Thumbprints Used To Check Books Out of School Library

krou writes "Junior students at Higher Lane Primary in Whitefield, Greater Manchester, are in a trial of a system that uses their thumbprints to check out and return books from a library. The thumbprints are 'digitally transformed into electronic codes, which can then be recognized by a computer program.' The system was developed by Microsoft, and is being trialled elsewhere in the country. NO2ID condemned the system, saying it was appalling, and that 'It conditions children to hand over sensitive personal information.' The headmaster has defended the scheme, saying, 'We have researched this scheme thoroughly. It is a biometric recognition system and no image of a fingerprint is ever stored. It is a voluntary system. The thumbprint creates a mathematical template. All parents have been written to and we have told them what the system is all about. From the responses we have had there has been overwhelming support. We hold a lot of information about children because we are a school. This is no different.'"

Next up

[0100010001010011]

School bans gummi bears [schneier.com]

Big Deal

[sensationull]

Big deal schools in the UK and NZ have been using this method for checking out books for ages. You try to get a six year old to remember a pin number or library card. Many also use public barcode lists of users instead due to the cost of fingerprint scanners and in some rare cases privacy concerns.

It's worth mentioning ...

[krou]

... that it's more widespread [bbc.co.uk] than the article Snip:

Many schools are fingerprinting pupils without parents' permission, teachers have warned.

It is thought around 100 schools in the UK now use fingerprint identification systems for registration, borrowing library books and cashless catering.

But there is no legal requirement for schools to seek parents' consent for using biometric technologies.

Riiights...

[vvaduva]

"All pupils' details are erased when they leave school."

They promise...this time is true! For real!

Re:Big Deal

[DeadPixels]

Back when I was in elementary school, all you did was tell the librarian your name and she'd look you up in the system. I don't recall if there was anything to prevent abuse of the system - they might have asked for a birthday or something. Either way, this just seems unnecessary more than it is concerning.

My company produces similar...

[SeraphEX]

I work for a software company that produces something similar for school cafeteria use. The points of reference on the print are so minimal that we've had to work very hard just to get a decent read. The chances of someone using the code outputted by our algorithm are nil. It is completely unusable data except by our program. The bottom line is that that unless the program is retaining an image of a child's fingerprint, there is no privacy concern here. Anyone who says otherwise is wallowing in their own FUD.

Re:Fingerprint != Private

[betterunixthanunix]

Do you commonly tag your biometric data with your legal identity? Sure, my fingerprints are left on the counter when I buy something at the corner store, but I do not sign those fingerprints with my name. When you start using fingerprints for library records, you essentially have a convenient database for tying those fingerprints to the people who own them, without the effort that was once necessary to do so (i.e. following someone around, picking through their trash, and so forth).

Re:Big Deal

[teh31337one]

Exactly what I was thinking. They started using thumbprints for the library in my school back in 2001. (It was a UK school)

Re:Big Deal

[TheThiefMaster]

I was definitely trialled at my UK high school, 10? years ago.

Re:Not sensitive

[Lumpy]

The fact is you DONT leave them clean and legible everywhere. Cops are happy when they can retrieve a good fingerprint. Most of the time they are smudged or not left because of dust on the object. in a completely un-useable state.

Very rarely do Crime scene investigators get good fingerprints. Go ask a real one, and stop paying attention to utter fantasy like CSI. Most detectives cant stand that show and how utterly inaccurate and flat out wrong it is.

Re:Big Deal

[Anonymous Coward]

Big deal schools in the UK and NZ have been using this method for checking out books for ages. You try to get a six year old to remember a pin number or library card. Many also use public barcode lists of users instead due to the cost of fingerprint scanners and in some rare cases privacy concerns.

My 6-year old daughter can recite her 6-digit lunch pin by memory, and she has ADHD. Go figure.

Re:Hidden agenda

[Zerth]

I don't know about your fascist library, but mine only keeps records of what books you currently have checked out.

Once you return them in good condition, the entry showing you checked them out gets wiped from the system.

Re:Wait till swine flu appears again

[dummondwhu]

Yes, that's true, but getting fingerprints from a door knob had exactly zero to do with the comment I replied to, which made the point that filthy 4 year old children and people who don't wash in the bathroom would be spreading swine flu via heavily used thumb print readers.

Re:Hidden agenda

[natehoy]

But only one can be replaced with a new unique identifier. The library can make up numbers for cards, they can't make up a fingerprint. A fingerprint is yours for the rest of your life.

I understand that the library is only storing a hash, but unless the library is using a truly unique fingerprint hashing technique, a breach of the computer they are storing those hashes on could mean that validation data about you that cannot be changed could be used for other purposes. Think of "fingerprint hash" as the equivalent to "SSN". It's not something you can change easily, and for that reason it's something that can be used to identify you with a decent level of confidence. That hash could be injected into any computer that uses the same (or a similar) hashing algorithm, and even if the library discovers the breach there's little they can do about it.

That's where biometrics get interesting. They uniquely (or at least "practically uniquely") identify you, but if someone breaches the system holding it, it's hard to prove it invalid.

If the library makes up their own numbers, they aren't holding any valuable data. If they store something that can be uniquely derived from your fingerprint, they should at least be held to PCI compliance, but preferably a lot higher - you can change a credit card number.