66

The Israeli Minister of the Interior is pushing legislation to introduce biometric IDs. On the one hand I hear his argument that it can help to prevent identity theft. On the other hand, something makes me very nervous about having my biometric "password" in the hands of any government. And I worry what will happen if a hacker somehow steals that "password", because I can't change my DNA and get a new password.

My discomfort is largely emotional, though, because I don't fully understand the real risks of biometric IDs.

Can anyone please explain clearly what the risks are, if any, with biometric systems?

D.W.
  • 98,420
  • 30
  • 267
  • 572
Shaul Behr
  • 1,027
  • 1
  • 9
  • 16
  • I know nothing about the Israeli proposal but note that a biometric ID scheme does not necessarily imply the creation of a centralized database containing all these data. That's how biometric passports work in Europe, as far as I know. – Relaxed Apr 17 '15 at 10:03
  • In Europe the passports have NFC chips inside which contain biometric data, and I suppose how this data is used is that when they have suspicions whether you're really the owner of the passport they "measure" your biometric data (fingerprints, etc) and then compare to what's stored in the passport. This doesn't require a central database, but I don't know if such database exists nonetheless. –  Apr 17 '15 at 14:20
  • 9
    Just because it's not known to the public doesn't mean it doesn't exist... I have read news saying that the NSA were collecting high quality photos of people to use in facial recognition software, so why not biometric data? You can easily fool facial recognition but not biometric sensors – Freedo Apr 17 '15 at 18:41
  • 1
    1. "What are the risks?" is a pretty broad question. One could write an entire book about the topic, and people have. The question might be more suitable if you can narrow this question down to one about a specific biometric technology. 2. There's a lot written about the risks of biometrics. What research have you done? We expect you to [do a significant amount of research before asking](http://meta.stackoverflow.com/q/261592/781723), and to show us what research you've done in the question. See http://security.stackexchange.com/help/how-to-ask. – D.W. Apr 17 '15 at 22:56
  • 1
    3. "Should I be resisting/joining campaigns resisting this legislation?" is a subjective question that is not suitable for this site. (Opinion polls are not suitable.) I've edited your question to remove that part. Please see http://security.stackexchange.com/help/dont-ask for guidance about how to ask questions that are suitable for this site format. Feel free to edit your question to improve it further, after reading those guidelines. – D.W. Apr 17 '15 at 22:59
  • Submitting for reopen. @D.W. I hear your criticisms, and I acknowledge that according to the "rules", you have a fair point. Nonetheless, I humbly suggest that when a question racks up 2,500 views, 47 upvotes and 6 favorites within 48 hours, the community is saying loud and clear, "This is a good question, and we are also interested to hear what the experts have to say." I therefore submit that this is an occasion to relax the rules somewhat and let the community have what it wants. – Shaul Behr Apr 19 '15 at 07:03
  • 1
    @ShaulBehr, I suggest that you post on Meta and make your case there; that's a better place to have a discussion than in the comment thread here. (My take: In general, there is no exception to the rules for popular questions. And in this case, this question made it on Hot Network Questions, which is known to distort vote counts and view counts; those have to be interpreted with special care for questions that are featured on Hot Network Questions. See e.g. http://meta.security.stackexchange.com/q/1585/971.) But the community could discuss it, on Meta. – D.W. Apr 19 '15 at 07:16
  • @D.W. Meta question [here](http://meta.security.stackexchange.com/q/1772/16786) – Shaul Behr Apr 19 '15 at 07:54
  • Not sure I see any of the answers addressing what would happen if a hacker got their hands on a biometric password - I find it unlikely that a hacker could change their DNA, fingerprint, or eye scan in order to match what they found, so what could they actually do with it? steal your index finger? (more of a physical issue than a cyber-hacking issue) – user2813274 Jun 23 '15 at 15:24

6 Answers

38

A few thoughts about that:

  • Biometric data is easy to access and should not be used as a password, only as additional authentication.
  • As Freedom explained quite well your government already tracks you.
  • Biometric data like fingerprints are mostly not stored as raw images but in form of hashes. An algorithm extracts certain characteristics. You cannot restore your fingerprint from this data. Still, it might be possible to trick some authentications with this data.
  • Biometric data could be misused. DNA markers could contain information about medical issues or ancestry. Currently forensic teams are trying to reconstruct how a person looks from their DNA.
  • Data that is not needed should not be stored. Especially not centralized.

I am against this because: Freedom before Fear.

Update because of comments

With "Freedom before Fear" I tried to translate the German "Freiheit statt Angst" slogan. We tend to give up freedom because we fear terrorism and crime. The freedom is in this case the control over your private data. Data you cannot change. Data that defines who you are. This data might stop someone from copying a passport or it might not. In any case it does not stop terrorism, but it does create the risk that the data is misused.

A database of DNA where you could look up all foreigners. What could a dictator do with this? A database that tells an insurance that you could get a sickness. Who knows what will be possible with this data in the future?

If you create such a database there is always a chance it will be used for evil. How and in what way is impossible to tell but it would not be good for you.

PiTheNumber
  • 5,394
  • 4
  • 19
  • 36
  • 7
    Can you please elaborate on the slogan "Freedom before Fear"? You've given a great rational cost/benefit analysis above, but the final line seems to fall back to an emotional argument. What, specifically, is the "freedom" that you're concerned about losing? And do you not feel that the "fear" of identity theft is a clear and present danger? – Shaul Behr Apr 17 '15 at 09:55
  • I fully agree with @ShaulBehr. I can't link the slogan you quote, the argument you make and that weird statement of position you conclude your answer with. Please clarify. – Stephane Apr 17 '15 at 09:57
  • 3
    @ShaulBehr I added some more text. Identity theft is possible and will still be possible. This database does prevent it in some cases, but it also creates new threats to fear. You have to decide for yourself what risks you are willing to take. – PiTheNumber Apr 17 '15 at 10:32
  • Thanks for your additional comments. In our particular case, they only want to use a photo and two fingerprints. Do you feel that this poses any risk in the event that a future government goes full totalitarian on us? – Shaul Behr Apr 17 '15 at 11:48
  • 3
    @ShaulBehr: Most documents already have a photo of you. As for the fingers, if the *government goes full totalitarian*, you can always cut them off. Be glad they're only asking for two. – Daniel Apr 17 '15 at 18:12
  • This answer has some good material but I recommend you radically edit it to focus on the technical question here: what are the risks? I see two parts of the answer that try to articulate the risks: the bullet item beginning "Biometric data could be misused", and the last two paragraphs of the answer. The remainder of the answer is a combination of an appeal to emotion and generic, tangential comments about biometrics that don't really answer the question about risks; I suggest those parts be edited out. Would you like me to have a try at editing it? – D.W. Apr 17 '15 at 23:05
  • 1
    I would've translated that slogan to *Freedom over Fear*, but [it seems](http://de.wikipedia.org/wiki/Freiheit_statt_Angst) they've chosen just *Freedom not Fear* in English. – Bergi Apr 18 '15 at 20:23
  • @Bergi I would go with *Freedom over Fear* too. – PiTheNumber Apr 20 '15 at 12:11
19

Based on the linked article, the biometrics to be used in this proposal are similar to what was used in the recent past on Georgia (US) drivers' licenses: a photo and fingerprint data. So this move would not be entirely without precedent.

The linked article is a little short on details, so it is hard to assess what the risks to the individual might be without researching the exact provisions of the proposed law. But certain hypothetical scenarios seem relevant:

  • The law could require or allow government escrow of biometric data (photo and fingerprints)
  • The law could require human-readable representations of biometric data to be printed on the ID itself (photo and fingerprint image)
  • The law could require machine-readable representations of biometric data to be printed on the ID itself in one or more forms:
    • Optically readable (i.e. a bar code or CQ code)
    • Radio or magnetic echo, requiring only close proximity (i.e. RFID)
    • As an embedded data storage device with a physical interface

Government escrow of biometric data carries obvious privacy and security concerns for the individual:

  • Possession of the data itself is an inherent violation of individual privacy and dignity, unless participation is free and voluntary on the individual's part. In today's culture, this point is often overlooked or trivialized, but I argue that it really is "just plain creepy" for government to collect highly personal data on the individual, and it's OK to feel that way.
  • The declared and intended uses of the data must be considered. Usually, these are reasonable enough, and even beneficial to the individual (such as fraud prevention).
  • The undeclared but possible uses of the data must be considered:

However, as a practical matter, it must be asked whether the government likely already possesses your photo and fingerprint data, and if they do, what restrictions on its use are in place today; and how those compare with what is being proposed.

The technical features of the proposed passport, combined with the types of information included on it, greatly affect the degree of risk to the individual.

  • RFID readability of personal data would be highly dangerous. Even a passport kept safely inside a purse or briefcase could be read by someone nearby with the right equipment, or by a stationary waypoint. Washington State (US) claims that their enhanced driver's license only allows a successful attacker to obtain an opaque ID number. But that ID number is still unique to the individual, and even if retrieving details like name and home address directly is difficult, it could still be possible to correlate the ID number itself to other non-government sources, or track appearances and behaviors of that ID number. (Essentially, Washington State's driver's license has all the same privacy issues as cookies on the web, except you can't clear it with developer tools. In an admission of how bad their scheme is, they offer "protective sleeves" for them.)
  • Optical bar codes or CQ codes, or magnetic stripes, have all the same issues as RFID except that they require being able to see or touch your device. At least you can keep the device from being read without your knowledge, as long as you have it on your person and hidden from sight.

Next to consider is, what can "bad guys" do with your biometric information once they have it? And can they get the same information without getting it from your passport or from the government? These answers will depend greatly on the societal effects of introducing this mandatory system, and are hard to predict.

A very strong argument against mandatory biometric identification in general, that applies directly to this proposal, is that in order to be useful, biometrics must be immutable; but that is exactly what makes them risky for the individual. If someone guesses or obtains my password to a website, I can hopefully (if the site design is good) change it. But I can't change my fingerprint or my likeness or my retina or iris. If someone manages to obtain and use that, it's forever compromised.

Finally, and importantly, does the use of this biometric system provide an incentive for "bad guys" to kidnap you or amputate parts of your body? People I know who prefer not to think about security issues frequently laugh at me when I ask this. But it is a serious question, because I would much rather somebody steal my wallet than my index finger in order to get to my bank account. But in the case of a photo and fingerprint being used for a passport, it is not clear whether this applies.

Should you be afraid? I don't know enough to answer directly about what other uses of fingerprints specifically are common in Israel today, or what kind of culture of information-sharing exists or could spring up in order to exploit such a thing. Frankly, I can think of much worse plans.

wberry
  • 624
  • 3
  • 6
  • You came in late, after the "Hot Network Questions" viewing frenzy, so you missed out on most of the upvotes. But I'm going to give you the answer credit for giving the most detailed and helpful explanation of the risks. Thanks! – Shaul Behr Apr 19 '15 at 10:35
  • 1
    [CQ codes?](https://en.wikipedia.org/wiki/CQ_(call)) Did you mean [QR codes](https://en.wikipedia.org/wiki/QR_code), or is this something different? – jpaugh Mar 30 '18 at 14:10
11

The government already has your photos, your fingerprints, your birth certificate, it knows where you live and what you have by taxes and the bills or otherwise you wouldn't officially exist. They can track you in public places using facial recognition with cameras, snoop in your internet traffic, listen to your calls, read your SMS... after all that do you really think they need biometric IDs and passports to track you any further?

Walking the streets with a biometric ID in your jeans won't make you any more traceable than your phone with GPS. On the other hand, it can make faking an ID and passport much more difficult (nothing is impossible with money and determination), and this would only be bad for spies, terrorists, etc. trying to travel with a fake passport and ID and things like that, nothing that a normal citizen would need to worry about. But I know... I don't like it either, but we must be realistic.

I would worry much more about Microsoft trying to get everyone's biometric data with Windows 10 than about the government, since a private company not famous for its security is far more disturbing (the same goes for other companies too).

Although if many companies' sites, etc. start changing the usual passwords to biometrics, then it's a problem, since the government will be able to log in easily to anything. So maybe it's better to stick to the old fashioned passwords.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
Freedo
  • 2,253
  • 5
  • 18
  • 28
  • 5
    That last edit is perhaps the first concrete argument I've heard against the government having your biometric ID. OTOH, wouldn't the same principle allow Company A to log into your account at Bank B using your biometric ID? – Shaul Behr Apr 17 '15 at 07:30
  • Does the biometric ID work like a password? Is it stored in each and every Company's / Govt.'s databases? If so, this would be akin to using one password for all your services and even your identity like passport. This would be a complete disaster then. – Pavin Joseph Apr 17 '15 at 07:39
  • 15
    That last element is an artifact of the incorrect use of biometrics. It's NOT supposed to be a password or key. The closer you'd get could be a hash or HMAC. It allows someone to VERIFY an identity by taking a MEASUREMENT. – Stephane Apr 17 '15 at 07:51
  • So @Stephane, to be clear, are you saying that the government (or any other entity that has my biometric credentials) will *not* in fact be able to use those credentials elsewhere, but rather that this just means they'll have a hash to verify my identity? – Shaul Behr Apr 17 '15 at 08:22
  • 1
    I'm saying that, with properly designed biometric system, they can't use them without building a false source of biometric data (i.e. a "false you"). The catch, of course, is that this assume biometric authentication systems are properly designed. But it's still not the same as giving away your passwords. – Stephane Apr 17 '15 at 08:28
  • 2
    "Walking the streets with an biometric ID on your jeans won't make you anymore traceable than your phone with GPS" - you can get new phones, presumably not new biometrics. The phone says "someone was here" (or "Jane Smith was here" if you tell it you're Jane Smith), the ID always says "Jane Smith was here" – user253751 Apr 17 '15 at 11:29
  • 3
    I wonder if in the future we'll have killer robots hunting people based on their biometrics. Might make a nice movie. – Daniel Apr 17 '15 at 18:21
  • 1
    @Stephane I hope so... but isn't Microsoft trying to do that already with Windows 10? I read you could use your biometrics to log in... and don't iPhones already do that with the fingerprint thing to unlock the screen? I think you should avoid using your biometrics that way and use only strong passwords – Freedo Apr 17 '15 at 19:07
  • 1
    @Daniel - we already have one. It's [Fahrenheit 451](https://en.wikipedia.org/wiki/Fahrenheit_451) – Deer Hunter Apr 17 '15 at 19:10
  • Having a phone with GPS isn't compulsory ... and neither is narrating your life through SMS messages. I'm all for biometrics if it's -voluntary- (and don't expect me to participate). – Atsby Apr 18 '15 at 07:00
  • @Freedom The iPhone fingerprint system is entirely local; your fingerprint info never leaves the phone. It's used to control access to other passwords and keys, which is what lets it do more than just unlocking the phone. – cpast Apr 18 '15 at 08:27
  • @cpast never leaves the phone until a determined attacker gets remote control of your phone and now he can put it on the internet... and not leaving the phone also does nothing if the attacker has physical access to the device or to your finger (it just happened with someone I knew: the wife just took her husband's finger while he was sleeping and read all his messages)... and we have no proof to say it never leaves the phone since it's not open source... I really fail to see why biometrics would be better or more secure than strong passwords – Freedo Apr 18 '15 at 09:07
  • Really? At least in the UK, the police do **not** take fingerprints from you unless you have committed a crime or are a suspect for a crime (I have never had my fingerprints taken). – Toothbrush Apr 18 '15 at 19:47
  • @toothbrush, Are you sure? Fingerprints are taken when you are born and registered. They don't change. – Pacerier May 05 '15 at 05:12
  • @Pacerier Fingerprint recognition is used in many schools in the UK (which the police *could* potentially access with a court order). – Toothbrush May 06 '15 at 15:39
  • @Pacerier Absolutely positive. In the UK, fingerprints are **not** taken when you are born/registered, nor at any other time. The only time the police would take a fingerprint would be if you were a suspect in a case (see https://www.gov.uk/arrested-your-rights/giving-fingerprints-photographs-and-samples). Schemes attempting to change this in the UK have met widespread opposition (see https://en.wikipedia.org/wiki/Fingerprint#Privacy_issues for a recent example). – Toothbrush May 06 '15 at 15:44
  • 1
    At least in Brazil your fingerprints are taken when you are born, so I thought it was like that in most countries – Freedo May 06 '15 at 15:46
  • @toothbrush, Seems specific to UK alone... or it looks like many countries don't support human rights then. – Pacerier May 24 '15 at 14:57
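Two threads above make the same technical point: PiTheNumber's bullet that fingerprints are stored as extracted characteristics rather than raw images, and Stephane's comment that a biometric is verified by taking a fresh measurement and is not supposed to be a password. The following added example (not code from any answer on this page) makes that concrete with a toy minutiae template and constructed sample data: hashing the stored feature set like a password fails as soon as the sensor adds noise, whereas tolerance-based matching against a fresh measurement works, which is exactly why a leaked template is not a reusable "password" in a properly designed system, yet still cannot be revoked. The minutiae values, tolerances and threshold are all assumptions.

```python
import hashlib
from math import hypot

# Constructed sample data: each "minutia" is (x, y, ridge_angle_degrees) for one
# ridge feature. The values are made up for illustration, not from a real finger.
ENROLLED_FINGER = [(12, 40, 30), (55, 18, 95), (70, 66, 210),
                   (33, 81, 140), (90, 22, 310), (48, 50, 10)]

# The same finger re-measured later: sensor noise shifts every point by a pixel
# or two, the minutia at (48, 50) was not detected, and a spurious (5, 5) appeared.
REMEASURED_FINGER = [(13, 41, 32), (54, 18, 93), (71, 65, 212),
                     (33, 83, 138), (89, 22, 312), (5, 5, 0)]

# A different person's finger (also constructed).
OTHER_FINGER = [(20, 10, 45), (60, 60, 180), (80, 90, 270),
                (15, 75, 120), (42, 33, 60), (99, 5, 300)]


def template_digest(minutiae):
    """'Biometric as password': hash the feature set exactly as a password would be.

    This only ever matches if the client sends the stored feature data itself,
    which is the misuse the comments warn about; a fresh scan never hashes equal.
    """
    canonical = ",".join(f"{x}:{y}:{a}" for x, y, a in sorted(minutiae))
    return hashlib.sha256(canonical.encode()).hexdigest()


def exact_match(enrolled, sample):
    return template_digest(enrolled) == template_digest(sample)


def match_score(enrolled, sample, pos_tol=3.0, angle_tol=10):
    """'Biometric as verification': for each enrolled minutia, look for a fresh
    measurement within a positional and angular tolerance. Returns the fraction
    of enrolled minutiae that found a counterpart (0.0 .. 1.0).

    Note the template holds only derived features; the ridge image is not stored
    and cannot be reconstructed from these points alone.
    """
    used = set()          # each measured minutia may explain only one enrolled one
    hits = 0
    for ex, ey, ea in enrolled:
        for i, (sx, sy, sa) in enumerate(sample):
            if i in used:
                continue
            angle_diff = abs((ea - sa + 180) % 360 - 180)   # wrap-around safe
            if hypot(ex - sx, ey - sy) <= pos_tol and angle_diff <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(enrolled)


def verify(enrolled, sample, threshold=0.7):
    """Accept when enough of the enrolled features reappear in the fresh scan.

    The threshold is the usual false-accept / false-reject trade-off knob; the
    value here is an assumption for the toy data, not a recommendation.
    """
    return match_score(enrolled, sample) >= threshold


if __name__ == "__main__":
    print("password-style exact match, same scan :", exact_match(ENROLLED_FINGER, ENROLLED_FINGER))
    print("password-style exact match, re-scan   :", exact_match(ENROLLED_FINGER, REMEASURED_FINGER))
    print("verification score, re-scan           :", round(match_score(ENROLLED_FINGER, REMEASURED_FINGER), 3))
    print("verification accepts re-scan          :", verify(ENROLLED_FINGER, REMEASURED_FINGER))
    print("verification accepts other finger     :", verify(ENROLLED_FINGER, OTHER_FINGER))
```

The digest comparison succeeds only when the stored bytes themselves are replayed, which is the design flaw behind treating a template as a secret; the tolerance matcher accepts the noisy re-scan and rejects the other finger, but nothing in it lets the enrolled person "rotate" their finger if the template leaks.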
1

There is no a priori reason to assume that systems based on "biometrics" are going to be weak. We need to know what the security protocol is before we can evaluate its resistance to potential attacks. Just knowing that it's based on biometrics isn't enough to conduct a sensible assessment.

In my view, good uses of biometrics are those where the biometric factor is re-measured at the time of access. For example, storing thumbprints and requiring a matching thumb scan to enter the country is an effective way to keep out unauthorized persons. Note that in this usage case, stealing your thumbprint data wouldn't go very far in allowing an unauthorized person to enter the country. They'd have to -change- their thumb to match yours. And, in this case, what's being protected is access to the country, not your personal bank account. There'd be no loss to you specifically if someone used your "stolen" thumbprint to enter the country.

So, while I'm not 100% enthusiastic about "biometrics" myself, let's stay objective by asking to know what the security protocols are before condemning an entire branch of technology.

Atsby
  • 1,098
  • 7
  • 6
  • 1
    A devil's advocate argument: the Iranian government steals your biometric data and uses it to try to sneak a bomb into Israel. (This is not completely out there, as there have been official statements by Iran that they want to eliminate Israel.) How does this not hurt you? After you prove you were not involved, how do you change your credentials? – hildred Apr 18 '15 at 13:43
  • 1
    @hildred *the Iranian government steals your biometric data and uses it to try to sneak a bomb into Israel.* But how does your biometric data in any way help them sneak in? Do they change their thumbprints to match yours? Or do they dodge the thumb scanner? If they can dodge the thumb scanner, why do they even need your thumb data? – Atsby Apr 18 '15 at 19:37
  • Faking fingerprints is not that difficult; I read about a guy who with less than 30 minutes prep was able to get an 80% successful read with fake fingerprints on samples at a security tradeshow. But let's say that the biometric being used can't be faked, and you have to fool the system. In many cases it is easiest to attack the communication or database. It would be fairly simple to swap the identifiers between a trusted security researcher that has already passed the background checks and their operative, either on the wire or in the database. – hildred Apr 18 '15 at 19:58
  • @hildred *It would be fairly simple to swap the identifiers between a trusted security researcher that has already passed the background checks and their operative either on the wire or in the database.* It would be "simple" is what you say; "impossible" might be a better word. – Atsby Apr 18 '15 at 20:38
1

Though this question was asked and answered over two months ago, the State Comptroller of Israel has issued a report asserting that there exist "Fundamental defaults in the state biometric database" (Hebrew).

From the linked article:

בין הממצאים בדו"ח מבקר המדינה: היעדר מידע ונתונים אודות תופעות גניבת הזהות וההתחזות, לקיחת 430 אלף טביעות אצבע בסורק שהיה ספק לגבי איכות ביצועיו ואי בחינת החלופות למאגר הביומטרי. בינתיים מסתמן שתקופת המבחן תוארך

Translated (by me):

Among the findings in the State Comptroller report: A lack of information regarding the phenomenon of identity theft and impersonation, 430,000 fingerprints were taken with a machine of questionable performance, and a lack of choice of alternatives to the biometric database. In the meantime, the trial period is to be extended.

As I firmly believe that sunlight is the best disinfectant, I feel that the checks and balances system is working. In this trial period problems were found, made public, and are being fixed. The biometric database is not perfect, nor is any other database of citizens. But at least in this case, a best-effort attempt is being made to find and fix the issues publicly.

dotancohen
  • 3,698
  • 3
  • 24
  • 34
0

One example that quickly comes to mind is planting someone else's fingerprint in a crime scene (just search for fake fingerprints). Fingerprints are a valuable commodity.