Fingerprint Requirement For a Work-Study Job?

Posted by timothy
from the dept-of-double-speak-is-closed-please-come-in dept.
BonesSB writes "I'm a student at a university in Massachusetts, where I have a federal work-study position. Yesterday, I got an email from the office that is responsible for student run organizations (one of which I work for) saying that I need to go to their office and have my fingerprints taken for the purposes of clocking in and out of work. This raises huge privacy concerns for me, as it should for everybody else. I am in the process of contacting the local newspaper, getting the word out to students everywhere, and talking directly to the office regarding this. I got an email back with two very contradictory sentences: 'There will be no image of your fingerprints anywhere. No one will have access to your fingerprints. The machine is storing your prints as a means of identifying who you are when you touch it.' Does anybody else attend a school that requires something similar? This is an obvious slippery slope, and something I am not taking lightly. What else should I do?"
This discussion has been archived. No new comments can be posted.

  • Contradictory (Score:2, Informative)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Saturday February 20, 2010 @07:36PM (#31214142) Homepage

    I can think of a better way to write that:

    Hey look, what's that behind you? It's much more interesting than any contradictions you might see in the following. There will be no image of your fingerprints anywhere. No one will have access to your fingerprints. The machine is storing your prints as a means of identifying who you are when you touch it. If you're still reading this, damn.

  • by Tepshen (851674) on Saturday February 20, 2010 @07:42PM (#31214204)
    The way that most modern fingerprint scanners work is by using matching algorithms. They scan your fingerprint and translate that into a numeric value and then store that. Not a copy of your fingerprint itself. This numeric value cannot be used to recreate your fingerprint but it can however be used to match the output that only your fingerprint will produce when scanned. To be perfectly candid it's far easier to steal your fingerprints by stealing something you own than it is to take them from a fingerprint security/tracking system.
  • Re:You're dumb (Score:5, Informative)

    by Midnight Thunder (17205) on Saturday February 20, 2010 @07:47PM (#31214236) Homepage Journal

    Solutions like this are often used to prevent someone clocking-in for you. I used this type of solution at a sports club which I used to go to, where you would enter your member number followed by your finger print. Chances are this is another closed system, so the finger prints probably won't get much further than the database.

  • Oh no! (Score:2, Informative)

    by ChinggisK (1133009) on Saturday February 20, 2010 @07:48PM (#31214244)
    I bet there was a handle on the door to their office too, wasn't there? Now your fingerprints are all over the door handle too! It's a conspiracy!

    Seriously though, of course privacy is a huge issue these days, but worrying about your school stealing your fingerprints? You're a little extra special paranoid.
  • by gerf (532474) <edtgerf@gmail.com> on Saturday February 20, 2010 @07:50PM (#31214274) Journal

    Apparently if you visit Brazil, Europeans and Brazilians go through one line. Americans, we can all step over here to get fingerprinted, retina scanned, etc.

    Why? We do it to them, so they do it back. F.

  • by Colin Smith (2679) on Saturday February 20, 2010 @08:17PM (#31214494)

    Not the image anyway. They store the relative positions of specific details of your print. 2 minutes on Google would have told you this.

    The question remains though whether you want them to hold a representation (of any kind) of any part of your body on file.
     

  • Re:No contradiction. (Score:2, Informative)

    by Protocol16 (1706040) on Saturday February 20, 2010 @08:21PM (#31214548)
    Yup, exactly correct. Scanners will store a "hashed" version of your fingerprint based off of an algorithm. It just stores the "fingerprint" as a random string of data. The more secure versions store the hash on a Smart Card, which you have to authenticate against. The DoD uses this type of system on their ID cards for Contractors, Civilians and Military personnel. If you're worried about how bad this situation is, you need to watch a specific myth busters episode: http://www.youtube.com/watch?v=LA4Xx5Noxyo [youtube.com] Nothing to worry about, no privacy being broken, etc.
  • Re:Contradictory (Score:4, Informative)

    by digitalunity (19107) <digitalunity@yah[ ]com ['oo.' in gap]> on Saturday February 20, 2010 @10:03PM (#31215232) Homepage

    I am on federal work study right now and I have not had to submit my fingerprints for anything. You have a few options.

    Accept that this is the way they track work study hours.

    If you can afford it and the privacy concerns are too compelling, decline the work and let them know why in a formal letter. It may go directly to the waste bin but at least you made your reasons known.

    Lastly, you can try to change the policy. Contact your student senate for some backing as they're the most likely to listen, although not the most likely to have power to change it. A couple of suggestions: Switch from bio-informatics scanning methods to plain old bar code badges, RFID chips or paper timecards.

    My school does work study timecards on paper. It's probably the most likely to be abused, but it is convenient for everyone. I'd be more than happy to use an RFID token or bar code badge for clocking in and out. Wouldn't work very well for my specific job, considering I work from home, but in theory I would accept either.

    Your ability to change the policy by force is pretty limited. Employment rights (especially regarding privacy) vary by state when it comes to work study. You could try to contact your local department of labor but it's unlikely they will give you anything other than a headache.

  • by goaliemn (19761) on Saturday February 20, 2010 @10:06PM (#31215248) Homepage

    I've installed systems that work like this. They store a few statistical points of your fingerprint. If someone actually got those points that they stored, they still couldn't make a complete fingerprint.

    This type of system is usually implemented due to former employees punching in for each other. This is a way that makes that more difficult.

  • Re:Non-issue? (Score:5, Informative)

    by Macfox (50100) on Saturday February 20, 2010 @10:19PM (#31215350) Homepage

    Ask if the unit is FIPS 201 certified. If it is then you can be certain that no reproducible image leaves the unit. There's no more identifying data than a password or PIN that leaves the unit.

    There are cheaper units on the market that centrally process the finger print image to speed up matching, which is open to abuse.

    Disclaimer: I previously worked for a fingerprint / time-clock manufacturer that produced FIPS compliant devices.

  • Yes, that is right. This is due to Brazilian Constitution, which says that all diplomacy must be reciprocal. E.g., for every country which demands a visa from Brazilian people, Brazil demands a visa for their people to get in Brazil. If the government, the Federal Police or the airport authority decides to do any different, they will get sued.
  • Get over it. (Score:3, Informative)

    by Domini (103836) <lailoken@gmail.com> on Sunday February 21, 2010 @03:36AM (#31216870) Journal

    Sheesh... this is the same as having public and private encryption keys. The private one is for you, the public one is... you guessed it, public, and cannot be used to reproduce or fake the private one. They only store enough data to verify your fingerprint again. VERIFICATION and IDENTIFICATION are two very different things. No privacy issue.

    Move along, nothing to see here...

  • by tburkhol (121842) on Sunday February 21, 2010 @08:11AM (#31217608)
    If "the system," being time-clock or Federal database, uses a specific, formulaic derivation of your fingerprint to establish identity, then storing that formula result is, from a privacy perspective, equivalent to storing your fingerprint. It's a means of identifying you, personally, by extracting your hash from a database of all hashes based on the hash of an unknown fingerprint. That the algorithm is one-way (ie: you can create the hash from the fingerprint, but not the fingerprint from the hash) is irrelevant. Maybe if the hash space is small enough that many fingerprints give the same hash value - ie, the hash provides sufficient uniqueness for a population of 50 or 100 employees, but is not unique over a population of 1,000 or 10,0000 - although that seems to compromise its value as an employee identifier.
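
The argument in the comment above, as an added example that is not part of any post in this thread: a stored value that is one-way still answers "whose finger is this?" and links records across databases, and only a deliberately small value space weakens that. It assumes the scanner's "hash" can be modelled as SHA-256 over an exact list of minutiae points, which is a simplification (real readers match noisy scans approximately); every name and print here is constructed.

```python
import hashlib
import random

def template(minutiae, bits=256):
    """Deterministic one-way value derived from minutiae, truncated to `bits`."""
    data = ";".join(f"{x},{y},{a}" for x, y, a in sorted(minutiae)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def constructed_print(rng, points=12):
    """Constructed sample data: random (x, y, angle) minutiae, not a real print."""
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(360))
            for _ in range(points)]

def enroll(people, bits=256):
    """The database holds only derived values, never the minutiae themselves."""
    return {template(m, bits): label for label, m in people.items()}

def identify(db, minutiae, bits=256):
    """1:N lookup: who, if anyone, does this unknown sample belong to?"""
    return db.get(template(minutiae, bits))

def link(db_a, db_b):
    """Pairs of records in two separate databases derived from the same finger."""
    return {(db_a[t], db_b[t]) for t in db_a.keys() & db_b.keys()}

def collisions(population, bits, seed=2010):
    """How many of `population` distinct prints share a truncated value."""
    rng = random.Random(seed)
    values = [template(constructed_print(rng), bits) for _ in range(population)]
    return population - len(set(values))

# Constructed scenario: the same person enrolled at two unrelated organisations.
rng = random.Random(7)
alice, bob, carol = (constructed_print(rng) for _ in range(3))
timeclock = enroll({"employee 17": alice, "employee 42": bob})
other_org = enroll({"member 9001": alice, "member 9002": carol})

if __name__ == "__main__":
    print("identified as:", identify(timeclock, alice))
    print("linked records:", link(timeclock, other_org))
    # 20-bit value space: near-unique for 100 people, visibly not for 10,000.
    print("collisions:", collisions(100, 20), "vs", collisions(10_000, 20))
```
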
  • by skade88 (1750548) on Sunday February 21, 2010 @09:22AM (#31217886)
    I have been using a finger print scanner to clock in and out of my jobs for the past 10 years. As the IT guy at some of these jobs, I know that it's not actually storing the full image of my finger print. It stores a few critical points to make sure it has it and not the full image. But if someone really wanted your finger print, it would be easy for them to lift it off the door knob when you enter your office, or from a coke can you throw into the trash or from your keyboard when you get up to go to the bathroom or anything else you touch in a given day. It would be much easier than hacking the time clock or a server to get your finger print.
  • by Mathinker (909784) on Sunday February 21, 2010 @09:54AM (#31218068) Journal

    OK, I've actually never faked a fingerprint myself. But I've read about research on it in Bruce Schneier's blog:

          http://www.schneier.com/crypto-gram-0205.html#5 [schneier.com]

    Care to guess what the batting average of most fingerprint readers was against someone trying to fool them?

    (Answer: the eleven commercial fingerprint ID systems, together, wouldn't defeat my son's blindfolded Little League team.)

  • by Anonymous Coward on Sunday February 21, 2010 @10:34PM (#31224862)

    This isn't a flaw of biometrics so much as it's a flaw of any dongle-based, single-layer security system. For example, you have the same problem with a door with the same key issued to 1000 people -- yes it technically can be changed, but it's quite expensive, so in practice it's never done. That leads to people who should no longer have access still having access, and the ability to easily copy the key and use the copy without detection.

    Your analogy doesn't apply to biometric credentials, where the issue is not cost in re-issuing a credential... but the complete inability to do so at any cost. This problem is actually quite unique to biometric systems. Any non-biometric "dongle" can be expired and re-issued if it's found to be compromised, whereas you have a limited number of fingers and when they're all used up you cannot under any circumstances issue a new fingerprint.

    The solution is trivial. If you combined a password with a fingerprint there would be a secret bit of information that's easy to change AND a physical bit of security apparatus that's harder to reproduce/copy than a password. This same solution also solves the key problem above. And it's the same solution already used in all sorts of applications where security is actually important.

    Multi-factor authentication doesn't resolve the problem that biometric credentials can't be re-issued. Once your biometric credential is compromised you can't reissue a new one, and you no longer effectively have two-factors.

    Now, you could be concerned about them having your fingerprints on file -- I understand the desire to keep people from collecting information about you. But honestly, unless you wear gloves all day long, they could already have your fingerprints if they wanted them; fingerprints are not secret information in the first place.

    The problem isn't people having your prints, it's a combination of 1) If their use proliferates, you have to give them to every organization you interact with. 2) Those organizations do stupid things like use them as a sole authenticator. 3) Criminals steal the biometric signature and use it to authenticate as you. It's the social security number debacle all over again, and I don't believe people who say this stuff will only ever get used in systems that require physical proximity. Applications will start shipping these biometric sigs or their hashes over the network, and there will be flaws where you can impersonate someone if you have the sig, and the sigs will get compromised and collected by criminals, and you won't be able to re-issue them cause they're stuck to your body. If you need a dongle, just a re-issuable one... otherwise use another authenticator like an ID card.
