Shostack + Friends Blog Archive

Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because almost a great many privacy invasive systems depend on either social security numbers, or government issued identity documents. It seems quite consistent to restrict how such documents can be used.

But your fingers aren’t government issued. So the same logic doesn’t apply. Now Government Computer News reports that “DHS shoves fingerprint tech forward:”

The Homeland Security Department is working with the departments of Defense and State, the FBI and the Commerce Department’s National Institute of Standards and Technology as well as technology vendors to develop a new generation of 10-finger “slap capture” units for fingerprint collection.

DHS pushing new generation of readers. A “10 finger slap reader” is a reader that’s designed to rapidly read fingers without a need to roll each one for a good read. The new technologies are also supposed to be AFIS compatible, which will be tricky.
The trouble with these five agencies coming together is that they create a predictable, profitable market to encourage R&D spending. Once that money has been spent, these systems will be put in place all over the place.

I’m opposed to driving down the cost or efficiency of bulk fingerprinting. It should remain an expensive process to discourage its use. The cleared, desensitized functionaires who are putting forth what they label a challenge are also putting forth subsidies for a future privacy invasion infrastructure. In many ways worse than that, they’re sending a clear message that “visitors are no longer welcomed, they’re made to feel like suspects in a criminal investigation.”

One question to ask is, what happens when everyone tries to do this and use fingerprints as authenticators? When the same authenticator is widely used, it becomes easy to steal. I know that many of my employment agreements have included security policies such as not re-using a password, Does anyone have contract forbidding re-exposure of biometrics? (I’d be happy to help someone create one.) What happens when all ten of your fingers have been claimed by companies whose terms of service forbid you from using that finger elsewhere? Will you be required by contract to resist fingerprinting after arrest?

(Thanks to GCN for the `neutral’ headline, and Alice Marshall for the pointer. Fingerprints by, of, Tow Zwierz, on Flickr. Click the image for the large version. [Updated: Sorry to misspell your name there Tow.)

Originally published by adam on 30 Dec 2005
Last modified on 30 Dec 2005
Categories:   ID Management   information security   privacy   Uncategorized