‘Positively chilling’ says Liberty

By John Ozimek • The Register

Radical Think Tank Open Europe has this week exposed a study by the EU that could lead to the creation of a massive cross-Europe database, amassing vast amounts of personal data on every single citizen in the EU.

The scope of this project also reveals a growing governmental preference for systems capable of locking people up not for what they have done, but for what they might do.

Open Europe (OE) researcher, Stephen Booth, has been reviewing projects currently in receipt of EU funding. Last week he identified one of these - Project INDECT – as having potentially far-reaching effects for anyone living or working in Europe. The main objectives of this project, according to its own website, are:

To develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers.

In addition, it aims “to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats.”

There are two controversial aspects to this research. First is the extent of data collection implied by the project scope. Second, and perhaps far more worrying, is the proposition that law enforcement agencies, in possession of sufficient data, will in future be able to model potentially criminal and anti-social behaviour and therefore focus on individuals before crimes are committed.

In this, it echoes another EU-sponsored piece of research – ADABTS – which is all about Automatic Detection of Abnormal Behaviour and Threats in crowded Spaces. According to the ADABTS prospectus, it “aims to develop models for abnormal and threat behaviours and algorithms for automatic detection of such behaviours as well as deviations from normal behaviour in surveillance data.”

The INDECT project is co-ordinated by Polish academic Professor Andrzej Dziech. Participants include several institutions from Poland – which until recently had its own issues with over-arching state surveillance – as well as the Northern Ireland Police Service.

Shami Chakrabarti, the director of human rights group Liberty, described this approach as a “sinister step” for any country, but “positively chilling” on a European scale.

Stephen Booth added: “The problem with the EU funding these types of projects is the lack of accountability. Citizens are left completely in the dark as to who has approved them and there is no way to ensure that civil liberties are being duly respected.

“The absence of any political debate about the use of these new surveillance technologies in our society is a very dangerous trend, which is especially acute at the EU level.”

However, the idea of punishing potential criminals is not just an EU notion. As El Regreported last year, the Home Office has certainly considered the use of automated profiling to check travellers at points of entry to the UK. This has been controversial, both because of the veiled racism implied by such a policy, as well as evidence provided to the Home Office that it might not actually work.

However, the Vetting Database – which is due to go live later this year – will take decisions on whether people are fit to work in millions of “regulated” positions on the basis of a scoring system, designed to “predict” likelihood to offend.

The introduction of predictive models into society appears to be carrying on apace, with very little public debate as to how desirable they are, or how the state should compensate citizens where mistakes occur. There is also a blurring of the lines between predicting a threat – in which case law enforcement officers can be asked to investigate – and simply predicting criminality and penalising an individual on the basis of something they have not yet done.

OE is interested in seeing less formal integration across Europe, and a return to more issues being resolved at the national level. Their investigation looked at funding provided under the Seventh Framework Programme (FP7). This can be accessed via the Cordis portal, and is a mechanism whereby funds controlled by the EU Commission are made available for research projects.

The existence of an FP7 project is not necessarily an indicator of EU policy in an area, but it is clear evidence of some interest in the approach being investigated.

Project INDECT launched on 1 January this year with a project budget of 14.86 million Euros. It is due to deliver the goods, including a 15-node pilot project, by the end of 2013. ®

By Jonathan Kent,  BBC News, Kuala Lumpur

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner’s finger to get round the vehicle’s hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran’s ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car.

It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner’s fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

ISRAEL at Risk of Not Being a Democracy Anymore: Knesset Approves INVASIVE ‘Biometric Law’

Anyone who follows the news has no doubt come across the claim that “Israel is the only democracy in the Middle East.” Usually, this claim is followed by its logical inference: “As an island of freedom located in a region controlled by military dictators, feudal kings and religious leaders” - Not any more – Israel democracy is now controlled by superficial politicians…

Black Day for Democracy

By Gil Ronen and Nissan Ratzlav-Katz

(IsraelNN.com) The Knesset plenum approved Monday evening the ‘Biometric Law’ in the final readings. Forty Knesset members voted in favor of the law, 11 against and three abstained. The purpose of the law is the creation of a biometric database that would hold the fingerprints and facial photos of all of the country’s citizens. The data would be stored in the Interior Ministry computers.

MK Nitzan Horowitz (Meretz), who led the opposition to the law, said after its approval that the vote was “a serious mistake which causes grave harm to freedom of the individual in Israel.”

“I hope that we do not pay too heavy a price for it,” Horowitz said. “In any case, it has been proven that an unrelenting public struggle by idealists can have influence and make a difference. The proof is that the law in its final wording is completely different from the original version.”

During the Knesset debate about the law, MK Horowitz stood at the podium and held up printouts of information from the Ministry of Interior’s database which contained information about Knesset members and which reached the Internet. He said that he would not show the contents so as not to invade the MKs’ privacy. “The leaked data which reached my hands prove how easy it is to break into government databases,” he said. “I hope that this will not be the fate of the biometric database.”

MK Dov Henin (Hadash) said that despite the government’s statements that it would not force Israeli citizens to join the database, “in fact, whoever does not do so would be punished – he will not be able to leave the country’s borders, since he would not receive a passport at the level required in developed countries.” The database is not truly a voluntary one, he said.

Faked fingerprints
On the same day that the Knesset approved the law, there news from Tokyo that appeared to show that this system, too, was not foolproof. Police in the Japanese capital said that they arrested a 27-year-old Chinese woman suspected of illegally entering the country after surgically altering her fingerprints to deceive a biometric recognition system operated by immigration officials.

Australia Post has revealed plans to introduce new technology to allow Post Office staff to take fingerprints, biometric scans and digital signatures from customers applying for services such as bank accounts and passports.

The new Identification Services Program Project is expected to be adopted at all 4,443 retail Post outlets, but is currently being tested at 25 Australia Post-owned outlets across NSW and Western Australia.

If approved by State and Federal Governments, Australia Post would become the first non-law-enforcement organisation to take digital fingerprints for commercial purposes.
The power is currently limited to law enforcement Agencies, the Courts, spy Agencies and the Defence Force.
Spokesperson for Australia Post, Alex Twomey was reported in the press as confirming fingerprinting capabilities would be introduced over the next two years and that staff would be trained in protocols for storing and transmitting customer information.
“Fingerprint information will be stored for six hours at the outlet and then transferred for storage at a central Australia Post database,” Mr Twomey said.
“Under Agency agreements, we would then be required to wipe the information after it was sent to Government Departments or other corporate clients.”
According to reports, Australia Post plans to install the data capture equipment at 375 of its own outlets by the end of June 2010, followed by another 400 in 2011 and then 2,000 privately managed post offices nationwide.
Funding for the Identification Services Program project trial was approved in March 2009.
Chairman of the Australian Privacy Foundation, Dr Roger Clarke said he was concerned over the lack of public discussion surrounding the new system.

“These types of initiatives are just too important to introduce without public discussion,” Dr Clarke said.

He said “securing fingerprints and other data across such a large retail network was a major concern as it would be difficult to design a system to protect all information”.

By Søren Duus Østergaard – Duus Blog

A basic principle in the current European Data Protection Act is to ensure proportionality between the level and amount of personal identifiable data, that you have to reveal to identify yourself has to be proportional to the risk and danger incurred if the identity is faked or stolen.

The recent years have seen a growth in tools for identification, mainly in the biometric area, that has led to the risk of ‘overreacting’ using easy biometrics where lesser level of authentication could have been used. One of the latest strange cases from Denmark is a night club, that has been allowed by the data protection agency to take customers fingerprints at the entrance as a means to secure against violent behavior. Horror examples of major collection of biometric data is of course U K’s collection of DNA profiles for children, a practice that was started 5 or 6 years ago.

The risks involved are related to the kind of threat you are trying to prevent: Do we need the security tool to reveal the identity and all related information? This may be the case if we have a strong suspicion that a person is directly related in crime or an act of terror. Or do we only need to know if a person is 18 years old so it is legal to sell alcohol to him/her? Similarly, within the health area a nurse and a doctor do not need to have full access to a patients medical record if he has lost his consciousness and need a blood transfusion, only the key information of blood type and current medication.

So the use of biometrics in itself is one dimension of the game – and the other dimension is what the biometric identification gives access to reveal of PII – Personally Identifiable Information – at the same time or as a consequence of using the biometrics.

The first question of proportionality is then solely related to the ’strength’ of the biometric method used. A weak solution is a quick, convenient solution which is non-intrusive, non-incriminating and non-discriminating in regard to civil rights and color of skin, sex, race and religion. For this purpose simple biometrics like a signature (Analog or digitized) may be better than a fingerprint ( traditional, optical electronic scanning using a template to generate a simple bit stream) – because fingerprints may be seen as incriminating, offensive, police-like. while a face recognition reveals race, color of skin and maybe sex, and thus does not meet the other criteria.

Signatures may be faked, fingerprints (simple fingerprints) can be stolen – in bizarre cases it has been seen that criminals have cut off fingers of owners of Mercedes 300S cars to break the fingerprint starting mechanism. (This risk is probably less in Northern Europe, though.) Or it may bedifficult to read the results properly.

When stronger proof is needed, it is acceptable to rely on methods with higher reliability – like the thermal scanning of fingerprints, that measures the distance from the underlying blood, revealing riffs and valleys, again to be transformed by fast fourier transformation to a template consisting of 0’s and 1’s. This prevents the use of faked fingerprints copied on a strip of tape – and even the rough case of cutting off Mercedes’ owner’s finger –( presumably the blood has stopped circulating – so no heat difference). AlsoIris recognition has been suggested, whereas 3D face recognition at this point still has a higher rate of errors. It has been suggested to use at least 2 types of biometry, like the US border control where you combine fingerprints with face recognition.
In any case the reliability of the identification methodology applied in every case has to discussed and explained before any solution is deployed. (See article about reliability)

It may be OK under well-defined circumstances to use higher level of trusted biometrics, even if they are not 100% proof. The second dimension of the question than is what other PII is stored with the template or the face geometry is stored and how these data are protected. This is a question of data stewardship and again should be in proportion to the use of the data. Taking the example from the Danish night club that has been granted permission to store peoples’ fingerprints, these should definitely not be store with any other information than the purpose: Is this guy know to have a tendency to quarrel – NOT his name, address etc. Even if this is kept using cryptography, it is not in proportion to the use of the biometric data.

Other types of biometrics are recognition of moving patterns, voice recognition, pattern of the veins, retina scan – and of course DNA. Whereas the failure rate (both positive and negative) of the first 2 of these types are still relatively high, the 3 other may reveal unwarranted additional details of the health situation of the individual, hence these items should only be used for forensic purposes and not just collected arbitrarily or even – as in the UK DNA case – systematically.

An important aspect of using Biometrics is also how it will be possible to revoke or change the biometrics as the person changes. Whereas fingerprints remain stable for a longer period in life, face geometry changes a lot from childhood to old age, so does walking patterns, voice. And people do have cosmetic operations in their faces, accidents may change the looks and behavior so any system based on biometrics should have a way to allow for changes of this kind and it should be possible to revoke biometrics.

But as the technology improves and computing power is increasing, one solution which could use biometrics and at the same time prevent the data from occurring in the open space or being communicated could be to have an ID card with a number of different domains, each holding the relevant information linked to the person: one domain simply stating the age, another for the bank including bank account numbers, one for driving license use, one for medical/health care use, one for insurance use, one for credit cards, one for public identification purposes.
If this identity card can be activated by a fingerprint reader plus a pin code, the citizen could then select exactly how much PII he wants to reveal in the situation. This is in line with the PrimeLife recommendations from IBM Zürich Lab, that has just got the German award for forward think identity management solution. This type of solution has the advantage that the user is in full control and that no central database is required for the biometric data.

In a few days I will discuss the use of video surveillance, what we know about it as a crime prevention tool and what may be a more intelligent way of using it.

By Michael Fitzpatrick – BBC Increasingly facial recognition is picking out people in a crowd

A surveillance state, with cameras on every street is commonplace but now Big Business is also turning to Big Brother.

Face recognition, behavior analyzing surveillance cameras, biometric profiling and the monitoring and storing of our shopping patterns has made snooping into our habits, movements and private lives ever easier.

Dismayed at its shrinking power to market to us via traditional media or even the internet, the private sector is now proposing to reach potential customers in ways that critics say should have us all concerned.

“There is an enormous pent-up demand for personalized location advertising, whether it is on your cellophane or PDA, on your radio in your car, or on the billboards you walk by on the streets and inside stores,” says Bruce Schneier, chief security technology officer of BT.

“This is yet another technological intrusion into privacy. And like all such intrusions, it will be taken as far as the owner of that intrusion finds it profitable.”

Emotional reactions

New surveillance technology could even evaporate the advertiser’s favorite grouse that “half of advertising is wasted, but we don’t know which half”.

Advertisers are turning to “intelligent” digital billboards that use cameras to watch you watching the ads.

In Germany, developers have placed video cameras into street advertisements attempting to discern people’s emotional reactions to the ads, according to the Washington-based privacy advocate outfit the Electronic Privacy Information Center (EPIC).

It warns that this type of surveillance encroaches on civil liberties. Such face, voice and behavior technology could be a means of tracking individuals on a mass level across their entire lives, it says.

Pushed by the demands of advertisers and security-minded governments, these technologies are becoming so increasingly smart and intrusive that they now resemble something out of science fiction, it warns.

Science fact

Some of the technology available now seems to have overtaken fiction.

When an interactive ad shouts out to Tom Cruise’s character in the 2002 film Minority Report: “John Anderton, you could use a Guinness!” It identified him as he walked through a mall by scanning the unique pattern of his iris.

This is now pretty standard. Face recognition technology is proving to be a handier, more sophisticated tool to pick us out on the street, a crowded room or at passport control.

Such systems are able to automatically detect and identify human faces using recognition algorithms.

The first step for a facial recognition system is to recognize a human face and extract it from the rest of the scene. Next, the system measures the distance between the features — a distinctive aspect of our faces that does not change with disguises or even surgery.

Matches can then be found in databases in under a second, although 100% accuracy is not yet guaranteed.

Currently the private sector is finding such systems useful for what it calls “targeted marketing,” or “dynamic advertising.”

Japan’s NEC, for instance, is sells face-recognition technology to allow advertisers to tailor what ad is showing on a digitized screen depending on the viewer’s sex and age.

Tracking systems, such as these, can determine the viewer’s gender 85-90% of the time, approximate age and ethnicity, and change the ads accordingly.

NEC denies the system raises privacy concerns as it does not store any images, only the analyzed results (age and sex) based on those images.

But as Schneier points out systems like these are likely liable to “function creep” where a technology is brought in for one purpose, to profile your sex while viewing an ad for example, and then begins to push the boundaries.

“Once the cameras are installed and operational, once they’re networked to central computers, then it’s a simple matter of upgrading the software,” he says.

“And if they can do more — if they can provide more “value” to the advertisers — then of course they will. To think otherwise is simply naive.”

And when advertisers start to follow us, our privacy, our right to be left alone will be severely compromised, he thinks.

More control

Democratic governments, charged with protecting us from such violations, are beginning to wake up to these practices.

EU commissioner Viviane Reding wants to see tighter controls

The US is about to propose a bill to ensure that consumers know what information is being collected about them. While the EU promises to rigorously police what it claims are already stringent controls on our personal data.

“Europeans must have the right to control how their personal information is used,” Viviane Reding, the EU’s commissioner for information society and media told BBC news. “We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored, in exchange for a promise of ‘more relevant’ advertising.”

Despite such assurances, given the pervasiveness of such technologies firstly on the internet and now spreading to the physical world, what we do about them in the next few years will be crucial. It might control our privacy for generations to come say human rights advocates.

“Companies are increasingly impatient to get to us and once these practices are commonplace it will hard to reverse them,” says Marc Rotenberg director of EPIC. “Particularly as, ironically, we lose privacy these companies are gaining secrecy.”

It would seem sensible to debate now how far business and the state should be allowed to tag us while we still have a privacy to protect.

Multi-modal biometrics targeted for new system

By Ellen Messmer Framingham – Computerworld | Thursday, 24 September, 2009

The Federal Bureau of Investigation is expanding beyond its traditional fingerprint-focused collection practices to develop a newbiometrics system that will include DNA records, 3-D facial imaging, palm prints and voice scans, blended to create what’s known as “multi-modal biometrics”.
“The FBI today is announcing a rapid DNA initiative,” said Louis Grever, executive assistant director of the FBI’s science and technology branch, during his keynote presentation at the Biometric Consortium Conference in Tampa.

The FBI plans to begin migrating from its IAFIS database, established in the mid-1990s to hold its vast fingerprint data, to a next-generation system that’s expected to be in prototype early next year. This multi-modal NGI biometrics database system will hold DNA records and more.

Grever said that fingerprints and DNA appear to be the most mature and searchable biometrics possibilities, but the FBI is working to include iris-scan records among newer biometrics technologies to identify criminals and terrorists. The plan is to share this data with authorised US and international investigative partners, as the agency does today.

The FBI’s current IAFIS database remains a workhouse; it processes about 200,000 daily transactions from its 370 million 10-fingerprint records, and it just crossed the 250 million transaction mark.

The next-generation FBI database system is under design by MorphoTrak and is expected to include DNA, iris scans, advanced 3-D facial imaging and voice scans among its multi-modal biometrics. Lower turnaround times for delivering information over wide-area networks are planned. The goal is to drop from a roughly two-hour response time for IAFIS urgent requests to less than 10 minutes.

But FBI officials acknowledged there’s still a lot of research and development that needs to be done to reach its NGI goals. One goal is to develop a rapid DNA analysis method that would provide DNA analysis in less than an hour, as opposed to several hours or even days. The FBI is cosponsoring research with the Department of Defense, which has a similar goal.

Kevin Reid, section chief for the biometrics service section at the FBI, said the FBI also wants to establish a service-oriented architecture for NGI, but it’s not clear when this would be in place to provide services related to biometrics information-sharing.

The FBI is already moving into new areas, including setting up apalm-print repository and searchable databases for scars, marks and tattoos that it will be collecting.

The FBI, under the DNA Fingerprint Act of 2005, is now allowed to collect reference-sample DNA material for biometrics analysis purposes at the time of booking, Grever said. “DNA has become a powerful and timely tool,” said Grever, adding there are no “privacy or civil liberties issues beyond those associated with fingerprints.”

Published: 6:44PM Monday September 21, 2009
Source: ONE News

New technology designed to prevent identity fraud is sparking “big brother”-like concerns.
Legislation being debated in parliament will allow Immigration New Zealand to use biometric checking to stop those who are not who they claim they are from crossing borders illegally.
But there are fears these new powers will be extended to other arms of the state.

ONE NewsAn example of biometric testing

The shape of your face, the width of your nose, iris patterns, fingerprints, the way you walk, even the way you type are unique characteristics.
It is information governments around the world are keen to collect, says Michael Bott from the Council for Civil Liberties.
“The more information the state has about you, the more they can track your movements and control you. Knowledge is power,” he says.
From the end of 2009, New Zealanders and Australians with electronic passports will have the option of using SmartGate to get through customs quickly. Your image is checked against the biometric identity data chip in your e-passport.
Advertisement
“This technology will actually pinpoint multiple points on cheekbones, nose and eye and if the distance is fractionally out it will go ‘this is not the person’,” says Customs Minister Maurice Williamson.
Under new immigration legislation making its way through parliament on Tuesday, anyone arriving in New Zealand will be required to provide biometric data.
Immigration New Zealand says biometrics could have prevented a man allegedly linked to the September 11 attackers from crossing the border. He spent four months in New Zealand before being deported.
“We, along with every other country, have been the victim of identity fraud and identity crime,” says Immigration Identity Programme Manager Aaron Baker .
ONE News has been told New Zealand has joined Canada, Britain, Australia and the United States to work more closely on managing entry visas.
Three of those countries have agreed to share biometric information. New Zealand has not yet, but is likely to do so.
Privacy concerns
A report obtained by ONE News has highlighted some of the potential threats to privacy if biometric information is shared too widely.
The new legislation allows immigration to share data with other departments if a migrant or visitor applies for a taxpayer funded service like hospital treatment.
Privacy Commissioner Marie Schroff would like to see more details around how there will be protections around that information.
There are also concerns a law that allows one government agency to collect biometric data will allow others to follow.
Overseas, the technology is already used to check the identities of drivers, prison visitors and welfare beneficiaries.
Biometric technology is becoming more sophisticated. However, there are genuine fears that the rights of citizens to privacy will be left behind as technology advances.

By Jimmy Woulfe, Mid-West Correspondent
Tuesday, September 08, 2009

A CO Limerick secondary school may be forced to drop a hi-tech fingerprint student monitoring system for breaching data protection legislation.

All 420 students at the mixed Salesian College in Pallaskenry have been fingerprinted for the new biometric system used for daily enrolment.

A fingerprint from each hand is registered on two scanners when students arrive in the morning and return after lunch.

The system cuts out an hour’s work every day compiling rolls.

However, the Data Protection Commission (DPC) said the project may contravene data protection legislation. Commissioner Billy Hawkes has contacted the school for information abut the new enrolment procedures.

A spokesman for the commissioner said they have brought to the attention of the school to guidelines set out for any school on monitoring systems.

While the guidelines do not specifically refer to finger printing, the spokesman said: “They set out the principles that have to be applied to render the collection of personal data legitimate.”

The guidelines state that the introduction of a biometric system has to get the approval of parents and each student, before being introduced.

School principal, Paddy O’Neill informed parents of the introduction of the system by way of a news letter during the summer holidays.

A private firm was commissioned to install the system. The school has refused to say how much it cost.

The DPC spokesman said they had been in contact with the school and awaiting a response, which they expect within days.

He said it seemed that the school was not aware of certain aspects of the guidelines which pertain to the introduction of biometrics in school.

It is believed that four other schools which had planned to introduce a similar system had dropped it after consulting with the DPC.

A school which went ahead with the fingerprinting system two years ago, closed it down after being contacted by the DPC.

Mr O’Neill said the system has been working very well, cutting out five hours paper work each week and giving teaching staff immediate information on who was absent.

Parents, he said, were also alerted by text that a pupil was not in attendance.

He described the fingerprint system as being better than swipe cards which could easily be lost or passed among students.

Mr O’Neill emphasised the school did not have an absenteeism problem.

This story appeared in the printed version of the Irish Examiner Tuesday, September 08, 2009

Read more: http://www.irishexaminer.com/ireland/kfauaumhqloj/rss2/#ixzz0ReLPgNWg