Schneier on Security
A blog covering security and security technology.
May 23, 2005
Fingerprint Library Cards
Biometric library cards are coming to Naperville, Illinois.
On the one hand, the library is just storing a data string derived from the fingerprint, and not the fingerprint itself. But I have a hard time believing the second paragraph below.
Library Deputy Director Mark West said the system will be implemented over the summer beginning with a public education campaign in June. West said he is confident the public will embrace the technology once it learns its limitations.
The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police.
Nor do I have any faith in this sentence:
Officials promise to protect the confidentiality of the fingerprint records.
Posted on May 23, 2005 at 7:44 AM
In my opinion, there are two issues here: will they be able to maintain the security of the information they collect? And, more importantly, why do they need this information in the first place?
Let them protect the confidentiality. How effective their protection is is what counts in the long run.
@DevanJedi: imagine checking out and returning books just by sliding your fingerprint over a reader.
There was quite a bit of discussion on this over at Slashdot. As I pointed out there, it isn't necessary to take the hashes and reconstruct the fingerprint. The government (or other attackers) only needs to take the same algorithm and hash their existing fingerprint library. In fact, the search becomes much faster at that point, since the number of points being compared is probably much smaller than in a full-on print-to-print comparison.
@Axel, while I don't doubt the real reason behind this change is convenience rather than the stated security concerns, my guess is that the driving convenience is for the library. I can see this being combined with RFID tags on the books to provide self-checkout in a way that also helps limit unverified theft (i.e. someone who hasn't checked out a book walking out the door with it as opposed to someone not returning a book they checked out). If this was about convenience for the consumer, there's no reason to pretend that this is for "security" purposes.
@Otto: Indeed. I didn't mean to come across in a positive way - after all, to me fingerprinting people still has the feel of criminalizing them.
Your argument is correct - even if it's a one-way hash, with the given algorithm and, possibly, a bit of conversion any existing fingerprint data could be hashed and compared.
"There are going to be folks who come from...authoritative regimes who may not be comfortable with this," Caldwell-Stone said.
No kidding. They go to the trouble of moving half-way across the world just to land in a budding police state.
We're supposed to feel safer because they can't reconstruct our actual fingerprint--they're just hashing it! I'm reminded of frequency hopping spread spectrum technology... wait for it, I'm making a point :-)
When FHSS first came out, people considered it to be secure because RF transmitters using FHSS hopped from frequency to frequency in a pattern that was known to them, but, ostensibly, not known to an attacker. The flaw in the thinking was that FHSS hopping patterns are defined by the IEEE, and nearly all, if not all, FHSS transmitters use the standard IEEE hopping patterns. Same thing with this fingerprint hash: if the hashing algorithm is standard or widely used, then it doesn't matter if they can reconstruct your actual fingerprint. The hash is essentially equivalent!
I like to be very pragmatic about these issues. If this were my library, I would ask them to put an agreement in writing for me that if their system is hacked, or if they share my data with any organization that lacks a written right to search their DB, that they will pay me $1,000.
If they really believe their system is secure and will be properly handled, they should have no problem with this.
Oh, and I would suggest to all my friends that they do the same.
- Precision Blogger
@Precision Blogger: Good to know how cheaply I can buy your life. Granted, you are well above Bruce's estimate of "my DNA for a cheeseburger", but $1000 for the ability to impersonate you for anything that requires your fingerprints appears to be a really, REALLY good deal.
If it were me, I'd take the library, the home of the guy who thought this was a good idea, his dog, his car, his kids, all his money, and make him into my personal servant for the remainder of his life. The library MIGHT think twice with costs like this. $1000 is nothing.
I think the whole point is not whether it is possible to reconstruct the original fingerprint (probably not) or trace the data to a real person (most likely). The point is that the age of legal anonymous communication is behind us, and in the future, whenever someone utters an idea on some medium, his 1:1 identity will be attached.
It is very difficult today to transmit anything legally AND anonymously on the Internet. I think that if you wear a baseball cap to Kinko's you're still okay, but I suspect that won't last long. You can still make anon. calls from public pay phones, and you can still use the US postal service anonymously. When that's eliminated... you can always find an open hot-spot, but that is or will be illegal.
The only debate remaining is whether it is good or bad. My take on it is that it's bad. It hinders self-expression. One would like to say something that is not in line with the current regime, and would like to do it without fear of prosecution. One would like to voice an unpopular opinion without suffering the taunts of the majority. And real soon now it would not be possible.
And as far as law enforcement and terrorism? "When anonymity is outlawed, only outlaws will have anonymity", because they, who are not bound by the limits a lawful citizen places upon himself, can always steal someone's identity.
I live in Naperville, and I read this blog, so I felt compelled to comment.
First: I am a frequent patron of the Naperville public library system. It is one of the very best I have ever seen -- rivals most of the better college libraries for convenience, staff knowledge, and selection (for non-academic specific materials). On all things but their computer policy am I a big fan.
Second: To my knowledge fingerprint use is only for computer use -- although I am unsure whether everyone is being asked to get fingerprinted cards (it wouldn't surprise me).
Third: Their computer policy is already somewhat draconian, requiring you (starting about a year or two ago) to register at the desk with ID for any public computer use. I simply don't use them anymore (which is a shame, because combining google and/or amazon searches with catalog searches was a great way to find the right book). Catalogue computers, BTW, are not on the same network, and do not (as of now at least) require ID checks.
My overall impression is that they mean well, but like soooo many others, they believe that safety can be accomplished through rules -- even though those whom they fear are perceived as criminals anyway. In their fear (remember we must protect the children!), they erode their own (and their children's) rights, thinking this will provide security. Ironically, almost the entire computer-using group seems to be teenagers now that they have enacted ID checking -- so this means they will be fingerprinting their own children -- as if taking away what little privacy children have these days makes them safer.
Ahh, well. I will follow this story intently. I plan to find out if there is any kind of organized opposition and see if I can't help out.
Does this imply that the grandkids cannot return gramp's books if he's a little ill?
"The stored numeric data cannot be used to reconstruct a fingerprint, West said, nor can it be cross-referenced with other fingerprint databases such as those kept by the FBI or the Illinois State Police."
So, there is not enough stored info to reconstruct it, but just enough to differentiate the person's fingerprint from someone else's? How's that not useful for, let's say, the Police or Government? And they adjust their system to import the data from these ID cards just as easily.
Why didn't they opt for the key option? Use your simplified fingerprint as the key, not stored on the ID card.
A password or seed for some smart encrypt/decrypt system, or a one-way hash.
"Officials promise to protect the confidentiality of the fingerprint records"
Ah, well this is a classic.
They build a new database. Try to protect it, but forget their network is connected to the internet... More importantly, who is authorised to access and maintain the data within the libraries? The local employee?
The trouble with these biometric systems is, once your fingerprint gets compromised (stolen, like from a glass, I use my imagination), the fingerprint owner is in a lot of trouble because he/she can't change it.
Any system based on a simple fingerprint system is then compromised also, because it fails to ID the right person with the used fingerprint.
But when the passport comes out with biometrics on it, will this discussion then end? It's just a matter of time before these things are introduced.
"The only way to verify this is to look at the source code from the applied software (it's OpenSource, right?)."
"There was quite a bit of discussion on this over at Slashdot. ... print-to-print comparison.
Posted by: Otto at May 23, 2005 08:45 AM"
I fully agree with you.
How about a lawsuit to require the library to post a bond to cover potential liabilities? Figure $100,000 potential damages per patron, times their customer base ...
I liked this observation in the article:
"During the investigation of the incident, library officials discovered that many patrons logged onto library computers using library cards and passwords of friends or relatives."
This does not clearly necessitate moving to biometrics. Granted, friends/relatives using someone's library card is not ideal, but it did not impede the investigation that raised the issue of stronger authentication in the first place.
Quite the contrary, tamper-proof and non-duplicable access "cards" would serve virtually the same purpose as the biometric system without introducing any form of more serious identity risk/liability to the users.
From a simple economics standpoint I think the locals should seriously revisit whether they prefer "a $40,646 contract with a local company...to install fingerprint scanners on 130 computers" versus a small per-user fee for a more sophisticated access card. For example, the computers probably already have a USB port and USB keys could be issued to users for only a few dollars each. Again, the key could be loaned to a friend/relative, but this should be explicitly forbidden (e.g. if you are caught loaning your key you will be fined or lose privileges) and should not seriously handicap an investigation.
My guess is that if you asked library patrons "$40K of the library budget to fingerprint scanners or a user-fee of $2 for a computer access key?" virtually 100% would choose the latter.
Introducing biometrics carries an unnecessary risk, as many have pointed out above, that should have been found to be excessive compared to a modest change to the sophistication of access/authentication keys and monitoring/revocation.
Bruce, seeding the Name field with "Anonymous" seems to have some odd consequences. I just had it replace my Name on the last post when I navigated back and then forward on the blog...anyway, the last comment was from me.
So, from the patrons' perspective, this is security through obscurity. Once the algorithm is divulged it will be possible to reconstruct the hash and do matches.
"Does this imply that the grandkids cannot return gramp's books if he's a little ill?"
Please. In every library I've ever been in (not to mention video rental stores, e.g.), anyone can return anything, no questions asked.
To me it seems most people generally don't care about their identity or their personal information and are happy to give it away for convenience or just a little monetary gain (shopping cards that give you discounts are a good example of this). In this case you can obviously choose not to use any of their services, but the problem is, when majority of people are happy to give their information away you start seeing things like this everywhere. And when it's everywhere it's pretty hard to avoid.
I would like to see the statistics that prove a) they have an incredible problem with theft of borrowed books and need to crack down, and b) library patrons are overwhelmingly terrorists or criminals.
"Reconstructing" a fingerprint from a hash is a matter of semantics, so for me how they store it isn't as important as why they truly feel the need to store it in the first place and how it is being stored.
@ Marc de Wit
"The trouble with these biometric systems is, once your fingerprint gets compromised (stolen, like from a glass, I use my imagination), the fingerprint owner is in a lot of trouble because he/she can't change it."
If only the hash is compromised, it will only allow impersonation on systems that use the same hashing algorithm. I haven't read the article (requires registration) but I doubt it gives us enough information to know how much of a problem this is.
(In the following, client is the machine with the scanning hardware.)
Scenario 1: Scanner scans full print and sends it to server, which hashes it. Full fingerprint can be obtained by compromising the client or server.
Scenario 2: Scanner scans print, client hashes it, sends to server. Attacker needs to compromise client.
Scenario 3: Scanner hashes the print before sending it to client. Attacker needs to compromise scanner.
What if only the hash can be obtained by an attacker?
Scenario A: Other systems use the same algorithm, so the patron can be impersonated.
Scenario B: The hash algorithm uses a key, unique to the library. Any other similar system will use a different key, such that the library's fingerprint hash is not useful to calculate the fingerprint hash for another system. This only allows matching, and only by someone who has full unhashed fingerprints available, and the library's key (e.g. FBI.) An attacker might be able to take out library books in your name, however.
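The Scenario A versus Scenario B contrast above, as an added example that is not part of the original thread: an unkeyed public hash of a fingerprint template can be cross-referenced by anyone who hashes another print collection with the same algorithm, while a per-site keyed hash (HMAC) only matches for whoever holds that site's key. It assumes a constructed, deterministic "template" (a sorted list of minutiae points), which real extractors do not guarantee.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real prints): a template is modelled as a
# canonical, sorted tuple of (x, y, angle) minutiae points. Real minutiae
# extraction is not deterministic, so this is a deliberate simplification.
PATRONS = {
    "alice": [(12, 40, 90), (55, 63, 15), (80, 21, 270)],
    "bob": [(30, 30, 45), (70, 10, 180), (44, 90, 0)],
}


def canonical_template(minutiae):
    """Serialize a set of minutiae into a fixed byte string."""
    pts = sorted(set(minutiae))
    return ",".join(f"{x}:{y}:{a}" for x, y, a in pts).encode()


def unkeyed_hash(template):
    """Scenario A: the same public algorithm is used everywhere."""
    return hashlib.sha256(template).hexdigest()


def keyed_hash(template, site_key):
    """Scenario B: HMAC with a key unique to this site."""
    return hmac.new(site_key, template, hashlib.sha256).hexdigest()


def build_db(hash_fn):
    """What the library stores: digest -> patron, never the template."""
    return {hash_fn(canonical_template(m)): name for name, m in PATRONS.items()}


def cross_reference(stored_db, external_prints, hash_fn):
    """Attempt to link an external print collection to the stored digests
    by hashing each external print and looking the digest up."""
    hits = {}
    for ext_name, minutiae in external_prints.items():
        digest = hash_fn(canonical_template(minutiae))
        if digest in stored_db:
            hits[ext_name] = stored_db[digest]
    return hits


def demo():
    """Return the linking results for both scenarios."""
    # Constructed external collection: one record is alice's print, one is not.
    external = {"record-1": PATRONS["alice"], "record-2": [(1, 1, 1)]}

    # Scenario A: anyone with the same algorithm can link records.
    db_a = build_db(unkeyed_hash)
    hits_a = cross_reference(db_a, external, unkeyed_hash)

    # Scenario B: the library's key is secret; another site has its own key.
    library_key = secrets.token_bytes(32)
    other_key = secrets.token_bytes(32)
    db_b = build_db(lambda t: keyed_hash(t, library_key))
    hits_b_other_key = cross_reference(
        db_b, external, lambda t: keyed_hash(t, other_key))
    hits_b_library_key = cross_reference(
        db_b, external, lambda t: keyed_hash(t, library_key))

    return {
        "unkeyed": hits_a,                     # {'record-1': 'alice'}
        "keyed_without_key": hits_b_other_key,  # {}
        "keyed_with_key": hits_b_library_key,   # {'record-1': 'alice'}
    }


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(f"{scenario}: {hits}")
```

Note that in Scenario B the digest itself is still a credential wherever the server compares stored digests directly, which is why the comment above says an attacker holding the library's hash could still impersonate a patron at the library.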
Some reports here do not match the evidence in the article:
- the fingerprints are only for computer use, and the article suggests they will not be on the library card.
- the fingerprints will not be mandatory. People who do not wish to use fingerprints will be able to get a staff member to log them on to the computer they want to use.
- the initiative was made in response to a specific criminal incident of the sort you would not want your children exposed to, plus the discovery in the subsequent investigation that the existing system was inadequate at ensuring child Internet access was restricted where this had been requested by parents.
- the initiative is an attempt to match the person to the library id. None of the alternative methods of doing this suggested elsewhere in comments here come anywhere near being effective in this regard. The library management probably wanted to avoid the need for excessively intrusive photo ids and id checks on entry.
This use of fingerprinting is not new - the Buffalo-Erie library system in New York state uses it. Again, it is optional.
With a bit of careful reading of the report and what library management are saying, it becomes evident that the security implications are less scary than all the hot air would suggest. Remember, scare-mongering obscures the real security issues.
Yep, the system replaced my tag grahamc with "Anonymous" on my recent post to the Fingerprint Library Cards thread re reports not matching evidence in the article. Now wouldn't it be nice if the system had some means of automatically tying the person to the id :-)
Another article on this topic (no registration required) can be viewed at http://www.libraryjournal.com/article/CA603047?...
Library Internet terminals are useful for anonymous browsing, even if there is a paper sign-up sheet. However, anything that ties a session to a particular identity (i.e. requiring a library card) can weaken this anonymity. This is true even if Internet browsing habits will supposedly not be tracked.
Knowing the details of the system might be useful (those in charge might well refuse on the basis of "security through obscurity.")
"However, anything that ties a session to a particular identity (i.e. requiring a library card) can weaken this anonymity."
The library probably thinks Internet cafes are the place to go for anonymous login. The library would probably like to provide anonymous access but then runs into the problems documented in the (quite reasoned and factual) libraryjournal.com article.
Davi and grahamc, I couldn't duplicate the problem with the name field reverting to anonymous, even after I first made an anonymous test post. Maybe you're being bitten by an autofill feature in your browsers?
Problem is caused by forgetting to make sure the name is entered in the name field. Typically I start entering a post, click preview to check it, then (stupidly) click the back button to return to where I was, instead of just continuing to edit on the same page. Going back returns me to the page with the comments still intact, but clears the name field, so unless I notice, it stays empty and defaults to anonymous.
This is clearly a case of pilot error. I did not mean to imply the site was at fault. It would be nice if it either did not clear the name field, or it cleared both the name and the comments fields to be consistent.... but it would also be nice if I followed sensible practice and didn't use the back button :-)
"Maybe you're being bitten by an autofill feature in your browsers?"
Yes, you are probably right. Pilot error with browser "assistance".
Of course, this could all be fixed if we just started requiring a retinal scan to read the blog.
The article says: " Last May, when Naperville police demanded the account information of a man who had fondled himself in front of teenagers while viewing pornography in the computer lab at Nichols Library, the library refused to release the information without a subpoena, citing the Illinois Library Records Confidentiality Act. Naperville police obtained the subpoena and later arrested Richard Blaszak, 35, of Naperville."
There is absolutely no justification of what problem they need to solve with fingerprints. The interesting thing will be how many residents will voluntarily accept getting fingerprinted. If, as promised, those who refuse won't have any disadvantages, then let's hope the whole story will amount to no more than lost money for the library, which is a pity but will teach them a lesson. If, on the other hand, people queue up to get fingerprinted... well, they'll only have themselves to blame.
@Anonymous (Posted by: Anonymous at May 23, 2005 05:08 PM)
Indeed, hashes are always the weak spot. But that leaves current ID systems with little alternative than to upgrade to bigger hashes.
But that doesn't solve the problem.
About uniqueness of systems. Most systems are compromised not by attacking them directly, but by some sideways approach like an employee of the library or of the software vendor.
The trouble is the consequences. Although we have only a tiny amount of information to speculate about, the problem remains. What will happen when someone's fingerprint is stolen? Did they really think about this possibility? I don't know, but am curious to find out because politicians these days also use biometrics as a buzzword. Do they know the consequences?
@Marc de Wit (Posted by: Marc de Wit at May 24, 2005 02:35 AM)
"What will happen when someone's fingerprint is stolen?"
They are not going to store the fingerprint, so the risk of theft appears to be low.
From the text of the article, the Fingerprint ID system seems to be a "kneejerk" reaction to an incident. However, it is not clear that this solution will actually solve the problem.
The incident described had an individual being indecent while viewing pornography on a computer. As a result, they decide to "lock down" the computers with a Fingerprint ID so the "next time" this happens, they can (more easily?) identify the individual, or to perhaps create a stronger deterrent preventing a similar incident since they have a better way to "know who you are".
What's to prevent this person (or another individual) from being indecent while viewing pornographic books or magazines at the same library? Seems that to truly prevent a similar incident, the Library should require Fingerprint ID to gain access to the Library. This way everyone in the Library will be absolutely identified.
Unless the Library doesn't have a pornographic book/magazine section (I don't recall ever seeing a section on pornography in our local library, although I haven't looked). If the library doesn't have pornographic books/magazines for general viewing, why would they allow viewing this type of content through their computers? If this is the case, it seems their money could be better spent purchasing a good Internet content filter for their computers.
Another thought that comes to mind with the Fingerprint ID system to access the Library's computers, is that of profiling. At our local library, while a general cross-section of the community use the library resources, those that tend to use the library computers are typically the less fortunate in our community that can't afford a computer, specific software (i.e. office), and/or high speed Internet access at their homes. So will this Library be creating a Fingerprint ID system, and ultimately a database, of only the less fortunate in their community?
Regarding the risk v. reward questions, there are a number of risks here, the biggest ones being Constitutional (i.e. police access to library data) and personal (attacker capturing my fingerprint and assuming my identity). There are others, such as the sufficiency of using only 15 data points for uniquely identifying people, but I'll ignore those for now.
On the Constitutional side, I believe that history shows us that the police will use the library fingerprint database, and feel justified in such use. Once such a database is created, all it will take is a high-profile crime to occur that could have been solved/prevented with police access to the library data, and the scared citizenry will be clamoring for changes with cries of "Somebody think of the children". Given that the police and libraries are both organizations within the same government, it takes no imagination to think that the police fingerprint system stands a chance of being run by the same people who run the library system, thus making non-legislated use by, how shall I say, ambitious officers easier to accomplish. I can see at least two potential outcomes of this: whole-scale comparison of both criminal and library records in every investigation (violation of Fourth Amendment protection against improper search and seizure) and library censorship of internet access for certain classes of people (i.e. limiting access for convicted felons, particularly sex offenders, and possibly profiling patrons, preventing foreign-looking people from accessing "radical" websites).
On the ID theft side, there are a number of potential attacks, such as replacing the fingerprint reader with a hacked one, inserting a dongle between the reader and the computer, copying the latent fingerprint from the reader glass to create a gummibear proxy, and using insider attacks on the hash database (i.e. getting a job at the library and/or paying off the library staff). As long as such a system exists, the library will be a target for such attacks, and the pressures will only intensify over time as biometrics use becomes more widespread. Given how underfunded most libraries are, such databases will be the low-hanging fruit of the ID theft world.
What are the rewards? Perceived convenience and perceived security. Initially, there may be more convenience, but the upkeep necessary to protect the database will become very expensive for the reasons listed above. There's been ample discussion here regarding the actual security provided, so I won't rehash it.
So, the risks are large, both to the patrons as individuals and to society, and the actual rewards are small, if any. It seems a shame that the library staff from Naperville doesn't read Bruce's blog. They might actually be able to achieve a clue.
@rcme: having worked with library IS staff in the past, I can tell you that they are very leery of making any decisions about who can use what portions of their services. While all libraries make decisions about what books they will and will not provide (hence the lack of a porno section), most librarians I've talked with try very hard to avoid getting into the position of saying that only certain classes of patrons may access certain classes of books. They try to apply the same logic to the Internet access: the service is there, warts and all, and all valid library patrons should be allowed the same access. Of course, minors are exempted from the equal access questions across the board, but usually by parental decision.
@Anonymous (Posted by: Anonymous at May 23, 2005 05:08 PM)
"An attacker might be able to take out library books in your name, however."
No - the article states the library is not using it for books loans, they are only using it for access to computers.
@Otto (Posted by: Otto at May 24, 2005 09:16 AM)
"It seems a shame that the library staff from Naperville doesn't read Bruce's blog. They might actually be able to achieve a clue."
In fact in 1999 Bruce said in http://www.schneier.com/essay-019.html: "They [biometrics] are useful as a replacement for a PIN, or a replacement for a signature (which is also a biometric). They can sometimes be used as passwords: a user can't choose a weak biometric in the same way they choose a weak password."
Looking at the library fingerprint article, the library is using biometrics to try and reduce the incidence of minors using fake library id to use the computers. So it appears that they might in fact have read what Bruce has said in the past and taken it at face value. Heaven forbid we should read Bruce's writings and take his advice!
Otto also said "Of course, minors are exempted from the equal access questions across the board, but usually by parental decision.".
Exactly. The library did it because of the discovery of "card and password misuse" (libraryjournal.com article above) and the concern that minor's access would not be filtered in the way they parents wished if they used fake library id.
In this context, an awful lot of the analysis in almost all the comments in this thread just does not apply to the reported situation. Many conclusions are being jumped to, such as that it was in response to a sex crime - it wasn't, it was in response to card and password misuse they subsequently found. It is being imposed on all - it isn't. It is being used to control book loans - it isn't. It is simply being used as "a unique hard-to-forge identifier" (Bruce again at http://www.schneier.com/essay-019.html).
They could have used photo id, which would not have even rated a mention here (but gee, what if someone used their mobile phone camera to steal an identity by taking a photo of a library user and their id card....), but they didn't, they used a HASH derived from a fingerprint, not even the fingerprint itself, so we have lots of analysis of incredibly obscure threats of attack on an access control system in a suburban public library, for heaven's sake, all based on a misreading of the facts. Hmm, come to think of it, that photo id identity theft method sounds quite promising, a lot more likely than an attacker tapping the wires of the fingerprint reader.
Security analysis cannot deliver sound security conclusions if it is based on incorrect assumptions.
@grahamc: The major difference I see between the photo ID and the fingerprint hashing is that the fingerprint solution requires a computer database of the hashes, the photo ID does not. Comparing fingerprints is a complicated task that most people are not qualified to do. Comparing the face of a card holder to the photo on the card, however, is well within the capabilities of most people.
Of course, this whole discussion was started with an attempt to use technology (computer-based authentication systems) to deal with a meat-world issue (improper use of computer systems). There are still ways that a kid could get around the system, such as having an older/authorized friend log in and then take over the session. From this respect, photo IDs would be better, because it would allow the library staff to compare the picture of who logged in to the computer to the face of the person sitting at the terminal.
To be honest, the ID theft aspect of the fingerprint system doesn't strike me as being as big of a threat as that of a government agency holding a database of fingerprints of normal citizens, particularly since the citizens most likely to have to interface with the system are kids. The fingerprint system is an expensive tool that has ramifications well beyond the library and won't actually fix the "problem" that supposedly existed. Remember, this was all brought about by an adult who had properly signed in with his own credentials and did something wrong. When the police provided the proper request (i.e. the subpoena for the records), the library provided the information, and the guy was caught.
This "solution" strikes me much the same as the requirement to provide a photo ID to fly on an airplane. That change was implemented under the guise of protecting us from terrorists (which it didn't) but actually had the effect of cementing the airline's stranglehold on their cash stream. Once the fingerprint system is implemented for the computer access and people are used to it, I have no doubt in my mind that the library will expand the use of such a successful program to allow the "convenience" of self-checkout via fingerprints and unique RFID tags in the books.
This solution is a waste of government money since it doesn't solve the problem it claims to address. It is a threat to the liberties of the residents of Naperville since it can so easily be abused by the police, well meaning or otherwise. It is a problem for the rest of us in the US because it serves to indoctrinate people into thinking that the government collecting uniquely identifiable data on law-abiding citizens is not only acceptable, but commonplace.
@Otto (Posted by: Otto at May 25, 2005 10:35 AM)
"fingerprint solution requires a computer database of the hashes, the photo ID does not."
All photo ID solutions I have seen in at least the last 5 years store the photo in a database as part of the ID record. Not a hash, the full photo.
"photo IDs would be better, because it would allow the library staff to compare the picture of who logged in to the computer to the face of the person sitting at the terminal."
But it requires library staff to spend their time checking ID instead of managing the library. Bruce has often written of the idiocy of having half-trained people blindly check IDs - it doesn't work. In practice, the fingerprint solution has a higher probability of successfully checking ID.
"Remember, this was all brought about by an adult who had properly signed in with his own credentials and did something wrong."
No, it was directly brought about by what they discovered about id and password misuse subsequent to the criminal incident.
"it doesn't solve the problem it claims to address."
I don't see any proof of this. I see a high probability that it will solve the problem it claims to address, certainly higher than any alternatives proposed here.
"having an older/authorized friend log in and then take over the session. "
I agree, but all other methods proposed here suffer from the same deficiency, so it is not a deficiency of the fingerprint proposal.
@Otto (Posted by: Otto at May 25, 2005 10:35 AM)
"It is a problem for the rest of us in the US because it serves to indoctrinate people into thinking that the government collecting uniquely-identifiable data on law-abiding citizens is not only acceptable, but commonplace."
I agree with the sentiment, certainly, but I still worry about the logic. The government has been collecting biometric data for centuries in the form of signatures. Photos have been collected for a century or more, and digitised signatures and photos for some years. Signature and photo recognition software is not new, so they can already mix and match any way they want.
I could see some point in, for example, trying to add biometric data protection for ALL forms of biometric data to the Bill of Rights, but worrying about one form only when the world is already awash with biometric data...?
The threat of inverting the hash by hashing an existing database is probably not as great as you might think, as different statistics govern the two biometric problems "identify" vs. "authenticate". When trying to identify someone through biometrics, you will be searching against millions of records (450 million individual prints, in the case of the FBI), so your FAR (false acceptance rate) must be lower than parts in a BILLION. On the other hand, for authentication, your FAR is governed by the risk of system compromise you are willing to accept. In the library's application, the reward for fooling the system is small, and a failure holds a fair risk of getting caught, so a FAR on the order of 1% would probably be acceptable (and is typical for fingerprint readers that are good quality but not top-of-the-line). With a FAR like that, hashing the FBI database would generate around 5 million false positives for every test!
Having said that, I still think this is a dumb idea. In fact it looks like yet another example of a biometrics company, still desperately searching for the "biometrics boom", foisting an inappropriate solution on managers who are not equipped to evaluate the proposal and are instead dazzled by the industry's promotional literature. Let's look at the problem domain:
"Restrict internet access based on whether a library user is a minor"
(Notice that the amount of information required about the patron is 1 bit: "is user a minor?".) Proposed solution:
"Spend $46,000 on a biometric ID system that uniquely identifies the patrons, and cross-references against a database that records which persons should be restricted as minors, then logs them into a captive gateway or similar with an appropriate ruleset. Having gone to the trouble of collecting far too much information, we then implement a clever system to degrade it down to a safer level, although we still end up with far more than is actually required."
Hmm, how about my alternative solution:
"Spend about $500 paying someone to set up an open source captive gateway and a script which generates one-time 6 digit passes, adds them to a db and prints them out on a receipt printer. There are two types of passes, clearly labelled: 'Adult' and 'Minor'. Librarians hand them out as required, taking about 1 second per transaction. (You'll also need a small point-of-sale receipt printer, c. $190, but you probably have one already)."
"On the Constitutional side, I believe that history shows us that the police will use the library fingerprint database, and feel justified in such use."
The problem with using fingerprints as a biometric for libraries (or schools) is that, because fingerprints are left behind at crime scenes, the police naturally have an interest in any fingerprint databases they can find. Imagine the police wanting to interview you about your knowledge of a particular crime that occurred at a restaurant an hour after you dined there and left your fingerprints on your wine glass. Scenarios like this could become commonplace if libraries start fingerprinting their patrons, and the police can get access to the library's fingerprint database.
If libraries (and schools) insist on using biometrics for whatever reason, let them use a biometric that is not associated with criminal activity. Iris scans are not left at crime scenes, so it would seem that the police should have minimal interest in accessing a database of iris scans.
"Imagine the police wanting to interview you about your knowledge of a particular crime that occurred at a restaurant an hour after you dined there and left your fingerprints on your wine glass."
And what is the harm in that? You could very well have seen the face of the perpetrator(s). Are you implying that assisting the authorities in solving a crime is something that should be avoided?
I'm wondering if Bill (the gentleman from Naperville) or anyone else in Naperville has written to the local papers? A short letter to the editor explaining that the second paragraph that Bruce highlighted is false might go a long way to getting the discussion started.
This article is nice. I'm totally against fingerprinting "anyone" not of the age of consent unless they are under arrest or something. People fail to realize that if you have DNA, SSN, fingerprint, first name, last name, date of birth, you pretty much own all of that person's information for the rest of their lives. The library takes care of that in one swoop.
Fingerprints are public; anyone can get your fingerprint. Take a glass with your hand, and your fingers are there.
There are many ways to transform your fingerprint from the glass into a digital image.
So, if your fingerprints are public, the trick is to combine biometrics with something else.
And now for the paranoid among you, there is a report at http://www.thepost.ie/post/pages/p/... about a school in Ireland that is introducing a very similar fingerprint-based system to save the teacher the chore of checking who is in class and who isn't.
Like the library, the system stores a hash of the fingerprint, not the fingerprint itself. Securityfocus (http://www.securityfocus.com/news/11281?ref=rss) has doubts about the software vendor's claims. Funny that.
No doubt there will be suggestions for alternatives involving teachers printing out stickers to put on students' foreheads...
Many of the postings on this subject discuss "hashing" the biometric. That is not what the article says, and security folks often presume biometrics systems are more advanced than they are. The article says the data cannot be used to reconstruct the fingerprint. This obscure phrasing is common among biometric vendors. It almost certainly means it is using fingerprint minutiae, i.e. the critical features. This is the core representation used in AFIS and many other fingerprint matching systems (matching images is too slow). These minutiae cannot be used to uniquely reconstruct the original fingerprint, though infinitely many consistent fingerprints can be generated, any one of which would match the original in a minutiae-based matcher.
In general you cannot hash biometrics because the natural variations mean they are not exactly alike and a traditional hash would take the minor variations and make them impossible to match. My research team at work at U. Colorado at Colorado Springs is developing revocable fingerprint transforms, but they won't be in commercial products until the fall.
The library spokesman was probably just repeating the line passed on from the vendor, intended to make people feel it's more private and/or safer. Minutiae-based templates can be easily reused by the government, and there is an official interchange standard (M1) to help ensure systems can share and inter-operate on these forms. Cross-system exchange tests are currently being done at NIST, to ensure one company's templates work well in other people's matching.
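The comment above makes two points worth seeing in code: a cryptographic hash of a biometric is useless for matching, because two scans of the same finger never produce identical data, while a minutiae template matches within a tolerance and is therefore just as reusable by any other minutiae-based system. The following is an added illustration, not code from the blog or from any commenter; the templates are constructed toy data and the greedy matcher is a hypothetical simplification (a real matcher also aligns for rotation and translation).

```python
import hashlib
import json
import math

# Constructed toy minutiae templates: (x, y, ridge angle in degrees) per feature.
ENROLLED = [(12, 40, 30), (55, 18, 95), (33, 72, 160), (80, 64, 250), (21, 90, 300)]
# Second scan of the same finger: every point jittered by a pixel or two (constructed).
PROBE_SAME = [(13, 41, 33), (54, 19, 92), (34, 71, 158), (81, 63, 252), (20, 91, 298)]
# A different finger (constructed).
PROBE_OTHER = [(5, 5, 10), (60, 60, 180), (90, 10, 45), (10, 85, 270), (47, 33, 120)]


def crypto_hash(template):
    """Hash a template the way a password is hashed: any change breaks the match."""
    return hashlib.sha256(json.dumps(template).encode()).hexdigest()


def minutiae_score(enrolled, probe, pos_tol=4.0, ang_tol=10.0):
    """Fraction of enrolled minutiae that have a probe minutia within tolerance.

    Greedy one-to-one pairing: each enrolled point consumes at most one probe
    point, so a probe cannot score by stacking several hits on one feature.
    """
    unused = list(probe)
    matched = 0
    for (x, y, a) in enrolled:
        for cand in unused:
            cx, cy, ca = cand
            dist = math.hypot(x - cx, y - cy)
            dang = abs((a - ca + 180) % 360 - 180)  # wrap-around angle difference
            if dist <= pos_tol and dang <= ang_tol:
                matched += 1
                unused.remove(cand)
                break
    return matched / len(enrolled)


def matches(enrolled, probe, threshold=0.6):
    """Accept when enough minutiae line up; the threshold sets the FAR/FRR trade-off."""
    return minutiae_score(enrolled, probe) >= threshold


if __name__ == "__main__":
    print("hash equal:", crypto_hash(ENROLLED) == crypto_hash(PROBE_SAME))   # False
    print("same finger:", matches(ENROLLED, PROBE_SAME))                      # True
    print("other finger:", matches(ENROLLED, PROBE_OTHER))                    # False
```

The same template, compared with the same tolerance logic, would match in any other minutiae-based system, which is why "cannot reconstruct the fingerprint" says nothing about whether the stored data can be cross-referenced.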
You think that's bad? In a Brisbane, Australia high school, kids can't borrow books unless they get fingerprinted. It boggles the mind, but it's been that way for years - and no one apparently on the PTA (P&C in Oz) or anywhere else seems to see this as a problem.
Schools in the UK are fingerprinting elementary-grade kids. Check out this blog.
Check out the quote from a national newspaper relating to this:
"A primary school headmaster has outraged parents after he tricked his pupils into recording their fingerprints by telling them they were playing spies. Children were persuaded to give their prints after being told by Mark Woodburn that it was 'just a game...so there's no need to tell your parents'"
Also, a local council had on its website advice on fingerprinting young children. It contained this gem:
"You may need to guide the thumb to the scanner"
How chilling does *that* sound?!
Given the enthusiasm shown by politicians, police and schools for obtaining biometric data on others, shouldn't we start with them? Let's begin with a database of the DNA of all the politicians and police. After all, what do they have to hide...?
Seems like headteachers have in many cases treated parents like Luddites where they have expressed concern.
There was a story in the UK a couple of years back about a guy who got arrested (and released without charge), but they kept his fingerprints on file. They then ran them against a database later on and found they matched some fingerprints that'd been found on some stolen post. He was arrested (again) and advised to accept a caution. He refused. Turns out the letters that had his fingerprints on them were Christmas cards his mother had asked him to post!! Police work at its best.
When you actually think about the implications of all this, isn't letting a bureaucracy take your five-year-old's fingerprints a failure of your parental duty?
Apparently the fingerprint campaigners in the UK approached "Liberty" (a civil rights organization) for help, but they were (characteristically) impotent. Wish we had the ACLU in the UK. I'm sure they'd have fun with this one.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.