Interesting usability research out of the University of Washington

Read the whole thing; it’s good. My little quibbles after the quote are meant to reinforce the general point of the research, which is “if people won’t use it, it won’t work (and vice versa).” The value of the research lies in the attempt to identify and quantify, and therefore perhaps predict, how much friction people will endure before they throw their hands up in the air and quit on the technology.

Technology to Replace Passwords Fails User Tests (PsychCentral)

University of Washington engineers are trying to figure out why fingerprint- and eye- and face-recognition authentication technology have not gone mainstream. They found in a recent study that the user’s experience could be key to creating a system that doesn’t rely on passwords.

“How humans interact with biometric devices is critically important for their future success,” said lead researcher Cecilia Aragon, Ph.D., a UW associate professor of human-centered design and engineering.

“This is the beginning of looking at biometric authentication as a socio-technical system, where not only does it require that it be efficient and accurate, but also something that people trust, accept and don’t get frustrated with.”

So true, but hardly new. Security is, and always has been, a socio-technical system. We’ve all seen a waste basket used to keep a self-locking door propped open. If the security measure is disproportionate to the cost of a security breach, people will reject the system. Thoughtful security planners have always known this and it’s why one of our mantras around here is “biometrics is about people.”

Passwords are also likely to be around for a long, long time, but if biometrics could displace passwords in certain cases and allow for simpler passwords in other cases, that’s a big advance. Where simple passwords (PINs) are sufficient today, biometrics should be able to displace them altogether. Where increasingly complex passwords are required today, applying biometrics should allow for simpler passwords such as 4-digit PINs.

That’s nothing to sneeze at.

Irish privacy commissioner’s report

It’s mostly inspired by the Facebook photo tagging affair but it deals with privacy issues and biometrics in a holistic way.

Ireland: Preserving Privacy In The Age Of Biometrics (mondaq)

The Office of the Irish Data Protection Commissioner (‘ODPC’) recently published its audit report regarding Facebook. The audit was undertaken to determine whether Facebook had implemented recommendations stemming from the ODPC’s first audit in 2011. While the audit was largely positive in its findings, the photo tagging feature introduced by Facebook, ‘tag suggestion’, was deemed by the ODPC to be a step too far for compliance with European data protection rules. This tool used cutting-edge facial recognition technology to automatically suggest the matching of names and pictures, i.e. upon the Facebook user uploading a photo, ‘tag suggestion’ would prompt the names of the individuals appearing in such image.

Consent, contract and transparency are all discussed in some detail at the link and we’ve discussed those topics philosophically on this blog in the past. There is also an analysis of proportionality in the linked article. Proportionality is a concept seen a lot in discussions of privacy issues involving European government institutions. It’s not a big part of privacy discussions in the United States.

In Europe, governments seem to feel freer to proactively inject themselves into arrangements between private entities than do governments in the United States. The recent French decision regarding biometrics for time-and-attendance is a good example of the invocation of proportionality to regulate the behavior of private entities.

In the United States, negligence, liability and torts seem to fill some of the roles proportionality plays in Europe. Since the legal system in the United States generally holds that one cannot consent to another party’s negligence, negligent parties are exposed to civil suits in the event that a data breach harmful to individuals occurs.

In general, it seems that the European approach is more proactive and government driven while the approach in the United States is more reactive and driven by private interests.