Friday, April 18, 2014

Florida bans biometrics in schools, and the industry's "emerging fight" against it

It has been interesting to follow the progress of the Florida legislature to ban schools from taking and processing children's biometrics, the process of which started late last year.  It will be the first time in the USA or worldwide that biometrics have been banned in schools, when Gov Rick Scott signs the bill.  Some have argued that the UK Protection of Freedoms Act 2012 should have gone this far but instead we have that schools can only process a child's biometric data with written parental consent.  However, how parents are fully informed to make that consent still leaves the process open to spin and ambiguity surrounding the technology and its capabilities.

In Florida three bills were filed dealing with Florida schools using biometrics, during September and October 2013. With one, SB188 relating to education data privacy, being passed on April 11 2014. It reads (see lines 49-66):

(1) An agency or institution as defined in s.1002.22(1) may not:
(a) Collect, obtain, or retain information on the political affiliation, voting history, religious affiliation, or biometric information of a student or a parent or sibling of the student 

The bill passed by 113 Yeas to 1 Nay

This news has been met by the biometric industry in the United States with fears it may lead to other states approving similar bills.  There are already laws in other states concerning parental consent for schools to use biometric technology but SB188 goes one step further, by banning it.

Many experts, privacy organisations and others have aired concerns over children using their biometrics in school for a variety of reasons:
     - Security of data - What does a child do if their biometric data is compromised?  How and when would that become apparent?  Leaps and bounds in technology cannot possibly foresee how this could play out in the decades to come.
     - The personal information that is held against the biometric - Reading or eating habits, who views that?
     - The sharing of biometric data and personal data stored against it - Government agencies now routinely take biometric data and upload it to other databases.
     - The subtle psychological message using this technology gives to children, that to gain access to books/knowledge, food/money, normalises the use of biometrics for mundane yet essential activities.   

Janet Kephart of the Secure Identity and Biometrics Association (SIBA), set up in February 2014, states that one of four biggest challenges of 2014 is to help clear the air in "a newly emerging fight in state legislatures whereby there is a push to ban biometrics in public schools".  

Kephart claims that, "Biometric technologies do not store identities; they store templates".  Surely template/s based on a particular person are designed to identify said person, otherwise how would the system work?  Then the next statement contradicts her earlier statement by saying, "To further assure privacy, names are kept separate from the biometric templates, encrypted, and not directly linked with the biometric data".  Yes, so they are linked then but encrypted.  Indeed, one might liken this to doublespeak?

She then, unsurprisingly, states the usual line to be seen and heard in the spiel dished out to schools in the USA and UK by biometric vendors, "...the outline of fingerprints aren’t stored like an image – they’re turned into a set of series of numbers that can’t be reverse engineered."  Yes, a set of numbers that is digitally transferable between databases.

With regards to Florida banning biometrics in schools (with SIBA only being set up two months earlier with a view to, "educate folks about the reality of biometrics, bridging the gap between Washington and the industry" , maybe SIBA was set up because of SB188?) Janet Kephart states:

Nobody in Florida decided to do due diligence on this... [presumably she has proof of this allegation]  No one clearly went out and asked how biometric technology actually works … nobody asked the question. It was just basic public servant due diligence that they didn’t do and there’s really no excuse for that.”

Just a minute... where was the "due diligence" of the biometric industry from 2001 onwards effectively testing biometric technology on children by fingerprinting 4 year olds to get a library book out, using infrared palm scanners trialled on primary school children in 2006 so they could eat, iris scanning children for lunch lines in 2007, facial scanning kids in 2010 to stop them from turning up to school late, voice biometric planned in 2007 for students, and (partly what prompted SB188) a Florida school district iris scanning 700+ children to travel on a bus?  All without parental consent or appropiate discussion, hence the legislation in the US States and the UK.

And SIBA want to talk about due diligence?   An apology would be more fitting.

Let's tell it how it really is.  In this article is an astonishing, yet bluntly open, account of why Saudi Arabia are introducing biometrics in schools, explaining below the exact reasons for biometrics and CCTV.  Surveillance.  It is a "form of supervision", to" install a sense of discipline", to "track children", to make them "respect regulations" and gain "better productivity".  At least there is some honesty here, more than we have had from the biometric industry and government on this issue in the US and UK for the past decade.

Kevin Townsend, original founder of ITsecurity.com, puts it most succinctly in his March 2014 article - Why we must keep biometrics out of schools - definitely worth a read.

1 comment:

Anonymous said...

Huge Applause. In security-terms, biometrics is absolute snake-oil, and is never suitable for anything. It is easily stolen and forged (think - the OPM megahack), and it is sufficiently unreliable that alternative systems always need to be in place to handle when biometrics does not work, like fingerprints after swimming etc (that alternative effectively means that anyone using biometrics is actually REDUCING any security they might have - because the alternate-means will always exist, and now biometrics introduces a second new way to break/forge/bypass the security, and, in a way that can never be changed when that data gets stolen! How many US Government employees have changed their fingerprints since the Chinese stole them all eh?)