Would You Submit Biometric Data to Join a Gym? 190
An anonymous reader asks: "I went to my gym (Rocky River, OH branch) yesterday and there was a huge line of people at the counter. When I went to the scanner to swipe my membership card, I noticed they were training people in the use of their new security system that requires the input of your thumb print. There currently a story on boingboing that mentions a tanning salon in Arkansas that is enacting a similar policy. I'm going to call the gym later today and see what type of security they have on their network. I guess we can look forward to a future where these sorts of personal services clubs require the submission of biometric data. I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"
No. Thank. You. (Score:2, Funny)
Re:No. Thank. You. (Score:3, Insightful)
But then, someone could steal your fingerprint without the trouble of hacking some system simply by getting you to hold on to something, for example, a frosty beer or maybe even your gym card.
Then you have to ask (Score:3, Insightful)
If there is no value, they don't need to collect it, do they?
Re:Then you have to ask (Score:2)
Fingerprints don't have value on their own, but they do when used as security keys to your property!
Re:Then you have to ask (Score:2)
Re:No. Thank. You. (Score:5, Interesting)
I went to check out a nice large brand-new gym near my house. They handed me a form to fill out including a questionnaire and a space for my name phone number and address. I answered a few of their questions and just put my first name on the form.
They mentioned that they'd like me to fill in my phone number and address and I said, "no thank you, I'd like to check out the equipment first before signing up." They told me they couldn't show me the gym without that information. Still thinking we just had a misunderstanding I pointed out that I wasn't there to use the gym, I just wanted to see what they had to offer before signing up. They then proceeded to point out to me that they were prepared to give me a tour, but would not do so without my phone number and address.
I said, "goodbye" and walked out the door. Even my bank doesn't require biometrics and didn't ask for an address before they told me about their features. These fitness center folks are too big for their own britches. Pushups and situps are free and running shoes don't cost that much compared to a gym membership. I'd like to use the gym, but I don't have to and I certainly wont consider it untless they figure out how to be less intrusive.
TW
Re:No. Thank. You. (Score:2)
Re:No. Thank. You. (Score:2)
Frankly I would rather ride my bike than go to a gym but that is just me.
Re:Endurance vs. strength (Score:2)
Re:Endurance vs. strength (Score:2)
The off road rideing gives some upper body and lots of leg stregth.
How secure is their security? (Score:3, Insightful)
Re:How secure is their security? (Score:2)
Once they've got your biometric data, how secure are they going to keep it?
Umm, why would they need to keep it secure in the first place?
Unlike a password, it's not possible to change your biometric data if someone steals the gym's files and uses it to spoof other systems.
And also unlike a password, it's not a password. What system could you spoof by knowing what someone's fingerprint looks like?
Re:How secure is their security? (Score:2)
Lots of "secure" things rely on your fingerprint; if the gym has this fingerprint then you are granting them access to everything you intended to keep secure. All so other people can watch you exercise through those big windows...
Re:How secure is their security? (Score:2)
How in the hell can you be so sure nobody can?
"Ignorance more frequently begets confidence than does knowledge"
Re:How secure is their security? (Score:2)
Re:How secure is their security? (Score:2)
Re:How secure is their security? (Score:3, Informative)
http://www.security-focus.com/news/6717 [security-focus.com]
Re:How secure is their security? (Score:2)
The article did not demonstrate that data could be extracted from an existing system and the thumb reconstructed from that data. The above article tested mostly low-security and co
Re:How secure is their security? (Score:3, Funny)
It's already been done. There was even a Slashdot article on it. The guy took an computer image and make a mold and use gelatin. Then he put the gelatin on his thumb and fooled almost every finger print device he could find. He could also eat the gelatin off if someone got suspicious.
So why not make a fake gelatin thumb when you sign up? Surely you can find a thumbprint image somewhere on the internet. Then the gym won't have your thumbprint, they'll have the fake one.
It's...um...bad (Score:5, Insightful)
Re: (Score:3, Insightful)
Re:It's...um...bad (Score:4, Interesting)
Well, not really. It's more like a hash. Unless the people that designed the security sytem didn't have a clue, they wouldn't store reversable fingerprint information at all.
I remember having this discussion with my old boss when he wanted to go biometric a few years ago. He even got ahold of a some fingerprint readers for testing. We found that the industry, and this manufacturer, were very clear on the matter. No one wanted to actually store your fingerprints.
So, feeling confident, he installs the software, plays with it for a little bit and invites me over to try to "hack" his account with my thumb. I put my thumb on the plate and sure enough the device tells me I'm unauthorized... while displaying a giant picture of my thumb accross most of the display.
My conclusion: I believe the companies really aren't storing reversible fingerprint information. I also believe they're doing a lousy job of making people feel confident about this fact.
I think there are enough other downsides that this technology should be condered DOA for most purposes, but this particular issue is probably just a PR problem.
TW
Re:It's...um...bad (Score:2)
Mod parent up.
Re:It's...um...bad (Score:3, Insightful)
Well, the problem is I have to trust on blind faith that it's a hash, and that it's different from the hash used by other companies.
It doesn't matter if my fingerprint is hashed to an opaque 0x0116632c51bde43 if every other system made by the same manufacturer will accept that hash as representing my fingerprint. I'm still screwed, because I can't
Re:It's...um...bad (Score:2)
I think simply having a person's fingerprint or DNA will never be as valuable a form of identity theft as stealing more traditional ID data -- social security number, mother's maiden name,
theft of my fingerprint? (Score:2)
Fingerpring? I'm fearful regarding theft of my finger!
Re:theft of my fingerprint? (Score:2, Funny)
Well, if it goes missing, you can just check all of your local Wendy's franchises. It seems all missing fingers end up in a bowl of chili eventually.
Mmm.. chili. It's finger lickin' good!
Re:theft of my fingerprint? (Score:3, Informative)
here [boston.com]
or here [yahoo.com]
or here even [yahoo.com]
another one [chron.com]
In other words.. she's a known con artist, and now she's paying the price for being clumsy.
thumbs are useful (Score:3, Insightful)
Better than having swipe-cards that fail after a single wash. (Thumbs are wash-proof!)
But using thumbs as positive I.D. for your bank account is a bad idea.
See?
Re:thumbs are useful (Score:1)
What if you wash them too long and they get all wrinkley?
Re:thumbs are useful (Score:2, Interesting)
When I am exposed to soap it causes a lot of problems with fingerprint scanners for me. So yeah, cards are a better option for people with my condition.
Why not go for something like card + hand geometry identification if they're so c
Re:thumbs are useful (Score:2)
Re:thumbs are useful (Score:3, Insightful)
Sacrificing your deeply personal information for the convenience of a simple consumer product is plain dumb. Aren't you concerned with security? This is plain sleezy, and it wouldn't suprise me to see "24-hour Nautilus" (Sleezebags) use this scheme in a couple years.
The gym isn't doing this for your convenience. They do it to prevent people from sharing memberships, which is fine, but not when they reso
Re:thumbs are useful (Score:2)
Re:thumbs are useful (Score:3, Insightful)
If any argument is made that "well, a hacker could break in and change the picture on record," then you need to realize that it would be exactly as difficult for a hacker to break in and change the thumbprint on record.
The difference is my thumbprint is my own bu
Re:thumbs are useful (Score:2)
Vote with your feet (Score:1)
Not feet (Score:2, Funny)
Copyright (C) Yourself. Right now. (Score:2, Insightful)
Someone should fire up a dot-com which allows people to copyright all biometric info about themselves. Yes, it would be a registry. No, it wouldn't be "Big Brother" - the purpose would be to allow any individual worried about protecting their information, to have legal grounds to stand on in pursuing action against any other party using that information inappropriately.
A 'clearing house', or 'group repository of biometrics' datab
Re:Copyright (C) Yourself. Right now. (Score:3, Insightful)
Re:Copyright (C) Yourself. Right now. (Score:2)
Ahh well.
In reality, this is like trying to stop the tide from coming in. You'd have better luck stopping the sun on it's ecliptic than trying to stop biometrics from becoming the defacto identification.
It will happen!
Eventually, your credit card, bank account, paycheck, network password, car key, and every thing else you can think of will be tied to your voice, fingerprints, or GATTACA-style DNA
Re:Copyright (C) Yourself. Right now. (Score:2)
Re:Copyright (C) Yourself. Right now. (Score:2)
You can't copyright facts about yourself, which is what biometrics is based on, and for that matter most of what your privacy-sensitive information [jerf.org] is.
You can't copyright the collection, because other people will independently collect it, and they can (and do!) claim their own copyright on the new collection.
Trademarks don't work, because they are mostly concerned with preventing other people from fraudulently passing themselves o
Trademarks and passing off (Score:2)
Trademarks don't work, because they are mostly concerned with preventing other people from fraudulently passing themselves off as your business concern.
And what would crooks use your thumbprint for, if not for fraudulently passing themselves off as you?
Re:Trademarks and passing off (Score:2)
This is why I said to dig deeper before pos
Re:Copyright (C) Yourself. Right now. (Score:2)
"The" company (boy, I wish it was a "the" company...) is also not copyrighting your data. Nobody can. What they can and do do is copyright the collection of data.
For further information, look up "compilation copyright", as this is a somewhat rich topic, and beyond the scope of a Slashdot posting.
Clarification (Score:2)
Size of the company does not matter, (Score:2)
Re:Size of the company does not matter, (Score:2)
How long until stores want you to give a urine sample before using the bathroom?
Re:Size of the company does not matter, (Score:2)
LOL, I'd rather piss at their manager's leg like a dog!
obUrinetest: It's bad enough that it is legal for an employer to demand a urine sample and other stuff belonging to one's privacy. I'd never work in such an asshole company!
My University did this. (Score:3, Interesting)
Re:My University did this. (Score:1)
Re:My University did this. (Score:1)
Re:My University did this. (Score:2)
Errr... combination lock...?
Not if I can help it. (Score:2)
If needed, it's easier to shed an ID, and get lost in the big mass of people in any world city and take on a new ID. When your fingerprints are out there, it's there for ever. I rather not cut of my fingers.
Perhaps your traveling can be tracked with ID (at borders and such), but at least you know it when you hand over your card. Prints can be found up to a few days after you have left, without
Re:Not if I can help it. (Score:2)
I guess it could keep a full scan. Figure 1 sq in per thumb average a 600x600 8bit grey scale scan would take 351k per user uncompressed.
It's okay if they are Micrsoft Certified (Score:1)
In a word: (Score:2, Interesting)
Fuck 'em. We already own a treadmill and the wife's been wanting to buy an elliptical [nordictrack.com] anyway.
Slowly things like this get introduced and the stupid sheeple submit en masse. The more people that stand up and argue with the un- and under-educated about such invasiveness, the better.
Sure, these things may not be so bad yet but this may just be the tip of the iceberg. Give 'em and inc
Not a big deal... (Score:2, Informative)
I would worry more about the other data they could hold on their machines, which could contain more sensitive personal information and could be stored in less secure machines.
There's still a lot of sensitive data (medical records etc.) stored in Access databases and similar b
Re:Not a big deal... (Score:1)
I'd like to tell you ... (Score:4, Funny)
I..........I
I..........I
I..........I
I....
I..........I
Your unquestioning compliance in this matter would be greatly appreciated.*
Thank You,
The Management
* By supplying your thumb print, you agree to abide by our Terms of Service. You may request a copy of the Terms of Service directly from our Corporate Headquarters.
wtf (Score:2)
But on a goddamn GYM?!
Hell, I have access to a USB dongle that will store passwords for websites, variable per user, and it identifies the user by the user's fingerprint.
ON A GYM?!
Who the hell is going to have significant problems if someone steals their identity to go to the damn gym?
If the gym has to be secure, fark the membership cards, and just have a database of people allowed in, and hav
Re:wtf (Score:2)
All security aside, I think the USB dongle that stores your passwords and fills them in automatically when you apply your finger is a cool idea.
I think my money (Score:2)
Not big brother (Score:3, Insightful)
And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...
Re:Not big brother (Score:2)
Until thirty years from now, long after you've forgotten that some random gym two states away has your thumbprint on file. When your job or bank or something starts using thumbprints, and is actually super-secure about it, so you go ahead and use it there too... But surprise! It doesn't matter how securely the new place keeps
Re:Not big brother (Score:2)
Other than framing you for a crime...
The right way to do it (Score:3, Insightful)
But here's how to implement a thumbprint-as-login system and keep people, including the paranoid freaks here at slashdot, happy.
1) Make it optional. Don't want to submit your thumbprint? Fine. Just make sure you always show up with your card.
2) Make it hashed, using a public key unique to that system. That way, the information stored is effectively useless. If a hacker gets in, all that they will be able to do is see a bunch of GUIDs. Whoop de doo.
I'm almost 100% that this is, in fact, just what is being stored. I mean, imagine actually storing a thumbprint. That's got to take up more space, and is really slow and inefficient for data lookup.
Someone more knowledgeable in biometrics, please rip me a new one if necessary.
Re:The right way to do it (Score:2)
It's not clear to me that this is being done to keep people from needing their gym ID, although that is one possible reason. But it does at least address the first question that ought to be asked: what is the problem we are trying to solve here?
Not having to carr
Re:The right way to do it (Score:2)
When you become a member they issue you a card with a short ID number (4 to 6 digits), and they use a webcam to take a snapshot of you for the customer database. When you go to the gym, you don't need the ID card at all- walk in, tell the person at the door your ID number. They punch the code into the computer and it pulls up your info including the picture, and one look at your face lets them know you are who you say you are.
Re:The right way to do it (Score:2, Insightful)
Re:The right way to do it (Score:2)
A) Your Social Security Number
B) Your fingerprint scans
C) Your Iris/Retina scans
D) Your picture (head only)
I'd *much* prefer them to take a picture of me than take my fingerprints. If you think you can walk down the street, go to the airport, a store, the post office, the bank or use an ATM without your face ending up recorded on some sort of analog or digital medium you're mistaken. Even the gym has a security
Re:The right way to do it (Score:2)
OK, that's cool, but I think the point the parent was making is a photo or a fingerprint are both forms of biometrics. Why is a photo OK when a fingerprint isn't (or the other way around, why is a fingerprint NOT when a photo IS)?
Re:The right way to do it (Score:2)
If some important information about you was leaked from a database, would you rather it be: A) Your Social Security Number B) Your fingerprint scans C) Your Iris/Retina scans D) Your picture (head only)
Iris/retina scans, then fingerprint scans, then SSN, then my picture. I think about it this way: which would I rather have released on Slashdot, and that's the order I'd put it in.
If you think you can walk down the street, go to the airport, a store, the post office, the bank or use an ATM without your
Re:The right way to do it (Score:2)
Clever, but gloves would be acceptable to wear in any of the areas I mentioned. Just try wearing that mask in the airport, bank, or even the convenience store and see what happens. I can visualize enough of the outcome to insist you go first with that mask on any day other than Halloween
Re:The right way to do it (Score:2)
I'd imagine that avoids having the issue of two John Smiths at one gym. Every time John comes in he'd not only have to give his name, but some other information to help the guy behind the desk figure out which John he is (unless it displayed all the John Smiths, but this gets complicated). Just giving everyone a number makes it simpler. Same reason you get a number in most places of work, the library, the government...
Re:The right way to do it (Score:3, Informative)
But if you switch you get a 3% discount and a free drink every month! But you loose a bit of privacy.
That's the way big stores (Walmart&Co) get you to switch to their rabate system. You safe $50 a year. They earn $100 because the sell your data to "data blackhole" companies like ChoicePoint.
How much worth is your privacy?
Don't wait until there is any kind of self regulation in the "data grabbing business".
In Germany the data belongs
Re:The right way to do it (Score:2)
Or, to share their gym card with their friends.
Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.
And cheaper than paying someone to check the cards.
Re:The right way to do it (Score:2)
I've done some research into biometrics, and you're pretty much right on. Nobody that I'm a
Ask them to assume liability (Score:2)
If that doesn't work, it's summer - you've got 'till fall to find another gym. If you need work to do, I've got trees to clear.
And? (Score:2)
Personally, not having to carry around numerosu bits of plastic that don't actually identify me is going to be a relief.
Re:And? (Score:2)
It's a matter of what is acceptable to the consumer, as well as the first step of a slippery slope.
What if they said "you must get this RFID chip implanted so we can identify you?" No thanks. "Have this bar-code tatood onto your neck?" Not likely.
This is getting very invasive. And, with everyone in the world having fingerprint information, you can bet that the ever-expa
Answer (Score:2)
I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?
I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.
I'm sure they'd hem and haw and try to
Two problems with this approach - (Score:2)
2) This is a gym. How many jock boys have opposable thumbs?
And of course, we've got #3, in the tradition of Douggy Adams..
3) Scratches, scrapes, dead skin, flakes, etc. will make the image different enough to screw up the match. Add in sweat, gym chalk, bandages etc...
No Big Deal? (Score:2)
Seriously folks, this for a gym membership, not admittance into NASA or the CIA.
If a non-essential or frivolous business like this demanded that kind of personal information I'd be out of the door in an instant, not because I worry about security, but because it's a wholly unreasonable demand to make of your customers.
Perhaps more importantly, every time that you allow a business to record unnecessary information about you
Re:No Big Deal? (Score:2)
Not bad.
Unfortunately, most employees don't know about the customers, don't care what they like, aren't cheery, and aren't well trained or motivated because they aren't paid well.
It has something to do with a chicken and an egg.
Sure. If... (Score:2)
Especially if it's as innoxious as a [almost publically available] thumbprint.
That said, it would be nice to hold biometric data under the same sharing rules as other medical info.
Solving Crimes (Score:2)
ask for their data retention and privacy policies (Score:4, Interesting)
If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.
Will they transfer this data if the company is sold or goes out of business? Remember eToys had a privacy policy that went out the window during bankrupcy. Will they destroy the data when you cancel your membership. What security mechanisms and audit procedures do they have in place?
When you bring it up it may be the first time they have thought of it so be prepared to wait.
-weld
Re:ask for their data retention and privacy polici (Score:2)
If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.
Too late for that. The FBI already has a copy of my fingerprints. They got it when I signed up as an originator of electronic filed tax returns. Pretty much any other part of the federal or state government could get it if they wanted it, it's probably already in databases accessible to all of the federal government. If the government already has it, I don't
Wow. How collossally stupid, (Score:2)
This is totally appaling, and not that different from businesses asking for things like your social insurance number for no good reason.
There is no business that I would ever provide this information to. Heck, I wouldn't give this to anyone but the police, and then even only if I was compelled. A gym or a tanning company? Not fsck'ing likely.
I've already deci
another example (Score:2)
Any company, organization or individual (Score:2)
I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"
Tin foil hat aside, I don't feel comfortable in submitting biometric data to anyone or thing.
Depends on what they store (Score:2)
Ask them if they store the image or just the template. If they store the image then I would be less likely to do it. If they just store the template then that would be OK in my book.
Although it is possible to sometimes reconstruct your fingerprint from a template, it is a non-trival operation and if you have people capable of doing something like that, they can do far worse things than get your fingerprint off some health club system.
Remember, you leave
Re:Depends on what they store (Score:2)
(a) how can I be sure that they're actually only storing the template?
(b) if other systems from the same vendor use the same templates, what's to stop someone stealing the template database, and submitting the templates to other systems as if there were fingers present? (e.g. to rig ATM transactions)
Re:Depends on what they store (Score:2)
(b) True, but there are a crapload of template standards and it's rare that any two companies use the same format. There is (currently) no standardization at all. However, like I said, it's super-easy to get fingerprints from all sorts of sources anyway. It's semi-hard to inject raw templates into the system because that would require hacking the server and/or the hardware.
Anyway, fingerprints are more for convenience than real sec
Who cares? (Score:2)
Would You Submit Biometric Data to Join a Gym?
Sure, why not? I submitted biometric data to join Busch Gardens. They measured the distance between my fingers or something. See the story [newsmax.com] about it. Sure, it's not fingerprints, but what's the difference?
This country was founded by criminal lovers (Score:4, Insightful)
Damn those long-haired freak Founders and their crazy ideas. If only someone would've told them that innocent men have nothing to hide, they could've avoided making many [cornell.edu] unnecessary [cornell.edu] additions [cornell.edu] to the US Constitution.
Re:At the risk of being offensive... you clowns! (Score:3, Insightful)
Maybe the thumbprint is superf
Re:make them aware of the liability (Score:2)