Friday, December 28, 2007

And you thought Minority Report was just fiction

Those of you who read Slashdot regularly know that law enforcement agencies have been working on long-range iris-scanning technology for a while now. The FBI is actively pursuing one from the University of West Virginia that, once completed, should read at as much as 15 feet. But this isn't the worst of it. The Washington Post is running an article about how the FBI is starting work on a campus to house a database containing all biometric data they can get their hands on.

Now, I can understand condensing information on captured criminals and terrorists in one common, well-protected database, instead of scattered among dozens. Yes, I realize the "well-protected" part of that sentence is not generally met, just judging by the number of wide open XSS holes that have been found in fbi.gov web pages (links courtesy sla.ckers.org). True, an XSS hole doesn't by itself allow access to the database, but it can be used to compromise (very effectively in many cases) the system the browser is running on.

Compound that with the fact that they intend to hold "commercial" data (i.e. data on you and me) in there as well and you have the perfect recipe for massive identity theft. And this hits a bit harder than just social security or credit card number identity theft. This information can be used by a sophisticated criminal/terrorist to implicate you in something and you will never be able to fix it. At least with SSN/CC#s you can (with some difficulty) get a new one if it is compromised. You can't get a new iris or fingerprint.

There is also the plan the FBI has come up with to hold your data for your employer and notify them if you have a "brush" with the law any time in the future. Normally a criminal background check (although proven to be inaccurate in many cases) should only contain data about convictions. With this new plan, employers will be notified if your fingerprints are taken for any reason. It doesn't matter if you were guilty of anything; you could still, depending on the employer, lose your job.

Then there are other problems with those that can "legitimately" access your data. What could go wrong? The FBI audits all the companies that have access. Don't worry about the fact that these audits are only done every three years; it's not like the turnover rate at some of these companies is that large...

The closing quote by one of the researchers working on the iris/face matching software sums up the complete blindness these people have:

"The long-term goal," Hornak said, is "ubiquitous use. . . That's the key, you've chosen it. You have chosen to say, 'Yeah, I want this place to recognize me.' "

This of course ignores two facts that are obvious to anyone with any interest in personal privacy.

  1. If the technology is ubiquitous, you don't have a choice to be where it's not.
  2. If it can be done from across the room, you don't necessarily know it's being done.

Thus you have never chosen anything. Has anyone in the government ever heard of a little thing called the Fourth Amendment? Oh, I forgot, Cheney was using that part of the Constitution as toilet paper while he was on his hunting trips...

Via Bruce Schneier.
