New European Data Protection Supervisor Opinion on Data Privacy & Biometrics

Privacy guardian wants one EU rulebook on ID databases (The Register)

“The EDPS [ed. European Data Protection Supervisor] considers that the proposed Regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services,” it said.

The watchdog said that if common security requirements are not to be set out in the new laws, then provision should be put in place to allow the European Commission to “define where needed, through a selective use of delegated acts or implementing measures, the criteria, conditions and requirements for security in electronic trust services and identification schemes”.

Assistant EDPS Giovanni Buttarelli, who signed the opinion, said that the proposed new law should set out a requirement that trust service providers and electronic identification issuers should have to provide individuals who use their services with “appropriate information on the collection, communication, and retention of their data”. He added that those organisations should also have to provide individuals with “a means to control their personal data and exercise their data protection rights”.

The world can always use more Transparency and Consent.

Special attention for biometric data follows the section quoted above.

The PDF of the Supervisor’s report can be found here:
Opinion of the European Data Protection Supervisor on the Commission proposal for a Regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation)

Biometrics scares people, makes them happy.

Biometrics scares people* (Network World)
Perception of biometrics tends to be rather negative because it’s personal and physical, says Lockheed Martin’s biometrics division director.

How to find happiness in a world of password madness (PC World)
The beauty of biometrics is that you don’t have to remember anything at all, much less a complex password.

*Since I was a tad critical of Ellen Messmer’s take on rapid DNA in the previous post, it’s only fair that I single her out for praise for this highly enjoyable and thorough article.

Australia: Progress on Ratifying Privacy Recommendations

Privacy reforms pass through lower House (ZDNet)

The proposed changes, some now four years old, are designed to tighten the rules on how personal information is sent outside of Australia, how personal information may be used for direct marketing, increase the protections provided to sensitive information, such as health records and biometric data, and provide the Privacy Commissioner with powers to allow him to apply civil penalties in cases where the Privacy Act has been breached.

More biometrics for privacy protection

How to protect your digital life from hackers and viruses (Broadband Genie)
At the end of a list of things you should be doing to increase your digital privacy comes this tidbit…

If you want extra security pick up a neat biometric USB stick with fingerprint scanner.

Why locking your mobile device with a fingerprint is a great idea (CSO)

Smartphones and tablets store gigabytes of data. They have banking apps, and apps that access credit card or investment accounts. They connect to email, and social networks. If a mobile device falls into the wrong hands, it’s possible that sensitive information and data could be compromised. That’s why your smartphones and tablets need to be locked down and protected.

One of the rumors floating around about the iPhone 5 is that it might come with fingerprint scanning technology. If it’s true, it would be a game changer for smartphone security.

Biometric technologies can protect individuals against privacy violations.

Senate Subcommittee Discusses Facial Recognition

Unfortunately, there doesn’t seem to have been any mention of facial recognition technology’s usefulness as a tool for protecting privacy.

The Senate Privacy Subcommittee of the Judiciary Committee held a hearing about facial recognition (CIO)

The Federal Trade Commission (FTC) testified before the subcommittee. Their press release on the occasion is here: FTC Testifies on Commercial Uses of Facial Recognition Technologies.

Biometrics & the FBI’s Criminal Justice Information Services (CJIS)

Here’s a Storify transcript of this morning’s Tweet Chat about biometrics (#biometricchat).

I offer many thanks to John at M2SYS for asking me to fill in for him and Mike Kirkpatrick for taking time out of his busy schedule to lend his experience to our understanding of the FBI’s use of biometrics for law enforcement and civilian purposes.

Background for the conversation is here.

July 19, 2012 Biometric Chat with Mike Kirkpatrick: Assistant Director in Charge of the Bureau’s Criminal Justice Information Services (CJIS) Division from April 2001 – August 2004.


  1. SecurLinx
    Good morning and welcome to this month’s chat on #biometric technology! #biometricchat
  2. SecurLinx
    I’m honored to be filling in for John @m2sys as this month’s host. Thanks for asking me, John! #biometricchat
  3. m2sys
    Good morning to you and thanks for taking over this month’s chat – we really are appreciative of your guest hosting skills! #biometricchat
  4. SecurLinx
    @m2sys The pleasure is mine. AND Thank you, and welcome to Mike @MDKConsulting, for joining us. #biometricchat
  5. SecurLinx
    Today, we will be discussing #biometrics in Law Enforcement (esp. FBI). Our guest is Michael Kirkpatrick. @MDKConsulting #biometricchat
  6. MDKConsulting
    Thanks for the invite! I’m looking forward to this morning’s chat #biometricchat
  7. SecurLinx
    @MDKConsulting Mike finished his FBI career as Asst. Dir. in charge of the FBI’s CJIS center (Apr. 2001 – Aug. 2004) #biometricchat
  8. SecurLinx
    Those dates should give you some idea of the challenges at the FBI’s CJIS. #biometricchat
  9. m2sys
    @SecurLinx Quite a tumultuous time at the FBI’s CJIS…anxious to hear some of Mike’s feedback and insight. #biometricchat
  10. SecurLinx
    Feel free to chip in with your own answers – answer each question (Q1, Q2, Q3, etc.) with A1, A2, A3, etc. #biometricchat
  11. SecurLinx
    Also feel free to submit your own questions during chat or ask other questions of the group. #biometricchat
  12. SecurLinx
    Q1: What was the biggest challenge CJIS faced in the transition from a paper fingerprint system to a fully fledged IAFIS? #biometricchat
  13. MDKConsulting
    A1:There were several challenges. Building the world’s largest #AFIS; IdM had never been done on that scale before… #biometricchat
  14. Note: IdM = Identity Management
  15. MDKConsulting
    A1…Getting the budget to build it ($640M); there were no #fingerprint electronic transmission standards so they had to be.. #biometricchat
  16. MDKConsulting
    A1:…developed (EFTS); Most #fingerprints were still being captured on paper so had to be converted to digital images:… #biometricchat
  17. MDKConsulting
    A1:…Major #FBI workforce retraining; IAFIS didn’t always work as advertised in the early days so a lot of downtime #biometricchat
  18. m2sys
    Q1: Were lawmakers at the time reluctant to fund this or was it generally accepted that this was natural maturation? #biometricchat
  19. MDKConsulting
    m2sys A1: Overall, congress was very supportive but this was a high profile project, the only one of its peer projects… #biometricchat
  20. MDKConsulting
    m2sys A1:…(e.g., FAA & IRS modernizations) to succeed. It turned out to be a high risk/high reward project #biometricchat
  21. SecurLinx
    Q2: CJIS is a key part of US ID infrastructure. What is the breakdown between Law Enforcement vs civilian/licensing queries? #biometricchat
  22. SecurLinx
    FBI CJIS is used for firearm background checks, child care workers, financial services employment and more… #biometricchat
  23. BiometricUpdate
    Often wondered about this breakdown myself, actually #biometricchat #biometricchat
  24. MDKConsulting
    A2: #FBI has 2 #fingerprint streams-criminal and civil (licensing & employment checks). Currently ~55% are criminal… #biometricchat
  25. MDKConsulting
    A2:…and 45% are civil. The original IAFIS was designed to process 60K prints/day. #FBI Next Generation Identification… #biometricchat
  26. MDKConsulting
    A2: …(NGI) now easily processes more than 185K/day. Quite a leap forward! #biometricchat
  27. MDKConsulting
    Firearm pre-sale checks (NICS) are name-based, not fingerprint-based. #biometricchat
  28. SecurLinx
    @mdkconsulting Good catch re firearms… done thru the FBI but no fingerprints involved. #biometricchat
  29. SecurLinx
    Q3: What is the next biometric modality CJIS would like to incorporate into IAFIS? #biometricchat
  30. MDKConsulting
    A3: In order of priority, palm prints, face, and iris capabilities will be added to NGI. #biometricchat
  31. BiometricUpdate
    We just wrote about the B12 MORIS system being adopted by FBI. How much time can apps like this save? bit.ly/LYXvug #biometricchat
  32. SecurLinx
    Let’s go quickly to Q4 and then deal with Q3 & Q4 together… #BiometricChat
  33. SecurLinx
    Q4: Then, if the Big Three of #biometrics are Face, Finger/palm print & Iris – Where does DNA fit in? #BiometricChat
  34. MDKConsulting
    A4: There’s an ongoing multi-agency effort on rapid #DNA, which will put a “quick” DNA capability at the … #biometricchat
  35. SecurLinx
    @mdkconsulting Love the quotes around quick. Definitely quick compared to earlier DNA analysis! #BiometricChat
  36. MDKConsulting
    A4:…booking stations. We should see this in the market within the next couple of years. It’ll help solve a lot of cases. #biometricchat
  37. MDKConsulting
    A4: #DNA in many ways is the ultimate #biometric but still has many privacy issues associated with it as well as the past… #biometricchat
  38. MDKConsulting
    A4:…relative slowness in getting results. It can prove someone innocent as easily as proving someone guilty, which is… #biometricchat
  39. MDKConsulting
    A4:…good as all in criminal justice should be searching for the truth. #biometricchat
  40. SecurLinx
    @MDKConsulting Excellent point. Biometrics can be evidence of either innocence or guilt. #biometricchat
  41. m2sys
    @MDKConsulting Q4: So DNA quick checks will be at booking stations to circumvent lab analysis in as little as a few years? #biometricchat
  42. MDKConsulting
    @m2sys A4: These are envisioned as a “quick” check as an investigative lead rather than a full-on forensic lab exam #biometricchat
  43. m2sys
    @MDKConsulting Thank you, truly amazing advances in science for DNA processing! #biometricchat
  44. MDKConsulting
    Currently, #FBI is processing criminal fingerprints in just a few minutes. Rapid DNA is envisioned to be more like an hour. #biometricchat
  45. SecurLinx
    Q3/4b: Which (palm, face, iris, DNA) advancement in CJIS capabilities is furthest along? #BiometricChat
  46. SecurLinx
    Last question Q5: What are some near future capabilities related to #biometrics that the FBI would really like to add? #biometricchat
  47. MDKConsulting
    A5: #FBI & law enforcement are looking for smaller, faster, cheaper mobile #biometric collection devices; capability for … #biometricchat
  48. MDKConsulting
    A5:…collection at a distance for fingerprints and iris; implementation of a national palm print capability (a high % of … #biometricchat
  49. MDKConsulting
    A5:…crime scene latents are palm prints); and greater accuracy in facial recognition technology for large databases. #biometricchat
  50. BiometricUpdate
    @MDKConsulting is palm a priority for any particular reason, or is it just an indication of technological advancement? #biometricchat
  51. MDKConsulting
    @biometricupdate: Palm print capability will help to solve many crimes which are unsolved without it. Countries, such … #biometricchat
  52. MDKConsulting
    @biometricupdate: …as Australia, which have implemented palms have reported significant increases in latent matches. #biometricchat
  53. SecurLinx
    That’s all folks. Our sincere thanks to @MDKConsulting Mike Kirkpatrick for taking the time to talk with us: FBI #biometricchat
  54. SecurLinx
    We kept him a little late but hopefully @MDKConsulting (and you) enjoyed our conversation as much as I did. #BiometricChat
  55. MDKConsulting
    Thanks! I’ve appreciated the opportunity to chat about one of my passions! #biometricchat
  56. m2sys
    @MDKConsulting Thank you for sharing your knowledge with us, it was extremely informative! #biometricchat
  57. SecurLinx
    Thanks @MDKConsulting! Thanks @m2sys for lending me the #BiometricChat hashtag! & to @BiometricUpdate for the questions!

Germany will wait on Irish investigation of Facebook Facial Recognition

German Regulator Suspends Facebook Facial-Recognition Probe (Bloomberg)

A German privacy regulator suspended its probe of Facebook Inc. (FB)’s facial-recognition features pending an Irish audit of how the social-media company handles personal data.

Hamburg’s data-protection authority said it will wait for Facebook to negotiate with Ireland’s privacy regulator before deciding whether Facebook complies with rules for using biometric data in an application that suggests people to tag in photos on the social-networking site.

Canada Moving Toward Biometric Visitor Visas

Appeal mechanism needed for biometric visa plan due to imperfect system: report (Winnipeg Free Press)

Saying no biometrics system is perfect, an internal report urges the federal government to create an avenue of appeal for visa applicants who are rejected because of a false fingerprint match. The Conservative government is moving toward using biometrics — such as fingerprints, iris scans and other unique identifiers — to vet all foreigners entering the country.

As a first step, it soon plans to require applicants for a visitor visa, study permit or work permit to submit 10 electronic fingerprints and a photo before they arrive in Canada. The prints will be searched against RCMP databanks. Upon arrival the Canada Border Services Agency will use the data to verify that the visa holder is the same person as the applicant.

The big news is that Canada is going biometric with its travel visas.

The author’s discussion of appeals and privacy, however, seems a bit overwrought.

Any ID management system, whether it has to do with biometrics or not, must include provisions for sussing out mistakes (appeals) and maintaining the security (privacy) of information.

Biometric systems aren’t robots about to take over the Canada Border Services Agency; they’re just another tool for the agency to use, and adding a fingerprint to the visa system will, in all likelihood, reduce the number of mistaken identifications and streamline the existing appeals process.

The article continues…

It [the report] says that in addition to false matches, privacy concerns associated with the use of biometric technologies can also include unauthorized use of the information, discrimination through profiling or surveillance, and retention of the data beyond the length of time needed.

To preserve the privacy rights of applicants, the report also recommends:
— those applying for visas be told what information will be collected and how it will be used;
— there be standards as to how long the fingerprints, photos and biographical details are kept and when they should be destroyed;
— memoranda between Citizenship and Immigration and the RCMP and border services agency be reviewed to determine what additional provisions for privacy and security may be needed.

It’s not entirely clear that “transparency” rather than “privacy” isn’t the proper prism for examining the issues surrounding the information provided by visa applicants.

It’s really nice of Canada to be considerate of the sensitivities of visa applicants, to deal with them in a transparent manner, and take thorough decisions regarding data retention, but if someone wants to visit a country that requires them to procure a visa, privacy (ed. between the applicant and the visa issuing country) doesn’t really enter into it. They either supply the required information or they don’t and those issues come up with or without biometrics.

Who Said That? Voice Biometrics for Caller Authentication

That Wasn’t Me (IVR Deconstructed) 

Voice biometrics are numerical models of characteristics (like the sound, pattern, and rhythm) within an individual’s voice, and are represented in a voiceprint of spoken qualities.

The technology often acts as a quick, convenient, and secure method of remotely determining an individual’s identity. So why haven’t more organizations integrated these functionalities into their IVR systems?

Click the link for the answer in a really good and concise post about voice biometrics. I’d also encourage you to check out other content at IVR Deconstructed, especially posts by Lisa, for even more thoughtful material on voice biometrics, privacy and logical access control.

In case you’re wondering, IVR stands for Interactive Voice Response. I have a name for the IVR technology used by call centers: The Robot Lady. You may also know it as the beast that can only be slain by frantically and repeatedly pressing zero.

See also: Voice Biometrics and ID Management in Call Centers

“Friends” a threat to your privacy? This facial recognition app might help.

App removes faces from Facebook (SC Magazine)

CeeQ uses sophisticated facial recognition technology developed by National ICT Australia (NICTA) under the $5 million-plus Advanced Surveillance biometric project completed last year.

“It’s designed to help users find photos they are in so they can contact the owners or Facebook to get them taken down,” Abbas Bigdeli, creator of the application and a lead developer at Advanced Surveillance, told SC at the Biometrics Institute conference.

Biometrics offer exciting possibilities for privacy-protection.

Related thoughts…
Security has a lot to do with trust and privacy is a lot like security. Because they’re trusted, it’s far easier for friends to undermine privacy than it is for strangers. They’re more likely to know your secrets and they’re more likely to be connected to those who might care about them. Surprise birthday parties aren’t always surprises.

h/t @HodgeBarry

Get me rewrite.

Very Odd “Facial Recognition” Article at smartplanet.com

Two things jumped out at me while reading “San Francisco bars: Buy a drink, become profiled by cameras” by Charlie Osborne at smartplanet.com: the scare quotes around forms of the word ‘anonymous’ and a novel formulation of privacy.

The scare quotes are here…

Venturebeat reports that Chicago-based startup Scenetap has combined “anonymous” facial recognition technology in venues with mobile technology so socialites can choose where next to go on a Friday based on their preferences — all provided through cameras in different venues.

…and here…

Scenetap promises the technology collects data “anonymously” and nothing is recorded or stored, and it is based on sophisticated profiling technology to approximate sex and age.

But why the scare quotes? By any definition, what Scenetap does is anonymous. It is specifically designed and marketed to clubs and their patrons as a means for gathering demographic information and that information cannot be traced back to a specific individual because it uses no individual identifier such as a person’s name (or cookie, but we’ll get to that later). To go further and collect personally identifying information would require a real facial recognition system which would be very expensive, require a large investment in training and labor and probably wouldn’t provide a sufficient return on investment (ROI) in a club/bar setting to make the effort worthwhile.

Then there’s the conception of privacy in this passage.

This type of technology is already prevalent online, where customer preferences and habits are tracked — in order to recommend products or pages you may be interested in. As we cannot see the data being collated, it seems less of a privacy issue than knowing that cameras above are observing you — even though the information collected about your online activity is far more vast.

There’s absolutely no equivalence between Scenetap and smartplanet.com. The image below shows that smartplanet.com places two cookies on a visitor’s computer and runs seven programs in the background of which most users would be completely unaware: three for tracking the user; three for connecting to social media; and one to monitor the site’s performance. One of the trackers, Crowd Science, even claims to be able to tell smartplanet.com about users’ interests, preferences, lifestyles, attitudes, opinions and incomes.

Real world demographic analysis tools like Scenetap do no such thing. It’s a dead certainty that smartplanet.com is collecting far more (and far more individualized) data, a fact that is acknowledged at the end of the quote.

Then there’s the part where transparency and privacy are inversely related because “As we cannot see the data being collated, it seems less of a privacy issue than knowing that cameras above are observing you.”

“Out of sight; out of mind” and “what you don’t know can’t hurt you” aren’t theories of privacy one sees many people advancing these days. By this logic, bricks-and-mortar demographics analysis can attain smartplanet.com’s level of respect for individual privacy by collecting vastly more information and using facial recognition technology to track individuals as long as they hide the cameras.

I don’t want this post to come across as grousing about what web sites do. The folks at smartplanet.com are working hard to put food on their family just like the rest of us and people should understand that if they aren’t paying, they aren’t the customer; they’re the product being sold. That’s just the way it is. This is completely uncontroversial to those who operate in the online economy; but let a bricks-and-mortar organization deploy a tool that collects far less information and there’s a tendency for those in the online world to come down with a collective case of the vapors. Physician, heal thyself.

See also:
Retail Marketing Technology Online and In Person
Transparency