Would a National Biometric Authentication Scheme Work? 178
Ian Lamont writes "The chair of Yale's CS department and Connecticut's former consumer protection commissioner are calling for the creation of a robust biometric authentication system on a national scale. They say the system would safeguard privacy and people's personal data far more effectively than paper-based IDs. They also reference the troubled Real ID program, saying that the debate has centered around forms of ID rather than the central issue of authentication. The authors further suggest that the debate has led to confusion between anonymity and privacy: 'Outside our homes, we have always lived in a public space where our open acts are no longer private. Anonymity has not changed that, but has provided an illusion of privacy and security. ... In public space, we engage in open acts where we have no expectation of privacy, as well as private acts that cannot take place within our homes and therefore require authenticating identity to carve a sphere of privacy.' The authors do not provide any suggestions for specific biometric technologies, nor do they discuss the role of the government in such a system. What do you think of a national or international biometrics-based authentication scheme? Is it feasible? How would it work? What safeguards need to be put in place?"
I'm wondering (Score:5, Insightful)
And once a system has been cracked, it is totally useless, since you can't change your "password" on biometric stuff.
absolutelly! (Score:4, Insightful)
Everyone knows that bad people are entirely willing to be completely honest, so obviously a system like this would mean we would know everything about them, and could stop all evil in the world.
Private Sector (Score:3, Insightful)
Re:And how well would that work? (Score:2, Insightful)
Re:It would work to... (Score:0, Insightful)
And it would even save a considerable amount of money because nobody would have to worry about the possibility of false positives. Anybody questioning the system is clearly not with us and as such is with "them."
Or we could try secret option D which is actually return to a sane program of national security where we focus on actual real life terrorist organizations like ELF. But I'm probably not understanding the problem because I think that many of the people in ELF might not be heathens.
Oh no, not this again. (Score:5, Insightful)
Biometrics is inherently flawed as an authentication system, because biometrics is a password you can't change. Once someone gets your password, or at least the numerical representation of it such as could be lifted from a compromised reader or database, you are toast. How are you going to change your retina scan to something new?
And never mind the demonstrated hackability of all but the premium readers.
Biometrics sound great at first blush, and to the common voter they seem foolproof, so this fad will get worse before it will get better. In fact, the authentication issue may have achieved the level of complexity as the net-neutrality issue, such that Joe Registered Voter cannot possibly understand it (even if he is the rare sort to spend an hour googling it before forming an opinion).
Meanwhile, text passwords plus certificates (where 'certificate' could be a smart card, or your cellphone's IMEI, or whatever) is still the answer for security. It's awful, to be sure, but it's much less awful than biometrics.
Re:It would work to... (Score:3, Insightful)
Have you looked at the response winning the latest
The only possibly better response than whatcouldpossiblygowrong would be cureworsethanthedisease.
I'm confident I'd vote against any nitwit pushing such a plan.
Re:I'm wondering (Score:3, Insightful)
1) Something you have (a keycard, a usb key, a simple barcode scanned ID card)
2) Something you know (a strong password, the name of your first pet and the city you graduated highschool from)
3) Something you are (Your retinal scan, your infrared signature given off by your body, your dna, your face from two angles)
A system using this three step authentication process would not be easily cracked.
The article misses the point of anonimity (Score:5, Insightful)
Even the courts have found that anonymity is important component of freedom of speech. (Along with freedom of association.).
Re:It would work to... (Score:5, Insightful)
Why does all this scare me? Is it because I could be classified a 'problem individual' based on my political leanings? Is it because the Executive Branch reserves the right to pull American citizenship at will? Is it because even the Russians [wikipedia.org] know the best way to deal with a recalicrant individual, no matter what his power base, is to tar him as a sex offender?
My other question is of course, if I'm out and about, living my life in a lawful manner, why should the government care about me?. Police aren't there to arrest the lawful, they're there to arrest the criminals after commission of a crime. Where is the mandate to surveil everybody in sight waiting for them to commit a crime?
Re:It would work to... (Score:3, Insightful)
Re:I'm wondering (Score:5, Insightful)
MythBusters did a test of several of these devices. None were particularly hard to beat, including some that were supposed to be....
Even now, the best form of authentication is a human standing there looking at your driver's license, deciding whether it is real or not, then comparing the photo. The only thing that would be significantly better and more accurate would be a system in which you would swipe a driver's license and it would contact the DMV and bring up a digital copy of that license for comparison purposes. Anything beyond that---particularly biometrics---is more likely to weaken, not strengthen security as people will tend to believe what some biometric reader device tells them over what they see with their own eyes 99 times out of 100.
The way I feel about biometrics (Score:3, Insightful)
Re:Oh no, not this again. (Score:5, Insightful)
http://wordnet.princeton.edu/perl/webwn?s=identification [princeton.edu]
http://www.google.com.au/search?hl=en&q=define%3Aauthentication [google.com.au]
Biometrics are good for identification.. they replace your "login", not your "password".
Re:absolutelly! (Score:3, Insightful)
Re:I'm wondering (Score:1, Insightful)
Re:I'm wondering (Score:5, Insightful)
Re:I'm wondering (Score:4, Insightful)
What worries me the most about biometric IDs is the idea that somehow, biometrics never change. I expect that there will be no process in place to change the biometrics, or that the process will be so impossible as to be the same as having no process. And if the process to change your biometric passwords is easy, why use them instead of just a regular picture ID?
This stuff might work in specific situations, where outliers are rare, and relationships between the scanners and scannees close enough to make fixes easy. But I can only see nightmares if this gets implemented on a national level.
Re:It would work to... (Score:1, Insightful)
If this fails (Score:3, Insightful)
It doesn't matter how strong your security system is, it will fail. What happens when it does? I can't get a new $BodyPart if some fraudster spoofs it.
Who Watches The Watchers? (Score:4, Insightful)
Re:It would work to... (Score:5, Insightful)
The premise of the article - or at least the blurb - is wrong. It makes the claim we "have no expectation of privacy in the public space." But we do. Ever want to take a road trip to some town where no one knows you, just to get away, do some shopping, have dinner, watch a show, without having to deal with people who know you? Ever enjoy the feeling of being out, alone, in an unfamiliar city?
How's that going to sit when the desk clerk looks you in the eye as you walk up and says, "How you doing, Mr. LeParanoid, and how's that appendectomy scar healing up? Wife happy about that diamond necklace you bought last week?"
Or gives you a steely look because you're on The Sex Offender List (because you had the temerity to have sex with someone 3 days over some arbitrary line, or perhaps you pissed in a bush somewhere) and proceeds to treat you like a criminal as soon as your RF-enabled ID gets in range of his LittleDictatorsConsole(tm)? Sure, you can add biometrics to it so he's sure you're a sex offender or other malcontent antisocial. That'd all be real good, wouldn't it? After all, in this society, onece you're a criminal, you're permanently low class, you can't make up for it.
This whole ID mania needs to go away. It is a sign of a pervasive sickness among the rulers of this society. It is not a solution, or a potential solution, to terrorism, or any other problem we face.
Privacy includes anonymity. (Score:2, Insightful)
Another way of looking at it:
privacy: people not knowing what you've done.
anonymity: people not knowing who did X.
if you lose anonymity, you lose privacy in relation to X, and where X covers everything in the public sphere, you lose all privacy except in relation to those things that are not in the public sphere (Y). That's a lot of privacy to lose.
Re:I'm wondering (Score:3, Insightful)
Re:I'm wondering (Score:1, Insightful)
A much better question is to simply shorten it a bit: what problem is worth the cost of this system? All to often in security matters, people just wave their hand and say that any cost is worth it. But to decide if a system is worthwhile, you need to know how much it will cost and how much it will save. A system like this sounds extremely expensive, and has few benefits. Why, then, should we spend the money on it?
Re:I'm wondering (Score:2, Insightful)
"Something you are" is actually just a convoluted case of "something you have" - do you have something that makes the scanner go "approved"?
Fingerprint scanner? A xerox of a lifted print. DNA sample? See Gattaca [wikipedia.org]. Body infrared signature? Heaters in the clothes.
Biometrics are tokens that you can't revoke or replace. They're a generally bad idea.
Re:Are Fingerprints Unique (Score:2, Insightful)
The answer is yes.
Re:It would work to... (Score:3, Insightful)
Some of the basic premises stated in the article are just plain wrong. For example:
We have always enjoyed "the anonymity of the crowd." Walking down the street, minding your own business, with nobody having the right to interfere with your peacable enjoyment of your own "private space", and others, equally strangers, just doing the same.
A Solution in Search of Problem (Score:3, Insightful)
I have a suspicion. It's not for authentication at all. Others have already pointed out the inherent flaw in using nonrevokable certificates for authentication. (i.e. once someone has faked or corrupted your biometric data, you're fucked.) So what is a biometric data good for? The same thing that's good for when the government stores DNA sequences of everyone processed. It's a globally unique identifier. You can put multiple databases together easily. Name collisions are a thing of the past.
If you really think that government won't combine their databases, you're a fool.
Obscurity isn't security, but there is something to be said about making information, even public records, a bit harder to put together than to give a big data dump about everyone to everyone. Society has built on a certain level an anonymity existing, even when legally it doesn't exist. But it's all too obvious that people's expectations and behaviors don't always align with the letter of the law. And seriously, given the government's current cavalier attitude towards privacy and the law, do you really think that a simple law is going to stop them?
Re:It would work to... (Score:5, Insightful)
It's certainly possible to design the system to provide strong authentication for a variety of purposes without compromising privacy or even anonymity. Whether or not anyone will bother to do that/allow that to happen is debatable, but you shouldn't necessarily relate the ability to authenticate with an inability to provide privacy.
*I know they might like to know who I am for marketing purposes and whatnot, but they have no interest with respect to conducting a safe and reliable financial transaction.
No retina scanning for me, my eyes change (Score:3, Insightful)
I'm hosed if they chose retina scanning. I get drusen deposits http://www.medterms.com/script/main/art.asp?articlekey=10015 [medterms.com] .
Fortunately, it's not macular degeneration. But those deposits form and dissolve over time. That would make retina scanning a problem for me.
Of course it would work (Score:2, Insightful)
Re:It would work to... (Score:2, Insightful)
Actually, the premise is more right than you are in this particular matter. What you are describing here as privacy is actually what the blurb more correctly labels as anonymity. When one opts to go to an unfamiliar but public place to escape recognition, it is not to enjoy privacy, but anonymity. In order to enjoy privacy one would have to be alone literally, not just figuratively.
This statement makes the assumption that the adoption of a biometric ID system would grant private proprietors access to data beyond your personal identification. In a nation where the majority of stores and restaurants still use modems to process credit card transactions, I doubt many vendors are going to upgrade to the fully internet-capable point-of-service systems that would be required to take the limited ID information to which your eye or your thumb would yield access and simultaneously run a multi-dimensional search on that information. More likely that clerk will be lucky if he doesn't have to type the name that comes up from the scan into the hotel booking system to find your reservation.
Re:Are Fingerprints Unique (Score:3, Insightful)
For instance, a fingerprint algorithm may utilize certain features of a print (such as a line split or a swirl) to map points on a graph. Subsequent swipes will then have a certain number of points which must match within a certain range on this graph.
It is possible that these qualitative values would not take into consideration other features of a fingerprint - so people with different prints may in fact have enough common points to fool the system.
Ideally this would be unlikely - but it is possible that people can have the same biometric identity points - but different actual prints. It's a false-positive, in other words.
Re:I'm wondering (Score:4, Insightful)
In short, the people with most to gain from this are the criminals, who will have a really cheap, simple and reliable way of proving they are who they are not.
Meanwhile hoards of old ladies will be hauled of to jail "But officer, I thought it was my ID card - I realise now it was my library card/son's ID card - if you just let me go home, I can get my ID from the draw by the bed where I always keep it!"
You biometric database is exactly as secure as the PHP written by school leavers who lied on their CVs that protects it.
Re:Are Fingerprints Unique (Score:3, Insightful)
My biggest concern is false positive/false negative results. Let's say you have a false reading rate of 0.01% - that's 99.99% success. With 200M people each verifying their identity a conservative twice a day that's 20,000 false readings a day.
To provide the worst sort of evidence (anecdotal), I get about 5% false negative and unknown false positive rate with my (new) laptop fingerprint scanner. That error rate excludes "scan again" requests. Sure, it's an El Cheapo, but do you imagine a government splurging on decent tech for a national roll-out? Having seen public transport ticketing systems, driver licensing schemes, public sector building security and working in the civil service, I'm going with no.
Re:I'm wondering (Score:2, Insightful)
Re:It would work to... (Score:3, Insightful)
A driver's license is a certificate that says you can drive. It doesn't even need your name on it. You just need to have one in case someone questions if you have passed a test to drive. Having done so, of course, does not permit you to run a red light or drive over someone's baby in a stroller. Nor does not having a license prevent you from starting a car and driving off. As it turns out, the thing that really matters to society is how well you drive -- not the certificate at all.
A passport is a certificate that says you can cross the country's borders. I still have -- framed -- my grandfather's certificate from the US state department that allowed him, his wife, his minor dependents and a servant to do this. It did in fact have their names on it, but inasmuch as there was no way to assure that the people in the group were the people named therein, the fact remains that the certificate itself was the key issue. It is an over-sized paper, beautifully executed, has a wax seal and a ribbon. No pictures, very basic description of him, none of the others in his party. Nothing you couldn't forge. Yet he and his could travel. Amazing, isn't it? The question arises, why can't we travel this way today? What new thing has arisen that says "oh no, that's just unacceptable!" The answer to this lies only in the authorities claims that they can stop terrorists and threats of that nature, but we know that is not true and will never be true. They can certainly increase the inconvenience to us, though.
A dollar bill is a certificate that says you can have a cheeseburger. The important thing is not that it has your name on it, but that you have the certificate.
All plain paper or otherwise easily carried off certificates can be stolen under various sets of circumstances. The objective of linking a certificate to an individual's personal characteristics is to make that more difficult or (ideally) impossible.
As the value of a particular type of certificate goes up, the value of obtaining one goes up as well. For instance, people will steal $1 bills, but they won't counterfeit them. However, people will counterfeit $100 bills, even when the effort required is extreme, because the ROI is very high. Just ask the North Koreans, who are merrily producing our current $100 bils.
When this happens, the value of the certificate ceases to be that "it is what it is" but instead becomes "it does what it does." This is not a subtle difference. In the case of a passport, your legitimate passport will probably get you across the border both ways (assuming you're not on one of our secret police's lists) but what it will *not* do is prevent others from getting across the border or prevent others from using ID's derived from yours with different data. One requirement here is breach of the data, but we know from repeated experience that no database is secure in the face of sufficient corruption, and so that is the least of the obstacles at hand.
In the end, the certificates -- passport, license -- serve as standard locks. That is, if you're a legal, compliant citizen, you'll have nice, valid copies and you won't attempt to get around them. Criminals, government agents (but I repeat myself), and corporate spies (department of redundancy department) all will also have these certificates as well, but they'll be illegitimate in the sense that the ID actually identifies who it says it does. Reasons will range from the apparently good intentioned (witness protection program) to the clearly malign (gonna fly that plane into that building, praise [diety.])
In the end, the certificate is required to transact normal life. Because it will be the standard required by those in power. Even though the protective ability is illusory.
Now let me turn to what happens if your certificate is lost. In the case of money, you can get more at some rate you are well aware of; the trick is not to carry too much of it or allow any one credit or debit card to carry enough to wound you fatally in the financial