Security & privacy

New research project on private biometrics


Revocable biometrics, often called private biometrics, are important because they allow people to have multiple identities using the same biometric information, such as their fingerprints. It is a key technology for addressing some of the privacy concerns, and this article reports a new European project to fund research and development in the area. This is good news.

Firms get $9 million for cryptography work

European biometrics companies have received $9 million in U.S. money from the European Union to develop advanced cryptography for interoperable fingerprint biometric solutions over three years, the companies have announced.

The Trusted Revocable Biometric Identities (Turbine) research project team led by Sagem Sécurité of France is applying cryptographic methods to ensure that data generated from the fingerprints for authentication purposes cannot be used to reconstruct the original fingerprint.

In addition, users will be able to create, use, and revoke as necessary several “pseudo identities” from the same fingerprints that can be used for various applications.


How accurate are DNA matches really?

Here is a good, investigative article from the Los Angeles Times about the accuracy of DNA matches in criminal cases. Searches of DNA databases have suggested that finding false matches between the DNA of two distinct people may not be as rare as has been claimed by DNA experts. More worrisome is the fact that the FBI has been suppressing the results and actively attacking anyone attempting to do such research.


This is all too similar to the state of fingerprint matching, where there has also been a lack of systematic, scientific research into the matching accuracy for criminal cases, and an active campaign to suppress any calls to do the proper research.

How reliable is DNA in identifying suspects?

State crime lab analyst Kathryn Troyer was running tests on Arizona’s DNA database when she stumbled across two felons with remarkably similar genetic profiles.

The men matched at nine of the 13 locations on chromosomes, or loci, commonly used to distinguish people.

The FBI estimated the odds of unrelated people sharing those genetic markers to be as remote as 1 in 113 billion. But the mug shots of the two felons suggested that they were not related: One was black, the other white.

In the years after her 2001 discovery, Troyer found dozens of similar matches — each seeming to defy impossible odds.

As word spread, these findings by a little-known lab worker raised questions about the accuracy of the FBI’s DNA statistics and ignited a legal fight over whether the nation’s genetic databases ought to be opened to wider scrutiny.

The FBI laboratory, which administers the national DNA database system, tried to stop distribution of Troyer’s results and began an aggressive behind-the-scenes campaign to block similar searches elsewhere, even those ordered by courts, a Times investigation found.


Bruce Schneier on how governments can improve security


Bruce Schneier provides some advice on setting national policies for improving security. This applies to Canada too.

Security Matters: Memo to Next President — How to Get Cybersecurity Right

I have three pieces of policy advice for the next president, whoever he is. They’re too detailed for campaign speeches or even position papers, but they’re essential for improving information security in our society. Actually, they apply to national security in general. And they’re things only government can do.


New Essay on Performance, Usability, and Acceptance of Fingerprint Biometric Systems

A while ago, we were commissioned to do some research on the state-of-the-art of some security technologies. One of those was fingerprint-based biometrics. After completing the report, I sanitized it and prepared a book chapter. Well, that book project got canceled and a submission to the CHI conference was rejected, so the paper has languished. But a recent workshop on usability and biometrics has reassured me that the material is still relevant, so I decided to publish the paper on my web site as an essay. Have a look and tell me what you think.

Fingerprint Concerns: Performance, Usability, and Acceptance of Fingerprint Biometric Systems

Abstract: Despite the long history of using fingerprints, some key concerns still remain about the accuracy of identification, the usability of fingerprint systems in different situations, and acceptance by the users. This paper provides a review of those concerns and it provides recommendations for people considering adopting fingerprint recognition systems. The focus is on fingerprint-based systems, but other forms of biometrics will be mentioned as appropriate.


NIST Biometrics and Usability Workshop

Earlier this week I attended the International Workshop on Usability and Biometrics in Washington, DC (organized by NIST and sponsored by DHS and US-VISIT). I was invited to talk about the public acceptance of biometrics, and I had the pleasure of sharing a session with Angela Sasse. We both talked about factors that influence the perceptions and acceptance of biometric systems, and we played the role of contrarians when contrasted with an earlier keynote address from Robert Mocny, the Director of the US-VISIT program. The presentations were well received and led to many discussions about privacy and public policy throughout the workshop (I do love presenting early at these events).

Notes from my presentation are now available, and all the presentations from the workshop are now available.


Privacy risks from Facebook applications


I have long been predicting doom, gloom, and the end of the world whenever I think about Facebook applications. The problem is that virtually anyone can build a Facebook application, and each of them can collect personal information and introduce security problems. Here is a report for Canada’s Privacy Commissioner’s office about a recent study of the privacy risks of Facebook applications.

Privacy in Facebook apps – the risk of the SuperPoke

The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well.


Laptop that conveniently collects fingerprints


Here is an interesting post from Kim Cameron. It seems his new laptop is really good at collecting fingerprints… right beside the fingerprint reader.

IdentityBlog – Fingerprint Charade

The net of all of this was to drive home, yet again, just how silly it is to use a “public” secret as a proof of identity. The fact that I can somehow “demonstrate knowledge” of a given fingerprint means nothing. Identification is only possible by physically verifying that my finger embodies the fingerprint. Without physical verification, what kind of a lock does the fingerprint reader provide? A lock which conveniently offers every thief the key.


A week of living anonymously


Here is an interesting report on an experiment in anonymous living. Catherine Price writes in Popular Science about attempting to hide every aspect of her daily life for seven days. The article also provides a good review of the privacy situation in the U.S., and the ubiquity of commercial surveillance.

The Anonymity Experiment | Popular Science

We don’t know what information is being collected about us, whom it’s being shared with, what it’s being used for, or where it’s being held. As companies and the government collect more and more data on us, some of it will inevitably be incorrect, and the effect of those errors could range from trivial to severe. It’s not a big deal to get coupons for products you don’t want, but if a mistake in your file or an identity theft caused by a data breach drives down your credit score, you could find yourself knocked into the subprime-mortgage market. And privacy-invading safeguards don’t just catch bad guys. Anyone could end up like Senator Ted Kennedy, who was erroneously placed on a do-not-fly list because a terrorist had once used the alias “T. Kennedy.”
