if I don't want Powell's to know that I am supplying this information to Amazon? Obviously there are cases where we want to let others know that services are acting with our permission. Perhaps there are cases where we don't want to disclose that. Is granting the choice to me more user-centric?

You are quite right that, as per the first law of identity, the choice of what to disclose must always be in the hands of the user.  Further, if a user wants to delegate to a machine the ability to “be her”, that should be possible too.  Let's call it extreme delegation.  Our job is not to tell anyone that they should live in some particular way.  We might, however, have the responsibility of pointing out the technical dangers of this extreme, perhaps even recommending some interesting science fiction readings…

But I'll point out that it isn't necessary to do impersonation to achieve the goal you want to achieve in your example – preventing Powell's from knowing that you are supplying information to Amazon.  In fact there are two ways to use delegation to do this. 

The first is simply to create a coupon saying, “the holder of this key has the right to see my Powell's behavior”.  Then you give Amazon the coupon and the key.  In return, Amazon might give you assurances about how it will protect the coupon.  Meanwhile, it can retrieve the information it wants without revealing its identity.

Or you may wish to have an agent of your own to which you delegate the ability to assemble your behaviors, and the right to pass them on according to your dictates.  I personally think this is the most likely option since it provides optimal user control.  But even in this case, designing secure systems means limiting the capabilities delegated to that particular piece of software, rather than “making it into you” by having it operate in your identity.  There is zero need for impersonation.
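To make the first option concrete, here is an added example of the coupon “the holder of this key has the right to see my Powell's behavior”. It is my own illustration for this page, not CardSpace code and not code from the post: the user signs a coupon naming a freshly minted holder public key, one scope and an expiry; the delegate (Amazon, in the example) proves possession of that key against a nonce issued by the service; the service (Powell's) verifies the whole chain and can revoke by coupon ID. The user's own signing key never leaves her hands, so the delegate is limited to exactly the capability written in the coupon and can never “be her”. Ed25519 signatures, the pipe-separated canonical encoding, the scope name `read:behavior` and the account name `alice` are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Coupon is the statement the user signs: "the holder of HolderPub may perform
// Scope on my account until Expires". It carries none of the user's credentials.
type Coupon struct {
	ID, Issuer, Scope string
	HolderPub         []byte // delegate's public key
	Expires           int64  // unix seconds
	Sig               []byte // user's signature over signedBytes()
}

// signedBytes is the canonical encoding covered by the user's signature.
func (c Coupon) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%x|%d", c.ID, c.Issuer, c.Scope, c.HolderPub, c.Expires))
}

// Issue (user side): mint a key pair for the holder, sign the coupon, hand both to the delegate.
func Issue(userPriv ed25519.PrivateKey, issuer, scope string, ttl time.Duration) (Coupon, ed25519.PrivateKey) {
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := Coupon{ID: fmt.Sprintf("%x", holderPub[:8]), Issuer: issuer, Scope: scope, // ID: prefix of the fresh key
		HolderPub: holderPub, Expires: time.Now().Add(ttl).Unix()}
	c.Sig = ed25519.Sign(userPriv, c.signedBytes())
	return c, holderPriv
}

// Request is what the delegate presents: the coupon and a proof of possession of
// the holder key, bound to the requested action and a service-issued nonce.
type Request struct {
	Coupon       Coupon
	Action       string
	Nonce, Proof []byte
}

func (r Request) challenge() []byte {
	return append([]byte(r.Coupon.ID+"|"+r.Action+"|"), r.Nonce...)
}

func MakeRequest(c Coupon, holderPriv ed25519.PrivateKey, action string, nonce []byte) Request {
	r := Request{Coupon: c, Action: action, Nonce: nonce}
	r.Proof = ed25519.Sign(holderPriv, r.challenge())
	return r
}

// Service plays Powell's: it knows its users' public keys, issues one-time nonces
// and keeps a revocation list keyed by coupon ID.
type Service struct {
	Users            map[string]ed25519.PublicKey
	Pending, Revoked map[string]bool
}

func NewService() *Service {
	return &Service{Users: map[string]ed25519.PublicKey{}, Pending: map[string]bool{}, Revoked: map[string]bool{}}
}

func (s *Service) Challenge() []byte { // a nonce that exactly one request may consume
	n := make([]byte, 16)
	rand.Read(n)
	s.Pending[string(n)] = true
	return n
}

// Authorize checks every link in the chain; any failure refuses the request.
func (s *Service) Authorize(r Request, now time.Time) error {
	c := r.Coupon
	userPub, known := s.Users[c.Issuer]
	switch {
	case !known || !ed25519.Verify(userPub, c.signedBytes(), c.Sig):
		return errors.New("issuer unknown or coupon signature invalid")
	case now.Unix() > c.Expires:
		return errors.New("coupon expired")
	case s.Revoked[c.ID]:
		return errors.New("coupon revoked")
	case r.Action != c.Scope:
		return errors.New("action outside delegated scope")
	case len(c.HolderPub) != ed25519.PublicKeySize || !ed25519.Verify(c.HolderPub, r.challenge(), r.Proof):
		return errors.New("holder proof invalid")
	case !s.Pending[string(r.Nonce)]:
		return errors.New("nonce unknown or already used")
	}
	delete(s.Pending, string(r.Nonce)) // one nonce, one request: no replay
	return nil
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	svc := NewService()
	svc.Users["alice"] = userPub
	c, holderPriv := Issue(userPriv, "alice", "read:behavior", time.Hour)
	fmt.Println("in scope:", svc.Authorize(MakeRequest(c, holderPriv, "read:behavior", svc.Challenge()), time.Now()))
	fmt.Println("purchase:", svc.Authorize(MakeRequest(c, holderPriv, "purchase", svc.Challenge()), time.Now()))
}
```

Note what the service learns: it sees that someone holding the coupon's key is reading Alice's behaviour, but nothing in the exchange names Amazon, which is the information-hiding property the question asked for. The nonce binds each proof to a single request so a captured request cannot be replayed, and revocation is a one-line entry in the service's list, which is exactly the revocation mechanism the questioners assumed must exist.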

Your use case of information hiding can be handled without departing from my delegation maxim:

No one and no service should ever act in a person’s identity or employ their credentials when they’re not present.  Ever.

Putting several threads together, the user should act through a transducer to delegate to well-identified processes.

Cruise control and alcohol…

In a new comment, Ernst Lopes Cardozo book-ends our “transducer versus delegation” discussion with a spectacular real-life example.

I had been trying to tease apart the distinction between a transducer and an agent to which we have delegated, arguing that we need both classes of component in computerized systems.  Using the “gas pedal” as an example, I wrote:

I’m certain that Ernst would not argue that we “delegate” control of acceleration to the foot pedal in our car – the “foot-pedal-associated-components” constitute the transducer that conveys our intentions to engine control systems.

Ernst's response puts the whole discussion into stark relief:

I agree with your analysis. And yes, it is difficult.

Ten years ago the car of a well known Dutch opera singer caused a fatal accident while driving on the parking deck of the Amsterdam Arena. The singer, who was behind the wheel, successfully claimed that the accident was caused by his car’s cruise control, rather than his consumption of alcohol that night.  I don’t make this up.  Reality dovetails nicely with your examples.

Whether we use an innocent transducer or a possibly disobedient agent determines the deniability of the resulting actions.