Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid Cartoons |
| Giving Up Passwords for Chocolate »
April 21, 2008
Chertoff Says Fingerprints Aren't Personal Data
Homeland Security Secretary Michael Chertoff says:
QUESTION: Some are raising that the privacy aspects of this thing, you know, sharing of that kind of data, very personal data, among four countries is quite a scary thing.
SECRETARY CHERTOFF: Well, first of all, a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world, they're like footprints. They're not particularly private.
Sounds like he's confusing "secret" data with "personal" data. Lots of personal data isn't particularly secret.
Posted on April 21, 2008 at 6:54 AM
• 55 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Um. So if the DHS admits that fingerprints aren't private, can we take that as ruling out using them for identification in (for example) biometric security systems?
Thought not. Cognitive dissonance, anyone?
Also: Chertoff now surely should be high on the list to have his fingerprints published online. According to him they aren't "private" or "personal", so why would he possibly object?
"they're like footprints."
Chertoff walks around without shoes on?
The course of action for protest-groups is now clear: Get his Fingerprint and publish it (alongside with fingerprint faking-sets) like the Gerans did with Schauble.
Um.. using that logic, DNA isn't private, either--after all, if you drink from a disposable cup or straw, or smoke.. your DNA is going to be on the epithelials you leave behind in the trash. :-/
Sounds like he's confusing "secret" data with "personal" data. Lots of personal data isn't particularly secret.
The obvious question: because he's confused about the difference, or because he wants the audience to be confused? (And if one thinks 'tis the first... well, Londo Mollari said it best: "I can only assume you have not been paying attention!".)
Isn't he the guy with a lot of Czar experience and no security experience ?
No surprise there.
The safety and directives of the National Security State are paramount. I, for one, will be first in line to get my bar code tattoo.
And when they can clamp an MRI on my skull, I will be happy to prove that I have not one deviant thought. So great is my love for my rulers.
Orwell was an unimaginative punk.
You have to read the statement this way:
"All your private data are not private any more, because WE OWN it"
Funny thing: All these stupid politians surly thing that all these measures will NEVER be turned against them.
Ups, not "thing" but "think"
No one is innocent. Citizen assume the position. Do not resist. We are determining your level of guilt now.
Justice will be swift.
if you have read the new york times article yesterday, it would seem that the fight is against the population, the pentagon brass have designated the US population as the number one taget for psyops in support of a war for bushs vanity and the pentagons neocon israeli wing.
Does this mean we'll all be given access to AFIS now?
Amateur CSI's are going to love this... :)
How can he justify saying it's not private when the Supreme Court has specifically said they are protected by the Fourth Amendment? Y'know, that crazy little section in the Constitution that is the basis for the protection of privacy?
It seems more like he and the interviewer aren't talking the same language. Chertoff is a lawyer (and former judge). He probably means you don't have a reasonable expectation of privacy in fingerprints you leave about (or in DNA, for that matter).
pri-va-see? what is that?
... Sounds like he's confusing "secret" data with "personal" data. ...
Nah, I am sure Chertoff is not confusing the two, rather he is knowingly trying to get the media and hence the public to confuse the two.
@Worldmage: The government has been editing the 4th amendment out of existence for quite some time now (even predating the current regime) so why should privacy be excluded from exclusion?
That said, it is not merely the government - I have never understood why (in the US) my likeness is the private property of whoever was holding the camera that took the picture and can be used for commercial purposes by them without my permission.
People, people, calm down. All you have to do is remember to bring a hanky with you and wipe down EVERYTHING you touch, thus, eliminating the need to wait for the DHS to follow you around collecting them. :)
So in more general terms, any information, in the general sense, that is 'broadcast' and made publicly available is no longer the property, or in the control, of the owner?
OK, so fingerprints aren't private anymore, right? So let's say you are flying through JFK. TSA enters you into nofly database. Bing! Comes up that they don't yet have your fingerprint on file. Radio down to baggage search area, have associate lift fingerprint from your suitcase or something in it.
Now they have your fingerprints. No longer private and there's nothing you can do about it. Unless you wipe EVERYTHING down and carry it with gloves on. Wait, wearing rubber gloves to check your bag? That's suspicious.
DNA? Hit the nofly database. Bing! No DNA on there either. Get some hair from the hairbrush in your shaving kit. Got DNA and there's nothing you can do about it except soak everything in bleach and pack your bag in a sterile environment wearing an exposure suit.
Here's an interesting article about TSA theft:
Here's one about more training, probably how to get those fingerprints and DNA samples:
Gotta love it!
Another quite likely possibility is that it's too late already. All those politicians HAVE had it used against them, and are under effective blackmail. Why else would they go along so easily with stuff the voters mostly hate?
With the kind of abuse of power that's been going on, and knowing enough politicians to know that very few are "clean" by standards the media would like to use...I bet not one pol has spoken up BECAUSE they already have seen what the executive branch "has on them".
If you don't like the comments, then wear gloves everywhere you go.
"Sounds like he's confusing "secret" data with "personal" data. Lots of personal data isn't particularly secret."
No. It's normal English usage. He means just what he says: fingerprints are not something which is not publicly expressed. Fingerprints are not private and personal.
Translation: "not private" means "we don't need no stinkin warrent".
What do you call "government by excuse"?
The fingerprint itself may not be private or secret, nor is a name. However, the association of the two is surely worth protecting. A particular sequence of nine digits is not personal, but associating them with a name (as in the US Social Security Number) is widely protected. If fingerprints could be used instead of Social Security Numbers to obtain credit in the US, they would most assuredly be private.
"Fingerprints are not private and personal."
No problem then: the government can go and find my fingerprints "on glasses and silverware and articles all over the world".
And also, Mr. Reaching, the length of your penis and the appearance of your mate's mammary glands and other supposedly "private parts" are in fact neither "private" nor "personal", by virtue of the Chertoff Argument.
I mean, it's all just a matter of wavelength: with the right illumination, and the right camera, you are quite naked. Not much you can do about it either.
Just one of those things you have to get used to.
@Reaching is simply providing his take on what Chertoff meant. I agree with his take, and I disagree with Chertoff.
"@Reaching is simply providing his take on what Chertoff meant."
If you say so. However, I say he and others who think that way are simply rationalizing -- even if they still manage to disagree with Chertoff.
As Schneier says, fingerprints are not _secret_. They are, however, private. Chertoff's use of "personal" is deliberately vague, and almost certainly (given his position) to drive a wedge into this historical privacy, and likely use it as a fulcrum for other future arguments.
Actually, it's quite legal. All you have to do is to refer to the "purely commercial purpose" as "editorial use".
The key to avoiding the normal issues with cognitive dissonance in this case is to forget that newspapers, television, and so forth aren't "commercial" enterprises...
"That said, it is not merely the government - I have never understood why (in the US) my likeness is the private property of whoever was holding the camera that took the picture and can be used for commercial purposes by them without my permission.
Posted by: bob at April 21, 2008 10:14 AM"
Not sure which US you live but...
Speaking as a photographer that's not the case. It's true enough that I can, in a public space, take a picture of you but if I use that image for a commercial purpose without a valid release I open myself up to all kinds of potential trouble. While the law is not as clear as it could be on this issue it's been adjudicated in a number of cases, commercial use requires a release. No release, you're asking for trouble.
"they're like footprints."
Oh, that clarifies it for me, I was confused by the term "fingerprint".
Or is he saying fingerprints are not unique - which they aren't, by a long shot, and so shouldn't be used at all ?
I like the idea of reconstructed nude pictures of politicians as not being 'private'...
...they may finally understand why privacy is important in our society.
The problem, ice weasel, is that copyright law has drawn an arbitrary distinction between using a photograph on a piece of advertising vs. using the photograph on the front page of a newspaper.
Both are commercial use, the disgusting gyrations of the law notwithstanding.
The real distinction, which you will never find voiced by members of the media or the legal professionals that represent them, is that media people have gotten the law written to their favor.
This doesn't remove the need to ask the question though: why should the the photographer and the newspaper profit exclusively in the latter case?
Perhaps someone should simply ask Mr. Chertoff for his fingerprints. The next time I see him, I'll certainly ask. Perhaps if the next few press-conferences started with a request for his fingerprints, Mr. Chertoff might figure out what the problem is. It's not a problem to get fingerprints off silverware. If DHS went through the terminal collecting fingerprints that way they wouldn't get nearly the flack they get today. The process they use, collecting a full set of fingerprints with the intent of associating them with identity through a person's passport, is the problem. The association is the personal data, not the squiggly lines themselves.
I think sidelobe has it right. The focus should be on the *legal* definition of "private" information, and the protections offered.
Of course, everyone leaves fingerprints everywhere. These traces of a person's presence are not (should not be considered) private. (Also, such fingerprints are not time-stamped, either.)
On the other hand, the association of a fingerprint to an individual is something that should be thought of as private and protected by law. According to the source article, the DHS currently defines fingerprints to be personal info, and DHS is legally required to follow special procedures wrt personal info.
Chertoff may be playing a deeper game, as has been suggested above, trying to influence the treatment of such data, such that the government has total access to it upon demand or safeguards.
Other folks have pointed out the similarity by analogy of fingerprints to DNA. Indeed, that may be where this is going. "We need to do this to [stop the terrorists, protect the children, remove road blocks to effective law enforcement, etc.].
And, perhaps we ought to lean on our legislators a bit more strongly to get them to enact laws protecting our privacy/private information.
reply to: Anonymous at April 21, 2008 01:01 PM
While this isn't necessarily the side (one of many) of the argument I want be on I think the answer is quite obvious. In our system the media is supposed to fulfill a function. Since we've allowed capitalism, that same media is allowed to make a profit fulfilling that function. It's really that simple.
Dupont isn't the media. And while it's arguably whether or not Dupont or the Washington Post do more to inform the general public, the division, in this case, is clear.
Media gets the pass and the ability to make a profit from images they take and Dupont is supposed to cut you in to the deal (or cut you out in getting a valid release).
I'm not defending the law or advocating one way or the other. But it doesn't confuse me that one commerical entity is also supposed to do a "public service" and the other is only engaged in making a profit, public service, if any, is serendipitous.
I think the reason you won't, as you allege, hear the media talking about this is, well, it's obvious. It's not complex or subtle.
All that said, I'm much more interested in where our media dense society is headed. Now that everyone with a cell phone and access to Flickr or YouTube is a content provider, where are the lines drawn? That's a much more interesting question than why can my local paper publish a picture of me in the town square and "make money" (something which, I hasten to point, the newspapers aren't much good at anymore).
When a grandma from Des Moines can make a grand selling a video of you falling down in a puddle in the street or a college student can leverage a media career with a cell phone image, who pays whom then?
Fingerprint information should not be allowed to fall into the wrong hands. So, whose are the RIGHT hands? Or the left hands?
(Sorry, had to be done.)
One of the major objections to biometrics is that once the database is hacked, you can't go around and upgrade everyone's fingertips.
Are you kidding me? DHS has really gotten that invasive into the lives of Americans that they actually believe that fingerprints aren't personal data? Or was this simply a misspoken statement that really needs retracting?
Hacking our fingerprints... Sounds like a good cover story for Reader's Digest. (By the way, whoever writes it, I would like a little byline credit please.)
@Reaching is simply providing his take on what Chertoff meant. I agree with his take, and I disagree with Chertoff
ac said : "So in more general terms, any information, in the general sense, that is 'broadcast' and made publicly available is no longer the property, or in the control, of the owner?"
Great comment, fully agreed. Cant have it both ways.
Maybe my fingerprints are not secret, but their connection with my person certainly is. Of course you can take my fingerprints a lot of places, but you do not know that they are *my* fingerprints.
"Since we've allowed capitalism, that same media is allowed to make a profit fulfilling that function. It's really that simple."
Maybe you didn't understand.
The point is not that the newspapers are making money. I mean, everyone makes money.
Nor is the point that newspapers are supposed to "inform the public" (a debatable proposition in itself, but we need not digress).
The point is that a photograph of you can be published without your explicit release by a newspaper under "editorial use".
It seems to me that newspapers can perform their functions as profit makers and public informers _and_ obtain releases like everyone else. Why, then, are they exempt?
Well, at one level we know why: the law literally says so. What's a few million for lobbyists? But is that law still relevant? Is it in need to excision? The latter is an important question because Chertoff's Argument is effectively an extension of the "anything you do or say, criminal or not, anywhere, can be used against you in the newspaper for the public's education", simply changing "newspaper" into "government" and the last phrase into "to save the children".
Or, as one database vendor CEO put it, "You have no privacy. Get over it." He probably didn't even blush from the conflict of interest. But if this is all true, then a world where everyone has a backscatter x-ray imager, or millimeter wave scanner, is inevitable and you can expect your teenage daughter's boobs to be "informing the public" on the front page of the Times.
See? Recapturing privacy is not going to happen by little tweaks here or there anymore. Wholesale adjustments to core law are needed. That Chertoff can say what he said with a straight face is undeniable evidence we are way, way, down a slippery slope...
Well, the Minister of Interior from Northrhine-Westfalia (Nordrhein-Westfalen, a geman federal state) said that the hard-disk of a computer connected to the internet does not belong to the personell area of the user and though all date on this hard-disk is not protected by law.
Well, Chertoff actually makes a good point when arguing why fingerprints shouldn't be used in security appliances for authentication and authorization.
Somebody should snatch one of his hairs from a chair he has been sitting on and run a DNA analysis on this hair and publish the results. After all, DNA is just as personal as fingerprints in his own words, as we leave DNA almost wherever we go, losing skin particles, hairs and so on. Let's see how he reacts to that...
Excuse Me??? Michael "Lenin" Chertoff is saying that fingerprints and DNA are not in any way personal data? Allow me to instruct him properly on his theory. Whenever a criminal suspect is booked by law enforcement his fingerprints are taken, personal effects are also take and if necessary, a full physical (including bodily fluids are taken). I live in South Carolina and work with juveniles who come in negative contact with law enforcement and for serious crimes such as sex offenses, carrying weapons to school and assault crimes, (depending of the seriousness), in which they are given probation, they have to submit a blood sample that would be placed on the State's Law Enforcement Divison's Database which would be there for a good hot little minute. I can not wait to vote this numbnut as well as his chief and their little cronies out of office. Homeland Security is surely becoming part of the New World Order.:/, Sad that our liberties are being flushed away. Mr. Secretary, if you still think that fingerprints and dna are not personal data, please come to South Carolina and present your counter theory, since you believe that science used by law enforcement daily is not true, we would like for you to explain yourself. or better yet show law enforcement how would you secure criminal evidence.
My letter to Chertoff:
Dr. Mr. Chertoff,
Give me a Three Musketeers, and a ballpoint pen, one of those combs there, a pint of Old Harper, a couple of flashlight batteries, and some beef jerky. Oh, and your fingerprints, SSN and a DNA sample.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.