Homeland Security to Propose Biometric Collection Rules:
The Department of Homeland Security (DHS) is to propose a standard definition of biometrics for authorized collection, which would establish a defined regulatory purpose for biometrics and create clear rules for using the information collected.
A proposed expansion would modernize biometrics collection and authorize expanded use of biometrics beyond background checks to include identity verification, secure document production and records management.
The proposed rule would also improve the screening and vetting process and reduce DHS' dependence on paper documents and biographic information to prove identity and familial relationships. It said the proposed rule would authorize biometrics collection for identity verification in addition to new techniques such as voice, DNA test results and iris and facial recognition technologies.
[...] Joseph Carson, chief security scientist and advisory CISO at Thycotic, asked if the DHS will collect only a mathematical computation of biometrics, or if it collect the actual raw data, as this really increases both security and privacy risks. "It should also be clear on what it can and cannot be used for since limitations in scope should always be clear. It is important to note that biometrics are not a replacement for passwords but are improved and secure replacements for usernames as they are typically used for identifiers and not actual secrets. It should also be made clear on how long the data will be kept and whom it will be shared with."
Carson said whilst biometrics improve identity proof, document verification and reduce password fatigue, they also introduce additional security risks that must be managed and secured using strong privileged access management. "It is important to protect the government, but at the same time, also protect the citizens," he said. "When biometrics are abused, or stolen, it impacts the citizen for life and the company/government for a limited time."
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @05:09PM (1 child)
According to this guy, writing in 2017, everything is fine with wider use of biometrics...
https://danielmiessler.com/blog/why-biometric-data-breaches-wont-require-you-to-change-your-body/ [danielmiessler.com]
I'm not so convinced.
(Score: 2) by meustrus on Thursday September 10 2020, @08:32PM
According to that guy, a biometrics data breach doesn't mean somebody can steal your face.
That's kind of beside the point, though. Why not just take a picture of a person and use that to fool the authentication reader?
Yeah, biometrics data breaches don't matter (besides privacy concerns around fingerprinting, no pun intended). Because walking around with your actual face is a data breach anyway.
Imagine a data breach of securely salted passwords. You can't rainbow table them because the salt is different per user, but the salting is done by a third party library running in a client application. In other words, an attacker can use the salted password to log into anything using the same third party library as long as the password database isn't updated, but can't use it to log in anywhere else or reverse engineer the password.
Imagine that the service can somehow update their database so that your password still works, but the old salt doesn't work anymore. Should you still update your password?
The answer is yes, because other services might be using the same old salted password. You should go out to every one of those places, who have no responsibility to watch the news for the data breaches of other companies, and demand that they stop accepting the old password.
This is the biometrics scenario. Yes, theoretically if everyone is a good citizen, a data breach won't matter in the long run. But if everyone was a good citizen, you wouldn't need to update a password after it was pwned, either; they'd invalidate it somehow, and you'd need to use the "forgot password" flow to create a new one. Maybe - and this is a big maybe - biometrics could be updated automatically in this situation instead of requiring a "forgot password" flow. But we don't live in a world where it's reasonable to expect everyone to invalidate our passwords when they are pwned, let alone a world where they invalidate our biometrics.
The security practice that solves this problem is to use different passwords for different services. That's what the "better change my face" quip is getting at. It's not just that you have to change your credentials for that service, or trust them to somehow do it for you. It's that biometrics are necessarily shared with every single service that you use. With biometrics, it's not possible to protect yourself from a data breach from some stupid mobile game laying open your entire digital life for hackers to drain your bank account.
Biometrics have their place, but to quote the summary:
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by JoeMerchant on Thursday September 10 2020, @05:20PM (2 children)
Any word on how Disney et.al. are impacted by this?
They've gone in big for fingerprint on entry - not that their systems are anywhere near 100% reliable, but they do collect a tremendous number of fingerprints.
Україна досі не є частиною Росії Слава Україні🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by meustrus on Thursday September 10 2020, @08:39PM (1 child)
Disney does a lot of stuff that works well for theme parks but not really anywhere else. Like their monorails. For fingerprint entry, the risk of failure is low. What do they lose, an admission ticket here or there? Certainly not on the order of magnitude of an entire digital identity. The loss is probably made up for in aggregate by reduced staff requirements at entrances. On top of that, they get to potentially speed up the entrance process, they make it cheaper to differentiate guests per-attraction, and guests get to feel a taste of the future.
To go to Disneyland is to travel to a fantasy land where nothing really matters, so it might as well be fun.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by JoeMerchant on Thursday September 10 2020, @09:07PM
My experience at Sea World was that they used the fingerprints to (attempt to) authenticate the annual passholders, and the process was slow and failure prone while standing in the heat waiting to get into the park after a long stand in line. Many times they would just wave you through after three failed attempts to read the fingerprints.
Україна досі не є частиною Росії Слава Україні🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by ikanreed on Thursday September 10 2020, @05:32PM (5 children)
Anyone who has been exposed to any part of immigration and customs in the US(and to be fair, other countries I've visited), they collect all your fingerprints multiple times, intense amounts of medical records, and so far I haven't heard of any DNA sequencing, but I wouldn't be surprised.
(Score: 2) by Runaway1956 on Thursday September 10 2020, @06:06PM (4 children)
At least some police departments in the US routinely take DNA samples from all arrestees. I can't make any guesses how widespread the practice is. A (very) quick search fails to yield any obvious leads on the subject.
Abortion is the number one killed of children in the United States.
(Score: 2) by meustrus on Thursday September 10 2020, @07:56PM (3 children)
Taking DNA increases the likelihood of finding a match for future DNA evidence, which could theoretically save a lot of time. Of course police would want to do this. Then again, the scheme doesn't really work unless you have DNA from everyone. Otherwise, you'll have no idea what the false positive rate is, and evidence will skew against whomever individual beat cops decided looked more suspicious.
I think it's theoretically possible to build a system that enables law enforcement searches for matching DNA signatures while avoiding aspects that would make such a system insecure or harmful to privacy. We can debate about whether it's practically possible to produce such a system and prove it meets those requirements.
Regardless, the real question is: what's the real upside? It isn't hard to find suspects in rape cases. It's hard to find proof. DNA signatures make for good supporting evidence, but as we've learned over the last few decades, they are not infallible as primary evidence.
Unfortunately, police are largely immune to attempts to make them more effective at discerning the truth. Where there are gaps in the information, and a Law and Order TV show detective would go from witness to witness until the whole truth is made clear, a more typical real-world detective would just guess at the truth and a typical prosecutor would be more than happy to rely on that guess. Doubly so if the defense is an overworked, underpaid public defense attorney who lacks the time to Perry Mason every case. Many people, who are happy with where those guesses tend to lay blame, would rather not fill in those gaps with real information.
As long as police and their supporters are allowed to insulate themselves from the truth and substitute it with their own alternative facts, they have no business getting better tools.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 2) by ikanreed on Thursday September 10 2020, @08:20PM
But also, as anyone who's done basic elecrophoresis in high school biology might be aware, unless they do full $equencing, it's not just a quick lookup of in a database. It's matching a visual vague pattern against other, often very similar ones.
Research has shown DNA evidence expert analysts are likely to get tripped up and make false matches once the number of compared plates reaches about 20-25. It's not a super reliable method. But they still sometimes fish criminal record databases for matches.
(Score: 2) by Muad'Dave on Friday September 11 2020, @12:04PM (1 child)
Unless you consider the recent uptick in searches for familial matches [sciencedirect.com]. They can search for a relative of the suspect [ncjrs.gov] and harass them into identifying their relative. Search for "familial dna searching" for lots more articles.
(Score: 2) by meustrus on Friday September 11 2020, @01:51PM
What I was getting at more is the likelihood that the rich and powerful people in town probably aren't in the database. Their families aren't, either. It probably helps though to search records submitted to an ancestry service, since rich people use those sometimes. In a way, it's not as bad as using DNA collected during arrests, because the sampling is less biased.
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 1, Offtopic) by Subsentient on Thursday September 10 2020, @09:39PM
My nipples are cheesyandfull ofpus
Ooh, looks like my boldifier works.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 0) by Anonymous Coward on Friday September 11 2020, @05:03PM
I understand they made it easier for customs by implementing the Steven Miller algorithm:
if ($PERSON == BROWN) then
if (fromShitholeCountry) then
call DEPORT
else
COLLECT_DNA
/* CONFISCATE_PHONE -- removed due to Antifa-loving libs */