Friday, March 30, 2007

How much...?

Parrenthorn High in Prestwich has become the first school in Bury to use biometric fingeprint scanners for cashless school meals - at a cost of £25,000.

"The government-funded scheme will be introduced at eight more secondary schools in Bury by 2008"

At £25,000 a throw, that's a cool £225,000 spent on biometric cashless food systems in Bury alone. I'm too speechless to comment on the amount of money Bury and the government are spending on this.

Thursday, March 29, 2007

Fingerprinting in Bradford without parents consent

Over on Tarique Naseem's blog he's dealing with his child's school introducing a fingerprint scanner for library use without asking for consent from parents. He has now drafted a single page letter to hand out to parents at school informing them about biometric systems in schools for them to sign and hand back to the school. A couple of parents have volunteered to copy them and hand them out.

"I do not give authority for my child’s fingerprints to be stored on the schools computer systems and kindly ask that any data already taken be destroyed by an approved data cleansing company as required by the Data Protection Act."

The school have already fingerprinted the children, Tarique's child was not fingerprinted. The price of data cleansing per record can range from £1.25 to £2.25 (+vat). With an average of 26 children in a class, with at least one class leaving primary school every year, if not more classes, data cleansing will be an additional expense for the school to incur, but probably haven't even considered.

Monday, March 26, 2007

Parents delay scanners in Taunton schools, Massachusetts

After plans to install [this link now broken, see here for story] lunch line biometric fingerprint scanners for all city students in six schools* parents and ACLU have managed stall the mandatory fingerprinting of all students, regardless of whether they eat school lunches, without parental permission.

Even when this had been agreed upon some parents have still not been told that the program is optional, or informed how they can opt out. When the letter went out from one of the schools, the school inadvertently omitted the following line which gave parents 1 day to write in, to opt out.

"If you do not wish to participate in the program, please submit this request in writing by Friday, March 23 to your principals or to the Food Service Director's Office."

Chuck Hart, father of a Chamberlain student, said he has been told by Sheila Kukstis, the school's principal, that a revised letter - including the opt out disclaimer - will be sent home today [March 22nd].

"That gives parents a day to respond," Hart said before the meeting. "This is unbelievable."

This have been very much the case over here in the UK with parents either just being told a day or so before hand, not being told at all or even being told that the school is going to do it anyway and they have no legal obligation to obtain consent from parents.

Here are some comments made by a parent, Mary Heim, who's last comment was the just indignance I felt when my children's biometric data nearly ended up on a PC for a school library system.

"Somehow, my rights as a parent have been waived. Lack of consent isn't implied consent." Heim, the parent of two elementary-aged children, referenced the fourth amendment to the U.S. Constitution, which guarantees the right to be secure in one's person.

"How dare you assume or try to record an identifying mark of my child without any thought of asking my permission?" asked Heim. "I do not give consent. Period."

I'll leave the last word to parent Patti Crossman:
"Postpone this until it's done right"

*Edmund Hatch Bennett, Elizabeth Pole, Joseph C. Chamberlain, and East Taunton elementary schools, and James L. Mulcahey and Joseph H. Martin middle schools.

Sunday, March 25, 2007

Value for money

Baroness Walmsley brought up the subject of biometrics in schools on Thursday, 22nd March, in a debate on value for money and transparency of public services commissioned from the private sector. She made these comments:

In my field, education, schools now have control over the vast majority of their own budget. That is a good thing in the main, although there is enormous pressure on local authorities to find the money for the support services for which they are still responsible. They have to pick up the pieces when individual schools fail children, and that can be very hard. It makes schools vulnerable to the clever sales pitches of companies that sell them the latest whizz-bang techie idea or snake oil that will solve all their problems. I think that rather ironic description applies to the military equipment companies that have persuaded about 3,500 schools to buy equipment to fingerprint their pupils for purposes as trivial as borrowing library books or paying for their lunch.

I will not go into the detail of the practice here, since the Minister replying today will not be in a position to answer me. Suffice it to say that the DfES has really no idea what is going on out there. It does not know how many schools are doing this or how many children are affected. The noble Lord, Lord Adonis, in answer to a question from me earlier this week, revealed that his department is unaware that most of those schools are flouting good practice by not getting the parents’ permission for this infringement of their children’s rights. That is the sort of thing that can happen when services to the public sector are not properly monitored. The Government are walking blindfolded into a future identity fraud crisis, and the parents and children do not even know about it or realise the implications of the practice.

Proper monitoring of outsourced public services is essential. Having opened up the market and allowed schools to spend their own money, the Government must introduce statutory guidance to regulate schools that use those systems. It is simply bad practice for schools to keep a record of children's precious and unique biometric information, sometimes on insecure computers that can be hacked into, without parents’ informed consent. The Government should do something about it before it is too late.

Thursday, March 22, 2007

Irelands advice to schools when employing biometrics

The Data Protection Commissioner in Ireland has this advice for educational establishments to consider before purchasing biometric technology for use with children. Under the term biometric it includes a fingerprint, an iris, a retina, a face, outline of a hand, an ear shape, voice pattern, DNA, and body odour. Biometric data might also be created from behavioural data such as hand writing or keystroke analysis.

It details consent, proportionality, fair obtaining and processing, fair obtaining of sensitive data (i.e. photographs, health and race), transparency, accuracy, security and retention of data.

The Irish Data Protection Commissioner stipulates that the obtaining of consent is of paramount importance when schools consider the introduction of a biometric system.

The document details points for schools to consider before installing such systems, it then goes on to say:

Before a school or college installs a biometric system, the Data Protection Commissioner recommends that a documented privacy impact assessment is carried out.

This is an important procedure to adopt as a contravention may result in action being taking against a school or college by the Commissioner, or may expose a school or college to a claim for damages from a student. Data protection responsibility and liability rests with the school or college, not with the person who has supplied the system.

The lack of guidance from the UK Information Commissioners Office or government is now becoming conspicuous in it's absence, especially when the percentage of children using biometrics in schools in the UK is probably higher than any other European country.

Wednesday, March 21, 2007

Australian Biometrics Institute Privacy Code

The Biometrics Institute in Australia have a voluntary Privacy Code, approved by the Australian Privacy Commissioner Karen Curtis, which applies to organisations that have agreed to be covered by the Code. The code came into effect September 2006.

The Code includes privacy standards that are at least equivalent to the National Privacy Principles (NPPs) in the Privacy Act and also incorporates higher standards of privacy
- sounds like the sort of boost our UK Data Protection Act could do with regards to biometrics, certainly in the area of using fingerprint softwear in schools.

On the third page of the Privacy Code, point 2 states that:

The Biometrics Institute Privacy Code seeks to build upon the National Privacy Principles (NPPs) in a manner that provides the community with the assurance needed to encourage informed and voluntary participation in biometrics programs. Biometrics Institute members understand that only by adopting and promoting ethical practices, openness and transparency can these technologies gain widespread acceptance.

The "informed and voluntary participation" and "adoption and promoting of ethical practices, openess and transparency" are points the biometric companies, schools and government in the UK could do with taking on board, at the very least in circumstances where children are involved.

Monday, March 19, 2007

House of Lords Peers "slam" fingerprinting

The BBC reports on today's debate in the House of Lords regarding the unregulated use of biometric fingerprint technologies used in schools.

Lord Adonis's views are very much towing the Labour Education Departments line on this issue, which really doesn't concur with cross parties views on this at all, or even some members of his own party.

He said fingerprints were destroyed once pupils left the school , [wrong], and were only taken with parents' consent [wrong]

He said biometric systems could improve the take-up of free school meals, as there was no "stigma" attached and many schools were using the systems "without any contention whatever".

Could it improve the take up of free school meals? Who knows? Is there a "stigma" to taking a library book out, registering in class or using biometric technology to use a vending machine in school?

Many schools are using the systems, he states, "without any contention whatever" - possibly because parents are not aware that their children are using fingerprint systems and if/when are made aware they get an industry spiel in a school newsletter with no informed consent whatsoever.

In actual fact there has been contention with the technology and as a result some schools have pulled the systems favouring the non biometric route - some such schools are not only in the UK but in China and Hong Kong.

Lord Adonis goes on to say: "I think there is a certain amount of scaremongering in your question, which I regrettably don't accept on the basis of the information that has been made available to my department."

What information has he had "made available" to his department? Certainly the Labour Education Department have so far not been able to comment on:

1. How many schools use the technology
2. How many thousands of children have been 'fingerprinted'
3. On how parental consent should be sought
4. How much money has been spent on these systems
5. Any research they have undertaken, showing that using these systems in schools have an end benefit to children
6. The cost effectiveness of the systems (sometimes weighing in at £20k)
7. Consultancy undertaken prior to biometric systems being introduced into schools
8. Legal opinion on parental consent issues
9. Security of data held/deletion of data
10. Any guidelines they have given to schools

etc,etc, (...could go on for a bit here)

Maybe a Freedom of Information request could be made of Lord Adonis to see exactly what information he has had "made available" to his department, that makes him regard Baroness Warmsley's question quite so dismissively.

Sunday, March 18, 2007

Police Officer's views on fingerprinting children

Over on the School Governors Forum the discussion regarding using biometric systems in schools continues, now 11 pages long, with this recent comment posted by a Police Fingerprint Officer of 15+ years.

His post is quite extensive and is well worth a read. On the area of consent he has this to say:

As to consent, if you have not been asked explicitly for your signed consent to allow your child's prints to be taken, kick up a huge stink immediately. Even arrested persons are asked to sign consent to their prints being taken - they can be taken by force if not consented to but this is a very rare occurrence.Victims of crime etc can refuse to provide their prints for 'elimination purposes' (legitimate access etc) and that's it, they don't get taken...

...I would assume that before printing kids (especially under 10 - age of criminal responsibility) schools would have to provide a detailed and explicit set of guides, rules and exceptions for what purposes prints are taken, how and where they will be stored and a policy for their eventual destruction. Criminal prints have this so innocent persons should be at least as well governed. If this hasn't happened, as governors, make sure it does.

Contact the police for advice, all forces have lawyers to scrutinise the legality of new and emerging issues like this.

The forum is run "by governors for governors".

Wednesday, March 14, 2007

"Ban the Scan"

Here [this link now broken, see here for story] is an encouraging story of parents, who's school district in Massachusetts were going to fingerprint children without parents permission.

After parent pressure and ACLU's involvement, the school district have backed down and made the biometric catering system "optional" - as yet not implemented.

Patti Crossman, a parent, concerned that her child would get scanned anyway designed a pair of snazzy buttons. Both say "Ban the Scan" a clear message to any adult. Patti also wrote to each school committee member, in order to voice concerns.

"I can't believe that I have to sign a permission slip for my child to take a field trip, or fill out a booklet for him to attend Nature and Me, but bio-scanning was going to just happen without any parental consideration," Crossman said recently, as she awaited a decision on a newly implemented "Do Not Scan List."

The response from the members was encouraging. School committee member Jordan H. F. Fiore said:

"As a matter of privacy, parents should have an option. We are living in a democratic society, and we should have the freedom to opt out; not that this is some '1984' kind of nosiness. I think it's important to always give parents an option."

Another school committee member Cathal D. O'Brien commented that parents could refuse their child to be scanned and said "It's none of our business the reason."

Laws are already in place in Iowa and Illinois that demand explicit parental consent for biometric scanning of any child in school. Maybe we might see a move to introduce a similar law in Massachusetts, as the precedent has already been set in these two other states.

Friday, March 09, 2007

Students fingerprints ending up in the States

Back in January I blogged about Canadian students biometric details going over the border to the States without their knowledge - this can happen to students in Europe, Asia, and Africa that sit the LSAT.

Michael Geist writes :"While the predictive reliability of the test has been the subject of considerable controversy, in recent days the LSAT [Law Schools Apptitude Test] has attracted attention for a different reason. As students file into testing centers throughout the U.S., Canada, Europe, Asia, and Africa, they must provide a thumbprint, which is used to crackdown on fraudulent test takers. The biometric data is transferred to the United States and retained by the Law School Admissions Council, the organization that administers the test."

The problem is that once the Law School Admissions Council has the student's biometric fingerprint details it could be compelled, by statutory provisions found in the USA Patriot Act, to give up this information to the US authorities which, according to Philippa Lawson of the Candian On the Identity Trail website "allows FBI access to private sector databases of customer information for counter-terrorism purposes, without any reasonable or probable cause to suspect wrongdoing by the individuals whose information is being disclosed."

She goes on the say: "Once digitally stored, biometric data - like any other data - is easily copied, transmitted, altered and searched. But unlike other personal data such as names, addresses and identification numbers, biometric data does not change. And unlike credit cards, passports, and drivers licences, biometric data cannot be invalidated and substituted once compromised.

The federal Personal Information Protection and Electronic Documents Act which came into force in 2001, is based on a set of widely accepted fair information principles. One of these principles is that organizations should not collect more personal information than necessary for the purposes that they have identified. Another is that those purposes must be reasonable."

Sounds very much like our Data Protection Act:

The Data Protection Priciples, Part I, The Principles
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Canadian privacy commissioners are currently investigating the LSAT complaints.

Wednesday, March 07, 2007

Island of Guam halts lunch line thumb scanners

Guam, an island in the Western Pacific Ocean, has recognised parents concerns over using biometric technology and has held off using fingerprint thumb scanners for catering in schools.

Parents hadn't been fully informed and privacy issues were raised too.
Parents have called the school's administration to voice worry that they did not receive proper notice their children would be fingerprinted. Use of the technology also has raised privacy issues. In stateside school districts, the use of fingerprint technology to speed up cafeteria lines has sparked worry among parents that Big Brother's reach would extend to the cafeteria, according to wire reports last year from California to Texas.
Guam is a territory of the United States.

Tuesday, March 06, 2007

Vital questions for schools

Leave Them Kids Alone have listed some questions that concerned parents can ask schools:

Apart from all the issues surrounding biometric systems in schools I would hope that Q11 has been given very careful consideration as this could, if not addressed properly, seriously affect children's safety in school.

1) Aside from manufacturers' anecdotal claims in advertising material, can the school give me details of any independent research proving benefits to my child of using this system?

2) Has any independent research been carried out regarding the effect on children of repeatedly using biometrics on a daily basis in a familiar setting? What steps is the school undertaking to teach my child about the dangers of misusing their biometric data?

3) The manufacturer claims that this system does not store my child's fingerprint, but surely if the biometric template it stores isn't the direct equivalent of a fingerprint, then the system simply wouldn't work?

4) Will my child be photographed as well as fingerprinted? Will all and any such photographic data be destroyed along with fingerprint templates when my child leaves school, or if I change my mind at any time?

5) Who, under existing legislation, including the Children Act and the government's stated commitment to widespread data sharing, may access my child's biometric template and associated data as stored on the system? The police? Social services? Civil servants? Technicians from the manufacturer carrying out routine maintenance? The large private multinational PFI companies that now run some LEAs e.g. Amey, Nord Anglia? The private companies running City Academies that may have access to children's data?

6) Would the school permit 'fishing expeditions' in the stored biometric data (e.g. if the local police were trying to find a match for a crime mark they suspected may have been left by a child from the school)? What would the school do if such a search revealed TWO probable matches?

7) Bearing in mind that my child's biometric template remains valuable for their entire lifetime, since it can't ever be changed, where is the biometric data stored, where are backups stored, and what security procedures are in place to prevent unauthorised copying of, or any type of access to this data? How will the school know if the data has been copied? What procedures would be followed if the main computer or backup system storing the data were stolen?

8) Is the computer holding the data connected to the school network and/or the internet? What active measures are taken to ensure the biometric data cannot be accessed by third parties via any such connection(s)?

9) Can the school guarantee that the data, including any backup copies, will be promptly removed as soon as my child leaves school, or if I change my mind at any point, by an approved professional data cleansing company as required by the Data Protection Act? Will the data-cleansing company certify in writing that the biometric information has been satisfactorily removed? (This requirement was
confirmed by the Information Commissioner on 9 Feb 2007.)

10) As new pupils join the school, will you regularly seek explicit informed parental consent before fingerprinting them (
as recommended by the Information Commissioner, Richard Thomas on 30 January 2007)?

11) Where fingerprinting is used for school registration, what backup strategy will the school implement to ensure that
if any part of the system fails before registration is complete, a full and accurate record of those children at school will be available in the event of an emergency evacuation at the start of the day, e.g. in the event of a fire?

Sunday, March 04, 2007

Children's fingerprints to be stored on secret government database

We parents have been accused of conducting a "false, nebulous debate" by one biometric library retailer. I would argue that the concerns we raise are not false, vague or confused. Indeed they are most coherent, as this blog clearly details the points to debate.

But is it really any surprise parents are concerned with biometric data being taken from our children, some as young as four years old without our consent, when this government has plans, detailed in the Times today, for children aged 11 to 16 to have their fingerprints taken and stored on a secret database?

'Secret' databases are already kept, in schools. Parents are still finding out now, literally years after the event, that their children's biometric fingerprint data has been taken and kept on a school database... and most possibly still on the school database - unless, of course, the schools have used a professional data cleansing company, as the Information Commissioners Office advises, to erase the children's data.

Chambers Dictionary:
secret (adj) kept back from the knowledge of others; guarded against discovery or observation; unrevealed, unidentified; hidden; secluded; a fact, purpose or method that is kept undivulged.

"...With the fingerprinting of all our children, this government is clearly determined to enforce major changes in the relationship between the citizen and the state in a way never seen before.”
David Davis, Shadow Home Secretary

Friday, March 02, 2007

ACLU's intervention over biometric fingerprint scanners in schools

The Tauton Gazette, Massachusetts, reports that the American Civil Liberties Union (ACLU) have had complaints from concerned parents after a schools district were planning to use fingerprint scanners for lunch lines without any opt out alternative available. Parents learnt of the biometric systems introduction through local newspapers.

Sarah Wunsch, Staff Attorney for the ACLU Boston chapter has now requested documents pertaining to the planned introduction of biometric technology in schools:

* All records relating to the Taunton School District's decision to implement the "Lunch Bytes" program or system, including but not limited to copies of agreements with Lunch Bytes Systems and costs;

* All documents relating to security for scanned fingerprint information and retention of data relating to the scanning under the Lunch Bytes System, including policies and procedures relating to sharing of data with law enforcement agencies or other entities;

* All documents relating to the Taunton School District's evaluation of the Lunch Bytes System and other methods of addressing problems of delays in the school cafeteria and the needs of students receiving free or reduced lunches;

* All notices and information provided to parents and/or staff of the Taunton School District about the Lunch Bytes System.

Superintendent Arthur W. Stellar has 10 days to reply.

It should make interesting reading, especially the third request. How these systems are cost evaluated for the gains they claim, hasn't yet been explained here in the UK.

Initially, here in the UK, we seem to be using fingerprint scanners for library book issue in schools (because security in libraries is a "big issue"...) - but increasingly biometric technology is being sold to schools for lunch line/cashless catering 'solutions'.

Maybe now we can look to the States for this elusive answer to see whether the £millions already sunk in to children's biometric fingerprint systems, here in UK schools over the past 6 years, has been wisely spent.

"...participation in this system is not optional and will be mandatory for all students at the six schools in the next few weeks, apparently whether they eat school lunches or not."

"Other school systems, after inquiry, have decided not to utilize similar systems and we urge Taunton to reconsider its plans." Wunsch referenced the Boulder Valley Public Schools in Boulder, Colorado as one district that decided against the technology. Irvine, California's another.

A poll of parent teacher organization officers from the six district schools in question revealed a wide range of concerns.

"By requiring students to provide their fingerprints for scanning, from which a unique identifier will be created and stored, the Taunton school system is effectively teaching students and their parents to be quite casual about their biometric data, at a time when computer security breaches are commonplace and identity theft has become a major problem in our society," Sarah Wunsch, staff attorney for the ACLU Boston chapter, wrote to Superintendent Arthur W. Stellar.

"This is the wrong lesson for Taunton to be teaching."