Fingerprint Requirement For a Work-Study Job? 578
BonesSB writes "I'm a student at a university in Massachusetts, where I have a federal work-study position. Yesterday, I got an email from the office that is responsible for student run organizations (one of which I work for) saying that I need to go to their office and have my fingerprints taken for the purposes of clocking in and out of work. This raises huge privacy concerns for me, as it should for everybody else. I am in the process of contacting the local newspaper, getting the word out to students everywhere, and talking directly to the office regarding this. I got an email back with two very contradictory sentences: 'There will be no image of your fingerprints anywhere. No one will have access to your fingerprints. The machine is storing your prints as a means of identifying who you are when you touch it.' Does anybody else attend a school that requires something similar? This is an obvious slippery slope, and something I am not taking lightly. What else should I do?"
Non-issue? (Score:5, Interesting)
I've used biometric scanners like this in the past. Whatever it stores to recognize your fingerprint never leaves the machine. I don't know if that's what's going on here, but it seems perfectly reasonable.
No contradiction. (Score:5, Interesting)
I checked into these before. The scanner records a description of your fingerprint, not the image. The description is used to match. It's a form of message digestion.
Most scanners of this type do not even record enough detail to qualify as evidence. Those that do must have their data shared with law enforcement, making them a hard sell as a biometric time card.
Disney World (Score:3, Interesting)
At Disney World, they require finger prints when you enter the park if you want to be able to re-enter or switch to another park (if you have a ticket that allows that). At least the government doesn't directly get them, but who knows what they're doing with them or how long they keep them. (This was several years ago; I don't know if it's changed.)
Re:What else should I do? (Score:5, Interesting)
I used to work at a job that required using an id card to clock in and out. If you left it at home it was a huge hassle to get a temporary id card. Forget it too many times and they started to take disciplinary action. I'd rather use my fingerprint to 'clock in' than try and remember to bring my id card every day when the only function of that card was to clock in and out.
Pick your battles. Settle for knowing... (Score:4, Interesting)
...that the next time a pompous administrator says in public "nobody has complained about that," you know that he is lying. Settle for not just knucking under without saying anything at all. Settle for knowing, if you do know, that your complaint has reached someone who sets policy and that you're not just making things hard on a bunch of other ordinary workers whose job is to keep things running.
This is not nothing at all, but it's a small thing.
You can't change the world through indignation. You really have only three choices. First, be docile and do nothing at all. That's often a good option by the way. Second, make sure your concerns have been heard, even if they are dismissed. Or, third, be prepared to devote at least a year or two of your life to the cause of fighting this thing.
If you feel that spending a year or two toward the goal of getting the university to stop using fingerprinting gadgets for access to work-study jobs is worth it, and is what you want to do with that chunk of your life, you can probably achieve your goal. I dunno how. Work through the union if there is one? Start a union if there isn't one? Make appointments and personally talk to one administrator after another, calmly, until you figure out how to get the policy changed? Personally work out an actual proposal, including costs and benefits, for alternative security, so you're presenting them with something positive and their work all done for them, instead of just saying "don't do what you're doing?" Find a faculty committee that's interested in the question that you can swing to your side? I dunno.
GENTETIC Testing (Score:2, Interesting)
Wait till they start genetically testing everyone with DNA requests for security purposes.
Thats when the fun will begin.
Expect to be denied loans based on life span and proclivities to all sorts of diseases they find you will contract.
Effectively they can prevent your student loans/grants to save money as they certainly do not want to invest in anyone who won't be around long enough to pay back that 100K.
All sorts of monkey business is planned. If you have a kid right now, the blood of every baby born in US hospitals MUST be saved by the department of homeland security for a genetic test for identification.
-Hack
PS: NO, they DO NOT tell you about that last part.
Re:No contradiction. (Score:4, Interesting)
Do they have to just volunteer all the data automatically, or only if law enforcement asks? (If the former, [citation needed].)
Re:For the fossils (Score:3, Interesting)
And now for the rest of the story:
http://www.youtube.com/watch?v=5_7C0QGkiVo [youtube.com]
Re:Those things don't work (Score:3, Interesting)
After the first two weeks, it kept saying (in a REALLY annoying voice) "Please try again ..." "Please try again ..." "Please try again ..." "Please try again ..."
It was tempting to just hack into the PC it was running on and just update the stupid database manually, but that would have been too much work to maintain, running after everyone and asking them what hours they wanted to show on the timesheet.
And if you did more than 12 hours, it got confused.
And if you forgot to punch out the night before, it would SAY you were punching out the next morning when you punched in, but in reality it was punching you in, since you had exceeded the 12-hour limit. So people would quickly "correct" it by punching in, and it would SAY that they were now punched in, but in reality they just punched out. And 8 hours later, when the went to punch out ... it would say they just punched in.
And it didn't update when the time changed between DST and EDT, and vice versa.
After a few weeks of that, it's understandable that people began beating on it.
It also must have had a math aversion - it couldn't add up time properly. I would take the numbers on the print-out, add them up manually, and get an hour LESS than I was being credited for. It can't add. Not if one day had 10 or more hours worked, but less than 12 - it would throw in an extra hour, giving 11 hours worked. for example, a 4-day week, 4 x 10 hours, is not 44 hours.
Re:What else should I do? (Score:2, Interesting)
Re:I recommend... (Score:5, Interesting)
Humor me:
How much information about you is encoded in your fingerprint, exactly?
If someone gained access to your fingerprint could they, for example, empty your bank account? Take out a loan in your name? Give me an example here.
cut off finger? gummy bear can beat the system and (Score:3, Interesting)
cut off finger? gummy bears can beat the system and the myth busters where even able to beat high tech lock with a copy on paper.
Re:GENTETIC Testing (Score:1, Interesting)
A quick search turned up this:
http://www.cnn.com/2010/HEALTH/02/04/baby.dna.government/index.html?hpt=Sbin
http://earthhopenetwork.net/forum/showthread.php?tid=476
http://infowars.net/articles/february2010/080210DNA.htm
I have no idea of the validity of these claims.
Re:It's all stupid, and for stupid reasons (Score:0, Interesting)
It is because americans do the same when foreign people visit USA, So brazilians got tired of that discrimination and in response gives the same treatmen that americans give to brazillians. Argentina took a different aproach, now Argentina charges a fee, for all the visitors whose country charges argentineans. Usa claims a 123 usd fee in order to request a visa, (that can be denied with no reason nor refound) so argentina charges americans a 123 usd fee. Think that as a way to make citizens of other countries how they threat to foreigns.
They could go even further... (Score:5, Interesting)
To login BonesSB would present a finger, the same information points would be measured, then hashed then the two hashes compared.
I am not saying that they did go to that extent, but they could have.
It would be illegal in many EU coutries (Score:4, Interesting)
I know this will surprise many slashdot readers but using your fingerprint as described by the poster for the purpose of clocking you in and out of work would be illegal in many countries accross Europe (with the possible exception of the UK). In France, for example, you can actually get fined by the data protection authority for doing so.
It's true that most of these devices don't store an image of your fingerprint but rather a "template" : a description of some special features of your fingerprint. But that doesn't change the problem.
Indeed, many data proctection authorities accross the EU consider that biometrics pose sevreall security and data protection issues and must therefore be used with caution. Fingerprint biometrics are of special concern, in particular when the biometric data (templates) are stored in a central database. The big problem with fingerprints is that we leave them everywhere, on all objects we touch. Someone can pick up your fingerprint and test it against the templates inside the database. (Sounds crazy or technically impossible ? It's much easier than you think : i've tested it myself, that's part of my job). There are other issues whith fingerprint biometrics that I won't detail here.
In the end data protection authorities in the EU consider that the use of a central fingerprint database is excessive if your only objective is only clocking people in and out. Instead, they encourage the use of a smartcard to store the biometric data : you show your finger to the biometric reader and it gets compared with the data stored in the smartcard. This solution offers the same benefits in terms of security but you keep control of your biometric data.
Why even ask about privacy? (Score:3, Interesting)
I mean, if I had to use a fingerprint scanner for identification, I'm the kind of person who would fool with it just for fun. The only way they have been able to make them "reliable" -- that is, reliably accept your fingerprint and not lock you out -- was to loosen up the match criteria enough that they are much too prone to false positives, which in turn makes them easy to fool.
I would do things like clock in Susan for four hours when she is really on vacation in Hawaii, for example, just to see what happens. Or clock in Sam at 3 a.m. so that when he comes around at noon and scans, he's really clocking out. And so on. Consider it like friendly hacking... you are showing the owners that their system just doesn't work. It's a useful technique when they simply won't listen to reason.
Re:They don't store your actual fingerprint (Score:3, Interesting)
Only if you work for a security conscious facility who is willing to deal with the hassles of running such a system. Both places I've been at that used it for just timeclock purposes either turned the discrimination down so far that at least one other person could fake for them, or gave up on the high false negative rate and switched to "type in something you wouldn't want your coworkers to know, like your SSN".
I left the latter place real quick.
Re:They could go even further... (Score:3, Interesting)
Has more to do with hygene than privacy (Score:3, Interesting)
GEEZ! The Slashdoters sure can pitch a fit about nothing!
These devices only store a few numbers that were derived from the patterns of your prints. They don't store anything near the actual image. When you re-scan your finger to clock in it creates a new set of numbers and looks for a set that is statistically close to something it has in it's database. Usually you have to enter a PIN as well because these things do such a crappy job that without knowing where to start, it would have a terrible time figuring out which of the stored sets of numbers match up to the one you just scanned in. I'm not saying that some systems can't do a great job. I'm just saying that the kinds of systems they sell for time-clocks are usually pretty lame. Especially after they get beat around for a while. So all these time-clock units really do is determine if the clock-in scan is statistically close enough to the original scan to be more likely to be you than some other employee. The actual data stored is less personally identifiable than your name. Are you gonna complain if they ask you to give your name when you clock in?
I also seriously doubt that these things produce any form of standardized data that could be transferred to any other system. Heck, sometimes the scans won't match up just because you bought a slightly different model from the same manufacturer to replace a broken unit. Ever try to troubleshoot one of these systems? It is a nightmare.
So, you have nothing to worry about. "They" are more likely to track you by mere facial recognition via security cameras than by your fingerprints.
Re:They could go even further... (Score:3, Interesting)
This is why fingerprints should be usernames, not passwords.
That's why they are on our (government) systems.