FBI Building Biometrics Database

The FBI is building a vast biometrics database.

Given its track record, does anyone believe for a minute that his or her biometrics information will be secure in this database?

Posted on December 28, 2007 at 1:31 PM • 22 Comments

Comments

John W • December 28, 2007 2:05 PM

No. And unfortunately if compromised, it can be used to attack many private systems that use the same biometrics.

I've been one of the few who defends our government from time to time against what I often believe are misguided accusations. So hopefully that gives me some credibility--as I have no ill intent towards our leadership--when I say this will likely have some disastrous consequences.

Not a good move.

Tangerine Blue • December 28, 2007 2:08 PM

Database security is a concern, but I'm more worried about my physical security.

I'd hate to hear that the FBI "found" my fingerprints on some murder weapon after I showed up at a Bush speech wearing a "Let there be peace on Earth" t-shirt.

Tangerine Blue • December 28, 2007 2:22 PM

@John W.
> what I often believe are misguided
> accusations. So hopefully that gives
> me some credibility

Bummer, now you make me look like a paranoid tin-foil hatter.

But just because I'm paranoid doesn't mean this could never happen. Someday I might really become a pacifist.

Geoff W • December 28, 2007 2:23 PM

I watched the testimony in front of the Senate Judiciary regarding REAL ID. Some very good comments were made.

Probably a good time to revisit that...

I think the link to the video is here =>

rtsp://video.c-span.org/project/ter/ter050807_realid.rm

John W • December 28, 2007 2:30 PM

@Tangerine Blue: Bummer. Pre-emptive strike. Now I look like a paranoid tin-foil hatter.

But just because I'm paranoid doesn't mean this could never happen. Someday I might really become a pacifist.
___________

Not really my point, but I'll respond. I wasn't trying to say that people who criticize the government are always wrong. What I was saying was that since I defend them against what I think are unfair accusations quite a bit, that my concerns are not coming from someone who just has knee jerk complaints.

Basically, my point is that some people cry wolf so many times that when they are right, they aren't heard. There are a couple people here that insult me frequently and attribute motives to me that aren't true, and it gets so old that I don't even bother reading their posts anymore. Contrast that with someone who dialogues with me respectfully--when they say "you know, John, that was off base, rude, and/or wrong because..." then they have more credibility with me because I know it isn't just knee-jerk disdain.

Best wishes in the new year.

derf • December 28, 2007 2:37 PM

If the FBI doesn't do it, NSA, CIA, DHS, ATF, or any of the other security minded federal agencies will do (have already done) it.

Accept that the government already has your data. The IRS gets all of your personal info every year. Labor currently gets all personal data for new hires. When you apply for state licenses, state social services organizations send your personal data to the feds to check for "deadbeat dad's" information.

Since the government is typically the last bastion for the inept, you can also expect that your data has already been compromised. Just look at the UK's and US VA's embarrassing data losses as precursors to what we'll find out about going forward.

Happy New Year.

-ac- • December 28, 2007 2:46 PM

> does anyone believe for a minute that his or her biometrics information will be secure in this database?
Secured from what?

This is a lot different from a biometric access system where the biometric data is stored in the ID badge, compared with scanned fingerprint. Once the biometrics data are captured, it would only require a stroke of a pen after a large national attack/disaster to release the "secured" data into the wild.

From the article: >To achieve those rates, the German police agency said it would tolerate a false positive rate of 0.1 percent, or the erroneous identification of 23 people a day. In real life, those 23 people would be subjected to further screening measures, the report said.

And would those same 23 people be subjected to further measures every day?

I would like to hear an intelligent discussion on systems where false positives exceed the true positives by several orders of magnitude.

Nomen Publicus • December 28, 2007 2:49 PM

It seems that people with money will fund almost any "identity" database boondoggle so long as you promise the moon.

The trouble is, most suicide bombers don't have a history of previous similar activity. As for the rest, doesn't 100 years of policing tell us that knowing who the bad guys are doesn't actually stop them doing bad things?

Rich Wilson • December 28, 2007 3:14 PM

The FBI already has a vast database of biometric information. They're just expanding beyond fingerprints and probably expanding the ways they get data.

Nicola • December 28, 2007 3:26 PM

I hope that among the data contained in the database there will be also the penis length, so the habitual "enlarge your..." spam could be mmmmmore targeted.

Rich Gibbs • December 28, 2007 3:44 PM

"Given its track record, does anyone believe for a minute that his or her biometrics information will be secure in this database?"

Actually, given the FBI's track record with technology projects*, there may never _be_ a database, secure or otherwise. It's sad to think that one of the better outcomes might be wasting a lot of time and money to no effect.

*"Virtual Case File" and the SirCam installation at the National Infrastructure Protection Center come to mind.

Stephan Samuel • December 28, 2007 4:52 PM

Doesn't this already exist? I know they have a fingerprint and DNA database and I'm not aware of large-scale efforts to collect any other biometric data (yet).

Also, this isn't like on CSI:, where they can get your retinal scan data from a security camera picture bounced off a glass door. The number of times the data will be useful is very small.

Roy • December 28, 2007 5:30 PM

Doesn't the FBI need this information in advance if they are going to defeat the security at your workplace or home when doing black-bag jobs to collect intel? They do need to know in what they will find so that they can apply for a proper search warrant and then come back and legally smash down your doors, terrorize everybody, and go right to the goods they know are there.

It's all about public service.

Shad • December 28, 2007 5:42 PM

...and then everything will become dependent on fingerprint readers, and then an eczema or minor burn becomes a ticket to "further screening measures".

Kashmarek • December 28, 2007 7:21 PM

These measures are the same as the no-fly list. Its purpose is to intimidate a large segment of the population.

janantha • December 28, 2007 8:01 PM

Whenever you store information in a database you are at risk of compromising. Therefore the best thing is not to get included which means don't fly to USA. :D as a lot of off-shore embassies have enforced fingerprinting and also retina scan! UK embassy in Sri Lanka do both.

miyamoto • December 30, 2007 7:42 AM

Now we have Japan too involved in collecting biometric data and storing it in "highly secure" databases for protection of travelers and prevention of terrorist acts!


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.