Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Would You Submit Biometric Data to Join a Gym?

Posted by Cliff on Fri Apr 29, 2005 09:12 AM
from the your-body-is-no-longer-your-own dept.
Privacy Security
An anonymous reader asks: "I went to my gym (Rocky River, OH branch) yesterday and there was a huge line of people at the counter. When I went to the scanner to swipe my membership card, I noticed they were training people in the use of their new security system that requires the input of your thumb print. There currently a story on boingboing that mentions a tanning salon in Arkansas that is enacting a similar policy. I'm going to call the gym later today and see what type of security they have on their network. I guess we can look forward to a future where these sorts of personal services clubs require the submission of biometric data. I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Would You Submit Biometric Data to Join a Gym? 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • I wouldnt be a member of that gym for much longer (or, any gym, really). I wonder if i can copywright my fingerprints, and then charge royalties for anyone who requires a print? that would be sweeet.

    • Re:No. Thank. You. (Score:3, Insightful)

      by tha_mink (518151)
      " I wouldnt be a member of that gym for much longer (or, any gym, really). "

      But then, someone could steal your fingerprint without the trouble of hacking some system simply by getting you to hold on to something, for example, a frosty beer or maybe even your gym card.

    • Re:No. Thank. You. (Score:5, Interesting)

      by Total_Wimp (564548) on Friday April 29 2005, @10:13AM (#12383718)
      I wouldnt be a member of that gym for much longer

      I went to check out a nice large brand-new gym near my house. They handed me a form to fill out including a questionnaire and a space for my name phone number and address. I answered a few of their questions and just put my first name on the form.

      They mentioned that they'd like me to fill in my phone number and address and I said, "no thank you, I'd like to check out the equipment first before signing up." They told me they couldn't show me the gym without that information. Still thinking we just had a misunderstanding I pointed out that I wasn't there to use the gym, I just wanted to see what they had to offer before signing up. They then proceeded to point out to me that they were prepared to give me a tour, but would not do so without my phone number and address.

      I said, "goodbye" and walked out the door. Even my bank doesn't require biometrics and didn't ask for an address before they told me about their features. These fitness center folks are too big for their own britches. Pushups and situps are free and running shoes don't cost that much compared to a gym membership. I'd like to use the gym, but I don't have to and I certainly wont consider it untless they figure out how to be less intrusive.

      TW
      • I had a similar experience. When I lived in Boston, I stopped by a gym near my apartment to find out their rates. They refused to even tell me how much their monthly rates were unless I took a full tour and filled out forms. I told them flat-out, that's just creepy, I'm leaving.

  • How secure is their security? (Score:3, Insightful)

    by AndroidCat (229562) on Friday April 29 2005, @09:16AM (#12383050) Homepage
    Once they've got your biometric data, how secure are they going to keep it? Unlike a password, it's not possible to change your biometric data if someone steals the gym's files and uses it to spoof other systems.
      • Latex or geletin successfully fools almost all biometric security devices in use today.

        http://www.security-focus.com/news/6717 [security-focus.com]
        • Your post just proved that you don't know what you are talking about. I have read the article you are referring to. The only conclusion one can draw from it is that many biometric systems have security problems. It is almost completely irrelevant to my point, except that part about glass doors (which is the method they used).

          The article did not demonstrate that data could be extracted from an existing system and the thumb reconstructed from that data. The above article tested mostly low-security and co

        • It's already been done. There was even a Slashdot article on it. The guy took an computer image and make a mold and use gelatin. Then he put the gelatin on his thumb and fooled almost every finger print device he could find. He could also eat the gelatin off if someone got suspicious.

          So why not make a fake gelatin thumb when you sign up? Surely you can find a thumbprint image somewhere on the internet. Then the gym won't have your thumbprint, they'll have the fake one.

  • It's...um...bad (Score:5, Insightful)

    by tha_mink (518151) on Friday April 29 2005, @09:17AM (#12383058)
    I am fearful regarding theft of my fingerprint or any other biometric information since I KNOW that eventually, someone will steal it from anyone who collects it from me. But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash. Same with DNA for that matter.

    • Re:It's...um...bad (Score:3, Insightful)

      by sartin (238198)

      But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash.

      Yes, but following you around is labor intensive and targets you specifically. For less effort (at most small business networks I've seen), a hacker could recovers hundreds or thousands of fingerprints (or other biometric data). This change in scale changes the nature of the problem and removes control from you. Without the biometric data stored in the business computer, the paranoid can we

      • Re:It's...um...bad (Score:4, Interesting)

        by Total_Wimp (564548) on Friday April 29 2005, @01:22PM (#12386007)
        That control is gone when the data gets stored on computers owned by various businesses.

        Well, not really. It's more like a hash. Unless the people that designed the security sytem didn't have a clue, they wouldn't store reversable fingerprint information at all.

        I remember having this discussion with my old boss when he wanted to go biometric a few years ago. He even got ahold of a some fingerprint readers for testing. We found that the industry, and this manufacturer, were very clear on the matter. No one wanted to actually store your fingerprints.

        So, feeling confident, he installs the software, plays with it for a little bit and invites me over to try to "hack" his account with my thumb. I put my thumb on the plate and sure enough the device tells me I'm unauthorized... while displaying a giant picture of my thumb accross most of the display.

        My conclusion: I believe the companies really aren't storing reversible fingerprint information. I also believe they're doing a lousy job of making people feel confident about this fact.

        I think there are enough other downsides that this technology should be condered DOA for most purposes, but this particular issue is probably just a PR problem.

        TW

        • Re:It's...um...bad (Score:3, Insightful)

          by metamatic (202216)

          It's more like a hash. Unless the people that designed the security sytem didn't have a clue, they wouldn't store reversable fingerprint information at all.

          Well, the problem is I have to trust on blind faith that it's a hash, and that it's different from the hash used by other companies.

          It doesn't matter if my fingerprint is hashed to an opaque 0x0116632c51bde43 if every other system made by the same manufacturer will accept that hash as representing my fingerprint. I'm still screwed, because I can't

    • There's a simple solution to that problem: store the fingerprints using one-way encryption, the method long used to store Unix passwords. That way you can compare a submitted password (or fingerprint) by re-encrypting it, and comparing the encrypted versions. But you can't reverse the process to obtain the original data.

      I think simply having a person's fingerprint or DNA will never be as valuable a form of identity theft as stealing more traditional ID data -- social security number, mother's maiden name,

    • I am fearful regarding theft of my fingerprint

      Fingerpring? I'm fearful regarding theft of my finger!

  • thumbs are useful (Score:3, Insightful)

    by chewy (38468) on Friday April 29 2005, @09:17AM (#12383059) Homepage
    Though I feel you are correct for being sceptical about the security of biometrics, I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

    Better than having swipe-cards that fail after a single wash. (Thumbs are wash-proof!)

    But using thumbs as positive I.D. for your bank account is a bad idea.

    See?

    • Re:thumbs are useful (Score:2, Interesting)

      by KronicD (568558)
      Yeah... I have dermatitis, basically when my skin is exposed to soap (the skin on my hands is more susceptible to this) it starts to "peel" off and the skin does not recover for 4-6 weeks. I avoid soap as much as possible, the non soap alternatives are quite expensive however.

      When I am exposed to soap it causes a lot of problems with fingerprint scanners for me. So yeah, cards are a better option for people with my condition.

      Why not go for something like card + hand geometry identification if they're so c
    • I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

      Sacrificing your deeply personal information for the convenience of a simple consumer product is plain dumb. Aren't you concerned with security? This is plain sleezy, and it wouldn't suprise me to see "24-hour Nautilus" (Sleezebags) use this scheme in a couple years.

      The gym isn't doing this for your convenience. They do it to prevent people from sharing memberships, which is fine, but not when they reso
    • At what point will gym fees be so high that crooks will cut off your thumb so they can work out. I think that somebody at the gym has been wacking off to CSI one time too many. Sure it give you proof that so and so forgot to put down the seat in the toilet but beyond that it's a friggin gym. Unless they prove you will get a Charles Atlas body in one week it's not worth it.
    • There are other ways to prove identity without sacrificing such fundamentally private information. e.g. At my gym you walk in, they scan your card's barcode, and your PICTURE shows up on the screen and, believe me, they look at you and confirm.

      If any argument is made that "well, a hacker could break in and change the picture on record," then you need to realize that it would be exactly as difficult for a hacker to break in and change the thumbprint on record.

      The difference is my thumbprint is my own bu
  • The only solution is for you to copyright all your details, about yourself.

    Someone should fire up a dot-com which allows people to copyright all biometric info about themselves. Yes, it would be a registry. No, it wouldn't be "Big Brother" - the purpose would be to allow any individual worried about protecting their information, to have legal grounds to stand on in pursuing action against any other party using that information inappropriately.

    A 'clearing house', or 'group repository of biometrics' datab
  • I never submit any personal data to any company if it is not really required for the business I have with this company. I don't see why I should change this policy for biometrical data.
    • I agree. My first thought on reading the intro was not about security, but "What's the reson for this?" I can't think of any legitimate reason for such a request.

      How long until stores want you to give a urine sample before using the bathroom?
      • How long until stores want you to give a urine sample before using the bathroom?

        LOL, I'd rather piss at their manager's leg like a dog! :-)

        obUrinetest: It's bad enough that it is legal for an employer to demand a urine sample and other stuff belonging to one's privacy. I'd never work in such an asshole company!

  • My University did this. (Score:3, Interesting)

    by dayid (802168) * <slashdot@@@dayid...org> on Friday April 29 2005, @09:20AM (#12383099) Homepage
    I work for (and attend) a State University. Our gym (in 2002) enacted similar policies and equipment. It was *optional* however, and was enacted for people who didn't want to have to carry around a membership-card or student/employee-ID just to be able to get into the gym (since most gym shorts don't have a pockets, and many people on campus just walk to/from the gym rather than driving or bringing a full bag and using a locker). It was an option for about one year, until they realized that the extreme costs of using the hardware and managing it (and its slight errors) far outweighed pleasing a minority of people who attended. It's good to see the technology developing, but I still prefer losing my identity to a bunch of little numbers on a card.
  • Although I don't have anything in particular against ID cards, I do have something against storing fingerprints.
    If needed, it's easier to shed an ID, and get lost in the big mass of people in any world city and take on a new ID. When your fingerprints are out there, it's there for ever. I rather not cut of my fingers.
    Perhaps your traveling can be tracked with ID (at borders and such), but at least you know it when you hand over your card. Prints can be found up to a few days after you have left, without

  • In a word: (Score:2, Interesting)

    by LouCifer (771618)
    No. And if the gym the wife and I belong to switches to biometrics, I'll demand a full refund of mine and my wife's membership.

    Fuck 'em. We already own a treadmill and the wife's been wanting to buy an elliptical [nordictrack.com] anyway.

    Slowly things like this get introduced and the stupid sheeple submit en masse. The more people that stand up and argue with the un- and under-educated about such invasiveness, the better.

    Sure, these things may not be so bad yet but this may just be the tip of the iceberg. Give 'em and inc

  • Not a big deal... (Score:2, Informative)

    by bafio (879076)
    As far as I know, biometric devices store only a signature of your fingerprint (like a digest of key points), so the stolen data would be of little use. Moreover they care about security because they normally control access to places.
    I would worry more about the other data they could hold on their machines, which could contain more sensitive personal information and could be stored in less secure machines.
    There's still a lot of sensitive data (medical records etc.) stored in Access databases and similar b

  • I'd like to tell you ... (Score:4, Funny)

    by cybermage (112274) * on Friday April 29 2005, @09:30AM (#12383225) Homepage Journal
    but you'll have to press your thumb in the box below to read my response.

    I..........I
    I..........I
    I..........I
    I..... .....I
    I..........I

    Your unquestioning compliance in this matter would be greatly appreciated.*

    Thank You,

    The Management

    * By supplying your thumb print, you agree to abide by our Terms of Service. You may request a copy of the Terms of Service directly from our Corporate Headquarters.

  • wtf (Score:2)

    by XO (250276)
    I can see using security like that on something important. Your bank account, private things ,etc.
    But on a goddamn GYM?!

    Hell, I have access to a USB dongle that will store passwords for websites, variable per user, and it identifies the user by the user's fingerprint.

    ON A GYM?!

    Who the hell is going to have significant problems if someone steals their identity to go to the damn gym?

    If the gym has to be secure, fark the membership cards, and just have a database of people allowed in, and hav
  • would be better spent BUYING an exercise machien - oh wait, I already did....

  • Not big brother (Score:3, Insightful)

    by brian6string (469449) on Friday April 29 2005, @09:43AM (#12383384)
    Alright, everyone take a deep breath here. The idea of a fingerprint to sign in at the gym is there as a customer convenience You don't have to carry a membership card into the place, and then find somewhere to stash it while you're exercising. This is actually a good thing.

    And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...

  • The right way to do it (Score:3, Insightful)

    by greenhide (597777) <(jordanslashdot) (at) (cvilleweekly.com)> on Friday April 29 2005, @09:59AM (#12383561)
    In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

    But here's how to implement a thumbprint-as-login system and keep people, including the paranoid freaks here at slashdot, happy.

    1) Make it optional. Don't want to submit your thumbprint? Fine. Just make sure you always show up with your card.

    2) Make it hashed, using a public key unique to that system. That way, the information stored is effectively useless. If a hacker gets in, all that they will be able to do is see a bunch of GUIDs. Whoop de doo.

    I'm almost 100% that this is, in fact, just what is being stored. I mean, imagine actually storing a thumbprint. That's got to take up more space, and is really slow and inefficient for data lookup.

    Someone more knowledgeable in biometrics, please rip me a new one if necessary.
    • In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

      It's not clear to me that this is being done to keep people from needing their gym ID, although that is one possible reason. But it does at least address the first question that ought to be asked: what is the problem we are trying to solve here?

      Not having to carr

    • 1) Make it optional. Don't want to submit your thumbprint? Fine.
      But if you switch you get a 3% discount and a free drink every month! But you loose a bit of privacy.

      That's the way big stores (Walmart&Co) get you to switch to their rabate system. You safe $50 a year. They earn $100 because the sell your data to "data blackhole" companies like ChoicePoint.

      How much worth is your privacy?

      Don't wait until there is any kind of self regulation in the "data grabbing business".

      In Germany the data belongs
  • Bring a simple contract to the manager and ask them to assume all liability for any financial losses you may incur as a result of their mishandling of your biometric information. If they sign it you should feel better. At least it might get them thinking.

    If that doesn't work, it's summer - you've got 'till fall to find another gym. If you need work to do, I've got trees to clear. :)

  • And? (Score:2)

    by samael (12612)
    They sold _you_ a membership - they want to know that _you_ are making use of it. What's the problem with you identifying yourself?

    Personally, not having to carry around numerosu bits of plastic that don't actually identify me is going to be a relief.

  • I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?

    I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.

    I'm sure they'd hem and haw and try to

  • 1) The thumbprint is the hardest one to match. Though 1:1 is very good, still....

    2) This is a gym. How many jock boys have opposable thumbs?

    And of course, we've got #3, in the tradition of Douggy Adams..

    3) Scratches, scrapes, dead skin, flakes, etc. will make the image different enough to screw up the match. Add in sweat, gym chalk, bandages etc...
  • Yikes! Am I alone in being surprised how few people find this demand unreasonable?

    Seriously folks, this for a gym membership, not admittance into NASA or the CIA.

    If a non-essential or frivolous business like this demanded that kind of personal information I'd be out of the door in an instant, not because I worry about security, but because it's a wholly unreasonable demand to make of your customers.

    Perhaps more importantly, every time that you allow a business to record unnecessary information about you
    • Hire intelligent and motivated employees, pay them well, train them well, and encourage them to know your customers on a first name basis. Have them get to know the likes and dislikes of your customers, and greet each one by name witha cheery "Hello!"

      Not bad.

      Unfortunately, most employees don't know about the customers, don't care what they like, aren't cheery, and aren't well trained or motivated because they aren't paid well.

      It has something to do with a chicken and an egg.
  • The lockers can be keyed to the biometrics. That should help defeat thievery, and serve customers to allow them to not carry around a badge or key while working out or playing sports.

    Especially if it's as innoxious as a [almost publically available] thumbprint.

    That said, it would be nice to hold biometric data under the same sharing rules as other medical info.

  • ask for their data retention and privacy policies (Score:4, Interesting)

    by weld (4477) on Friday April 29 2005, @12:03PM (#12385132)

    If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.

    Will they transfer this data if the company is sold or goes out of business? Remember eToys had a privacy policy that went out the window during bankrupcy. Will they destroy the data when you cancel your membership. What security mechanisms and audit procedures do they have in place?

    When you bring it up it may be the first time they have thought of it so be prepared to wait.

    -weld
    • If I wanted you'd fingerprints it would take me approximately 30 seconds to get them unless you're SO fucking paranoid you go everywhere in gloves...You'd be surprised how fast your 93 character password would come out after 30 seconds with a rubber hose.

      ...or you could just offer the gym's counter-jockey $200 for a backup of everyone's name, thumbrint, ssn, mother's maiden name, and password. The point is, they don't need any of it, for 'ease of entry' or any other reason.

      Maybe the thumbprint is superf

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.