Entries Tagged "biometrics"

Page 15 of 17

DNA Surveillance in the UK

Wholesale surveillance from the UK:

About 4,000 men working and living in South Croydon are being asked to voluntarily give their DNA as part of the hunt for a teenage model’s killer.

Well, sort of voluntarily:

“It is an entirely voluntary process. None of those DNA samples or finger prints will be used to check out any other unsolved crimes.

“Obviously if someone does refuse then each case will be reviewed on its own merits.

Did the detective chief inspector just threaten those 4,000 men? Sure seems that way to me.

Posted on February 28, 2006 at 7:31 AMView Comments

Privatizing Registered Traveler

Last week the TSA announced details of its Registered Traveler program. Basically, you pay money for a background check and get a biometric ID—a fingerprint—that gets you through airline security faster. (See also this and this AP story.)

I’ve already written about why this is a bad idea for security:

What the Trusted Traveler program does is create two different access paths into the airport: high security and low security. The intent is that only good guys will take the low-security path, and the bad guys will be forced to take the high-security path, but it rarely works out that way. You have to assume that the bad guys will find a way to take the low-security path.

The Trusted Traveler program is based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That’s simply not true. Most of the 9/11 terrorists were unknown and not on any watch list. Timothy McVeigh was an upstanding US citizen before he blew up the Oklahoma City Federal Building. Palestinian suicide bombers in Israel are normal, nondescript people. Intelligence reports indicate that Al Qaeda is recruiting non-Arab terrorists for US operations.

But what the TSA is actually doing is even more bizarre. The TSA is privatizing this system. They want the companies that sell for-profit, Registered Traveler passes to do the background checks. They want the companies to use error-filled commercial databases to do this. What incentive do these companies have to not sell someone a pass? Who is liable for mistakes?

I thought airline security was important.

This essay is an excellent discussion of the problems here.

Welcome to the brave new world of “market-driven” airport security, where different private security firms run and operate different lanes at different checkpoints, offering varied levels of accelerated screening depending on how much a user paid and how deep of a background check he or she submitted to. Thus the speed at which you move through a checkpoint will theoretically depend on a multiplicity of factors, only two of which are under your control (the depth of your background check and the firm(s) with which you’ve contracted). Other factors affecting your screening time, like which private security firm is manning a checkpoint and what resources that particular firm has invested in a particular checkpoint (e.g. extra personnel, more screening equipment, and so on) at a particular time of day, are entirely out of your control.

This is certainly a good point:

What’s worse than having identity thieves impersonate you to Chase Bank? Having terrorists impersonate you to the TSA.

Posted on February 1, 2006 at 6:11 AMView Comments

The Failure of US-VISIT

US-VISIT is the program to program to fingerprint and otherwise keep tabs on foriegn visitors to the U.S. This article talks about how the program is being rolled out, but the last paragraph is the most interesting:

Since January 2004, US-VISIT has processed more than 44 million visitors. It has spotted and apprehended nearly 1,000 people with criminal or immigration violations, according to a DHS press release.

I wrote about US-VISIT in 2004, and back then I said that it was too expensive and a bad trade-off. The price tag for “the next phase” was $15B; I’m sure the total cost is much higher.

But take that $15B number. One thousand bad guys, most of them not very bad, caught through US-VISIT. That’s $15M per bad guy caught.

Surely there’s a more cost-effective way to catch bad guys?

Posted on January 31, 2006 at 4:07 PMView Comments

Kevin Kelly on Anonymity

He’s against it:

More anonymity is good: that’s a dangerous idea.

Fancy algorithms and cool technology make true anonymity in mediated environments more possible today than ever before. At the same time this techno-combo makes true anonymity in physical life much harder. For every step that masks us, we move two steps toward totally transparent unmasking. We have caller ID, but also caller ID Block, and then caller ID-only filters. Coming up: biometric monitoring and little place to hide. A world where everything about a person can be found and archived is a world with no privacy, and therefore many technologists are eager to maintain the option of easy anonymity as a refuge for the private.

However in every system that I have seen where anonymity becomes common, the system fails. The recent taint in the honor of Wikipedia stems from the extreme ease which anonymous declarations can be put into a very visible public record. Communities infected with anonymity will either collapse, or shift the anonymous to pseudo-anonymous, as in eBay, where you have a traceable identity behind an invented nickname. Or voting, where you can authenticate an identity without tagging it to a vote.

Anonymity is like a rare earth metal. These elements are a necessary ingredient in keeping a cell alive, but the amount needed is a mere hard-to-measure trace. In larger does these heavy metals are some of the most toxic substances known to a life. They kill. Anonymity is the same. As a trace element in vanishingly small doses, it’s good for the system by enabling the occasional whistleblower, or persecuted fringe. But if anonymity is present in any significant quantity, it will poison the system.

There’s a dangerous idea circulating that the option of anonymity should always be at hand, and that it is a noble antidote to technologies of control. This is like pumping up the levels of heavy metals in your body into to make it stronger.

Privacy can only be won by trust, and trust requires persistent identity, if only pseudo-anonymously. In the end, the more trust, the better. Like all toxins, anonymity should be keep as close to zero as possible.

I don’t even know where to begin. Anonymity is essential for free and fair elections. It’s essential for democracy and, I think, liberty. It’s essential to privacy in a large society, and so it is essential to protect the rights of the minority against the tyranny of the majority…and to protect individual self-respect.

Kelly makes the very valid point that reputation makes society work. But that doesn’t mean that 1) reputation can’t be anonymous, or 2) anonymity isn’t also essential for society to work.

I’m writing an essay on this for Wired News. Comments and arguments, pro or con, are appreciated.

Posted on January 5, 2006 at 1:20 PMView Comments

Weakest Link Security

Funny story:

At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. “All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade,” says fish. “It seems that the use of a security badge was no longer adequate protection.

“So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).

“Present all three, and the door beeps and lets you in.”

One by one, the doors are brought online. The technology works, and everything looks fine—until fish decides to test the obvious.

After all, the average member of the public isn’t likely to forge a security badge, guess a multidigit number and fake a thumb scan. “But what happens if you just turn the handle without any of the above?” asks fish. “Would it set off alarms or call security?

“It turns out that if you turn the handle, the door opens.

“Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default.”

Remember, security is only as strong as the weakest link.

Posted on December 14, 2005 at 11:59 AMView Comments

Stride-Based Security

Can a cell phone detect if it is stolen by measuring the gait of the person carrying it?

Researchers at the VTT Technical Research Centre of Finland have developed a prototype of a cell phone that uses motion sensors to record a user’s walking pattern of movement, or gait. The device then periodically checks to see that it is still in the possession of its legitimate owner, by measuring the current stride and comparing it against that stored in its memory.

Clever, as long as you realize that there are going to be a lot of false alarms. This seems okay:

If the phone suspects it has fallen into the wrong hands, it will prompt the user for a password if they attempt to make calls or access its memory.

Posted on November 16, 2005 at 6:26 AMView Comments

The Beginnings of a U.S. Government DNA Database

From the Washington Post:

Suspects arrested or detained by federal authorities could be forced to provide samples of their DNA that would be recorded in a central database under a provision of a Senate bill to expand government collection of personal data.

The controversial measure was approved by the Senate Judiciary Committee last week and is supported by the White House, but has not gone to the floor for a vote. It goes beyond current law, which allows federal authorities to collect and record samples of DNA only from those convicted of crimes. The data are stored in an FBI-maintained national registry that law enforcement officials use to aid investigations, by comparing DNA from criminals with evidence found at crime scenes.

[…]

The provision, co-sponsored by Kyl and Sen. John Cornyn (R-Tex.), does not require the government to automatically remove the DNA data of people who are never convicted. Instead, those arrested or detained would have to petition to have their information removed from the database after their cases were resolved.

Posted on September 27, 2005 at 11:31 AMView Comments

Fingerprint-Lock Failure in a Prison

So much for high-tech security:

Prison officers have been forced to abandon a new security system and return to the use of keys after the cutting-edge technology repeatedly failed.

The system, which is thought to have cost over £3 million, used fingerprint recognition to activate the locking system at the high-security Glenochil Prison near Tullibody, Clackmannanshire.

After typing in a PIN code, prison officers had to place their finger on a piece of glass. Once the print was recognised, they could then lock and unlock prison doors.

However, problems arose after a prisoner demonstrated to wardens that he could get through the system at will. Other prisoners had been doing the same for some time.

Unfortunately, the article doesn’t say how the prisoners hacked the system. Perhaps they lifed fingerprints off readers with transparent tape. Or perhaps the valid latent fingerprints left on the readers by wardens could be activated somehow.

I would really like some more details here. Does it really make sense to have a tokenless access system in a prison? I don’t know enough to answer that question.

Posted on September 26, 2005 at 4:03 PMView Comments

1 13 14 15 16 17

Sidebar photo of Bruce Schneier by Joe MacInnis.