The tourist hoping to use her credit card in any part of the globe, the asylum seeker hoping to access social benefits in her host country, the banker hoping to move money from one stock market to another in real time—all have the same need. They must prove their identities and be certain of others’. Traditional means of proving identities are not dependable enough in most parts of the world and hence unfit for global digital networks. In this context, biometrics appears to offer a viable technological solution. However, the technology itself is subject to popular critique, warning of dystopian futures of overwhelming surveillance and loss of privacy.

By: Emilio Mordini, Andrew P. Rebera

Article first published online: 19 JAN 2012 DOI: 10.1111/j.1541-1338.2011.00535.x

© 2012 by The Policy Studies Organization

Abstract

• 1 We intend no reference to any actual group of that name, should such exist.
• 2 We do not discuss the other major concern, namely that the technology could be highly invasive of privacy and has the potential to reveal a huge amount of sensitive personal information regarding, say, health, background, lifestyle, and others. In this regard, there is some overlap with the issues discussed in section 2(ii).
• 3 See, e.g., Kaluszynski (2001), Joseph (2001), as well as Project Bertillon athttp://www.criminocorpus.cnrs.fr/bertillon/enter_uk.html.
• 4 In all cases bar the first of the following, biometrics is fairly obviously incidental. Even in the first (concerning Agamben) we feel that, ultimately, what is objectionable does not pertain to biometrics.
• 5 We are here using the word “personal” (and cognates) in a very wide sense, according to which relations between the state and an individual may be described as personal.
• 6 In the spirit of the (tongue in cheek) adage that 88.5% of statistics are made up, the veracity of these statistics is explored inAaronovitch (2009) and Channel 4 News (2008).
• 7  There are of course a variety of issues at play in this controversy. Our point is merely that there is a prima facie case to be answered. Whether it can be answered and how is not a point of interest here.
• 8  It is of course the case that if the primary goal of bearing arms is not to shoot people but, say, to shoot targets for sport, or to have something nice to hang above the mantelpiece, then we might construe the analogy differently. As mentioned in an earlier note, we are not really concerned with the rights and wrongs of gun ownership here.
• 9  How strongly one reads “bestow” here is likely to depend upon one’s answers to antecedent questions in political philosophy. A certain variety of social contract theorist might suppose that the citizen is, in some sense, born of identification by the state; in which case bestowal here is more or less literal: the state creates the citizen as a bearer of rights. Alternatively, if one holds that rights accrue to the individual independently of the state, identification by the state will involve less of a bestowal and more of an acknowledgment of rights. Our use of “bestow” is not intended to prejudge any of these foundational matters in political ontology and philosophy.
• 10  In the Kantian mode: the initial bestowal of rights serves as a condition of the possibility of all subsequent legitimate identification transactions between A and B, state and citizen.
• 11  The use of CCTV in classes would still be objectionable on the grounds of data minimization. What need is there for cameras in classes? If it is for discipline, or for teacher-training, these ends could be met by less intrusive methods. We will not explore the issues.
• 12  The soldiers appear in the photograph as anonymous. In reality they are (presumably) not, but have at least their names or numbers shown on their uniforms. Let us emphasize again that we are not discussing what or who is literally depicted in the photo, but its wider symbolic significance as an iconic image of the dark side of biometric identification transactions.
• 13  Again, the facts in Afghanistan may be different, but we are not discussing Afghanistan.
• 14  Once more: we are not discussing Afghanistan. Perhaps the actual soldiers in the photograph speak the villager’s language—perhaps he speaks theirs. Perhaps there has been a huge publicity campaign about the identification system.
• 15  This work has been funded by two European Commission research grants, RISE—Rising panEuropean and International Awareness of Biometrics and Security Ethics (GA230389), and TABULA RASA—Trusted Biometrics under Spoofing Attacks (GA 257289).

MAY 4, 2012 | BY REBECCA BOWE

In India, a massive effort is underway to collect biometric identity information for each of the country’s 1.2 billion people. The incredible plan, dubbed the “mother of all e-governance projects” by the Economic Times, has stirred controversy in India and beyond, raising serious concerns about the privacy and security of individuals’ personal data.

The plan is moving ahead at a clip under the auspices of the National Population Register (NPR) and the Unique ID (UID) programs, separately governed initiatives that have an agreement to integrate the data they collect to build the world’s largest biometric database. Upon enrollment, individuals are issued 12-digit unique ID numbers on chip-based identity cards. For residents who lack the necessary paperwork to obtain certain kinds of employment or government services, there’s strong incentive to get a unique ID. While the UID program is voluntary, enrollment in the NPR program is mandatory for all citizens.

The NPR program’s stated objectives are to streamline the delivery of government services such as welfare or subsidies, prevent identity fraud, and facilitate economic development, but some critics contend that the plan has its roots in an agenda focused on national security. Indian journalist Aman Sethi argues in a New York Times Op-Ed that the NPR originated with a 1992 government campaign to deport undocumented Bangladeshi immigrants, and that the creation of a comprehensive identity database was intended “exclusively to assist law enforcement.” And while UID was originally created to target India’s poorest 200 million citizens to facilitate service delivery, it has since been expanded to cover the country’s entire population.

The UID program is administered by the Unique Identity Authority of India (UIDAI), an executive body created to oversee the issuance of unique ID numbers for the stated purpose of facilitating access to benefits and services. At the helm of UID is Nandan Nilekani, a billionaire who made his fortune in the tech industry before ascending to his current role as chairman of the UIDAI.

While the NPR program has been moving ahead since 2004 with a relatively low level of public opposition, the more recently introduced UID project has sparked controversy. UID took center stage during a political feud last December when Parliament’s Standing Committee on Finance rejected a bill establishing the National Identification Authority of India, which would have granted the UID program statutory mandate. Although the bill was submitted in 2010, the UIDAI had already begun processing individuals and issuing numbers pending Parliamentary approval of the legislation, operating under the authority of the executive branch. The committee rejected the reasoning that they had the authority to do so, calling the program’s legality into question.

In late January, a compromise deal was struck between the NPR and the UID program administrators following a political turf war, when officials announced “the NPR and UID projects would proceed side by side to ensure that all Indian citizens have a unique number by June 2013.” Project administrators from UIDAI and India’s Ministry of Home Affairs, which oversees the Indian Census and the NPR program, announced that they would collaborate to de-duplicate the data to eliminate overlap for integration purposes.

Collecting Biometric Data

To date, some 170 million individuals have been registered in the UID program. To perform the data collection, the UIDAI has executed Memoranda of Understanding (MOU) with partners — including states, union territories and 25 financial institutions — to act as registrars for implementing the scheme, according to a Parliamentary committee report.

The registrars, in turn, contract with tech firms such as Wipro, a company that has issued at least 6 million UID numbers in Maharashtra. Agents gather the data by going from village to village to set up processing camps, toting laptops and scanning equipment along with them and scrambling to process as many individuals as possible each day. In addition to demographic information, individuals’ biometric information is collected with iris scanners, fingerprint scanners, and face cameras that employ facial recognition technology. Morpho, a technology company, is a primary UID contractor that develops and maintains systems to crosscheck new applications by sifting through the biometrics database and prevent actual or fraudulent duplication.

The UID program is known as Aadhar, which also refers to the unique 12-digit number citizens are issued upon enrollment. According to recent news reports, a pilot program will link Aadhar with financial and banking services in 50 districts in a move that the UIDAI program director says will “change the financial landscape of the country.”

Nilekani has championed the UID program as a tool that can aid low-income sectors of India’s population by streamlining the delivery of public services and creating a system that is more inclusive to the poor. Yet R. Ramakumar of the Tata Institute of Social Sciences in Mumbai pushes back against this point in an op-ed in The Hindu, charging, “the UID would be an alibi for the state to leave the citizen unmarked in the market for social services.”

And if the interviews with Delhi’s poorest residents in this report is any indication, there’s also a danger that some marginalized individuals could slip through the cracks altogether.

An issue of greater concern, however, is that the biometric database could open the door to significant violations of personal privacy. The Aadhar system became mired in controversy last December surrounding the Parliamentary Standing Committee on Finance’s rejection of legislation that would have given it statutory mandate. In a report, lawmakers based their disapproval on concerns about security, data theft and the fact that that a national data protection law has yet to be enacted.

“The collection of biometric information and its linkage with personal information of individuals without statutory amendment appears to be beyond the scope of subordinate legislation,” committee members wrote.

They also seized on the risk, uncertainty, and potential for privacy violations that would be ushered in under the massive scheme:

“Considering the huge database size and possibility of misuse of information, enactment of a national data protection law, which is at a draft stage, is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate database…The committee is afraid that the scheme may wind up being dependent on private agencies…”

Despite these concerns, the UID program continues, while at the same time, biometric data collection for the NPR moves ahead on a separate track. Mandatory registration for all citizens in the NPR went into effect with the 2004 amendment of the Citizenship Act, providing that“the Central Government may compulsorily register every citizen of India and issue National Identity Card[s].”

Civil Society Responds

The Center for Internet and Society (CIS) has criticized the system due to design flaws that pose security and privacy concerns.

“We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a ‘billions-of-users scale on the Internet with reasonable security,” CIS Director Sunil Abraham noted in a Business Standard op-ed. “The UID project based on the so-called ‘infallibility of biometrics’ is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

“Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.” (For more detailed information on CIS’s work on India’s UID program, see here, here, here, here, here, and here.

Delhi-based NGOs have also condemned UID as an affront to civil liberties that violates citizens’ basic constitutional right to privacy.

In his Op-Ed, Ramakumar echoes Indian economist Amartya Sen in arguing that the system could open the door to abuse by law enforcement:

“There is a related concern: police and security forces, if allowed access to the biometric database, could extensively use it for regular surveillance and investigative purposes, leading to a number of human rights violations. As Amartya Sen has argued elsewhere, forced disclosure and loss of privacy always entailed ‘the social costs of the associated programs of investigation and policing.’ According to him, ‘some of these investigations can be particularly nasty, treating each applicant as a potential criminal.’”

Meanwhile, famed activist Arundhati Roy voiced scathing criticism against India’s biometric collection scheme, saying, “The UID is a corporate scam which funnels billions of dollars into the IT sector. To me, it is one of the most serious transgressions that is on the cards. It is nothing more than an administrative tool in the hands of a police state.”

It is irrationally excessive to collect this sensitive biometric data in a centralized nation-wide ID scheme. The massive collection of biometric information in a centralized ID scheme is not necessary nor proportionate in a democratic society.

EFF has documented (here, here, and here) the function creep risks that this data collection poses to privacy and security, including in those countries with data protection laws like the European Union. Informed analysis of the long-term consequences of the misused and secondary uses of this data collection and its impact in people’s lives should have been given to all citizens before the collection even started. There is still time to ask the Indian government to dismantle that colossal database, like the UK did.

 The act as a whole (and the biometric database specifically) raises significant concerns. Privacy advocates have urged the Home Office to re-evaluate the potential grave risks to information security and privacy that the database poses – for example, the irreversibility of biometric data loss and the public’s general mistrust of the government’s ability to secure the database. A proposition to transform the database into a blurred set-base that would enhance security and privacy was recently offered by Professor Adi Shamir, a well-known cryptographer. However, despite backing from the Law Information and Technology Authority, the government eventually rejected Shamir’s proposition.

Contributed by Pearl Cohen Zedek Latzer

September 20 2011

By Amy Chung, Postmedia News September 15, 2011

Some countries, such as France and Germany, implemented “ePassports” (with Empty Biometric information on their chip) five years ago to allow their citizens to travel to the U.S. under its Visa Waiver Program, which requires participating countries to have specified security measures on their passports. Canadians do not require a visa to enter the U.S. and are not subject to the program. Despite the new passport’s enhanced security features, some information security experts say the document is not necessary and can be vulnerable to privacy leaks.

OTTAWA — Canada’s long awaited ePassports will be ready by the end of 2012, making this country the last among G8 nations to have enhanced digital security measures on the documents.

The electronic passport program was first announced as part of the government’s National Security Policy in 2004.  Also known as a biometric passport, the document looks like the traditional book but will contain an electronic chip encoded with the bearer’s name, sex, date and place of birth, as well as a digital image of the person.

According to Passport Canada, 95 countries have issued approximately 350 million Biometric passports worldwide.

Asked why Canada was so late in bringing about the passports, Passport Canada spokeswoman Beatrice Fenelon said the agency had to repatriate overseas passport printing to Canada, which was completed in 2006, and it had to implement new facial recognition technologies.

Also, Fenelon said between 2007 and 2009, the department was flooded with increased numbers of passport applications when the U.S. Western Hemisphere Travel Initiative required Canadians to show their passports to enter the United States.

“As a result, the organization was not able to turn its full attention to the ePassport project until 2009, when planning began in earnest,” Fenelon wrote in an email.

Some countries, such as France and Germany, implemented “ePassports” (with Empty Biometric information on their chip) five years ago to allow their citizens to travel to the U.S. under its Visa Waiver Program, which requires participating countries to have specified security measures on their passports. Canadians do not require a visa to enter the U.S. and are not subject to the program. Despite the new passport’s enhanced security features, some information security experts say the document is not necessary and can be vulnerable to privacy leaks.

“After 9/11, the U.S. pressured the visa waiver countries to get (ePassports). Canada was out of that, but we were encouraged to go along with it,” said professor Andrew Clement, who coordinates the Information Policy Research Program at the University of Toronto. Clement says there has not been enough discussion to say if there are any problems with our current passport.

“With the 19 hijackers, there were a couple who had expired visas and not travelling under false documents. So it’s a bit of security theatre. So I think this was brought in for other reasons and there hasn’t been any debate if it’s a good thing or not,” said Clement. He said the facial recognition technology can allow border agents to screen your image in other databases like watch lists, creating risks of misidentification.

“It’s concerning that our everyday activity is surveyed, even if our behaviour is innocent, it could get the attention of authorities unnecessarily,” said Clement.

Postmedia News

Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada

DNRD has referred three people – two Russians and a Moldavian – to Dubai International Airport (DIA) Police, for suspicion of smuggling forged Eye Biometrics Recognition Stamps

WAM –  UAE | General

The Naturalization and Residency Department in Dubai (DNRD), has referred three people – two Russians and a Moldavian – to Dubai International Airport (DIA) Police, for suspicion of smuggling forged Eye Biometrics Recognition Stamps with intent to facilitate the entry to the UAE of individuals who were previously banned.

A team of DNRD officers, consisting of preventive security staff and airports investigation department personnel, succeeded in arresting ‘F. Sh’, a 17-years-old Russian, at DIA, after he surrendered 72 fake Eye Biometrics Recognition stamps. Another suspect ‘Kh.A’, a 34-year-old Russian, who received the bag containing the fake stamps, was also captured.

A third suspect, ‘A.M’, 21 years old female holder of Moldavian passport was also arrested at the DIA with a laptop and 5 ink pads and later she acknowledged that she was going to deliver them to the first suspect. The DIA team prepared a criminal report against the three and referred them to special task forces for further investigation.

Major-General Mohammed Ahmed Al Marri, DNRD Director, revealed that the number of individuals arrested through the Iris Scan System at DIA reached 1,325 in 2006, which increased to 3,626 and 4,382 in 2007 and the first half of 2008, respectively.

Germany has decided against deploying full-body scanners at German airports; after a 10-month trial, in which 1,280,000 passengers were scanned, the government said that the false alarm rate was just too high

Published 2 September 2011

Germany has decided against deploying full-body scanners at German airports; after a 10-month trial, in which 1,280,000 passengers were scanned, the government said that the false alarm rate was just too high

After trials which lasted ten month, the German government has decided against deploying full-body scanners at German airports.

The German Interior Ministry said that “the technology is not mature enough for the available equipment to be used in practice” and that it will therefore not be installed at the county’s airports “for the time being.”

The ministry spokesperson said that the agencies responsible for airport security were leaning toward supporting the use of body scanners to “improve efficiency and effectiveness of air transport security checks,” but that the trials showed that there were “too many” false alarms.

FlightGlobal quotes sources in the German federal police as saying that the false alarm rate was “significantly higher than 50 percent.”

There were also concerns about the health effects of backscatter X-ray scanners, so the system tested used millimeter wave technology.

The test was conducted at the Hamburg Airport from September 2010 to July 2011, and involved scanning 1,289,000 passengers.

As facial biometric technology becomes increasingly ubiquitous, IT experts warn that these systems can easily be abused and therefore require stringent privacy policies and data encryption

Published 30 August 2011

As facial biometric technology becomes increasingly ubiquitous, IT experts warn that these systems can easily be abused and therefore require stringent privacy policies and data encryption.

In an interview with Information Security Media Group, Beth Givens, the founder and director of the Privacy Rights Clearinghouse, cautioned that organizations using biometric facial solutions should encrypt their data.

“If they back up those applications with good, solid privacy policies and practices, they’ll be in good shape,” she said.

Givens explained that a major problem with facial recognition technology is the chance that sensitive information could be compromised. As evidence, Givens pointed to a Carnegie Mellon University study where researchers used only a photo of a person’s face and publicly available information to track down that individual’s birth date, personal interests, and Social Security number.

“To me, that’s astounding,” Givens said. “There are many places where you can get a person’s birth date; in fact, that’s public information. But being able to link it to a Social Security number as well as personal interest is another matter entirely, that takes it to an all new level.”

To help protect against the loss of sensitive data, Givens encouraged organizations to investigate biometric encryption.

More than 16 million Indians’ people have since been enrolled, and the pace is accelerating. By the end of 2011, the agency expects to be signing up, 1 million Indians a day, and by 2014, it should have 600 million people in its database. It takes about 10 minutes to enter someone into the Aadhaar database. A single UID, earlier estimated to cost around Rs 31 per person, may now end up in the Rs 400-500 territory. The reason: in one hour there are only 60 minutes it is 6 people per hour the “mission” is to provide 1 million ID’s per 24 hours… all that efforts just to create a USELESS invasive Biometric’s  collection on a “national database”…. India is a democratic country… with democratic privacy laws (!!!???)… {Innovya}

• By Vince Beiser
• August 19, 2011  |
• 1:27 pm  |
• Wired September 2011
• 
  

  In India, hundreds of millions of impoverished people have no ID—which means no bank account, credit, insurance, or government aid. Photo: Jonathan Torgovnik; Fingerprints: Getty

The courtyard, just off a busy street in a Delhi slum called Mongolpuri, is buzzing with people—men in plastic sandals arguing with one another, women in saris holding babies on their hips, skinny young guys chattering on cheap cell phones. New arrivals take up positions at the end of a long queue leading to the gated entry of a low cement building. Every so often, a worker opens the gate briefly and people elbow their way inside onto a dimly lit stairway, four or five on each step. Slowly they work their way upward to a second-story landing, where they are stopped again by a steel grille.

After a long wait, a lean woman in a sequined red sari, three children in tow, has finally made it to the head of the line. Her name is Kiran; like many poor Indians, she uses just one name. She and her school-age brood stare curiously through the grille at the people and machines on the other side. Eventually, an unsmiling man in a collared shirt lets them into the big open room. People crowd around mismatched tables scattered with computers, printers, and scanners. Bedsheets nailed up over the windows filter the sun but not the racket of diesel buses and clattering bicycles outside. Kiran glances at the brightly colored posters in Hindi and English on the walls. They don’t tell her much, though, since she can’t read.

A neatly dressed middle-aged man leads the children to a nearby table, and a brisk young woman in a green skirt sits Kiran down at another. The young woman takes her own seat in front of a Samsung laptop, picks up a slim gray plastic box from the cluttered tabletop, and shows Kiran how to look into the opening at one end. Kiran puts it up to her face and for a moment sees nothing but blackness. Then suddenly two bright circles of light flare out. Kiran’s eyes, blinking and uncertain, appear on the laptop screen, magnified tenfold. Click. The oversize eyes freeze on the screen. Kiran’s irises have just been captured.

Kiran has never touched or even seen a real computer, let alone an iris scanner. She thinks she’s 32, but she’s not sure exactly when she was born. Kiran has no birth certificate, or ID of any kind for that matter—no driver’s license, no voting card, nothing at all to document her existence. Eight years ago, she left her home in a destitute farming village and wound up here in Mongolpuri, a teeming warren of shabby apartment blocks and tarp-roofed shanties where grimy barefoot children, cargo bicycles, haggard dogs, goats, and cows jostle through narrow, trash-filled streets. Kiran earns about $1.50 a day sorting cast-off clothing for recycling. In short, she’s just another of India’s vast legions of anonymous poor.

Now, for the first time, her government is taking note of her. Kiran and her children are having their personal information recorded in an official database—not just any official database, but one of the biggest the world has ever seen. They are the latest among millions of enrollees in India’s Unique Identification project, also known as Aadhaar, which means “the foundation” in several Indian languages. Its goal is to issue identification numbers linked to the fingerprints and iris scans of every single person in India.

That’s more than 1.2 billion people—everyone from Himalayan mountain villagers to Bangalorean call-center workers, from Rajasthani desert nomads to Mumbai street beggars—speaking more than 300 languages and dialects. The biometrics and the Aadhaar identification number will serve as a verifiable, portable, all but unfakable national ID. It is by far the biggest and most technologically complicated biometrics program ever attempted.

Aadhaar faces titanic physical and technical challenges: reaching millions of illiterate Indians who have never seen a computer, persuading them to have their irises scanned, ensuring that their information is accurate, and safeguarding the resulting ocean of data. This is India, after all—a country notorious for corruption and for failing to complete major public projects. And the whole idea horrifies civil libertarians. But if Aadhaar’s organizers pull it off, the initiative could boost the fortunes of India’s poorest citizens and turbocharge the already booming national economy.

f

It takes about 10 minutes to enter someone into the Aadhaar database. Photo: Jonathan Torgovnik

It takes about 10 minutes to enter someone into the Aadhaar database.
Photo: Jonathan Torgovnik

The Indian government has tried to implement national identity schemes before but has never managed to reach much more than a fraction of the population. So when parliament set up the Unique Identification Authority of India in 2009 to try again with a biometrically based system, it borrowed a trick used by corporations all over the world: Go to an outsourcer. The government tapped billionaire Nandan Nilekani, the “Bill Gates of Bangalore.”

Nilekani is about as close to a national hero as a former software engineer can get. He cofounded outsourcing colossus Infosys in 1981 and helped build it from a seven-man startup into a $6.4 billion behemoth that employs more than 130,000 people. After stepping down from the CEO job in 2007, Nilekani turned most of his energy to public service projects, working on government commissions to improve welfare services and e-governance. He’s a Davos-attending, TED-talk-giving, best-seller-authoring member of the global elite, pegged by Time magazine in 2009 as one of the world’s 100 most influential people. This is the guy who suggested to golf buddy Thomas Friedman that the world was getting flat. “Our government undertakes a lot of initiatives, but not all of them work,” says B. B. Nanawati, a career federal civil servant who heads the program’s technology-procurement department. “But this one is likely to work because of Chairman Nilekani’s involvement. We believe he can make this happen.”

The Unique Identification Authority’s headquarters occupies a couple of floors in a hulking tower complex of red stone and mirrored glass on Connaught Place, the bustling center of Delhi. As chair of the project, Nilekani now holds a cabinet-level rank, but his shop looks more like a startup than a government ministry. When I show up in February, the walls of the reception area are still bare drywall, and the wiring and air-conditioning ducts have yet to be hidden behind ceiling tiles. Plastic-wrapped chairs are corralled in unassigned offices.

“I took this job because it’s a project with great potential to have an impact,” Nilekani says in his spacious office, decorated with only a collection of plaques and awards and an electric flytrap glowing purple in a corner. He’s a medium-size man of 56 with bushy salt-and-pepper hair and a matching mustache. His heavy eyebrows and lips and protuberant brown eyes give him a slightly baleful look, like the villain in a comic opera. “One basic problem is people not having an acknowledged existence by the state and so not being able to access things they’re entitled to. Making the poor, the marginalized, the homeless part of the system is a huge benefit.”

Aadhaar is a key piece of the Indian government’s campaign for “financial inclusion.” Today, there are as many as 400 million Indians who, like Kiran, have no official ID of any kind. And if you can’t prove who you are, you can’t access government programs, can’t get a bank account, a loan, or insurance. You’re pretty much locked out of the formal economy.

Today, less than half of Indian households have a bank account. The rest are “unbanked,” stuck stashing whatever savings they have under the mattress. That means the money isn’t gaining interest, either for its owner or for a bank, which could be loaning it out. India’s impoverished don’t have much to save—but there are hundreds of millions of them. If they each put just $10 into a bank account, that would add billions in new capital to the financial system.

To help make that happen, Nilekani has recruited ethnic Indian tech stars from around the world, including the cofounder of Snapfish and top engineers from Google and Intel. With that private-sector expertise on board, the agency has far outpaced the Indian government’s usual leisurely rate of action. Aadhaar launched last September, just 14 months after Nilekani took the job, and officials armed with iris and fingerprint scanners, digital cameras, and laptops began registering the first few villagers and Delhi slum dwellers. More than 16 million people have since been enrolled, and the pace is accelerating. By the end of 2011, the agency expects to be signing up 1 million Indians a day, and by 2014, it should have 600 million people in its database.

More than 1.2 billion indians will be in the system—the biggest biometrics database on earth. Photos: Jonathan Torgovnik

More than 1.2 billion indians will be in the system—the biggest biometrics database on earth.
Photos: Jonathan Torgovnik

The village of Gagenahalli sits amid a placid quilt of green millet and tomato fields in the hinterlands of Karnataka state, some 1,300 miles south of Delhi. Bulls with tassels on their horns pull wooden carts decorated with deities and demons past tiny, cheerily painted houses of dried mud. Old men and skinny cows lounge in the shade of baobab trees. It’s a lovely place to visit but a hard place to live. Many of Gagenahalli’s 8,500 residents are landless peasants, and about three-quarters subsist below India’s official poverty line, earning less than a dollar a day.

Most Indians still live in rural hamlets like this, so getting them enrolled in Aadhaar requires some creativity. One evening not long ago, a man walked through Gagenahalli’s red-dirt streets beating a drum and calling the villagers to gather outside—the traditional way to make public announcements. He explained that the government wanted everyone to visit the village schoolhouse in the weeks ahead to be photographed.

A few days later, Shivanna, a stringy 55-year-old farmer—again, with just the one name—presents himself in a cement classroom commandeered by the agency. He doesn’t know what it’s all about, nor is he particularly interested. “When the government asks to take your picture, you just go and do it,” he shrugs. Shivanna takes a worn plastic chair at one of the four enrollment stations set up about the room. All the computer gear and the single bare lightbulb are plugged into a stack of car batteries and kerosene-powered generators—the village gets only a few hours of electricity a day from the national grid.

A young man in a polo shirt records Shivanna’s personal information in a form on his laptop. It’s bare-bones stuff: name, address, age, gender (including the option of transgender). He has Shivanna look into a camera mounted on the laptop. Once the Aadhaar software tells him he’s got Shivanna’s full face in the frame and enough light, he snaps the picture. The program runs similar quality checks on the agent’s work as Shivanna looks into the iris scanner and then puts his fingers on the glowing green glass of the fingerprint scanner. “We had to dumb it down so that anyone could learn to use the software,” says Srikanth Nadhamuni, Aadhaar’s head of technology, as he watches the scan progress.

About 100 miles east of Gagenahalli is Bangalore, the center of India’s booming IT industry. In one of its southern suburbs, across a busy street from Cisco’s in-country headquarters, sits the office building housing Aadhaar’s Central ID Repository. The information collected from Shivanna the farmer, Kiran the rag sorter, and every other person enrolled in the Aadhaar system gets sent here, electronically or via couriered hard drive.

This is Nadhamuni’s domain. He’s a trim, energetic, half-bald engineer with geek-chic rectangular glasses. His English is full of the awesomes and likes that he picked up in Silicon Valley, where he worked for 14 years. In 2002, he, his engineer wife, and their two kids returned to India, and a year later he and Nilekani launched a nonprofit dedicated to digitizing government functions. Nilekani even kicked the organization a few million dollars.

Some of the projects that Nadhamuni worked on—computerizing birth and death records, improving the tracking of schoolkids in migrant worker families—impressed upon him how much India needed a central identity system. When Nilekani asked him to be point man for the task of wrangling Aadhaar’s data, Nadhamuni says, “I was, like, delighted.”

The offices, like the identity program’s Delhi headquarters, are still under construction. When I tour them, rolls of carpet tied with string are stacked along a wall, and workers’ bare feet have left plaster-dust prints in a corridor leading to an unfinished meeting room. The rows of cubicles that will eventually accommodate roughly 400 workers are only about half full. The wall intended for a dozen video monitors showing incoming data packets is, for now, empty.

Getting the poor into the system is a huge benefit, says Nandan Nilekani. Photo: Jonathan Torgovnik

Getting the poor into the system is a huge benefit, says Nandan Nilekani.
Photo: Jonathan Torgovnik

Each individual record is between 4 and 8 megabytes; add in a pile of quality-control information and the database will ultimately hold in the neighborhood of 20 petabytes—that is, 2 x 1016 bytes. That will make it 128 times the size of the biggest biometrics database in the world today: the Department of Homeland Security’s set of fingerprints and photos of 129 million people.

The unprecedented scale of Aadhaar’s data will make managing it extraordinarily difficult. One of Nadhamuni’s most important tasks is de-duplication, ensuring that each record in the database is matched to one and only one person. That’s crucial to keep scammers from enrolling multiple times under different names to double-dip on their benefits. To guard against that, the agency needs to check all 10 fingers and both irises of each person against those of everyone else. In a few years, when the database contains 600 million people and is taking in 1 million more per day, Nadhamuni says, they’ll need to run about 14 billion matches per second. “That’s enormous,” he says.

Coping with that load takes more than just adding extra servers. Even Nadhamuni isn’t sure how big the ultimate server farm will be. He isn’t even totally sure how to work it yet. “Technology doesn’t scale that elegantly,” he says. “The problems you have at 100 million are different from problems you have at 500 million.” And Aadhaar won’t know what those problems are until they show up. As the system grows, different components slow down in different ways. There might be programming flaws that delay each request by an amount too tiny to notice when you’re running a small number of queries—but when you get into the millions, those tiny delays add up to a major issue. When the system was first activated, Nadhamuni says, he and his team were querying their database, created with the ubiquitous software MySQL, about 5,000 times a day and getting answers back in a fraction of a second. But when they leaped up to 20,000 queries, the lag time rose dramatically. The engineers eventually figured out that they needed to run more copies of MySQL in parallel; software, not hardware, was the bottleneck. “It’s like you’ve got a car with a Hyundai engine, and up to 30 miles per hour it does fine,” Nadhamuni says. “But when you go faster, the nuts and bolts fall off and you go, whoa, I need a Ferrari engine. But for us, it’s not like there are a dozen engines and we can just pick the fastest one. We are building these engines as we go along.”

Using both fingerprints and irises, of course, makes the task tremendously more complex. But irises are useful to identify the millions of adult Indians whose finger pads have been worn smooth by years of manual labor, and for children under 16, whose fingerprints are still developing. Identifying someone by their fingerprints works only about 95 percent of the time, says R. S. Sharma, the agency’s director general. Using prints plus irises boosts the rate to 99 percent.

That 1 percent error rate sounds pretty good until you consider that in India it means 12 million people could end up with faulty records. And given the fallibility of little-educated technicians in a poor country, the number could be even higher. A small MIT study of data entry on electronic forms by Indian health care workers found an error rate of 4.2 percent. In fact, at one point during my visit to Gagenahalli, Nadhamuni shows me the receipt given to a woman after her enrollment; I point out that it lists her as a man. A tad flustered, Nadhamuni assures me that there are procedures for people to get their records corrected. “Perfect solutions don’t exist,” Nilekani says, “but this is a substantial improvement over the way things are now.”

For the past year or so, Mohammed Alam, 24, has spent his nights in a charity-run Delhi “night shelter” for the homeless. Inside the weathered cement building, nearly 100 men and one 3-year-old boy in various states of dishevelment sprawl on worn cotton mats in a gloomy open room. A bloody Bollywood action movie flickers on a small TV sitting on a folding table in a corner. The stench of ammonia wafts from the group bathroom across the foyer.

Alam looks markedly healthier than most of his compeers, his glossy black hair elaborately gelled and his teal shirt and jeans spotless. He left his home in Lucknow because of family problems he’d rather not specify and has been getting by in the capital ever since, doing odd labor jobs. In a good month, he pulls in about $50. That makes it hard to afford his own place to live. But the Unique Identification Authority came to enroll the shelter’s inhabitants a few weeks ago, and Alam just received a letter from the authority with his randomly generated 12-digit Aadhaar number.

The authority doesn’t issue cards or formal identity documents. Once enrolled, each person’s eyeballs and fingertips are all they need to prove who they are—in theory, anyway. For now Alam keeps the folded-up letter in his pocket. It serves as ID when the police stop him, he says. But more important, he just used it to open a bank account. “I tend to spend more money when it’s on me,” he says.

Local grocers could act as banks, doling out cash and accepting deposits for a small fee.

That’s exactly the kind of thinking Nilekani is counting on. One of his first major coups was persuading India’s central bank to declare the Aadhaar number adequate identification to issue no-frills accounts. Bringing biometrically verified banking to the poor could lead to enormous savings in government benefit programs—for both the recipients and the state. Today, a pensioner in a village like Gagenahalli has to take a bus to the nearest town to collect his monthly payment in cash. That’s time and money lost for him. Meanwhile, more than 40 percent of the government’s $250 billion in subsidies and other spending on the poor will be siphoned off by scammers over the next five years, according to investment group CLSA. Both problems could largely be solved if instead the funds were sent straight to bank accounts held by biometrically verified recipients. “It’s like having 1.2 billion pipes through which you can send the benefits directly,” Sharma says. Connecting the poor to banks could also enable some of them to get loans to start businesses or pay for their children’s education.

Banks, however, are in short supply in the countryside, where most Indians live; the one nearest to Gagenahalli is 7 miles away. That’s one reason only 47 percent of Indian households have bank accounts (compared with 92 percent in the US). So Indian financial institutions have begun introducing “business correspondents” into bankless areas, essentially deputizing some shopkeeper or other trusted local who has access to a little cash to handle villagers’ tiny deposits and withdrawals. Here’s how it’s supposed to work: Say Shivanna wants 50 rupees from his savings account. Instead of schlepping miles to an actual bank, he goes to the little kiosk down the road from his house. The guy in the kiosk scans Shivanna’s fingerprints with an inexpensive handheld machine. (There are several on the market already; other similar gadgets—and even cell phone apps—that scan irises are in the works.) Then he transmits the image via cellular network to the tech hub in Bangalore and gets a simple confirmation-of-identity message. (The same process works for deposits.) Once Shivanna’s identity is validated, the kiosk guy gives him his cash or deposit receipt, minus a small commission. Shivanna’s bank reimburses the kiosk guy. Shivanna saves time and money, the kiosk guy makes a little profit, the bank gets more capital, and the rising tide lifts all boats.

Many Indians' finger pads have been worn smooth by years of manual labor. Photo: Jonathan Torgovnik

Many Indians’ finger pads have been worn smooth by years of manual labor.
Photo: Jonathan Torgovnik

In practice, of course, all kinds of things might go wrong. “Some iris scanners can be fooled by a high-quality photo pasted onto a contact lens,” says a senior exec from a biometrics-equipment maker working on the project. Fingerprints can be lifted from almost anything you touch, and a laser-printer reproduction of one will have tiny ridges of ink that may fool scanners. Or a corrupt Aadhaar worker could pair a scammer’s name with someone else’s biometrics. The system is being built with open architecture so other agencies and businesses can add their own applications. The idea is to make Aadhaar a platform for all kinds of purposes beyond government benefits and banking, much like a smartphone is a platform for more than making phone calls. In January, the Indian Department of Communications declared Aadhaar numbers to be adequate ID to get a mobile phone. It’s easy to imagine the numbers being used to authenticate airline passengers, track students, improve land ownership records, and make health records portable. But opening up the Aadhaar system so widely makes it vulnerable. Each record is encrypted on the enroller’s hard drive as soon as it’s completed, and the central database will have state-of-the-art safeguards. Still, Sharma acknowledges, “there’s no lock in the world that can’t be broken.”

Anyway, Nadhamuni points out, credit card numbers are stolen all the time, but everyone still uses them because the card companies have come up with enough ways to spot when they’re being used fraudulently. In the big scheme of things, credit card fraud is a relatively small problem compared with the gigantic benefit of being able, say, to buy stuff online. He believes the same calculus will hold for Aadhaar. And if Aadhaar data is stolen, they have countermeasures to deal with it.

There’s also the question of whether India’s cell phone network, which will carry the bulk of the verification requests, can handle such a load. “We expect to be getting 100 million requests per day in a few years,” Nadhamuni says. “And the authentication needs to happen fast. The answer needs to come back in maybe five seconds.” Partly to meet that demand, the federal government is investing billions to massively expand the nation’s broadband capacity. “It’s not there yet,” Nilekani says. “But if someone had told you 10 years ago that there would be 700 million mobile phones in this country today, you’d say he was smoking something.”

The technological problems may pale compared to the potential civil liberties issues. Anti-Aadhaar protesters showed up at Nilekani’s January speech at the National Institute of Advanced Studies. Several anti-Aadhaar websites have sprung up. And members of parliament and prominent intellectuals have criticized the whole idea. (A Christian sect even denounced it as a cover for introducing the number of the Beast.)

Technically, Aadhaar is voluntary. No one is obligated to get scanned into the system. But that’s like saying no American is obligated to get a Social Security number. In practice, once the Aadhaar system really takes hold, it will be extremely difficult for anyone to function without being part of it. “I find it obnoxious and frightening,” says Aruna Roy, one of India’s most respected advocates for the poor (and, like Nilekani, one of Time’s 100 most influential people). India, she points out, is a country where people have many times been targeted for discrimination and violence because of their religion or caste.

Earlier this year, privacy concerns scuttled an effort to give every citizen of the United Kingdom a biometric ID card, and similar worries have slowed ID plans in Canada and Australia. “But the intentions were very different. It comes more from a security and surveillance perspective,” Nilekani says. “Many of these countries already have ID. In our situation, our whole focus is on delivering benefits to people. It’s all about making your life easier.”

The Unique Identification Authority is very deliberately not collecting information on anyone’s race or caste. But local governments and other agencies subcontracted to collect data are permitted to ask questions about race or caste and link the information they harvest to the respondent’s Aadhaar number. In Gagenahalli, for instance, agents asked villagers several extra questions about their economic conditions that the Karnataka state government requested. “I haven’t seen any agencies asking for caste or religion, but the fact that they can seems problematic,” admits a midlevel Aadhaar official who asked to remain anonymous. And while the agency has pledged not to share its data with security services or other government agencies, “if they want to, they can,” says Delhi human rights lawyer Usha Ramanathan. “All that information is in the hands of the state.” It’s not an unreasonable concern; in the wake of the Mumbai terror attacks, security is a major preoccupation in India. Armed guards, x-ray machines, and metal detectors are standard features at the entrances of big hotels, shopping centers, and even Delhi subway stations. Police officials have told Indian newspapers that they would love to use Aadhaar numbers to help catch criminals. And, in fact, some of the agency’s own publicly available planning documents mention the system’s potential usefulness for security functions. “We would share data for national security purposes,” Nilekani admits. “But there will be processes for that so you have checks and balances.” Every official I speak with, from Nilekani on down, seems impatient when I bring up this issue. They breezily remind me that there’s an electronic data privacy bill before parliament—as though the mere fact that the government is thinking about the issue is enough.

For supporters, the bottom line is simple: The upsides beat the downsides. “Any new technology has potential risks,” Nilekani says. “Your mobile phone can be tapped and tracked. One could argue we already have a surveillance state because of that. But does that mean we should stop making mobile phones? When you have hundreds of millions of people who are not getting access to basic services, isn’t that more important than some imagined risk?”

Indeed, Kiran, the mother of three at the Mongolpuri enrollment station, actively wants the government to have a record of her and her children. She’s a bit mystified when I ask if the idea worries her. If you’ve never read a newspaper, let alone fretted over your Facebook privacy settings, the question of whether the government might abuse your digital data must seem pretty abstract—especially when you compare it with the benefits the government is offering.

The first thing Kiran plans to use her Aadhaar number for, she says, is to obtain a city government card that will entitle her to subsidized groceries. “I’ve tried very hard to get one before, but they wouldn’t give it to me because I couldn’t prove I live in Delhi,” she says. Having that proof will take some other stress off her mind, too. She’s constantly afraid the police will order non-Delhi residents to leave the overcrowded slum, but now she has something to show them if they do.

Her three children come running up, fresh from having their own irises scanned. They’re excitedly waving their receipts for the numbers that will be attached to them for the rest of their lives. “It was fun!” 7-year-old Sadar says. “It wasn’t scary at all.”

Vince Beiser (@vincelb) wrote about activists combating Chinese online censorship in issue 18.11.

Lack of Consent Bothers Privacy Advocate Beth Givens

Privacy Advocate Beth Givens explains that use of facial recognition technology could:

• Violate privacy rights by not getting an individual’s consent.
• Result in unequal treatment of consumers by businesses.
• Encourage stalking and violence.

August 29, 2011 – Eric Chabrow, Executive Editor, GovInfoSecurity.com

Soon it will be practicable to take someone’s photo on a smartphone and within minutes know their Social Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers will tell the Black Hat security conference

Aug. 3, 2011 (1:35 pm) By: Jennifer Bergen

The annual Black Hat security conference is in full swing right now in Las Vegas. The conference, which started on July 30 and goes to August 4, is the place to be for security researchers to discuss and learn about different types of security vulnerabilities seen in almost every area of technology. One area of security that touches close to home for everyone is the privacy of our personal data being linked to our faces. Specifically, information can be linked to your face and made available to anyone who snaps your picture with their smartphone camera.

With major companies like Apple offering face detection APIs to developers in iOS 5, the method of taking a picture and having a database recognize the person’s face is available, and over the years, it will only get more and more advanced.

This privacy-invading technology is what Alessandro Acquisti, a professor at Carnegie Mellon University, will present at the conference on August 4. Acqusiti’s study uses three different technologies, including cloud-computing, facial recognition, and public information that can be found via various social networks. The technology would allow the user to see information about the person, in addition to the social security number, like sexual orientation, credit ratings, and personal interests.

Acquisiti says the point of the technology is to show that it’s something that’s already available, which means digital surveillance will only get better as technologies improve. He told Network Wold that “this and fear is the future we are walking into.”

The presentation is based on research that he and his team conducted. First, the team was able to identify people on an online dating site where members use aliases as identification. To do this, they looked at a person’s Facebook profile photo and compared it using PittPatt face-recognition software. They were able to identify other photos of the same person in the dating service database, and once the software made a match, the team looked at the photos to see how close of a match it was.

It’s not perfect yet, as the software ended up only identifying 1 of every 10 people. But, the team said this was actually acceptable number considering that the software only used one profile photo to identify the person. The number may also be improved if they considered Pitt-Patt’s second and third guesses.

The subsequent two experiments identified random people on a college campus (with 33% accuracy) and predicted the first five digits of a person’s social security number. The latter is possible because those digits are based on place and date of birth, both of which are available on many people’s Facebook pages.

The fact that these are all rough technologies that are only going to be fine-tuned in the near future is pretty scary. Facebook had implemented a facial recognition photo-tagging feature a few months ago that made many people upset, but now only lets people in your friends list can use the service. Facial recognition isn’t an immediate privacy threat but as technology improves it will be a way to quickly collect increasing amounts of information in people, using only publicly available data. Partial records could be constructed and then filled out as potential targets are identified.

via Network World

Face recognition software of the kind incorporated into biometric identification tools, photo-gallery applications and social media websites can be very useful but the technology raises privacy concern

Post by: crisisboom – The more you know, the better off you will be…

sciencecodex

Face recognition software of the kind incorporated into biometric identification tools, photo-gallery applications and social media websites can be very useful but the technology raises privacy concerns, given the seeming ease with which faces in photos can now be tied to an individual. Researchers in Russia and Poland hope to take face recognition technology an important step forward with the even more powerful software they have developed.

Writing in the International Journal of Biometrics, Georgy Kukharev of Saint Petersburg Electrotechnical University in Russia, and colleagues Paweł Forczmański and Andrzej Tujaka of the West Pomeranian University of Technology, Szczecin, Poland, explain how they have developed algorithms they refer to as two-dimensional Canonical Correlation Analysis (CCArc) and two-dimensional Partial Least Squares (PLSrc) for image matching where “rc” implies the analysis is applied to the images’ rows and columns.

Conventionally, scanning techniques based on CCA and PLS convert an image into a small set of variables, such as distance between eyes, width of jaw, and other factors. New images in which a face is to be identified are then categorized in the same way and the variables compared with those in the database. Correlation of a significant number of the variables gives a variable positive identification for the “new” face with one in the database and allows the software to verify with varying degrees of certain whether that new face is a specific individual in the database. The same technology can be used for biometric identification of a face on a driver’s license or on a social network, or for finding your friends and relatives in your photo collection.

The original algorithms for assessing and assigning variables are based on statistical methods developed in the 1930s. However, with the advent of more and more powerful computing, Forczmański and colleagues realized that these algorithms could be made much more powerful by measuring and analyzing many more variables in each image.

The team has extended the algorithms to utilize rows and columns and so generate a matrix for each image. They have tested them on known family databases as well as a photo gallery of their own creation with positive results. The algorithms perform well even with low-resolution images of faces and with varying lighting conditions and even if other objects, such as overhead lights or “loud” shirts are present in the photo. They have even developed a practical application that can find a person’s spouse given the presence of pairs of faces in single photographs.

Lynch contends that the NGI will not just collect and store criminal justice data because one third of the FBI’s IAFIS data is from civil sources like attorney bar applications, federal and state employees, and people who work with children or the elderly. She said the FBI hadn’t allowed those kinds of records to include photos and had segregated civil records from criminal data. “Civil records were also not included in bulk checks for criminal investigative purposes,” she wrote. The FBI’s NGI may remove those barriers, she warned. “There is some evidence to show the FBI is considering including this data in future NGI database searches and, according to the CCR FOIA documents, has already begun to include civil records from DHS and State Department database files such as visa applications, immigration records, and border entries and exits,” she said.

Mon, 2011-07-11 09:31 AM

By: Mark Rockwell

EFF’s Lynch

The FBI’s next-generation criminal identification biometric database could include not only information about criminals, but every day people, said the Electronic Frontier Foundation (EFF) on July 8.

Documents recently released under the Freedom of Information Act (FOIA) show the FBI’s Next Generation Identification (NGI) database could include biometric and other identification information from civil sources like attorney bar applications, federal and state employees, and people who work with children or the elderly, said EFF staff attorney Jennifer Lynch in a July 8 posting on the group’s Web site.

The National Day Laborer Organizing Network (NDLON), the Center for Constitutional Rights (CCR), and the Cardozo Law School Immigration Justice Clinic had publicly released the FOIA documents on July 6. The groups contended the documents showed Immigration and Custom Enforcement’s Secure Communities biometric identification system identify criminal aliens for deportation, is also a key component the FBI’s NGI. The combination, the groups said, will accumulate a massive store of personal biometric information on citizens and non-citizens with an aim to create a sort of electronic national identification card.

In remarks on the EFF’s Web Site on July 8, Lynch said the FBI’s NGI program hasn’t been secret. The FBI, she said, has “bragged” about it over the last 10 years and has “carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records.”

Even though the NGI program was developed in the open doesn’t make it any less dangerous, she said.  The FBI’s IAFIS [Integrated Automated Fingerprint Identification System] and DHS’ IDENT [Automated Biometric Identification System] systems, she said, can store extensive amounts of names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race and dates of birth. “Within the last few years, DHS and FBI have made their data easily searchable between the agencies,” she said. “However, both databases remained independent, and were only ‘unimodal,’ meaning they only had one biometric means of identifying someone—usually a fingerprint.”

The documents obtained under FOIA, she said, show the NGI database will contain both FBI and DHS records in “multimodal” capability.

“This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future,” she said.

Lynch contends that the NGI will not just collect and store criminal justice data because one third of the FBI’s IAFIS data is from civil sources like attorney bar applications, federal and state employees, and people who work with children or the elderly. She said the FBI hadn’t allowed those kinds of records to include photos and had segregated civil records from criminal data. “Civil records were also not included in bulk checks for criminal investigative purposes,” she wrote. The FBI’s NGI may remove those barriers, she warned. “There is some evidence to show the FBI is considering including this data in future NGI database searches and, according to the CCR FOIA documents, has already begun to include civil records from DHS and State Department database files such as visa applications, immigration records, and border entries and exits,” she said.

“Big Brother Is Watching You” was the pervasive punch-line in British writer George Orwell’s classic novel “1984.” Now we know Big Brother is listening too.

By Arthur I. Cyr

“Big Brother Is Watching You” was the pervasive punch-line in British writer George Orwell’s classic novel “1984.” Now we know Big Brother is listening too.

Revelations that Rupert Murdoch’s News International Corp. for years has conducted massive hacking into British cell phone information is truly shocking. Alleged targets include cell phones of a murdered young girl and relatives of soldiers killed in action. Britain’s political parties have united in Parliament, an unusual move, to condemn the company.

The scandal includes allegations of police payoffs. An initial police investigation concluded the snooping was a renegade incident targeting only a few individuals.

Murdoch’s political influence in Britain has been enormous. Politicians across the spectrum fear his power to embarrass or endorse, and have assiduously courted his favor.

Orwell, one of the greatest writers of the 20th century, was a committed socialist. Unlike many on the left, however, he had personal involvement with working people, because he was one. He stressed egalitarianism, while warning about the dangers of concentrated power in government as well as corporations.

The Murdoch snooping scandal is particularly grotesque, and may bring down that media empire. However, guarding individual freedom, including privacy, from intrusive power structures inevitably is a challenge.

Other developments in British politics and American business underscore this tension. Britain’s coalition government has wisely repealed a national identity card. A card microchip linked to biometric data encouraged bureaucratic snooping. Amid launch of the latest iPhone, Apple leader Steve Jobs gave particular emphasis to protecting customer privacy.

A wag once suggested that “1984″ was really about 1948, a reference to the Stalinist dictatorships ruling in Eastern Europe as well as the Soviet Union when the novel was published. The Cold War had just emerged, and for many communism seemed the wave of the future.

Intense anti-communism seriously distorted U.S. domestic politics and the wider society intellectuals accused of left-wing views found their careers damaged and in some cases destroyed. Blacklisting of writers became a symbol of this intimidation.

An open economy under the rule of law helps limit abuse. Modern Britain has never had dictatorship, and the effects of Conservative Prime Minister Margaret Thatcher’s “Big Bang” deregulation of the economy were important in facilitating freedom. Her heavy-handed style earned her the sobriquet “Big Sister,” but the reforms were crucial to Britain’s economic recovery and reassertion of international influence starting in the 1980s.

A similar process unfolded in the U.S., beginning in the Carter administration and carried much further by the Reagan administration. The financial crises of the past decade, facilitated in part by deregulation gone too far, overshadow the durable beneficial consequences of this market freedom.

This in turn brings context to Steve Jobs’ statement. Apple last year surpassed Microsoft in total capitalization, a major accomplishment for a firm floundering less than 10 years ago before cofounder Jobs returned. Products that facilitate freedom are now major Apple marketing themes.

Meanwhile, competitor Google has grappled with embarrassing accusations that extensive information on individuals has been collected. For example, Google Earth cars driving through random neighborhoods captured specific data from unsecure wireless outlets in unsuspecting households.

In our fascinating, fantastic global information revolution, institutions committed to following the law and protecting personal privacy, not just profits and power, deserve our support. Murdoch and crew deserve condemnation, and prosecution.

Above all, remember: Big Brother is not watching you.

Not yet.

But he’d like to.

Arthur I. Cyr is Clausen distinguished professor at Carthage College. He is also a columnist for Scripps Howard News Service (www.scrippsnews.com). E-mail him at acyr@carthage.edu.

A Plymouth company whose technology turns ordinary iPhones into facial recognition tools has garnered rave reviews from law enforcement even as civil libertarians worry about the device’s privacy-invading potential.

BI2 Technologies makes a Biometric smartphone peripheral that scans irises, takes fingerprints and recognizes faces. The American Civil Liberties Union has expressed concerns over the technology because it could be construed as a “search. But B12 CEO Sean Mullin said “none of the data is stored on the smartphone” (IT WILL BE STORED AT THE POLICE DATABASES?), “and the system requires a basic level of consent from the party being scanned”.

Business & Markets

By Brendan Lynch
Sunday, July 17, 2011

A Plymouth company whose technology turns ordinary iPhones into facial recognition tools has garnered rave reviews from law enforcement even as civil libertarians worry about the device’s privacy-invading potential.

BI2 Technologies makes a biometric smartphone peripheral that scans irises, takes fingerprints and recognizes faces. The $3,000 Mobile Offender Recognition and Information System, or MORIS, will roll out to about 40 police departments starting this fall.

The American Civil Liberties Union has expressed concerns over the technology because it could be construed as a “search.” But B12 CEO Sean Mullin said none of the data is stored on the smartphone, and the system requires a basic level of consent from the party being scanned.

“If you’re going to have your face scanned, you have to stand still for a second and let me take a picture of your face,” he said.

Using the 12-ounce MORIS attached to the back of an Apple-made iPhone, a police officer responding to a domestic dispute could take video statements, search for and read relevant restraining orders or outstanding warrants, and record locations using GPS.

“Click, click. Get in the back seat. Watch your head,” said Mullin, who founded BI2 with former Plymouth County Sheriff Peter Flynn.

The Plymouth County Sheriff’s Department has ordered less than 10 MORIS units for the fall, said spokesman John Birtwell. Since Massachusetts sheriffs act mostly as jail keepers, the scanners will be used to confirm the identities of the 10,000 people it processes every year.

“It’s not only a practical time saver, it’s foolproof,” Birtwell said.

Birtwell said the department is sensitive to privacy concerns, though everyone they would scan would have already appeared before a magistrate.

“We’re not going to be randomly scanning people walking down the street,” he said.

The technology has applications in other markets such as health care IT and mobile payments. EMTs could access electronic medical records by scanning a patient’s iris, while shoppers could “sign” a transaction by scanning their eye.

“You won’t be able to steal the credit card, but you would be able to steal someone’s iPhone or Droid,” he said. “What this does is secure that transaction biometrically.”

Those applications are in the analysis stage. MORIS was similarly tested by the Brockton Police Department to offer suggestions for the law enforcement application.

“I wish I was a smart guy,”Mullin said. “I’m not. I’m a good listener.”

The company has shifted into expansion mode with plans to hire eight to 10 people — engineers, salespeople, marketers and management — over the next year in Massachusetts. Research and development is done at BI2 headquarters while the MORIS device is manufactured at contract manufacturer Columbia Tech in Worcester.

BI2 generated a lot of buzz last week with a prominent story in the Wall Street Journal on Wednesday and segment on CBS’ “The Early Show” on Friday, the company’s fifth anniversary.

Mullin said BI2 fielded about 2,500 inquiries about its system. “It’s great,” he said. “I just wish it wouldn’t all come in three days.”

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communitiesprogram and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database.

JULY 8TH, 2011 by Jennifer Lynch

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communitiesprogram and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database.

Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.

In contrast, as CCR’s FOIA documents reveal, FBI’s NGI database will be populated with data from both FBI and DHS records. Further, NGI will be “multimodal.” This means NGI is designed to allow the collection and storage of the now-standard 10-print fingerprint scan in addition to iris scans, palm prints, and voice data. It is also designed to expand to include other biometric identifiers in the future. NGI will also allow much greater storage of photos, including crime scene security camera photos, and, with its facial recognition and sophisticated search capabilities, it will have the “increased ability to locate potentially related photos (and other records associated with the photos) that might not otherwise be discovered as quickly or efficiently, or might never be discovered at all.”

The FBI does not just collect and store data from people caught up in the criminal justice system;about 1/3 of the data collected and reviewed in IAFIS is from civil sources such as attorney bar applications, federal and state employees, and people who work with children or the elderly. In the past, the FBI has not allowed these records to include photos and has segregated civil records from criminal data. Civil records were also not included in bulk checks for criminal investigative purposes. NGI may take down these barriers, however. There is some evidence to show the FBI is considering including this data in future NGI database searches and, according to the CCR FOIA documents, has already begun to include civil records from DHS and State Department database files such as visa applications, immigration records, and border entries and exits.

So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are the each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.

Once these records are combined into one database and once that database becomes multimodal, as we discussed in our 2003 white paper on biometrics, there are several additional reasons for concern. Three of the biggest are the expanded linking and tracking capabilities associated with robust and standardized biometrics collection systems and the potential for data compromise.

Already, the National Institute for Standards and Technology, along with other standards setting bodies, has developed standards for the exchange of biometric data. FBI, DHS and DoD’s current fingerprint databases are interoperable, indicating their systems have been designed (or re-designed) to read each others’ data. NGI will most certainly improve on this standardization. While this is good if you want to check to see if someone applying for a visa is a criminal, it has the potential to be very bad for society. Once data is standardized, it becomes much easier to use as a linking identifier, not just in interactions with the government but also across disparate databases and throughout society. This could mean that instead of being asked for your social security number the next time you apply for insurance, see your doctor, or fill out an apartment rental application, you could be asked for your thumbprint or your iris scan.

This is a big problem if your records are ever compromised because you can’t change your biometric information like you can a unique identifying number such as an SSN. And the manyrecent security breaches show that we can never fully protect against these kinds of data losses.

The third reason for concern is at the heart of much of our work at EFF. Once the collection of biometrics becomes standardized, it becomes much easier to locate and track someone across all aspects of their life. As we said in 2003, “EFF believes that perfect tracking is inimical to a free society. A society in which everyone’s actions are tracked is not, in principle, free. It may be a livable society, but would not be our society.”

Unfortunately, biometric data collection is not limited to NGI or even to the legacy DHS, FBI and DoD fingerprint collection programs. The federal government and states have been steadily expanding their DNA collection efforts over the last 10 years as well. Currently all 50 states, the federal government and the District of Columbia collect and share DNA records through the FBI’sCODIS database. At least 15 of those states, as of 2010, collect DNA from defendants convicted of misdemeanor offenses. And as of 2009, under the federal DNA Fingerprint Act of 2005 and several recently-expanded state statutes, at least 21 states and the federal government collect DNA samples from any adult arrested for (not just convicted of) a crime. This has led to an exponential increase in the amount of DNA collected in the United States on an annual basis, with nearly 1.7 million samples processed (pdf Pg8) in 2009, alone. As of 2011, the National DNA Index or NDIS (the federal level of CODIS) contains over 9,748,870 offender profiles, and the states’ individual databases are each expanding as well.

Currently, it doesn’t appear the FBI plans to incorporate the DNA data held by CODIS into NGI. However, NGI has been designed to be flexible and to be able to incorporate additional biometric identifiers as the need arises in the future. This means that we can’t rule anything out. FBI claimsNGI “doesn’t threaten individual privacy,” but the government’s continuing efforts to collect, store and track the biometric data for so many Americans and foreigners cannot bode well for a society that values privacy.

The use of Biometrics in national identity cards has spliced the globe into two with people in developed nations looking at it as infringement of their privacy and civil liberties, reports Team Inclusion

A debate has been raging in India since Manmohan Singh government broadened the sphere of MNIC (Multi-purpose National Identity Cards) to National Population Register (NPR) appending into it a biometrics-based Unique Identification (UID) number. The opponents of the scheme have accused the central government of snooping into privacy of residents. They fear that the project would prove to be the death of right to privacy implicit in Article 21, which guarantees protection of life and personal liberty. They apprehend that the governmental agencies would misuse the information collected under the project to harass individuals.

The UID-Aadhaar detractors frequently quote the examples of UK, USA and Netherlands, Greece, France and Turkey, which recently scrapped either their identity projects, or use of biometrics on the grounds that they intruded into residents’ privacy. Their argument is that once a person hacks into the UID database, he can gain access to any other database as the UID will be linked with banks, phone companies, Public Distribution System (PDS), ministries, departments, Public Sector Units (PSUs) etc. They fear since many US companies are involved in the project, there is a possibility that Washington will have access to the database. They also fear that the unique identity would encourage identity thefts and misuse.

The project backers on the other hand hope that the linkages of UID with social sector schemes would improve targeting and delivery of services, reduce their cost and provide online cost-effective, ubiquitous authentication services.  Denying that the unique number was a guarantee to rights, citizenship and entitlements, they add that the project would promote financial inclusion as the UID number facilitates opening of bank accounts.

There seems to be a major rich-poor, developed-developing and big economy-small economy divide among the countries when it comes to implementation of the national ID project with people in upper western hemisphere and parts of Europe rejecting their government’s efforts to introduce and store biometrics in a central system.  Countries like United Kingdom, France, Hungary, Netherland, Greece, Norway, Turkey and Ireland in Europe have either not incorporated biometrics in the ID or stopped scanning biometric information.
Similarly in North America and Australia continents, countries like USA, Canada, Australia and New Zealand have kept off the biometrics.  In Asia, China, Japan, Sri Lanka are yet to join the clamour for biometric identity.  Russia and Turkey, the two majors of Eurasia, have also not signed up for the biometrics till now.

Here is a list of international experiments that have taken place in various countries around the globe:

Europe
Ironically Europe, which is extremely paranoid about terrorism, is also the one, which leads the campaign against use of biometrics in National ID Cards with Britain, Norway, Netherlands and Ireland having witnessed major opposition to the concept in the past.

Britain in fact seems to have done so many somersaults on the issue that it is never clear whether the ID card is in or out.  The project made its first appearance in UK during World War II when then British government decided to use national ID cards to facilitate identification of foreigners around the same time when Greece and France also introduced the cards.

Persons were required to carry the card at all times and show it on demand to police and members of the armed forces.  And this is what brought its downfall. In 1951 Acting Chief Justice Lord Rayner Goddard ruled that police demanding ID card “from all and sundry” was unlawful leading to repealing of National Registration Act, the law which facilitated issuance of the ID card.

In 1984 and 1998, the UK government put in place a Data Protection Act, which authorised storage of lot of personal information in databases.

The UK Parliament passed Identity Cards Act in 2006 providing linkages of National Identity Cards, a personal identification document and European Union travel document with a database known as National Identity Register (NIR).

Another two years later, then UK Home Secretary Jacqui Smith proposed that web communication be stored by the ISPs and MSPs in a giant database for 12 months. “Our ability to intercept communications and obtain communications data is vital to fighting terrorism and combating serious crime, including child sex abuse, murder and drugs trafficking. Communications data – that is, data about calls, such as the location and identity of the caller, not the content of the calls themselves – is used as important evidence in 95% of serious crime cases and in almost all security service operations since 2004,” she said.ⁱ

These anti-civil liberties measures proved to be the undoing of Labour government as two years later Conservatives rode back into power on the same issue. In February this year, the government finally scrapped the identity card scheme, terminated Identity Commissioner and destroyed all information held in the National Identity Register. UK Home Secretary Theresa May declared invalidation of existing cards saying they were ‘intrusive, bullying and ineffective’.

Earlier this month, however, the UK government once again revealed plans for an identity assurance scheme, which will help people access services, related to the Department for Work and Pensions. Under the scheme, private companies will run the accreditation services that verify a person’s identity when they log in to a service online. But this may still not be the last word on the subject.

The current French government has proposed a compulsory biometric card system, which is being opposed by human rights groups.

In Greece, fields included in previous ID card formats, such as vocation or profession, religious denomination, domiciliary address, name and surname of spouse, fingerprint, eye and hair color, citizenship and ethnicity were removed permanently as being intrusive of personal data or superfluous for the sole purpose of personal identification.
The plastic card in Hungary does not have any information about the owner’s residential address, nor his Personal ID. This sensitive information is contained on a separate card, called Authority ID.

Ireland and Norway have felt that ‘very serious privacy issues’ are involved in the biometric identity scheme. Austria has also restricted use of Social Security Number (SSN) to areas of social security, taxes, education and other administrative areas.

Yet many European countries – Belgium, Bulgaria, Denmark, Estonia, Finland, Iceland, Italy, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, Sweden, Switzerland and Ukraine have introduced a National Identification Number for their citizens.

North America
Like Europe, North America too has serious issues with the use of fingerprints, iris scan for national identity cards with America and Canada, the two major countries of the continent having failed to convince their citizens on the subject.

Americans have resisted quite a few attempts of their government to upgrade Social Security Card to a National ID Card. In 1971 and 1973, the American government was forced to say that National ID card was not desirable. Ronald Reagan and Bill Clinton administrations too preferred not to touch the controversial biometrics.

The 9/11, however, did tamper the opposition to identity card as US Congress legislated Real ID Act of 2005 calling for national digital identification system. The Act amended US federal law pertaining to security, authentication and issuance procedures standards for the state driver’s licenses and identification cards, as well as various immigration issues pertaining to terrorism. Since United States has no national identification card, driver’s licenses have been used as a de-facto standard form of identification within the country.
Real ID Act set 11th May 2008 as compliance deadline for all states. But majority of the states have either applied for extensions of the original compliance deadline or received unsolicited extension. Over half of the states have approved either resolutions or binding legislation not to participate in the programme.

Yet Obama Administration has not quite given up.  It hopes to fund pilot projects on adoption of Internet IDs next year.  The administration’s idea is to have multiple identity providers that are part of an ‘identity ecosystem’.

Although every now and then one hears voices for attaching biometrics to Social Security Card to bring about immigration reforms, so far, the American administration has not succeeded in convincing citizens who back civil liberties and privacy.

Earlier Canadians rejected a proposal for a National ID Card that would require fingerprints and an iris (eye) scan. The Canadians estimated that this system would cost Rs 226 billion for their 32 million citizens and offered no security for the country from terrorists as some experts suspected that even with eye scan the cards could be duplicated.
Mexico, however, is on way to introduce iris scan for all its citizens for identification. It has made a beginning with the city of Leon and Guanajuato.

South America
In South America, the saying ‘what is good for goose is good for gander’ stands on its head, as unlike their counterparts in North America, the countries in down South, appear to have no issues with biometrics. Recently UID honchos from India visited Brazil to learn from that country’s ‘innovative targeting and identification mechanisms for social programmes’.
The government of Brazil is engaged in a nation-wide effort to replace its traditional ID card with a Registery of Civil Identity (RCI) card enhanced with biometric data. The new chip-based identity card stores information about the cardholder’s name, gender, date of birth, photograph, affiliation, place of birth, signature, fingerprint, place and date of issuance and expiration. It uses state-of-the-art technology and is designed to avoid repeated identity registration in different states as well as confusion caused by different people with the same name.

Last year Brazil used biometrics in Presidential election to prevent voter fraud and ballot stuffing.

Brazil’s neighbour and second largest country of South America, Argentina, recently signed up with Cross Match Technologies, a global provider of biometric identity solutions, for deployment of identity management systems throughout the country. Cross Match will provide guidance and expertise in the areas of forensic-quality fingerprint and palm print capture devices, multi-model biometric capture systems, document readers, software and associated professional services. The Argentine government uses biometric identity solutions to enhance safety, security and promote welfare programmes for its citizens.

DNI (Documento Nacional de Identidad) is the official form of identification for citizens in Peru, another country in South America. The electronic DNA has facial image and print of right index finger of the cardholder besides other general details like name, date of birth etc.

Chile on the other hand uses biometrics extensively for healthcare insurance, banks, pension funds and retailers as well as police and immigration services. Santiago airport in the country uses facial recognition technology for security.

Pablo Izquierdo, Director General of I-Med, a Santiago-based company explains the diametrically opposite views held on biometrics in North and South America. . “In the U.S. people don’t much like the idea of a database of digital fingerprints; Latin Americans – well – they couldn’t care less about it,” Izquierdo says.ii
Bolivia, which shares borders with Brazil, Peru, Argentina, Chile, registered more than 5 million voters by collecting their fingerprints, biometric photographs and electronic signatures within 75 days before the 2009 elections and is now advising Georgia on the same.

Australia (Oceania)
Both the major countries in the region – Australia and New Zealand – are opposed to national identity and biometrics so much so that the former has rejected proposals for the card twice. The first proposal to create a universal number for Australian citizens and permanent residents was jettisoned in 1987. The second proposal – floated in 2005 for an Access Card for health and welfare benefits – was abandoned two years later due to privacy concerns relating to identity theft and disclosure of information. The country protects its Medicare and tax file number identifiers with strict privacy laws.

A parliamentary committee in Australia recently rejected the use of biometrics as a form of identification technology for gamblers saying that the technology would be a privacy overreach.

In 2009 when New Zealand tried to introduce biometrics in immigration, it kicked up a furore with people fearing that technology will be extended to other arms of the law. No wonder the island country is among the few countries of the world, which do not have a national ID card.

Africa
The situation in poor African continent would bring a big smile on the faces of votaries of biometric-based national ID in India as an overwhelming majority of the countries there have either already introduced the cards or are in the process of doing it.

While South Africa, Mauritius, Gambia and Zimbabwe have brought in biometric identity cards, Tanzania, Sudan, Lesotho, Nigeria, Angola, are on course to get them.
In Gambia and Mauritius, citizens above 18 years of age are required to apply for a National Identity Card. The former has made it mandatory for its citizens to show the biometric card at the time of applying for a driving license.

In South Africa, it is necessary for the citizens to carry identity document, which resembles a passport, at the time of opening a bank account, registering at an educational institution, buying a mobile or applying for a driver’s license, passport, unemployment insurance and voting in elections.

Tanzania’s National Identification Authority (NIDA) recently awarded a deal for national ID system for 25 million cards.

NIMC has the mandate to establish, own, operate, maintain and manage the National Identity Database, register persons covered by the Act, assign a Unique National Identification Number and issue General Multi-Purpose Cards (GMPC) to those registered individuals, and to harmonise and integrate existing identification databases in Nigeria.

Sudan is launching a civil registry project that expects to have the fingerprints of 8 million of the 16 million citizens and foreign residents for the country’s national database.
The Angolan Government has officially approved the design of its new ID card for all its adult citizens. The cards will store personal data including personal and biometric identification.

Asia
When it comes to biometric national ID cards, Asian continent is divided among ayes and nays with China, Japan and Turkey yet to give assent to biometric identification. Pakistan, Bangladesh and Malaysia, on the other hand have already issued biometric identification for their citizens.  Sri Lanka and Indonesia are all set to join the bandwagon.

In Pakistan, National Database & Registration Authority (NADRA) has captured 371 million fingerprints and 99 million faces and also facilitates mobile-to-mobile payment.  The ID is tagged with Benazir Income Support Programme for poor. NADRA issued support to 500,000 Watan Card-holders during floods in Pakistan in last year.

Bangladesh has had biometric identification since 2008. Bangladeshis use NID card for obtaining passports, driving licenses, credit cards and for registering land ownership. MyKad or Government Multipurpose Card (GMPC), the official compulsory card in Malaysia, carries a microchip, which contains several items including biometrics.

In Israel, a move to have biometric database is being criticised for not using encryption method to minimise infringement to highly sensitive information. The database will be in the custody of Interior Ministry. Association for Civil Rights, an NGO headquartered in Jerusalem, fear the database will grossly infringe on Israeli citizens’ rights.ⁱⁱⁱ

i. A report on BBC uploaded on October 15, 2008
ii. bUSiness, a business magazine of the Chilean American Chamber of Commerce (AmCham Chile)
iii. Report on ynetnews.com

BIOMETRIC: “If you can store it; I can steal it”

March 08, 2011: FBI : “The Next Generation Identification System (NGI), built by Lockheed Martin, delivers an incremental replacement of the FBI’s Integrated Automated Fingerprint Identification System (IAFIS)”

May 29, 2011: Lockheed Martin hit by cyber attack!….

 

Top security firm RSA Security revealed that it’s been the victim of an “extremely sophisticated” hack.

RSA’s ‘SecurID’ adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

Michael (Micha) Shafir, the founder of Innovya says: “To make things clear, using an OTP (One Time Password device…) during a simple 1-way authentication with the presence of a HACKED TECHNOLOGY is NOT SECURE it is like showing your ID (passport, fingerprints…) to a fake police officer. In fact, the user is “strongly authenticated” but to the wrong person/target.

Saving Biometric information in databases or turning the human body into the ultimate identification card is extremely dangerous. The possibility of fraud with electronic chips and stored biometric data should not be underestimated. Exposing or losing biometric property is a permanent problem for the life of the individual, since, there is no practical way of changing one’s physiological or behavioral characteristics”.

By Tim Stevens posted Mar 18th 2011 8:49AM

If you’ve ever wondered whether two-factor authentication systems actually boost security, things that spit out pseudorandom numbers you have to enter in addition to a password, the answer is yes, yes they do. But, their effectiveness is of course dependent on the security of the systems that actually generate those funny numbers, and as of this morning those are looking a little less reliable. RSA, the security division of EMC and producer of the SecurID systems used by countless corporations (and the Department of Defense), has been hacked. Yesterday it sent out messages to its clients and posted an open letter stating that it’s been the victim of an “advanced” attack that “resulted in certain information being extracted from RSA’s systems” — information “specifically related to RSA’s SecurID two-factor authentication products.”

Yeah, yikes. The company assures that the system hasn’t been totally compromised, but the information retrieved “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” RSA is recommending its customers beef up security in other ways, including a suggestion that RSA’s customers “enforce strong password and pin policies.” Of course, if security admins wanted to rely on those they wouldn’t have made everyone carry around SecurID tokens in the first place.

RSA Hack Demonstrates Superiority of Cell Phone as 2nd Factor

RSA 2 factor authentication gets Hacked… RSA is an important measure, making attacks against authentication systems much harder to commit (??) – NOT ANY MORE…

The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.