There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age”:
It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).
The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks the document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.
So first, I’m excited to see this. I think single-purpose credentials are important.
Second, I have a couple of technical questions.
- Why a fingerprint versus a photo? People are good at recognizing photos, and a photo is a less intrusive mechanism than a fingerprint. Is the security gain sufficient to justify that? What’s the quantified improvement in accuracy?
- Is NFC actually anonymous? It seems to me that NFC likely has a chip ID or something similar, meaning that the system is pseudonymous.
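To make the second question concrete, here is an added sketch (not code from touch2id or from the article) of why a fixed chip ID makes a nameless credential pseudonymous rather than anonymous. It assumes, as the question does, that each sticker reports a stable identifier to every reader; the log records, UIDs and venue names are constructed.

```python
from collections import defaultdict
import secrets

# Constructed reader logs (not real data): (venue, time, tag_uid).
# The records hold no name, date of birth or fingerprint.
READER_LOG = [
    ("bar_a",  "2010-05-01T21:04", "04a1b2c3d4e5f6"),
    ("club_b", "2010-05-01T23:40", "04a1b2c3d4e5f6"),
    ("bar_a",  "2010-05-02T20:15", "04ffee00112233"),
    ("club_c", "2010-05-08T22:10", "04a1b2c3d4e5f6"),
    ("bar_a",  "2010-05-08T21:30", "04ffee00112233"),
]


def link_visits(log):
    """Return {uid: [(time, venue), ...]} for every UID seen at 2+ venues."""
    sightings = defaultdict(list)
    for venue, when, uid in log:
        sightings[uid].append((when, venue))
    return {
        uid: sorted(seen)
        for uid, seen in sightings.items()
        if len({venue for _, venue in seen}) > 1
    }


def with_random_ids(log):
    """Model a tag that presents a fresh random identifier in each session
    (assumed mitigation; whether a given sticker supports it is not stated)."""
    return [(venue, when, secrets.token_hex(8)) for venue, when, _ in log]


if __name__ == "__main__":
    for uid, trail in link_visits(READER_LOG).items():
        print(uid, "->", trail)          # one holder's movements, no name needed
    print(link_visits(with_random_ids(READER_LOG)))  # nothing left to join on
```

The privacy review question for a deployment like this is therefore what the reader sees and logs before the date of birth is ever decrypted, not only what the enrolment system retains.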
I don’t mean to try to allow the best to be the enemy of the good. Not requiring ID for drinking is an excellent way to secure the ID system. See, for example, my BlackHat 2003 talk. But I think that support can be both rah-rah and a careful critique of what we’re building.
Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong:
Donors for allogeneic stem-cell transplantation are selected based on their HLA type (tissue type), and not on their blood type. Therefore, it is quite common that the donor and patient have different blood types. The blood type is determined by the red cells. After transplant and bone-marrow recovery the red cells will come from the donor and have the donor’s blood type. As an example, if the patient is blood type A, and the donor is blood type O, the patient after transplant will become blood type O. The long-term outcome of an allogeneic stem-cell transplant is affected only to a small degree by the blood types of the donor and recipient. If an ABO difference exists, the transplant itself may create some technical difficulties, but these can be easily overcome. Red-cell recovery may be delayed after such transplants, and the patient may need support with red-cell transfusions for a prolonged period of time. More importantly, the patient should be aware that the blood type has changed or will change, and that old blood type cards are no longer valid. IBMT will provide you with a laminated card that indicates that your blood type may have changed. After your bone-marrow function has fully recovered, you may receive red cells of your new blood type. During the transplant process, usually red cells of blood type O are used, since these can be used for any patient (universal donor).
(“Indiana Blood and Marrow Transplantation”)
The Seattle Cancer Care Alliance is the #1 by volume in the U.S. and does several thousand per year. So that means several people per day are having their blood type changed right here in Seattle.
Do your database and e-health record support updating your blood type record?
Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities.
My thesis at ITP is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to protect individual privacy for everyone.
What will these forms look like and how well will they integrate into our cultural expectations of body decoration while still being able to function as face detection blocking devices? How can hats, sunglasses, makeup, earrings, necklaces or other accessories be modified to become functional and decorative? These are the topics that I’ll be exploring in my thesis on CV Dazzle.
Very interesting stuff in Adam Harvey’s CV Dazzle Makeup blog posts. I think everyone will be wearing them in the future.
A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday…
During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South Korean broker who told her to purchase an air ticket for Aomori Airport.
The woman also was quoted as saying that the broker gave her the special tape with someone else’s fingerprints on, and that she slipped past the biometric recognition system by holding her taped index fingers over the scanner.
So reports the Yomiuri Shimbun, “S. Korean woman ‘tricked’ airport fingerprint scan.” The story doesn’t mention a name, but if anyone has more details, I’d love to know more.
[Update: DanT has some interesting speculation in the comments about both operational aspects of the entry being an inside job, and that the bureaucracy in question would re-assign the insider rather than prosecute.]
One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, whether through various cracking techniques or because you mistakenly entered it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This doesn’t help if you’re worried about spyware or a compromised server sharing your password, but it does help in many cases, and is the origin of many password change policies.
However, in cases where your finger is used to identify or authenticate you, it’s much harder to change your password. To date, we haven’t seen open market sales of biometric information captured by private sector companies like Disney or Seaworld, but Bob Sullivan identifies a case where a Disney “contractor [was] caught trying to sell Disney data:”
An employee who works for the company that processes Disney Movie Club transactions was caught trying to sell customer credit card information, Disney told its customers this week. The story echoes an incident revealed by Fidelity National Information Services earlier this month.
Now, we know about this because it was credit card data. If it was your fingerprints, you’d be entirely out of luck, and you wouldn’t even know it.
Photo: PartyPig’s password, on Flickr. I think he has a different title.
In “Walt Disney World: The Government’s Tomorrowland?” Karen Harmel and Laura Spadanuta discuss how Disney has moved from finger geometry (to constrain ticket re-sale) to fingerprinting their customers.
I think the most important bit about this is about the links between Disney and the government:
Former Disney employees have filled some of the most sensitive positions in the U.S. intelligence and security communities. Eric Haseltine left his post as executive vice president of research and development at Walt Disney Imagineering in 2002 to become associate director for research at the NSA, and he is now National Intelligence Director John Negroponte’s assistant director for science and technology.
In a comment to my previous article on the subject, (“Fingerprints at Disney: The Desensitization Imperative,”) Smurzin wrote:
I drove with the family from Connecticut only to find that they were taking fingerprints. I was reluctant to do so, until I remembered that I had the kids with me. If you live 1000 miles away and drive to Disney, you are kind of forced to enter the park and in turn give up your prints.
Tying these together, along with the scanning of ID at clubs, I’d like to ask: Is there a plan to use entertainment venues as beta sites for the invasion of our privacy? Is fun to be subordinated to permission? I hope not.
Photo credit: “Bug Juice” by Dulcelife.