Biometrics, Ownership and Privacy? 223

symbolic asks: "I just finished watching a small segment of World Business Review on PBS, where the topic of discussion was the use of biometrics by employers to not only provide confirmation of identity, but as something to drive other parts of the operation - like tracking employee time. Briefly mentioned were face and iris scans, but as I was watching a picture of someone's iris, I realized that once an employer has captured a scan of your iris (or any biometric data), who has control over it? Does it become part of the cesspool of information trading that occurs between business and government entities? Will trading of someone's biometric information become as ubiquitous as their address or phone number? Is there any reason we should be concerned about this? I'd like to hear what others think about this." Ask Slashdot has previously approached the Biometrics topic for technical issues, but the privacy issue of such data has yet to be addressed. How do you feel about biometric data (or any data derived from your physical makeup, like your genome) being used as another commodity (like your address) in the corporate data exchange?

  • Yes! (Score:3, Insightful)

    by casio282 ( 468834 ) on Monday June 24, 2002 @05:58PM (#3759461) Homepage
    Of course we should be concerned about this! You can change your phone number, your email address, your name, and even your social security number if you work hard enough. But you can't change your biometric data, so once it's in the wild marketplace or personal information, it's out there for good...
    • Sorry -- that should be "wild marketplace of personal information..."

      cheers
    • I personally find the whole idea de-testable. Essentially each day we become more and more a cog in a vast machine that we have less control over. A large system of corporations and governmental interests who are increasingly controlled by fewer and fewer people at the top, curcumventing the democratic process at every turn.

      No one ever asked me if I like the drug laws, no one ever asked me if I wanted to live under a tryannical state where anyone now can be called a "enemy combatant", no one asked me if I thought it was ok to give my liberty for a small amount of illusionary safety. From my perspective I have been living in a totaltarian police state for a very long time.
      • No one ever asked me
        Um, it's called "voting." You should try it some time.
        • Ah yes, "voting". I just love that response. So when my only two choices are two guys whom only got into that place becuase of the influence and permission of extreme wealth, and between those 2 guys, I get one tiny little input in the form of a punch card in which the rest of my fate for the next 4 years is entirely determined by the same extremely wealthy who control and influence their decsions, where is my freedom. From whence does so-called 'voting' actually make a difference at all?

          There is a reason the majority of americans no longer vote, because they see it for the sham it already is. Not to mention flushing their electoral votes down the toilet when the a republic dominated Supreme court appoints our president.
          • So when my only two choices are two guys whom only got into that place becuase of the influence and permission of extreme wealth
            You've got lots of choices when you vote. There are more than two political parties in this country, and there are lots of independent candidates.
            I get one tiny little input in the form of a punch card
            You mean they only gave you one vote? Those conspiring jerks, how dare they?!?! See your later point about Florida, which was decided by a margin numerically smaller than some high school elections. Yes, your vote can and does make a difference. Even the largest landslide is only the culmination of many individual votes. If the politicians did not need the individual votes of the citizens, they wouldn't waste their time and money campaigning and bombarding you with bad commercials.
            There is a reason the majority of americans no longer vote
            Yeah, it's called laziness.
            Not to mention flushing their electoral votes down the toilet when the a republic dominated Supreme court appoints our president.
            Get over yourself. First, the Supreme Court is not exactly the John Birch Society. If you take the time to look at some cases, you will find that the Justices do not vote in blocks along party lines. Their appointed term is until they get tired of it or do something really bad, so they can afford to vote their consciences. In this case, they did exactly what the court is supposed to do: they brought final resolution to a divisive issue to ensure the continued and uninterrupted operation of American business. Furthermore, every re-count of the votes, including an independent one performed by a media-sponsored group (hint: the media tends to lean a little liberal--see Slashdot) confirmed that Bush had indeed legitimately won Florida's electoral votes. As for the issue if more people intended to vote for Gore, all I can say is that if you're too stupid to read the directions, your vote probably shouldn't count anyway. Some Republicans had a gripe that some voters in the more conservative panhandle may have been dissuaded from voting by the media's premature awarding of Florida to Gore, to which I say the same thing. If you're too lazy to get up and vote, and if you're stupid enough to believe everything you see on the news, your vote shouldn't count anyway. If you're really that bothered by the system, run for office or do something productive about it. Complaining on Slashdot that "nobody asked me" will get you exactly as far as the Slashdot database.
            • Teh only full of themselves is you from the simple fact that after all of your ranting you missed the basic and simple point of my argument - which is that we live in a system where the only real input any of us has is a single punch in a card once every four years!. That means that over a lifetime (say 60 adult years), we have only 15 punches of input that determines (if at all) our entire political climate. I and just about everyone I know had absolutely no say in the Patriot Act, the DMCA, the suspension of Habeus Corpus, the errosion of privacy rights, the copyright extension act, and thousands of other laws now on our books. To put it simply I'm living under a set of rules I an infinitesimal choice in. That's tyranny brother.
              • You're attributing way, way too much power to the office of the President. There are many levels and layers of government. In fact, the United States government was designed to insure that it didn't all hinge on one man or one single body of men.

                Hell, you can even take an active role and be elected yourself to have your voice heard. I'd recommend you drop the cynicism, first, of course.
                • You're attributing way, way too much power to the office of the President. There are many levels and layers of government. In fact, the United States government was designed to insure that it didn't all hinge on one man or one single body of men.

                  Have you been paying attention to the news lately? The precious seperation of powers you speak of no longer exist in any meaningful degree since our war on terrorism begun. The executive branch has made the largest power grab in American history. Already the executive branch no longer requires the oversight of the judicial branch it carrying out many of its policely duties. The 4th ammendent has already been nullified by the Patriot Act, no longer requiring a warrant or criminal investigation for you to be searched without notification. The first ammendement has come under increasing attack, people are being held (and even tortured) without due process, habeus corpus has been suspended, military tribunals are a reality, the army is now involved in domestic policing (against the law only 1 year ago), biometrics are being used to search and suspect us with out cause prior to the fact (facial recognition), and now the Bush Administration has called to combine 88 seperate agencies in the government into one large single "secret" domestic spying and policing force - a Super Gestapo.

                  What am I missing? hmm. What are you missing?
                  • All I can say is, don't let the door hit you on the way out. Seriously, if you hate America that much, one of the precious freedoms you enjoy that many others in the world do not is the freedom to leave. I for one won't mourn your departure or that of others like you. Now, if only Alec Baldwin would make good on his promise to leave the country if Bush were elected...
                    • Go back and read the guy's comments. They are filled with charged rhetoric (Gestapo, tyranny...) and a general contempt for the entire political process. It is not a bold and courageous speech laying bare the flaws of the institution. That would make it worthwhile. It's mostly random, spiteful flames. Apparently, his biggest complaint is that he does not have the disproportionately large influence on the direction of the country he feels others have (he only gets one vote, as if he deserves more than one). Certainly, he has a right to flame and complain as a citizen, but I was offering him an alternative that might make all of us happier. If America sucks so bad, he basically has three options. He can try to do something to make a difference (voting is the very bare minimum for a responsible citizen), he can sit and brood about it or he can leave. Poorly spelled rants on Slashdot basically amount to brooding. That, apparently, has not made him any happier and he hasn't responded to the suggestions that he could do something about it, so I invited him to leave. I'm not saying that we should force him out of the country, just that if he thinks America sucks so bad, he might be happier somewhere else, and I would definitely be happy to show him the door.
          • Ah yes, "voting". I just love that response. So when my only two choices are two guys whom only got into that place becuase of the influence and permission of extreme wealth, and between those 2 guys, I get one tiny little input in the form of a punch card in which the rest of my fate

            Go back to high school; you need to retake your civics class.

            You have *much* greater opportunity to influence the elections than just your one single vote, but it would require you to get off your ass more than just one day every two years (four, for the really lazy).

            Want to have an effect? Make like a good citizen (as opposed to a good sheep) and get involved in the process. Vote in primary elections. Join a political party and be active in it. Go to the local party meetings. Get yourself elected as a local party representative and go to the state level meetings (really easy to do, BTW). When you find a candidate you really like, work as a volunteer on their staff. If you really want to get serious, try running for office yourself.

            If that's too much work for you, try writing letters to your representatives. Enclose checks. Call them on the phone, or even go in person into their local offices.

            I get really tired of all of these "Oh, I'm so powerless" whiners that are powerless precisely because they *choose* to be. It's really easy to assume that you can't do anything because the wealthy individuals and corporations run everything, but the fact is that while they do have disproportionate power, there aren't very many of them.

            Like any democracy, representative or otherwise, the American system only works when its citizens take an interest and put forth real effort. You want a say? Find out how the system works and have it!

            Not to mention flushing their electoral votes down the toilet when the a republic dominated Supreme court appoints our president.

            Oh, pish. Get off that one already. It was an incredibly close election that could have gone either way depending on how the votes were counted. Vote-counting isn't an exact science and generally that doesn't matter at all, because rarely is the country so evenly divided. In my opinion, the Court was exactly right to put an end to the debate; the uncertainty was the biggest problem and the country had clearly found Gore and Bush equally (un)acceptable. And the Florida Supreme Court was wrong -- courts cannot make law, even if the law gives the party in control an unfair edge (and, yeah, I know there were other irregularities that may not have been so legal -- there always are, on both sides). Finally, the U.S. Supreme Court's action didn't change the ultimate outcome one bit. The Republican legislature in Florida was gearing up to take action, and they were going to give it to Bush. Legally, they could have given those votes to you or anyone else they like so there would be no challenging their decision (the constitution gives the allocation of the electoral votes to the states, not the populace).

            Hate him or pity him, Dubya is the Prez; that may change in a little over two years, or in a little over six years, or in some shorter time frame if he oversteps his bounds too aggressively. This continued whining is pathetic.

    • Re:Yes! (Score:5, Insightful)

      by RealisticWeb.com ( 557454 ) on Monday June 24, 2002 @06:28PM (#3759646) Homepage
      So why is that a problem? It is exactly the same to me as my finger prints. You can't change your finger prints (without scarring them) do you ever worry about who gets ahold of your fingerprints? No one does except a criminal. Do you wear gloves in all public places so no one can come by later and print you? Do you ever worry even slightly that a national database containing an image of your fingerprint will be compromised by a cracker and used against you? No? I didn't think so. To me the fact that that they can't be changed is exactly what makes me not worry about it! If that information is sold it wouldn't be any different than the rest of my information that is currently being sold, except that you can't fake an eyeball! People can make fake credit cards, fake ID's and forge signatures, but what are they going to do, grow a synthetic eye from my DNA and hold it up to an eye scanner? Implant them in their own eyes? You've got to be kidding. People who are going to get away with identity theft or even hacking/cracking for that matter are going to go for the most easy and fast way. Biometrics will be so hard to fake and do anything with, they are just going to try and swipe your credit card number the old fashioned way. I wouldn't get too riled up about this if I were you.
      • You can't change your finger prints (without scarring them) do you ever worry about who gets ahold of your fingerprints? No one does except a criminal.
        Um, I am not a criminal, but when Best Buy digitized my signature and then transmitted it in the clear over a wireless cash register system, yes, I was worried just a wee bit (no pun intended).

        sPh

      • Re:Yes! (Score:5, Informative)

        by Relic of the Future ( 118669 ) <dales@digitalf r e a k s . o rg> on Monday June 24, 2002 @07:53PM (#3759994)
        Just a nit-pick, but you can't reconstruct the patterns in a person's eyeball with their DNA, for the same reason that identical twins have different fingerprints. It's not something that's in the genes.
      • you can't fake an eyeball!

        Can't be done? I think it can.

        Imagine a ball of glass with the right refractive index, an image of the retina on the back printed with a colour printer, and covered with an opaque covering with a small hole opposite the image of the retina.

        Or perhaps the shape of the eye need not be replicated perfectly - a black plastic box with a small hole in one side and the retina image on the other would probably be good enough. An empty film canister would probably be good enough.

        When asked for a retina scan, hold these up to the scanner.

        Scary.
        • Re:Yes! (Score:2, Insightful)

          by shylock0 ( 561559 )
          An interesting idea. But ultimately one that probably wouldn't work. Retina images, like most biological imprints, have fractal-like resolution. Retina images aren't simple images. They are complex biological patterns whose level of resolution approaches the cellular level. Impossible to replicate? Probably not. But throw in a spectrometer and a thermometer along with the optical scanner, and you're pretty much guaranteed a counterfeit-free solution. You can't fake an eyeball, anymore than you can fake a stomach, or a heart, or any other human organ, to be identical to another.

          Basically, what B.D. Mills fails to realize is that biological systems -- and biological imprints -- have a level of detail that is nearly (though not totally) impossible to replicate mechanically. Biological systems are, by their very nature, pseudodigital, and not analog (like an inkjet print on a piece of paper). It is this pseudodigital nature that makes them so appealing.

          Which, as I'm sure pessimists will be quick to point out, does not make them perfect. But neither is any other system of identification that we, as human beings, have managed to devise. Even passwords are susceptible to truth serums -- or even just a fair bit of alcohol and a "trusted" friend. Like any system of identification, it is foolish to assume that biometric systems are completely reliable -- perfect -- because no system is or can be.

          • biological systems ... have a level of detail that is nearly (though not totally) impossible to replicate mechanically.

            You are forgetting a fundamental point here. The level of detail of such biological features is irrelevant, because they are always read by equipment with a finite resolution. It is not necessary to replicate the detail to a microscopic resolution. All that is needed is to replicate the eye or other body part sufficiently well to fool a computer.

            Spectrometers and thermometers are useful to thwart such attempts. However you need to remember that in the majority of cases, corporations will opt for the cheapest solution that gets the job done. Such a solution is unlikely to have all the ancillary equipment to verify that it is indeed an eye at the scanner and not a replica. Even these solutions are likely to fail if an unconscious victim is having their eye held open and forced against the scanner by an assailant.

            Recommended viewing is the movie "Sneakers" if you haven't already seen it. It's a great movie, and also has some relevant lessons on the vulnerabilities of security systems.
      • Actually, it would bother me if I had to use my fingerprint everywhere I went-- to buy groceries, go to the movies, and so on. That hasn't happened in part because it's a real pain in the ass and takes too long. But now that hand scanners and iris scanners are becoming cheap, fast, and (mostly) reliable, it's a lot more possible for large chains to use them.

        • Interestingly, this is kind of what crossed my mind as I was watching the show. Right now, there are three large companies that, for a price, will make available information about people - Equifax, TRW, and Experian. They represent central repositories of information, and that's the key here. There's only ONE retinal scan (in theory), that will represent who you are. There's nothing to update, nothing to keep current...once it's there, it's there. So...fast forward a decade, and think about how tempting it would be to build a central repository of everyone's ID - it might be that by this point in time, they'll have figured out how to do retinal scans as you walk by some kind of device that's (relatively) hidden from view. Any time you walk into an establishment equipped with a scanner, they can know at minimum, who you are, and potentially, a great deal of other information - all without having said a word.

          It's my opinion that my mere presence does not convey a right to know who I am- whether or not I reveal anything about my identity should be my choice, and mine alone.
  • by pizza_milkshake ( 580452 ) on Monday June 24, 2002 @06:00PM (#3759469)
    I think it's great. Instead of sending me spam via mail, fax and email -- now they can engineer ads based on my DNA.

    ad: pizza -- you have an 18% chance of getting colon cancer and only 32.34 years left to live, wouldn't you like to spend some of it drinking a nice, cold, refreshing Pepsi?
  • Looks like someone went to see Minority Report this weekend. Iris scans everywhere people went, used for access and advertising.
    Hopefully with the increase in biometric scanning will come an increase in black market body-part replacement.
  • Seeing as they already have much of your personal information (SSN, anyone?), is this really an issue? I mean.... if you're going to have to use Biometrics for your job, you think that by that time the government isn't already going to have your iris or whatever on file? I would guess that they would make it a requirement to get a drivers license or something similar.
    Everyone who is legally employed has given lots of personal information to their employer already... and I don't know about you but I haven't had any problems with ethical/nonethical use of my information yet.

    -kwishot
    • Re:Well.... (Score:3, Insightful)

      by jweb ( 520801 )
      Yes, this is an issue. The biggest problem with biometrics as a unique identifier is that they don't tolerate failure well. If your retina scan is compromised, there is no way to recover from the failure, short of an eye transplant.

      I haven't had any problems with ethical/nonethical use of my information yet.

      The key word here is yet. If a biometric national ID card comes into common use, you can bet that there are any number of corporations and script-kiddies who will find a way to use this information in a non-ethical way.

    • Never will I provide such information. I am happy with the fact that I could vanish, and nobody would ever be able to find me again; because my appearance could easily be changed...
    • Re:Well.... (Score:3, Insightful)

      by cosmosis ( 221542 )
      The bottom line is this - making such divulgence of personal information compulsory. If it was voluntary that would be one thing, but each day we have to sacrifice more and more of our privacy and liberties in order to hold a job, make a living and not starve. I'm sorry but no one ever should be forced to obey a large system of rules and regulations just to stay alive - but that's how it is - and it's tyranny pure and simple.
  • While I'm sure that there will be a massive push to trade and sell biometrics about employees (and, looking down the road, consumers, should the technology be adapted for things like credit cards and ABMs), it sets off giant, giant alarm bells for me. I mean, while we have things like addresses and phone numbers being traded and sold by large companies, such details about a person are easily changed. The basic structure of your retina or your fingerprints, however, are things you're stuck with. I really can't see any technology coming along that will rewrite your retinal signature outside of expensive surgery. That leaves fingerprint and retinal data, at the least, even more personal and, to my mind, private than your name. You can change just about everything about yourself, statisticwise; eye color, hair colour, weight, musculature, name, address, phone number, SIN number, credit card number, employer, and so on. But you're stuck with your body. Barring six-million-dollar-man bionics, the one you've got is the only one you're ever going to get. Having unique bodily markers floating about on an advertiser's list, or worse, a blacklist for potential hires or borrowers, in the case of employers or credit companies, seems....alarming. I'd rather be anonymous than tracked for my own safety. Anonymity is a risk I'm willing to take.
    • The blood vessels in the retina are akin to a fingerprint in that no two patterns are alike; the colour patterns in the tapetum (the reflective part of the retina) are probably also unique. Presumably retinal scans would use these factors for identification.

      Therefore, the only way to change your retinal signature would be to get yourself partially blinded by destroying part of the retina (use a surgical laser to burn parts sufficient to render the blood vessel pattern unrecognisable, or use a drug or infective agent to cause fluid buildup to detach/destroy part of the retina).

      Identity theft is difficult enough to rectify when it only involves your name and SSN. What if it also involved your biometric data? The only plus I can see in this is that if EVERY baby were subjected to biometric scan (retina plus DNA), and the data filed along with the birth certificate, you'd have a way to prove who you are in the event of identity theft later in life.

      But meanwhile, who has access to the data?? what if someone (perhaps by way of suitable bribes to low-paid gov't clerks) substitutes their own biometrics in your records? Then they have proof positive that they're "YOU", and once the official records are switched, there's no way you can prove otherwise.

  • With today's current political/corporate climate in regard to privacy, it seems fairly obvious that pretty much any information collected on someone (be it biometric or otherwise) will invariably end up being shared in one form or another. As soon as one entity decides a particular piece of information is handy for keeping track of someone, others will follow; and where others follow, sharing begins. I expect to see an Iris.Net module out soon for Passport and I think my dog's pant pattern has been captured by bugged pellet in his dogfood which authorizes only him to eat that bowl of food.
  • Database Nation (Score:3, Informative)

    by sydney ( 119599 ) on Monday June 24, 2002 @06:03PM (#3759484) Homepage
    The book, Database Nation by Simson Garfinkel delves into this little considered topic. He asserts that biometric information is not owned by the individual, but by the organization that collects your information. Similar to the fact that you do not own your name, you do not own your retinal pattern information.

    Quite scary, if you ask me.
  • by Bollie ( 152363 ) on Monday June 24, 2002 @06:04PM (#3759495)
    Coloured contact lenses.

    It's not farfetched to think that some idiot in the wake of 9/11 might push a law making it illegal to wear them. Oh yeah, only after the law's been passed will things like this come to light...

    Just think, a DMCA for identity-circumvention devices. No more anonymity, because, it's good for you!
    • Yes, however, it's difficult to even know if the person IS wearing colored contact lenses...a CAT scan can be used, but too many exposures might cause cancer, blindness, radiation poisoning, or slight genetic mutations. CAT scan machines also cost over a million bucks to produce. Hey, you can blind the population of the United States AND cause people to grow extra fingers! We'll be just like the Amish with their Kaufmann syndrome-contaminated gene pool!

      We won't have to worry about this yet - Biometrics are easy to circumvent at this stage - gelatin defeats hand print scanners, and coloured contacts can fool iris ones.

      Not today, Big Brother.
    • Most eye scanners use retinal scanning, not iris scanning. Color contact lenses would be useless.
  • by boa13 ( 548222 ) on Monday June 24, 2002 @06:04PM (#3759496) Homepage Journal
    ... because you can't change or revoke them. What if someone manages to get a copy of the binary data that characterize your iris? What if it gets circulated in some crackers circle? Will you change your iris? Or will you change your job? Or will you simply lose your work, since your iris is now unusable by your company?
    • The thing about biometrics like iris scanners is that the iris expands and contracts rhythmically at about 120 Hz - very minute, but detectable. Modern iris scanners look for these fluctuations. If they're not present (dead eye, picture of an eye, etc.) then it will refuse to validate you.

      The only question then is whether or not you trust the company with the iris scanner. Not perfect, but at least your iris print isn't copyable.

      --Dan
  • by Todd Knarr ( 15451 ) on Monday June 24, 2002 @06:04PM (#3759497) Homepage

    Myself, I wouldn't like it. But the company should like it even less. Think about something here: what's your company's policy on employees giving out the keys to restricted areas? It's probably a termination offense. Now, suppose the company uses biometric data to control access to restricted areas. Isn't giving out that data exactly giving out the keys to those restricted areas?

    And if that biometric data is also required by law to be used for things like controlling access to bank accounts, where there's legal penalties for third parties who mishandle the access-control information, the company could face some nasty legal LARTs from employees if the company gives out access-control information for their bank accounts, Social Security accounts, driver's license records and such.

    This should give the company legal people migraines for a while. :)

  • John Anderton (Score:3, Informative)

    by martyn s ( 444964 ) on Monday June 24, 2002 @06:05PM (#3759498)
    In Minority Report, when Tom Cruise's character was running away, he was bombarded by ads that would scan his eyes.

    "Hello, John Anderton, you look like you could use a Guinness right about now."

    "John Anderton, wouldn't you rather be driving a Lexus?"

    After a little bit, all you heard was "John Anderton" over and over in many different voices. Spooky.
  • by slashkitty ( 21637 ) on Monday June 24, 2002 @06:05PM (#3759506) Homepage
    I work at a bank. They take your fingerprints and share them with the FBI. They do tell you this before they take them, so if you're uncomfortable with that, you shouldn't work at a bank. I see no reason why they wouldn't start doing this with other biometric data when it becomes more standard.

    I for one feel safer knowing that all the people working at my bank have at least been through a fingerprint check with the FBI. And if a vault is broken into, and they find someone's fingerprints, they have a bunch to check.

    Now, I certainly hope they don't start selling the information for profit. That seems like it'd be a little harder to do with employee information. However, maybe a customer of a big store? Maybe a window shopper? It certainly has potential to be exploited in other areas.

    • Ditto here. I once had a gig as network manager for a public middle school and was duly fingerprinted and photographed so that they could confirm with the Feds that I am neither a felon nor known sex offender. Good thing to know if your kids are in school there, but it does seriously suck that the Man has my prints on file in perpetuity, so far as I know.

    • Hope springs eternal (Score:2, Interesting)

      by Anonymous Coward
      Of course they will use it otherwise. Your bank
      will get your biometric data which includes your
      DNA and that will be shared with their insurance
      co "for a better rate". They might already have
      your DNA; were you in the military?

      Sooner or later, they will check
      it BEFORE you get hired. Sorry, you don't fit
      the profile for the "benefit package".

      Your data will be in the big Homeland Security
      engines. See here, it says you are a terrorist
      and this is YOUR eye scan. No, they won't be
      able to cross reference it to your email, cc
      purchases and cell phone locator. Where did
      I put that swamp?

      Or maybe your local supermarket will start using
      it for checkout. Now your local police can pull
      up a list of people who bought beer and cross
      reference it with accidents that day. It's all
      good, right?

    • I for one feel safer knowing that all the people working at my bank have at least been through a fingerprint check with the FBI. And if a vault is broken into, and they find someone's fingerprints, they have a bunch to check.

      Yeah. And I feel safer knowing that all the people working at my local Megamart have at least been through a fingerprint, retinal scan, and DNA check with the FBI. And if they find a jar of spaghetti sauce shattered on the floor in aisle 5, and they find someone's fingerprints, they have a bunch to check.

      Perhaps you'd like to hear some of my other ideas that will help us all feel safer?

      -
  • Your Eye, Their Data (Score:4, Interesting)

    by Saxerman ( 253676 ) on Monday June 24, 2002 @06:05PM (#3759507) Homepage
    Same principles apply as if someone snapped a photo of you. Does the photographer or the model own the rights to the created image? The photograph is owned by the artist. The image of the model belongs to the model, and the photographer must get permission to publish. Permission is usually, "I waive all rights in regards to my image in this photo for some quantity of cash." Once such permission is granted, the photographer is free to do as they like with the photo.
  • It has the benefit of: If your iris print gets out, sue your employer for copyright infringement. If multiple people try using it, call it piracy.
  • by oGMo ( 379 ) on Monday June 24, 2002 @06:06PM (#3759515)

    Recently I watched a presentation by a biometrics group, so this is a bit familiar to me. By far the biggest problem, the question unanswered, is what to do when your information is compromised.

    See, you can change your credit card number, or your email address. You can even move someplace else. But you can't change your biometrics. Hopefully movies like Minority Report will provide some Good FUD about biometrics, so people realize that this information should be kept as private and closely-guarded as their own life.

    It's funny how people seem more willing to give out their fingerprint or retina than they are a number on their credit card. It may be hard to hack. It may be very hard to hack. It may be almost impossible to use. But as those in the security business know, nothing is impossible. And with biometrics, once you're compromised, that's it.

    • But you can't change your biometrics.

      If you saw Minority Report, you would know that you can get replacement eyes on the street for $2-3k US. Also, if you saw Men In Black, they have that neat machine that burns your fingerprints off your hand.
    • Then you combine the biometric data with a password. Problem solved.
    • See this article [cryptome.org]. If someone can get your fingerprint, he can make a "fake finger" out of gelatin with your fingerprint on it, put it over his own finger, and then eat the evidence.

    • by B.D.Mills ( 18626 ) on Monday June 24, 2002 @07:59PM (#3760022)
      Disclaimer: IANAL, but I do take the trouble to read all the fine print.

      NDA means "Non-Disclosure Agreement". These are common when corporations do business with each other, but rarely used by individuals. So far. We should change that.

      What you can put in it is an agreement where the corporation agrees that all your personal information - name, address, biometric info, the details of the business you choose to do with the corporation, the name of your dog, etc. - explicitly remains your property. You can also say that the corporation has no right to sell, trade or otherwise disclose this information to any third party without your prior written consent except where such disclosure is required by law.

      So what happens if the corporation breaches this agreement? Here's where your lawyer can get really nasty. You can set penalties in the agreement. You can set the minimum amount of money they must pay you as damages - $10,000 to $25,000 is a good figure - and stipulate that if actual damages are higher they must pay the higher figure. You can require the corporation to undo the damage at their expense, with more penalties if they don't comply within a certain fixed time. You know how hard it is to get off a list once you're on it? Make it THEIR problem - they do the damage, they fix it.

      Muhahaha.

      To save on legal bills, get your lawyer to draft a single standard agreement that you can use everywhere - your employer, the bank, anywhere you do business. Take back control of your personal information.

      Of course, there's no guarantee that this will work - corporations think they have the right to sell your personal information for whatever they can get for it - but there's no harm trying. You might even make some money off it.
      • The only problem I can see here is that you would have to get Company X to agree to sign the NDA. Most people only give fingerprints/eye scans/whatever when Company X has something they want; for example, my thumbprint whenever I want to cash a check. I don't just run around getting retina-scanned and fingerprinted because I like it... there's something I want, and relinquishing a part of myself that can be sold (or worse, stolen) is a necessary evil that I bitch about whenever I get the chance.

        So, what's to keep a bank from denying your application for a bank card when you present them an NDA? Or what's to keep your company from firing you or limiting your security clearance because they want nothing to do with your silly legal agreement? I know if I presented any papers to the bank when I tried to cash a check, they would simply say, "I'm sorry, we can't sign this." And I would not have any money.

        Much like software license agreements - I think most people would be surprised to read the rights and privileges they sign away when they click "I agree," but for the vast majority of people, it's just one more button to click before you get your free e-mail account or install your shiny new software. And the rules are such that unless you agree to THEIR rules, you're SOL.

        Rather than worry about their legal liability when they sell your eyeprint, I suspect most companies would just refuse to do business with you, especially when there is a veritable plethora of customers who don't know or care enough to defend themselves in that way. Maybe the rules are different; if not, they really should be.

        • I suspect most companies would just refuse to do business with you

          If enough people use NDA's, then the company will lose market share unless they play ball. You have something they want - your money - and if one company won't agree, there's always others out there. Use the free market to your advantage!

          You could always use the same tactics they do when they want you to sign a dodgy document. You could make it several pages long with lots of fine print, and hope they don't read it in full before signing.

          There's also the technique I would use - when initiating a business relationship, ask them about their privacy policies, and ask them if they will sell your information to anyone else, and other similar questions. They may lie to you and say they won't when they will, but you can turn the lie against them. If they say they won't sell your information, you can hand them the NDA with a smile and say, "Then you won't mind signing this NDA, just to formalise this arrangement." Checkmate. They will have to admit the lie, sign the NDA, or lose your business.

          Another fun thing to do is to write NDA's on the back of cheques (or checks in American spelling), with a line that says "By cashing this cheque, you agree to be bound by these terms ... " Someone in Australia actually did something similar to this, and when they cashed the cheque and then breached the terms on the cheque, he won a court case against them for breach of contract.
        • So, what's to keep a bank from denying your application for a bank card when you present them an NDA? Or what's to keep your company from firing you or limiting your security clearance because they want nothing to do with your silly legal agreement? I know if I presented any papers to the bank when I tried to cash a check, they would simply say, "I'm sorry, we can't sign this." And I would not have any money.

          Oh, not much is stopping them. There isn't much stopping me, on the other hand, from saying to the person that I need to see the branch's VP so that I can close my account and walk over to the local credit union. I'm a rather young person, and when I signed up for my bank account, the banker handed me the papers and said very briefly what they said and then expected me to sign them. I took each paper and read them. Then I asked about the privacy policy and read through their little pamphlet. I agreed with the terms, I got an account. If I didn't agree with the terms, within 400ft, there is another bank, and there are 6 other banks, and 1 credit union within a half-mile. Besides that, I could have just said "Sorry, I don't agree with these terms" and gone and cashed my checks and paid with cash for stuff.

          Don't forget that if all the companies are requiring finger prints, retinal scans, and your butt print, then you can always start your own.

          --Josh
    • See, you can change your credit card number, or your email address. You can even move someplace else. But you can't change your biometrics. Hopefully movies like Minority Report will provide some Good FUD about biometrics, so people realize that this information should be kept as private and closely-guarded as their own life.

      Warning:
      The biggest problem with biometrics is this: While it is true that you cannot change your biometric data at will that is not the same thing as saying that it cannot change. Retinal scans use the pattern of blood vessels in your eye for example. THIS CAN CHANGE. No shit. Major physical changes in your body, like going on a major health bender and training (getting a lot of exercise), or for women just getting pregnant, can cause blood vessels to move around in your body. Hands (used by some biometric systems), eyes (used by retinal scans)... anywhere. Of all the current biometric systems I think only fingerprints are known to be fairly constant over a lifetime. The layperson thinks their body is in a 'static' state once they reach maturity but this is just not true. Ask medical professionals. All of these biometric technologies are headed for trouble as people start to rely on them for years and the natural changes in their bodies start to occur. One day you'll show up for work after a few weeks vacation at a health spa and your retinal scan will not work. It'll be a real-life version of 'The Net' I guess.
  • re:biometrics (Score:1, Informative)

    by Anonymous Coward
    While there may be plenty of other reasons in the world to be concerned about privacy, iris scans and other biometrics DO have a baseline protection built in to the method by which they are implemented: Your actual iris image is NOT supposed to be stored and sent to some central computer. Instead, a code (like a hash function but usually referred to as a "template") is derived from your iris that is useless by itself and cannot be inverted to produce an image of your iris. Therefore, you don't have to worry about your "biometric password" being compromised once and never being able to be used subsequently....
  • Hold Firm (Score:2, Interesting)

    by OYAHHH ( 322809 )
    If you give anything out without legal guarantees to its dissemination you can bet it will be distributed.

    Even with legal guarantees they have to be on your terms otherwise they will just change the rules on you, i.e. Yahoo and your privacy settings...

    Just give a retinal scan to your bank with their standard contract for a checking account and the next time you try to fly on a plane using a retinal scan you can bet with almost 100 percent certainty that you will be bombarded with offers especially tailored to how much cash (and or credit line available, etc.) you have in your checking.

    The only way to get around this crap is for everyone to draw a line in the sand and refuse to give it.

    Mankind has survived thousands of years without the need for this invasive type of "security" and I hope I never see this biometrics thing happen in my lifetime because I certainly feel as though my privacy has already been abused to no end.

    I don't need another ad for another of ACME Inc.'s crap.

  • Color me jaded, but aren't we getting ahead of ourselves here?

    Fact:
    - Most of us leave finger prints all over the dishes each and every time we dine out.
    - I'll bet almost every US citizen here had their fingerprints taken as grade schoolers as part of some Community Enrollment program under the auspices of "help us find your child if they're ever lost or kidnapped."
    - Until there is some standard for data exchange between biometric devices, does it matter all that much who "owns" the data?

    I do not dispute that the author has a point; I do dispute the question that is asked. In my mind the "who owns the data" discussion should be prefaced by a discussion of how biometric devices will interoperate between the users (you and I) and the Real World (gas pumps, VISA card readers and the like). It just doesn't make a lot of sense to discuss ownership issues until we have some idea of the scope of the playing field.

    After all, I'm not going to waltz down to the local Italian eatery and demand they wipe my finger residue off the glass before they clear the table as a means of respecting my "Biometric Personally Identifiable Property," now am I?

    Cheers,
    -- RLJ

    • As far as I am aware, there is no database that contains my fingerprints, which is something I am quite happy about. Fingerprints are EASILY fakable. I'd like it to be more difficult for the bad guys to frame me.
    • Well, it's kind of like this article that was up here a few months ago about bars that require licenses, and how they scan the barcodes on your license to collect demographic information.

      Just because this information has always been available, that doesn't mean that the situation isn't changing. Until now, all that information was useless because there was no way to extract any value from it.

      It's like, imagine I use a car service fairly often. I don't give my name when I call, but they have to come pick me up at my house. Well imagine I often go from A to B, and from B to C and from C to D and from D to B, etc. A, B, C and D all being fairly unique places. Until now, no car service could mine all that data to get anything meaningful from it. But imagine this car service company can now see that there is a person who often goes to and from a certain residence, and to and from a certain store. They also see that there is a person who goes to and from that store, often, and to and from a third place.

      It's not too hard to imagine that it would be possible to figure out who is going where.

      Just because it wasn't "secret" that you were going to a Gay and Lesbian meeting, you called up a public car service, and you didn't keep it a secret, that doesn't mean it's not dangerous that now all of a sudden people have the ability to extract meaningful information from all that data, information that until now we would never have been able to mine.

      Even though the data source is the same public information that was always available, the end result is still bad: people will know things about you that you don't want them to know, and you won't be able to keep anything secret.

      Even though the method that they use to invade our privacy is legitimate and "legal" that doesn't change the end result: you will no longer have any secrets. Everyone will know.
      • I understand where you're coming from; the landscape is changing. My point is that yes, the landscape is changing, shouldn't we gauge the new terrain (how devices will share personal ID info, what kind of info will be extracted - like demographics from bars or people/route mapping from your example) before talking about who owns the info?

        Western societies have used the signature as a mark of personal acceptance or identification on legal documents for centuries. I see today's discussion of biometric information ownership akin to discussing the ownership of the signature before establishing the fact that the signature is legally binding. Cart before horse, if you will.

        Cheers,
        -- RLJ

    • - I'll bet almost every US citizen here had their fingerprints taken as grade schoolers as part of some Community Enrollment program under the auspices of "help us find your child if they're ever lost or kidnapped."
      Those fingerprint cards are given to the parents, not retained by the school or the police. Now if the parents use them irresponsibly, that would be another issue, but that is also true of many things that parents/guardians could do.

      sPh

      • Those fingerprint cards are given to the parents, not retained by the school or the police.
        You naive fool! Don't you know the mothership scans ALL of those fingerprints from orbit even as they're taken and then beams them to the underground storage servers 10 miles beneath Virginia for backup? That way, the individual "handlers" who give the President and the congress their instructions always have it available via their telepathic workstations.
  • Well, we shouldn't have much trouble making fake lenses to wear for work, and then a different pair for each activity we engage in - multiple identities. Make 'em look like this [lensquest.com] perhaps, ha!
  • In all seriousness, /. posted a link to a good article recently (the author's name escapes me) where he said that the big difference is that once someone has your physical/molecular data, they've got it forever. passwords, combinations, cc#'s and phone numbers expire. ss#s can even change. but your fingerprint and your dna won't. once someone gets your fingerprint data in an electric format, how do you ever recover from that? how will it ever be known whether the user is legitimate or not?
  • If anyone happened to catch Oprah doing a segment on Minority Report a while back while flipping through the channels, she is actually a proponent of this type of technology and such usage. She would in fact like to see it used everywhere to stop all the evil terrorists and criminals. I imagine since like many things she has said her viewers would second this opinion. Unfortunately, there are many of those viewers out there. In fact, many people around the world are for such technologies. I assume it is because they are not yet enlightened enough to see any of the dark sides of the technology. Or perhaps, I'm just being naive, and it's natural for humans to want to be monitored 24/7 with constant streams of advertisements, etc. into their eyes.
  • As long as the checking of an iris requires the use of a computer, who cares! Anything digital can always be faked. If it ever became an issue, I am sure digital glasses that can fake iris scans will be out not long after. Plus, there will always be the elite, out to destroy such things... j/k
  • So, can we copyright our biometric information? I mean, let's face it, we very definitely made it ourselves. If companies get to patent segments of human DNA, we should be allowed protection of our own, complete, unique DNA.

    No, I'm sorry, you can't DNA test me. Why not? I own the copyright on my DNA and it'd be an infringement for you to copy it on to your systems. Iris scan instead? No, I'm sorry, I own the rights to that too. Would you like to discuss licensing?

    • If you want to be technical like that, I suppose our parents would be the legal copyright owner(s) of our biometrics. Because technically, _they_ made it, we just happen to possess it.
    • nope.

      but your parents can, as the "designers"...

    • "Certainly, sir. I hope you didn't need that credit card, car loan, job, health insurance... etc."
      In such ways do they steal our freedom, one "need" at a time... In order to follow the philosophy in my .sig file, a LOT of sacrifices must be made, to the point of being unbearable. That's the way the system is designed. More power to you if you can fight it.
  • Do you own your finger prints? Do you own your signature?

    No, you do not. Both can be digitized, misused, used against you.

    I expect the same is true of iris scans.

    The courts will probably mis-apply 17th century property laws to the issue. Oh, brave new world.

    =brian
  • We had a meeting recently to discuss high level issues about HIPAA and how it will affect the lives of sysadmins here. What I have heard sounds like it would be reasonable for biometrics. Basically... HIPAA will require that personally identifying health care information be protected, it has to be encrypted such that every field in the database can be individually encrypted (possibly to prevent someone with DBA access from just dumping the DB and stealing the data) for starters...

    then there has to be ACLs for who can access the data... AND all accesses of the data make an audit trail so it can be seen who accessed it.
    (when Princess Di came to MGH many years back, a number of employees were slapped by management because they accessed her medical records to satisfy their own personal curiosity - this was before HIPAA regulations even! the software recorded who accessed the data)

    I think when it comes to personally identifying information these types of requirements are perfectly reasonable and should be encouraged - never mind restrictions preventing the sale or unauthorized transfer of such information - that's pretty much a given IMNSHO. (no point in any other restrictions on access if you don't have that now is there?)

    -Steve
  • Descriptors (Score:2, Insightful)

    The data, in the aggregate, or the datum, in the individual, represent me. They are part and parcel of my being who I am, and as such are inseparable from me, regardless of how you define "me." In the US, at least (and, at least in theory), "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated[.]" This, of course, only really applies to the Federal and State governments (via the 14th Amendment), but seems pretty clear: a person's "person" is inviolate. "We hold these truths to be self-evident: that all men are created equal, endowed by their Creator with inalienable rights; among these are life, liberty, and the pursuit of happiness." (Emphasis Added.)

    It is the person who is (or, perhaps, should be) most sacred. Kant reminds us that people cannot be used as means to any end, but only always as ends unto themselves; Rousseau points out that liberty cannot be given away, even if one wants to do so. Liberty::Human as Attraction::Gravity. You can no more separate the tendency of masses to attract one another from the masses themselves than you can remove freedom of the individual person from the individual person.

    With that in mind, it seems pretty clear that my iris, my fingerprints, my voice patterns, are mine. The FBI or state police may have a compelling interest to keep a database of criminals, and how to identify them, but it's pretty well established that these are pretty limited-use activities, and not available to the general business population. It is also pretty well established that those fingerprint records are not the property of the FBI, or any other agency, but that the FBI and other agencies can collect them as part of their routine criminal investigation activities. The FBI certainly doesn't own the fingerprints. Why would private companies be able to "own" retinal or iris scans?

  • by pla ( 258480 )
    C'mon, you meant this as a rhetorical question, right?

    What do you *think* the slashdot crowd will respond to a question like that, when we overwhelmingly loathe even having companies able to correlate such trivialities as our names and email addresses?

    Offensive... I think that makes a good word. I find it offensive in the extreme that anyone but me profit from my personal information (and by that, I don't mean I would agree to it even if I *could* profit from it). Selling information about me violates an absolute of the idea of possessions in general - If I don't "possess" my own information, what the hell *do* I own?
  • I don't want any of my personal biological information in the hands of anyone but my doctor. He's the only person who actually needs the information, not an employer. Frankly, employers know too much about me already.
  • Biometrics is based off the trust that the machine that is doing the scanning of said body part is trusted. What happens when someone sticks a packet sniffer or similar between said trusted device and the box that handles the processing? Could you take the packets that you captured, run them into the box at a later time and bypass the system (or empty an account)? I know you could make this more difficult by encrypting the data before it hits the wire with a time-based algorithm, but once again these are just bits, and once you have a device that lets you emulate the signals given by a good box doesn't this make it trivial to break the system?
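The replay question in the comment above, worked as an added example (not part of the original thread or any product's code): a matcher that issues a single-use nonce and checks an HMAC over nonce plus template rejects a captured message that is sent again. The class names, the shared sensor key, the 5-second window and the template bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time


class Matcher:
    """Back-end box that receives templates from a sensor (hypothetical design)."""

    def __init__(self, sensor_key: bytes, max_age: float = 5.0):
        self._key = sensor_key
        self._max_age = max_age          # seconds a challenge stays valid (assumed)
        self._pending = {}               # nonce -> time it was issued

    def challenge(self, now=None) -> bytes:
        """Issue a fresh random nonce that the sensor must bind its reading to."""
        nonce = os.urandom(16)
        self._pending[nonce] = time.monotonic() if now is None else now
        return nonce

    def verify(self, nonce: bytes, template: bytes, tag: bytes, now=None) -> str:
        now = time.monotonic() if now is None else now
        # pop() makes every nonce single-use: a second delivery finds nothing.
        issued = self._pending.pop(nonce, None)
        if issued is None:
            return "rejected: unknown or reused nonce"
        if now - issued > self._max_age:
            return "rejected: stale response"
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        return "accepted"    # the template would now go to the biometric matcher


class Sensor:
    """Trusted scanner holding the same key as the matcher (assumption)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, template: bytes):
        # The nonce has a fixed length, so nonce + template is unambiguous.
        tag = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        return nonce, template, tag


def run_demo() -> dict:
    key = os.urandom(32)
    matcher, sensor = Matcher(key), Sensor(key)
    template = b"constructed-template-bytes"    # stand-in for a real template
    results = {}

    # Normal login; 'captured' is exactly what a sniffer on the wire would see.
    n1 = matcher.challenge(now=0.0)
    captured = sensor.respond(n1, template)
    results["fresh"] = matcher.verify(*captured, now=1.0)

    # The identical captured message delivered a second time.
    results["replay_same_nonce"] = matcher.verify(*captured, now=2.0)

    # The captured template and tag attached to a newly issued nonce.
    n2 = matcher.challenge(now=10.0)
    _, old_template, old_tag = captured
    results["old_tag_new_nonce"] = matcher.verify(n2, old_template, old_tag, now=11.0)

    # A genuine response that arrives after the challenge window has closed.
    n3 = matcher.challenge(now=20.0)
    late = sensor.respond(n3, template)
    results["stale"] = matcher.verify(*late, now=30.0)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

This covers only replay on the wire; a stolen sensor key or a tampered sensor is outside what it protects.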
  • I'm wary of any entity that controls the rights to that data, since there is a precedent being set by companies like Verisign and Yahoo that do not value your right to privacy. Corporate entities have little fear of the law since the penalties they face for abusing their customers' privacy usually only affect the people who run them indirectly, and seldom result in more than fines to the company. Concurrently, allowing the government to outright control this system provides them with a means to abuse the power similar to corporations, but for different ends.

    I think the only way to ensure protection for yourself and for those that need to use it is to set up some sort of government-funded clearinghouse whose sole purpose is to store the information and provide access to it to others who have been explicitly granted permission by those that provide the biometric data. This would not be unlike an authentication system like Kerberos which innately distrusts everything and will only grant limited-use tickets to use its data when properly authorized to. Then and only then, would I feel safe in providing this information.
  • This just seems to be the most sensible extension of current patent/copyright law. These things (iris profile, genetic code, personality, interests, hobbies) are all an outgrowth of my initial programming (genetic), a certain amount of random chance and the environment within which I was raised. My body's code is its own!....The artistic pattern of my blue eyes is my own!...any trading of that information should be at my discretion.

    Considering that copyright has been extended automatically to the artist of almost anything else (without necessarily having to label something directly as such), I deserve to hold these rights on my body too.

    If I choose to "auction" off this information, that should be my legal right, but the default state should be "protected."

    Moving away from this simply shows the hypocritical nature of "Intellectual Property." Seems that enforcing this right for the individual would help all those IP flakes make their claims consistent.

    Either it applies to everyone, or they gotta come up with a better claim for why I shouldn't be swapping their information.
  • This story is a "red herring". Suppose a breakthrough law is passed, allowing all U.N. citizens to own their own biometric data. All of a sudden, consent forms appear everywhere, and you are required to consent to the ownership of your personal data. Persons rejecting this deal would not be able to do business with any of the institutions required in daily life (banks, drivers licenses, etc). Nothing would change.
  • It strikes me that the more *personal* information that abounds in pure digital format, the easier it is to frame someone who is innocent, of whatever you would like.

    Unlike physical evidence... evidence based on biometric data can be introduced into the system AFTER the scanner itself. For example... as long as someone knows your iris or fingerprint, they could offer a digital file directly into the system, bypassing the sensor, that would make it look like you had used that system.

    It will be difficult for courts to find people innocent, if computers *record* your iris, fingerprint, etc... and show you accessed something illegally... even if there is no physical evidence.

    Guilt based on data is not a good solution to me.... and quite frankly scares me.

  • One thing that deeply concerns me is that fact that unlike an Email address, a physical address, or a P.O.Box, one cannot simply change one's retina, fingerprint, or DNA (well, maybe in the future, but not for some time).

    This means that once someone gets a hold of my biometric data, that there is nothing I can do but receive spam, sales calls, and god knows what else FOR THE REST OF MY LIFE!!!

    This obviously is not a good thing from whichever point of view one decides to look at it.

    So what is my proposed solution: Everyone I give my biometric data to has the right to use it for a specific purpose I have to agree to (i.e.: track my working hours and let me in into the building) and NOTHING ELSE. A law has to be passed and heavy fines should be given to those that break this simple rule.

    In other words, you use my data for ANYTHING and you have to prove that *I* gave you permission to use it for such specific purpose.
  • His magic box will steal your soul.

    --Blair
  • Someone else mentioned it, but I think it's worth another post. How does this differ from fingerprints? I'm not saying you should get over it because fingerprint information is already so common. I'm saying that we don't have to wait before biometric data becomes common enough to worry about. It has been a common means of identification for hundreds of years. It's only recently however, that the methods used to store, catalog, and compare fingerprints have advanced enough to make it a concern to large groups of normally law abiding citizens. So, let's put aside the "We'll deal with that when it gets here" attitude and let's discuss the problem that we have already.
  • Once you're no longer employed, they MUST toss it out. It makes no sense otherwise.

    And if I was running a bank or other enterprise that needed security, I wouldn't buy somebody else's assurance that the data in the ID file was REALLY the individual's unless I could trust them even more than my own eyes, ears, sense of smell and research.

    Okay, maybe AFIS system
  • A few years ago, someone where I worked had "photosensitive" glasses, that became dark when exposed to sunlight. His boss came in and noticed the glasses were dark. At 10:30 in the morning, this meant he had just come in from somewhere he shouldn't have gone to...
  • I know what you're thinking, biometrics CAN'T change. Well, mine are changing. Specifically my retinal scan. If you look into my posting history far enough, you'll learn that I have a retinal eye disease. As part of my disease, as the retina degenerates, the way it looks changes. As more areas get pigmented, I'd imagine that my retinal scan would be different.

    Now, at the moment, I can still drive. If I were to have gotten a retinal scan when my license was issued, and a cop pulls me over now, I don't know if my ID would match up to my retina. What happens then? Do I get ticketed for having a fake ID? Do I get charged with a felony? Do I get branded a terrorist? So perhaps, I have to go to court, and prove that I have Retinitis Pigmentosa. I don't mind having people know that, but some people don't want that information in the public record. What do people like me do in a situation like that?
  • Yes, I know that a lot of you seem to dislike the idea of unionism, but when employers start to pull this kind of crap wouldn't having the employees organised so that they can put pressure on employers to change policy (if they refuse to listen to common sense) be a good thing?
