Liberal Democrats in Scotland are fretting over the use of biometric technology in Scottish schools, fearing it might lead to children thinking it is normal to give identity information to achieve simple tasks, such as paying for school meals.

28 December 2010

Liberal Democrats in Scotland are fretting over the use of biometric technology in Scottish schools, fearing it might lead to children thinking it is normal to give identity information to achieve simple tasks, such as paying for school meals.

After national ID cards, curtailing such activity in schools is one of the Liberal Democrats’ stated aims, despite the fact that such systems – when installed responsibly – can help alleviate bullying, theft of money or preloaded cash cards, and the stigma of having free lunches. Meanwhile, in many schools, it is also helping to secure access to sensitive places such as nurseries and primary schools, so ensuring only authorised adults and children are allowed entry.

The information was obtained through the use of Freedom of Information requests. The political party said that 68 schools across Scotland – just a fraction of the total – use biometric ID systems, while there are another 10 that have the capability but do not use it at present.

Biometric ID systems are used by schools to get access to libraries and to pay for school meals. Meanwhile, in one secondary school in West Lothian there is a hand pad system in place for primary school pupils housed there temporarily to gain access to toilets. (We suspect this is a hand or finger geometry system rather than an expensive palmprint system. This would mean that only simple information is captured, such as length and width of fingers, not the palmprint itself – similar to the type of system being used by resorts such as Disney in Florida.)

The Liberal Democrats point out that if fingerprint technology is used, an image of the child’s fingerprint is not kept. “What is kept is a representative template”, which is “widely recognized” as “harmless and certainly not useful to law enforcement agencies” (this is often where the stigma behind fingerprinting comes in).

Despite acknowledging that fingerprint images are not stored, Liberal Democrat Justice spokesman Robert Brown curiously goes on to comment: “Public bodies have shown in the past that they are not always to be trusted with sensitive personal data. If the finger or palm prints of children as young as 4 years old got into the wrong hands, it could have significant consequences. Do we really want this sort of intrusive information taken from young children?”

Even more curiously Brown then compares these simple access control systems to plans for ID cards. He comments: “Liberal Democrats in Government have scrapped the invidious plans for ID cards. We really don’t want to see this coming in through the backdoor through Scottish classrooms.”

Sadly this is political scaremongering at its worst. The insinuation – presumably - is that children will become used to giving their fingerprints at school, and will therefore see it as normal if any future government wanted to resurrect the idea of a national ID card.

Extrapolating this line of thought for a moment shows how futile such a comparison is. One wonders how many children this year received laptop computers with “cool” embedded fingerprint technology. One wonders whether children realise how many cameras now use facial recognition technology to make handling images easier – a technique now being rolled out by Facebook. One wonders if the majority of parents really object to systems that make their precious children a little less vulnerable from bullying and the threat of intruders. One wonders if the parents of those objecting possess objects such as passports, bank cards, library cards, work ID cards – or the most privacy-invasive cards of all – store loyalty cards.

Michael (Micha) Shafir the Founder & Inventor of Innovya
Traceless Biometric technology, is demonstrating to Governor
Kaine, how easy, stored information can be leaked out without
connection to any public network, and why it is so dangerous
to collect sensitive Biometric Information about innocent citizens.
Proving that there is no better security for sensitive data
than not collecting it in the first place.

12 Sep 2009, 1824 hrs IST, ET Bureau

NEW DELHI: In view of the National Unique ID project initiated by the government, and its bearing on the smartcards, RFID, biometrics, e-Security

sectors in India, SmartCards Expo 2009 has been organised in the capital from September 11-12.

The government may use biometric features like iris scan and hand geometry for recording secondary details for the National UID project, said officials at the SmartCard Expo 2009. Face readers which can scan even the face of a hijab clad woman, or a man wearing a beard from his or her original face, new smart cards, iris scanners and printing technology, were showcased at the event in this regard.

Technology majors like NXP, ST Microelectronics, Texas Instruments, Sagem, Base Systems, Bartronics, Lipi Data Systems Ltd, HiTi Digital, Infineon participated in the event. However the absence of any representative of the UIDAI (Unique ID Authority of India) was severely felt at the event, inspite of the importance of this Conference, which was fully devoted to the subject of UID.

Greg Pote, Chairman, Asia Pacific Smart Cards Association mentioned the in his view, various governments are still searching for what they can do with the national ID cards beyond ID. But most governments have a privacy commissioners and monitors, and they limit what the government can do with the details. He said that the registration number is the key driver for the card. That creates problems, with resistance from privacy bodies. His estimate is that smart cards in India are 5 years behind Europe.

Dr B K Gairola, Director General, National Informatics Centre touched upon the role of the government and the importance of the UID Project to India as a whole. He mentioned the it is like a 16 lane highway on which all applications could ride. He talked about the earlier experience of the MNIC – Multi Application National ID Project and also the importance of the creation, operation and maintenance of a Unique ID Database and the challenges associated with it.

Accenture’s Ravinder Pal Singh mentioned that Bluecasting might be a better alternative to start with because people have mobile phones, especially in villages in north India. Mobile phone is much more authentic and secure, according to him.

Biometrics involving fingerprints and other biometrics feature such as face recognition, DNA shape identification, etc were also extensively discussed.

Gemini Ramamurthy, Chairman of Cyber Society of India said that a set of 12 parameters has been issue by the UID, but the only parameter that cannot be duplicated is the biometric one. While it is important to achieve uniqueness in identification of persons, it is equally or more important to be able to establish secure identification. This means the identification of a person has to protected against misuse.
The challenges to the ID project are many. Mere possession of a unique identification number belongs to that person. It has to be established beyond doubt that the particular unique identification number belongs to the particular person and no one else. In other words, there should be a secure way to ensure that no other person can carry that identification number.

And then, if these security features have to be matched with the database contents of a particular individual, it requires a very efficient and robust facility of data base storage and retrieval with a highly reliable remote connectivity.

A more plausible is to provide a smart card, which will carry the unique identification number and the various additional security features that can be checked to further establish the uniqueness of identification of the individual. Many countries have already implemented smart card based identification programmers emphasizing the unparallel security provided by smart cards.

The government is thus considering splitting the UID database into two sets of paramters – the primary database will be accessible on the Internet and used for access purposes and verification, while the secondly database is likely to be kept offline, and in multiple formats, and be used only if the primary data is in dispute. Secondary data could have multiple biometric features including Iris scan, hand geometry, and additional data including names of grandparents and great grandparents, because the hacker may not be aware of these things, Mr Ramamurthy added. Since the UID data is in digital form, it may be useful to include an email ID as an additional data parameter.

“The appropriate audit trail, and what was the value of the data before and after the access needs to be stored, as well as the mode of access to that data. These should be available for judicial scrutiny, and certified for integrity. Companies from countries suspected of cyberwarfare against India should be avoided in case of this project.” Mr Ramamurthy said adding that a pilot project for the UID is being planned in Bangalore.

An eminent panel of experts debated with a sizable audience about the UID andtechnologies of relevance to India. The Panel was chaired by Pradeep Kumar, Vice President, Asia Pacific, STMicroelectronics. Panelists were from Sagem Securite, WYSE Biometrics, UNISYS, Bartronics, NXP Semiconductors, Barnes International, and ASK France.

By Tom Espiner ZDNet.co.uk

Posted on ZDNet News

Security expert and BT chief security-technology officer Bruce Schneier has attacked the US-Visit border-biometrics program, saying it has had “zero benefit” in terms of security.

Speaking to ZDNet UK last week, Schneier said that there was little evidence that the US-Visit program, which takes fingerprints and retinal scans from all visitors to the United States, had made any impact on reducing the threat from criminals and terrorists.

“If the Department of Homeland Security had apprehended any terrorists [through US-Visit], they would have kicked up a huge press stink,” said Schneier. “There has been zero benefit from the program.”

A long-time critic of the US-Visit program, Schneier first questioned the cost-effectiveness of the scheme in 2006. At the time, just under 1,000 people had been apprehended for criminal or immigration violations, yet the program had cost $15 billion (£9.4bn) up to that point.

“Take that $15 billion number,” wrote Schneier in a 2006 blog post. “One thousand bad guys, most of them not very bad, caught through US-Visit. That’s $15 million per bad guy caught. Surely there’s a more cost-effective way to catch bad guys?”

However, Robert Jamison, undersecretary at the US Department of Homeland Security’s National Protection and Programs Directorate, which oversees US-Visit, told ZDNet UK at the RSA Conference Europe 2008 on Wednesday that the border-biometrics program had been effective.

“There have been several instances of someone applying for entry under one name, being denied, applying under another name, and again being denied [due to biometrics records],” said Jamison. “In a few cases, criminal activity and, in some cases, terrorist activity have been prevented.”

Jamison declined to say exactly how many terrorists had been caught as a direct result of the program, saying the information was “classified”. However, Department of Homeland Security figures show that more than 2,400 immigration “violators” and criminals have been identified since the inception of the program in January 2004.

In February, US-Visit was claimed to have helped identify two terrorist suspects, now being held in Iraq, from fingerprints lifted from an improvised explosive device.

Security bypassed by researcher.

By Jeremy Kirk, IDG News Servic

A security expert has cracked one of the U.K.’s new biometric passports, embarrassing the British government which has touted as a way of cutting down cross-border crime and illegal immigration.

The attack, which uses a common RFID reader and customised code, siphoned data off an RFID chip from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said.

“That’s the really scary thing,” said Laurie, whose work was detailed in the Sunday edition of the Daily Mail newspaper. “There’s no evidence of tampering. They’re not going to report something has happened because they don’t know.”

The British government, which began issuing RFID passports about a year ago, eventually wants to incorporate fingerprints and other biometric data on the chips, although privacy activists are concerned over how data will be stored and handled.

Currently, the chip contains the printed details on the passports, the person’s photograph and security technology to detect if those files have been altered.

The attack was executed while the passport was still in its original envelope used to send it from the passport service, since RFID chips can be read from a few inches away, Laurie said. He used a passport ordered by a woman affiliated with No2ID, a group that opposes the U.K.’s biometric passport and ID card programs.

The data on the passport’s chip is locked until an RFID reader provides the encryption key, Laurie said. The encryption key is calculated using a combination of the person’s personal data, such as date of birth, and is contained in the “machine-readable zone” (MRZ) – the string of characters and digits on the bottom of the passport’s first page.

At an immigration desk, the optical character reader scans the MRZ and gets the key. The RFID chip is unlocked, and the information on the chip is matched with that on the passport.

However, Laurie was able to do this process himself. He analysed ICAO 9303, the standard from the International Civil Aviation Organization that been adopted worldwide for machine-readable passports, to see how the MRZ was organised.

Laurie also knew some of the woman’s personal details – used to calculate her passport’s key – and found out more through Internet research.

He then wrote what’s known as a “brute force” program, which repeatedly tries different combinations of data to discover the key. After about 40,000 attempts by the program, he cracked the key.

To scan the chip, he used a common RFID reader from ACG ID, now part of Assa Abloy Identification Technology of Germany.

The attack could then let Laurie begin the process of making an exact copy of the woman’s passport.

The biometric passport had been sold to the world as something that increased the security of the passport, “but so far I don’t see anything about it that increases my security,” Laurie said.

The greatest weakness with the passports is using relatively easy-to-find data to compose the encrypted key, Laurie said. It would be better to include more random elements that would render brute-force style programs nearly useless, he said.

Laurie’s work spawned from concern over how users can know what’s on their passport’s chip.

“At the moment, if you want to see what’s in your own passport, you have to go to passport office,” Laurie said. “With my code, you can do it at home.”

Laurie has published a library of open-source tools written in the Python programming language that will run on RFID readers made by ACG and by Frosch Electronics OEG, based in Austria.