Destroying fingerprints: biometrics, government, and ignorance
There's very good news to report. Last Wednesday the school met with parents to hear our concerns. At that meeting the director of food services took full responsibility for the decision and verbally committed not to use biometric technology. What's more, our school was their first site for implementation, which means our efforts will nip it in the bud for the whole district. Our local school government seems to have stumbled into this controversy through complete ignorance. Provided they follow through, they deserve a little praise for quickly claiming responsibility for the mistake and for taking measures to destroy the data they have collected.
In the way of bad news, it sounds like biometrics are already being used all over the place. An Associated Press report on biometrics in a Georgia lunch room includes this bit of background:
Colleges and high schools have used fingerprint scanners to stop non-students from sneaking into dining halls and gyms. Now elementary schools are joining in, hoping that biometric devices are a good way to keep lines moving and pay for meals.
Districts elsewhere in the country use finger scans to dispense medicine, take attendance, check out books in the library or ensure that bus-riding students get off at the right stop.
Jay Fry, CEO of biometrics maker identiMetrics Inc., said elementary school districts are one of his company's fastest-growing markets.
It's weird to read the casual tone of that article after seeing the reactions of many of my peers. Almost everyone with whom I've spoken has reacted with shock and dismay at the idea of fingerprinting children. Maybe we're just a bit more paranoid around here.
The main concern is this: if fingerprints are compromised, there's no way to change fingerprints. Even if the risk of compromise is very low (which it may well be), the consequences could be permanent damage to one's biometric identity. That makes the risk equation: low-risk, high-stakes. That assumes we're correct about the low-risk.
When I was in college, student IDs were the same as Social Security Numbers. We didn't think twice about it. When test results were posted they were often listed by Social Security Number, ironically, to protect the privacy of our grades. Many establishments used to ask for a Social Security Number and driver's license number when accepting payment by personal check. It has only been in the past few years that identity theft has entered our vocabulary. We're only at the very earliest stages of understanding how our identity can be abused. Biometric data are a representation of our physical identity, not just unique numbers we've been arbitrarily assigned by The System. I suspect that the Government changes the Social Security Numbers of people under the witness protection program. But your fingerprints can't be changed. As biometrics enter the mainstream, they will become an obvious point of attack for identity thieves.
In light of our experience and the apparently growing use of biometrics, it seems especially important to publish this. Until we can verify the low-risk part, let's take the high stakes part seriously.
One other point to make -- it's not just about the fingerprints stored on the system. Every time someone presses their finger onto a reader, another image of their print is taken and processed. In the case of our lunch lines, that's a regularly scheduled, completely predictable stream of fingerprints. The need to secure that data applies not just the first time it's collected, but every time it's used as well. That's a very long-term commitment to security. Moreover, that data needs to be protected for the entire lifespan of the student. Is our district insured against the financial consequences of losing that data?
How can the district ensure the destruction of biometric data once they have been collected? The short, scary answer: information can move pretty close to the speed of light so technically that data could be anywhere and in more than one place. The less scary answer is that bureaucracy doesn't move anywhere near the speed of light. They might not have backed up the data yet or transmitted it anywhere.
Any copies of the biometric data that have been transmitted or replicated in any way whatsoever must be permanently destroyed. If it's on hard drives or backup tapes those copies of the data must undergo a low-level security erase. If backups have been made to CDs those CDs must be shredded. If the data is in stable memory sticks or usb drives, those media must also undergo a low-level security erase. Any systems which were involved in the data transmission should also be shut down so any remnants in memory are also flushed. No electronic remnants on any systems or media of any kind. The data must be erased beyond recovery from any and all devices involved.
A security audit of any systems involved in the collection of biometric data would also be in order. If any of the systems were compromised by spyware, a virus, a trojan or a rootkit, that malicious software might have enabled the biometric data to escape the school district's systems without their knowledge. Similarly, if the computers in question are or were connected to a network, then the security audit should expand to include the network and any connected devices as well as the specific systems involved, because similar compromises on any of those systems might have intercepted the transfer of biometric data. Also, most operating systems these days use virtual memory as a matter of course. That means there's potential for the operating system to have saved copies of the biometric data to disk even if the biometric software were programmed not to use the disk at all. In other words, any areas of the disk used for virtual memory should also be security erased.
If the data found its way into a database, then the disk partitions on which those database tables are physically stored will also have to undergo a security erase. Any transaction logs or audit logs kept by the database will have to undergo a security erase. If the database is replicated or distributed, then the backup databases will require the same attention. In any of those cases, the district will insist on having a backup of the database in question. That backup will have to be created carefully to ensure that the biometric data is not included in the backup.
The district's backup systems deserve special attention. They almost certainly have an automated backup server which collects the vital data of the district. The timing of those automated backups may have captured the biometric data. Moreover, the backups are very likely to include not only the biometric data, but also the students' personal records and maybe the encryption keys. Moreover, it is almost certain that the backups are conducted over the network. Previous comments about auditing networked systems apply to the network used for backup as well.
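The last few paragraphs ask for two things at once: a fresh backup that leaves the biometric data out, and proof that no remnant of that data survives in the copy. The script below is an added example (not code from the original post or from the district) showing how one might do both for a database backup. It builds a hypothetical SQLite "district" database with constructed placeholder bytes standing in for fingerprint templates, exports a copy that drops the `fingerprint_template` column, and then scans the raw bytes of both files for every template to confirm that the sanitized copy holds none. The table name, column names and sample bytes are all assumptions.

```python
import os
import sqlite3
import tempfile

# Constructed sample records. The "templates" are placeholder bytes, not real
# biometric data; the table layout is a hypothetical one for this example.
SAMPLE_STUDENTS = [
    (1001, "Student A", 2, b"\x9a\x11TEMPLATE-A\xff\x02\x88"),
    (1002, "Student B", 3, b"\x3c\x7dTEMPLATE-B\xee\x10\x41"),
]

# Columns that must never reach the sanitized backup.
BIOMETRIC_COLUMNS = {"fingerprint_template"}


def build_source_db(path):
    """Create the hypothetical source database that contains biometric data."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE students ("
        "id INTEGER PRIMARY KEY, name TEXT, grade INTEGER, fingerprint_template BLOB)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    conn.close()


def export_without_biometrics(src_path, dst_path, table="students"):
    """Copy one table into a new database file, dropping every biometric column.

    Returns the list of column names that were kept, in their original order.
    """
    src = sqlite3.connect(src_path)
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
    columns = [(row[1], row[2]) for row in src.execute(f"PRAGMA table_info({table})")]
    keep = [(name, ctype) for name, ctype in columns if name not in BIOMETRIC_COLUMNS]
    col_list = ", ".join(name for name, _ in keep)
    rows = src.execute(f"SELECT {col_list} FROM {table}").fetchall()
    src.close()

    dst = sqlite3.connect(dst_path)
    dst.execute(f"CREATE TABLE {table} ({', '.join(f'{n} {t}' for n, t in keep)})")
    dst.executemany(
        f"INSERT INTO {table} VALUES ({', '.join('?' * len(keep))})", rows
    )
    dst.commit()
    dst.close()
    return [name for name, _ in keep]


def contains_any(path, needles):
    """Return the subset of byte strings that appear verbatim anywhere in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return {n for n in needles if n in data}


def verify_sanitized_backup(src_path, dst_path, table="students",
                            column="fingerprint_template"):
    """Scan the raw file bytes of source and backup for every stored template.

    Returns (templates_found_in_source, templates_found_in_backup). The source
    count is reported too, so a zero result on the backup is known to come from
    a working check rather than from templates that were never findable.
    """
    conn = sqlite3.connect(src_path)
    templates = {row[0] for row in conn.execute(f"SELECT {column} FROM {table}") if row[0]}
    conn.close()
    return contains_any(src_path, templates), contains_any(dst_path, templates)


def demo():
    """Run the export and verification on temporary files; returns a summary dict."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "district.db")
        dst = os.path.join(workdir, "district-sanitized.db")
        build_source_db(src)
        kept = export_without_biometrics(src, dst)
        in_src, in_dst = verify_sanitized_backup(src, dst)
        return {
            "kept_columns": kept,
            "templates_in_source": len(in_src),
            "templates_in_backup": len(in_dst),
        }


if __name__ == "__main__":
    print(demo())
```

The byte scan only catches verbatim copies: a backup that compresses or encrypts its contents would pass this check while still carrying the data, which is exactly why the post's worries about encryption keys and transaction logs matter. Treat a clean scan as necessary, not sufficient, and apply the same scan to the journal, log and temporary files the database engine writes beside its main file.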
I have focused my attention on the scenario of some Bad Guy capturing the biometric data for financial gain. Some among my community are more concerned about the government being able to subpoena the database of encrypted biometric data, the encryption key which unlocks that data, and any of the district records about the students as well. The Bad Guys might be in the Government.