“For what may be the first time, fMRI scans of brain activity have been used as evidence in the sentencing phase of a murder trial”

NOVEMBER 23, 2009

fMRI Evidence Used in Murder Sentencing

By Jimmy Woulfe, Mid-West Correspondent
Tuesday, September 08, 2009

A CO Limerick secondary school may be forced to drop a hi-tech fingerprint student monitoring system for breaching data protection legislation.

All 420 students at the mixed Salesian College in Pallaskenry have been fingerprinted for the new biometric system used for daily enrolment.

A fingerprint from each hand is registered on two scanners when students arrive in the morning and return after lunch.

The system cuts out an hour’s work every day compiling rolls.

However, the Data Protection Commission (DPC) said the project may contravene data protection legislation. Commissioner Billy Hawkes has contacted the school for information abut the new enrolment procedures.

A spokesman for the commissioner said they have brought to the attention of the school to guidelines set out for any school on monitoring systems.

While the guidelines do not specifically refer to finger printing, the spokesman said: “They set out the principles that have to be applied to render the collection of personal data legitimate.”

The guidelines state that the introduction of a biometric system has to get the approval of parents and each student, before being introduced.

School principal, Paddy O’Neill informed parents of the introduction of the system by way of a news letter during the summer holidays.

A private firm was commissioned to install the system. The school has refused to say how much it cost.

The DPC spokesman said they had been in contact with the school and awaiting a response, which they expect within days.

He said it seemed that the school was not aware of certain aspects of the guidelines which pertain to the introduction of biometrics in school.

It is believed that four other schools which had planned to introduce a similar system had dropped it after consulting with the DPC.

A school which went ahead with the fingerprinting system two years ago, closed it down after being contacted by the DPC.

Mr O’Neill said the system has been working very well, cutting out five hours paper work each week and giving teaching staff immediate information on who was absent.

Parents, he said, were also alerted by text that a pupil was not in attendance.

He described the fingerprint system as being better than swipe cards which could easily be lost or passed among students.

Mr O’Neill emphasised the school did not have an absenteeism problem.

This story appeared in the printed version of the Irish Examiner Tuesday, September 08, 2009

Read more: http://www.irishexaminer.com/ireland/kfauaumhqloj/rss2/#ixzz0ReLPgNWg

Q&A: NANDAN NILEKANI

Business Standard / New Delhi September 14, 2009, 0:55 IST

There are concerns on technology, cost and privacy in the decision to allot a unique identification number to every Indian. In a talk with Karan Thapar on the CNN-IBN television channel’s Devil’s Advocate programme, NANDAN NILEKANI, who has agreed to head the newly-created Authority to plan and implement this project, concedes these are legitimate concerns. And, that these can be addressed and the project is worthwhile. Edited excerpts:

Eighty per cent of Indians have Election Commission identity cards, others have ration cards, some people have BPL cards, others have driving licences and passports, there are even PAN cards. Why on top of this do we need a unique identification number?

We need one single, non-duplicate way of identifying a person and we need a mechanism by which we can authenticate that online anywhere, because that can have huge benefits and impact on public services and also on making the poor more inclusive in what is happening in India today.

In addition to name, age, sex, date of birth and address, you actually have the biometrics which are unique to that individual?

Absolutely. It is a combination of, most probably, fingerprints and picture and a biometrics committee will finalise that, but finally that makes it unique. And we will make sure there are no duplicates.

The London School of Economics (LSE) did an analysis of a similar project being considered by the British government and this is their conclusion: “The technology envisioned for this scheme is, to a large extent, untested and unreliable. No scheme on this scale has been undertaken anywhere in the world. Smaller and less ambitious systems have encountered substantial technological and operational problems that are likely to be amplified in a largescale national system.” IIf that is true of Britain, it has to be true of India in spades.
There is no question that we are going into uncharted territories, the technological challenges are immense and one of the risks is the technology.

Not just uncharted territory, this could end up being a case of India’s ambition outstripping its ability. Even today, we can’t issue identity cards with a guarantee that the name is correct or the address isn’t misspelt. We could end by making a complete hash of biometric details.
There are risks but, given the enormous opportunity and developmental benefits it can give, it’s worth taking on so that we get the outcomes we want.

You accept the technology is not just uncharted but not actually fully known?
There is no other country where a billion peoples’ biometrics have been captured and stored in an online database. We don’t have to invent the technology; we have to scale up the existing technology to work at this scale.

The second problem inherent is cost. Once again, the LSE did an analysis of a similar project the British government was thinking of and that is a country one-twentieth the size of India. The LSE concluded the probable cost for Britain would be between 10 and 20 billion pounds. Frontline magazine believes the government in India has a guesstimate of somewhere around Rs 1.5 lakh crore. Is it worth it at that cost?
I don’t know what the exact figure is, but it is much less than that by a factor of 10.

If you don’t know the exact figure, how can you say it is lesser by a factor of 10?
The bulk part is certainly going to be lesser than that.

But it’s a guess?
An informed and educated guess.

So, we don’t know what the exact cost will be?
We don’t know, but I am very confident that whatever the cost, the social, economic and efficiency benefits would make it well worth it.

India is a poor country. This order of money could be better spent if you expand education, health and sanitation, or if you use it to feed the 40 per cent of Indian children who are chronically malnourished.
We don’t want to take away money from important social programmes. But, as we expand our social programmes, their efficiency depends on their reaching the right people and that there are no duplicates taking away the benefits. You need the infrastructure at the bottom to make that happen.

You can only target better those actually availing the benefits but not receiving these fully. Take BPL. The real problem is not leakage, but that there is a vast number who qualify and are not included in the BPL threshold at all. How will you be addressing the second problem?
Today, in a particular state, there may be more BPL cards than the population of the state, because there are multiple cards issued to an individual. With the UID, you will be able to actually trim that down to one card per individual and therefore we will actually know who is not getting this now.

But you can’t identify those who should have BPL cards and do not because they are outside the system, they have been ignored. Technology won’t improve that.
This (UID) is not a panacea for all the problems. This is an enabler which will allow more effective public delivery.

Which is why the order of money involved could be better spent in targeting education, sanitation and health, not to mention child malnutrition, because you would actually then get real benefits rather than what I am describing as notional benefits.
In a country where we are spending Rs 1,00,000-2,00,000 crore a year on different kinds of subsidies and social benefits, to make investment which is a part of that, one-time, to make those investments more efficient, is definitely well worth it.

Is it a one-time investment? Frontline magazine says the government’s estimate of Rs 1.5 lakh crore does not include recurring cost. And we don’t know by how much.
On the scale of money that we spend on public programmes and the ability of the project to deliver better public programmes, it will be well worth it.

I put it to you again, there are so many imponderables about technology, size and cost, that is it wise for a poor country like ours, where there are huge levels of poverty (the Arjun Sen Gupta Committee report says 80 per cent of India live under Rs 20 a day), to be spending this sort of money on this project?
The government has come to the conclusion that this project is strategic and worth it. I have been invited to lead this project. I believe it is viable and I will do my best to make it viable.

How can you ensure the database you are creating will be secure, that it won’t be misused and won’t result in an invasion of privacy?
A very legitimate concern. We are looking at how to make it secure. We are saying nobody can read this database. All they can do is verify the authenticity of an identity. You can ask a question like, is X, X? and the only answer we will give is yes or no. But there is no question that once the UID is implemented and becomes ubiquitous in many applications, then there are challenges of privacy. And, with this project, we have to put in other checks and balances, including laws.

Professor Ian Angle of the LSE, a world renowned authority on precisely the creation of such a database, says with relevance to England, and it will apply even more to India, that what you are going to end up with is the “Olympic games of hacking”. You are going to provide people the biggest challenge to hack through. No one believes in the perfectability of computers, so hackers will hack and succeed.
A legitimate concern and we will have to design it as good as possible. The important thing is — is the risk of hacking and privacy large enough not to do this project? And the view is that the project has so many significant benefits for the poor, in making it inclusive and in giving them a chance to participate in the country’s progress, that it is worth it and we have to mitigate those risks.

You are creating a system which, in the wrong hands, would be a powerful tool for either religious or caste profiling. How can you ensure unscrupulous politicians won’t misuse it?
We are not keeping any profiling attributes in our database. No details of people’s caste?
No. In which case, how can you say to me that you will better target benefits at BPL and other categories? If you don’t know someone is SC or ST, if you don’t know they are OBC, how can you ensure better targetting?
That is the responsibility of the applicant that provides those services.

So, then they will add in that feature into your detail?
That is outside our system. Our system has only basic attributes like the name, address, date of birth. You are creating a weapon which you may not misuse but others could?
Today, we have electronic databases in the country which potentially can be used the way you are suggesting. We are not doing something different from what already exists.

In the UK, the US and in Australia, because the authorities couldn’t respond to public concerns about misuse, they have effectively put on the backburner consideration of similar schemes. If developed countries cannot tackle misuse, how can India, where 35 per cent of the people are illiterate and 22 per cent live below the poverty line?
What these developed countries have put on hold is giving national ID cards to people. But both the US and UK, have a number. In the US, you have the social security number; in the UK, there is the national insurance number. They already have a numbering system, which is what we are going to propose.

Except that it is nowhere near as extensive or as complete in terms of the biometeric details as what you are proposing in India. The national insurance in Britain has been around and developing slowly but it doesn’t have any details that could lead to an invasion of privacy. It doesn’t have any details that can be misused for profiling. Yours could have both.
These are legitimate concerns and we have to address them. But the social benefit, the inclusivity, this project will provide for the 700 million people in this country who are outside the system is immense enough to justify doing this project.

How will you handle the inevitable problems of internal migration or illegal immigration? How will you ensure the wrong people aren’t captured in your system and given an identity and made Indian?
Having this number does not confer any rights, benefits or any entitlements. All it does is confirm that X is X.

There are 100 ways of doing that. Why are we spending close to Rs 1.5 lakh crore just to be able to claim X is X?
To have a system which uses a unique identifier like biometrics, having a system which ensures there are no duplicates and having a system that provides online authentication is, we believe, something that can have a lot of social benefits for the poor.

The LSE conclusion, when they reviewed a potential British concept along the lines of what you are doing in India, was: “The success of a national identity system depends on a sensitive cautious and cooperative approach involving all key stakeholders, including an independent and rolling assessment and regular review of management practices”, and the LSE concluded that did not exist in the UK. If it does not exist there, that environment certainly doesn’t exist in India.
We are trying to make sure all the checks and balances are there. We will have a very wide consultative process. We will involve everybody. We will make it public. All these are legitimate concerns and we have an obligation to meet these concerns

Michael (Micha) Shafir the Founder & Inventor of Innovya
Traceless Biometric technology, is demonstrating to Governor
Kaine, how easy, stored information can be leaked out without
connection to any public network, and why it is so dangerous
to collect sensitive Biometric Information about innocent citizens.
Proving that there is no better security for sensitive data
than not collecting it in the first place.

12 Sep 2009, 1824 hrs IST, ET Bureau

NEW DELHI: In view of the National Unique ID project initiated by the government, and its bearing on the smartcards, RFID, biometrics, e-Security

sectors in India, SmartCards Expo 2009 has been organised in the capital from September 11-12.

The government may use biometric features like iris scan and hand geometry for recording secondary details for the National UID project, said officials at the SmartCard Expo 2009. Face readers which can scan even the face of a hijab clad woman, or a man wearing a beard from his or her original face, new smart cards, iris scanners and printing technology, were showcased at the event in this regard.

Technology majors like NXP, ST Microelectronics, Texas Instruments, Sagem, Base Systems, Bartronics, Lipi Data Systems Ltd, HiTi Digital, Infineon participated in the event. However the absence of any representative of the UIDAI (Unique ID Authority of India) was severely felt at the event, inspite of the importance of this Conference, which was fully devoted to the subject of UID.

Greg Pote, Chairman, Asia Pacific Smart Cards Association mentioned the in his view, various governments are still searching for what they can do with the national ID cards beyond ID. But most governments have a privacy commissioners and monitors, and they limit what the government can do with the details. He said that the registration number is the key driver for the card. That creates problems, with resistance from privacy bodies. His estimate is that smart cards in India are 5 years behind Europe.

Dr B K Gairola, Director General, National Informatics Centre touched upon the role of the government and the importance of the UID Project to India as a whole. He mentioned the it is like a 16 lane highway on which all applications could ride. He talked about the earlier experience of the MNIC – Multi Application National ID Project and also the importance of the creation, operation and maintenance of a Unique ID Database and the challenges associated with it.

Accenture’s Ravinder Pal Singh mentioned that Bluecasting might be a better alternative to start with because people have mobile phones, especially in villages in north India. Mobile phone is much more authentic and secure, according to him.

Biometrics involving fingerprints and other biometrics feature such as face recognition, DNA shape identification, etc were also extensively discussed.

Gemini Ramamurthy, Chairman of Cyber Society of India said that a set of 12 parameters has been issue by the UID, but the only parameter that cannot be duplicated is the biometric one. While it is important to achieve uniqueness in identification of persons, it is equally or more important to be able to establish secure identification. This means the identification of a person has to protected against misuse.
The challenges to the ID project are many. Mere possession of a unique identification number belongs to that person. It has to be established beyond doubt that the particular unique identification number belongs to the particular person and no one else. In other words, there should be a secure way to ensure that no other person can carry that identification number.

And then, if these security features have to be matched with the database contents of a particular individual, it requires a very efficient and robust facility of data base storage and retrieval with a highly reliable remote connectivity.

A more plausible is to provide a smart card, which will carry the unique identification number and the various additional security features that can be checked to further establish the uniqueness of identification of the individual. Many countries have already implemented smart card based identification programmers emphasizing the unparallel security provided by smart cards.

The government is thus considering splitting the UID database into two sets of paramters – the primary database will be accessible on the Internet and used for access purposes and verification, while the secondly database is likely to be kept offline, and in multiple formats, and be used only if the primary data is in dispute. Secondary data could have multiple biometric features including Iris scan, hand geometry, and additional data including names of grandparents and great grandparents, because the hacker may not be aware of these things, Mr Ramamurthy added. Since the UID data is in digital form, it may be useful to include an email ID as an additional data parameter.

“The appropriate audit trail, and what was the value of the data before and after the access needs to be stored, as well as the mode of access to that data. These should be available for judicial scrutiny, and certified for integrity. Companies from countries suspected of cyberwarfare against India should be avoided in case of this project.” Mr Ramamurthy said adding that a pilot project for the UID is being planned in Bangalore.

An eminent panel of experts debated with a sizable audience about the UID andtechnologies of relevance to India. The Panel was chaired by Pradeep Kumar, Vice President, Asia Pacific, STMicroelectronics. Panelists were from Sagem Securite, WYSE Biometrics, UNISYS, Bartronics, NXP Semiconductors, Barnes International, and ASK France.

What a shock: Your e-passport isn’t secure after all

By Bryce Longton – BlackBook Magazine

The US State Department is backpedaling like crazy from their earlier statement that the RFID-enabled passports are safe and secure. In fact, now they’re urging travelers to keep these passports in “radio-opaque sleeves” to protect owners from having their information skimmed by unauthorized readers within a 30-foot range. The State Department’s warning comes with the caveat that “hackers won’t find any practical use for data,” because personal information is encrypted. But that encryption has already been cracked.

As Marc Rotenberg, executive director of the Electronic Privacy Information Center, notes, “By obliging Americans to use these sleeves [...] the government has, in effect, shifted the burden of privacy protection to the citizen.” Who wanted an RFID-chipped passport anyway? No one knows. But if you do happen to have one, do what Mark Ashley of Upgrade: Travel Better suggests “Break the chip. Pound it with a hammer.” I’ll add in there, as a message to the government: if it ain’t broke, don’t fix it.