October 26, 2006

Destroying fingerprints: biometrics, government, and ignorance

There's very good news to report. Last Wednesday the school met with parents to hear our concerns. At that meeting the director of food services took full responsibility for the decision and verbally committed not to use biometric technology. What's more, our school was their first site for implementation, which means our efforts will nip it in the bud for the whole district. Our local school government seems to have stumbled into this controversy out of complete ignorance. Provided they follow through, they deserve a little praise for quickly claiming responsibility for the mistake and for taking measures to destroy the data they have collected.

By way of bad news, it sounds like biometrics are already in use all over the place. An Associated Press report on biometrics in a Georgia lunch room includes this bit of background:

Colleges and high schools have used fingerprint scanners to stop non-students from sneaking into dining halls and gyms. Now elementary schools are joining in, hoping that biometric devices are a good way to keep lines moving and pay for meals.

Districts elsewhere in the country use finger scans to dispense medicine, take attendance, check out books in the library or ensure that bus-riding students get off at the right stop.

Jay Fry, CEO of biometrics maker identiMetrics Inc., said elementary school districts are one of his company's fastest-growing markets.

It's weird to read the casual tone of that article after seeing the reactions of many of my peers. Almost everyone with whom I've spoken has reacted with shock and dismay at the idea of fingerprinting children. Maybe we're just a bit more paranoid around here.

The main concern is this: if fingerprints are compromised, there's no way to change them. Even if the probability of compromise is very low (which it may well be), the consequence could be permanent damage to one's biometric identity. That makes the risk equation low-probability, high-stakes. And it assumes we're right about the low probability.

When I was in college student IDs were the same as Social Security Numbers. We didn't think twice about it. When test results were posted they were often listed by Social Security Number, ironically, to protect the privacy of our grades. Many establishments used to ask for a Social Security Number and driver's license number when accepting payment by personal check. It has only been in the past few years that identity theft has entered our vocabulary. We're only at the very earliest stages of understanding how our identity can be abused. Biometric data are a representation of our physical identity, not just unique numbers we've been arbitrarily assigned by The System. I suspect that the Government changes the Social Security Numbers for people under the witness protection program. But your fingerprints can't be changed. As biometrics enter the mainstream, they will become an obvious point of attack for identity thieves.

In light of our experience and the apparently growing use of biometrics, it seems especially important to publish this. Until we can verify the low-risk part, let's take the high stakes part seriously.

One other point to make -- it's not just about the fingerprints stored on the system. Every time someone presses a finger onto a reader, another image of the print is taken and processed. In the case of our lunch lines, that's a regularly scheduled, completely predictable stream of fingerprints. The data needs to be secured not just the first time it's collected, but every time it's used as well. That's a very long-term commitment to security. Moreover, that data needs to be protected for the entire lifespan of the student. Is our district insured against the financial consequences of losing that data?

How can the district ensure the destruction of biometric data once it has been collected? The short, scary answer: information can move pretty close to the speed of light, so technically that data could be anywhere and in more than one place. The less scary answer is that bureaucracy doesn't move anywhere near the speed of light. They might not have backed up the data yet or transmitted it anywhere.

Any copies of the biometric data that have been transmitted or replicated in any way whatsoever must be permanently destroyed. If it's on hard drives or backup tapes, those copies of the data must undergo a low-level security erase. If backups have been made to CDs, those CDs must be shredded. If the data is on flash memory sticks or USB drives, those media must also undergo a security erase, with one caveat: overwriting is less reliable on flash media, whose wear-levelling firmware can keep stale copies in blocks the host can't address, so for those either use the device's own secure-erase command or destroy the media. Any systems which were involved in the data transmission should also be shut down so any remnants in memory are flushed. No electronic remnants on any systems or media of any kind. The data must be erased beyond recovery from any and all devices involved.

A security audit of any systems involved in the collection of biometric data would also be in order. If any of the systems were compromised by spyware, a virus, a trojan or a rootkit, that malicious software might have enabled the biometric data to escape the school district's systems without their knowledge. Similarly, if the computers in question are or were connected to a network, then the security audit should expand to include the network and any connected devices as well as the specific systems involved, because similar compromises on any of those systems might have intercepted the transfer of biometric data. Also, most operating systems these days use virtual memory as a matter of course. That means the operating system may have paged copies of the biometric data out to disk even if the biometric software were programmed not to use the disk at all. In other words, any areas of the disk used for virtual memory (swap partitions or page files) should also be security erased.

If the data found its way into a database, then the disk partitions on which those database tables are physically stored will also have to undergo a security erase. Any transaction logs or audit logs kept by the database will have to undergo a security erase. If the database is replicated or distributed, then the replica databases will require the same attention. In any of those cases, the district will insist on keeping a backup of the database in question. That backup will have to be created carefully so that it does not itself contain the biometric data.

The district's backup systems deserve special attention. They almost certainly have an automated backup server which collects the vital data of the district. The timing of those automated backups may have captured the biometric data. Moreover, the backups are very likely to include not only the biometric data, but also the students' personal records and maybe the encryption keys. And it is almost certain that the backups are conducted over the network, so the previous comments about auditing networked systems apply to the backup network as well.
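As a worked version of the erase-and-verify step described above (an example added here, not something the district or the author ran): the script plants a constructed placeholder template in a disk image file that stands in for a raw device, overwrites the whole image, and then scans the raw bytes to confirm nothing survives. The image path, the template bytes and the offset are all assumptions for the demonstration; against a real disk you would run the same functions as root on the device node (after swapoff for a swap partition), and the verification pass is the part worth keeping: sign off on destruction only after a scan of the raw media finds no trace, and treat "could not read the media" as unverified, never as clean.

```shell
#!/bin/sh
# Added example, not from the original post: overwrite a raw image or device
# and verify afterwards that a known template is no longer recoverable.

# Constructed stand-in for a stored fingerprint template. A real one would be
# a vendor-specific binary minutiae blob; the scan below would then search for
# the known bytes of that blob (or a student id embedded in it) instead.
TEMPLATE='BIOTEMPLATE-v1-student-123456-minutiae-deadbeef'

make_image() {
    # $1 = image path, $2 = size in KiB (assumed small for the demo).
    # Creates a zero-filled image and plants the template at an arbitrary
    # offset, the way a deleted file or a paged-out buffer leaves it on disk.
    dd if=/dev/zero of="$1" bs=1024 count="$2" 2>/dev/null
    printf '%s' "$TEMPLATE" | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

template_present() {
    # $1 = image or device. Exit 0 if the template bytes occur anywhere in
    # the raw contents, 1 if they do not, 2 if the media could not be read
    # (an unreadable device is "not verified", never "clean").
    # grep -a scans binary as text, -F takes the pattern literally, -q stops
    # at the first hit.
    rc=0
    grep -aFq -- "$TEMPLATE" "$1" || rc=$?
    [ "$rc" -le 1 ] || { echo "scan error on $1" >&2; return 2; }
    return "$rc"
}

wipe_image() {
    # $1 = image or device. One pass of random data followed by one pass of
    # zeros over the full length, then a flush. conv=notrunc keeps the image
    # file's size. On a real block device take the size from
    # `blockdev --getsize64` instead of wc; on flash media prefer the
    # device's own secure-erase command, since overwriting cannot reach
    # blocks held back by wear levelling.
    size=$(wc -c < "$1")
    kib=$((size / 1024))
    dd if=/dev/urandom of="$1" bs=1024 count="$kib" conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$1" bs=1024 count="$kib" conv=notrunc 2>/dev/null
    sync
}

verify_wiped() {
    # $1 = image or device. Succeeds only when a full scan ran and found no
    # copy of the template. Run it on every disk, swap area and backup image
    # before anyone signs off on destruction.
    rc=0
    template_present "$1" || rc=$?
    case "$rc" in
        0) echo "FAIL: template still recoverable from $1" >&2; return 1 ;;
        1) echo "OK: no template found in $1"; return 0 ;;
        *) echo "UNVERIFIED: could not scan $1" >&2; return 2 ;;
    esac
}

# Demo on a temporary 64 KiB image: plant, confirm present, wipe, confirm gone.
IMG=$(mktemp)
make_image "$IMG" 64
template_present "$IMG" && echo "planted template in $IMG"
wipe_image "$IMG"
verify_wiped "$IMG"
rm -f "$IMG"
```

For a swap partition the sequence is swapoff on the partition, wipe_image on its device node, then mkswap to recreate it; for database partitions and transaction-log volumes the same wipe applies to the underlying device after the service is stopped, and the scan should be repeated on any backup image restored to disk for inspection.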

I have focused my attention on the scenario of some Bad Guy capturing the biometric data for financial gain. Some among my community are more concerned about the government being able to subpoena the database of encrypted biometric data, the encryption key which unlocks that data, and any of the district records about the students as well. The Bad Guys might be in the Government.

Posted 12:26 AM | Comments (0)
October 18, 2006

Government Fingerprinting Kindergartners

I'm one of three volunteers who have created a Challenge Math program at the neighborhood school. Only one of the three of us has a child enrolled. That's pretty exciting. It's one thing to love and understand math and yet another thing to be able to teach it. The best way to learn how is to just do it. As much as I'd like to talk about that I've got another thing on my mind. It's amazing how big issues present themselves at the little school around the corner.

The district recently adopted a system where every student has a six digit id number. The lunch program is using that number to manage the accounting for student lunches. The kindergartners and first graders have been having trouble remembering their id number.

The district decided to use their fingerprints to connect them to their lunch account.

I'll say that again in case you missed it. The district decided to roll out fingerprint scanners so the kids could get through the lunch line without having to know their six digit number. What's more, they notified parents that they could opt out of the program two days after the students' fingerprints had been collected.

I learned about it from one of the other volunteers who asked how to confirm that the district destroyed all trace of their child's fingerprint data. I'll let you think about that question a bit and tell more about how I answered in another post.

In the meantime, it seems there's been some recent noise about exactly the same thing in the UK:

UK parents planning a lawsuit against schools that fingerprinted kids without parent permission

UK MPs condemn schools for fingerprinting kids without parent permission

UK parents collecting their ammunition (love the Pink Floyd reference in the URL!)

This paragraph from a German article about biometrics maybe tips my hand a bit about what scares me. The article is here: http://www.heise.de/ct/english/02/11/114/

The simplest eavesdropping tool is a filter driver like USB Snoop for Windows. USB Snoop interposes itself between the driver of the USB adapter and the actual device driver. After being presented by Windows with all the data exchanged between the USB and the device driver, USB Snoop then writes these into a log file of its own. These data the snooping party can then analyze at its leisure. Filter drivers are quite easy to detect though and in addition require administrator rights to be installed under Windows 2000 and Windows XP. Nevertheless, they would permit studies of a biometric scanner of the same kind as the one to be tricked to be undertaken at one's own PC.

Posted 10:41 PM | Comments (0)
October 05, 2006

Political Emergence

I gave up raging against the machine last year. But I'm not done trying to change the world. I'm calling this game Political Emergence until someone comes up with something more catchy.

1. Post a couple policy positions you really care about on your blog.
2. Link to and comment on what other people post.
3. Post, link or comment when you see positions you care about escape the blogosphere into the mainstream media.

4. No name-calling, or character assassination.
5. No my-candidate-rocks-your-candidate-sucks.
6. No conspiracy theories.

Just your honest policy positions.

Here's a couple that have gotten me fired up lately.

Torture

"We do not condone torture" is a feeble double-negative leaving lots of room for interpretation. Between the lines it says maybe torture is okay if no one is looking. Be it hereby declared we the People of the United States expressly forbid torture. Anyone working with or for the People found to be engaging in torture will be treated as criminals. We boldly and unambiguously claim the moral high ground here. All US agencies, allies, and citizens, hear this message loud and clear: torture is forbidden. Conduct your investigations and interrogations accordingly.

Terrorism

We're done with the "war on terror" rhetoric. We're not at war. Be it hereby declared we the People of the United States regard terrorism as a crime against humanity, not as an act of war. As such, we will pursue terrorists through criminal investigation and detective work, not through war.

Seems worth saying a little more about the game. This is about emergence, so the details will change as more people play. There are some values that I'd like to persist as the game emerges. Some really cool things happened in Howard Dean's presidential campaign, but then kinda died when he lost. This game and the policies it produces will have more longevity if it remains independent of specific politicians or parties. The game will be more fun if we get conflicting policy statements and end up debating issues on their merit instead of on their red-blue state. Let us see how We The People can influence political policy and the media. Let's trust that the most compelling and effective ideas will find their way into the culture and maybe even change the world.

I'll be watching delicious and technorati for

Posted 11:54 PM | Comments (0)