Diff for Privacy expectations around biometrics

Stephen Wilson's Babysteps

Ideas to demystify identity, privacy, authentication and safety online.

Thu, 04/24/2008 - 04:43 by Stephen.WilsonWed, 03/04/2009 - 19:54 by Stephen.Wilson
Changes to Body
Line 2Line 2
 
Here's one of the most bizarre lines I've ever seen in biometrics and
 
Here's one of the most bizarre lines I've ever seen in biometrics and
 
national security:
 
national security:
-
</p>
  
-
<p>
  
-
&nbsp;
  
 
</p>
 
</p>
 
<p class="MsoNormal">
 
<p class="MsoNormal">
 
<em><span><strong>Fingerprints 'not particularly private,' security
 
<em><span><strong>Fingerprints 'not particularly private,' security
-
czar says</strong></span></em>
+
czar says</strong><br />
-
</p>
+
Edmonton</span><span> Sun, Thu 10 April 2008<br />
-
<p class="MsoNormal">
+
http://www.edmontonsun.com/News/Canada/2008/04/10/5244996-sun.html</span></em>
-
<em><span>Edmonton</span><span> Sun, Thu 10 April 2008</span></em>
+
-
</p>
+
-
<p class="MsoNormal">
+
-
<em><span>http://www.edmontonsun.com/News/Canada/2008/04/10/5244996-sun.html</span></em>
+
 
</p>
 
</p>
 
<p class="MsoNormal">
 
<p class="MsoNormal">
Line 20Line 13
 
Canadians shouldn't fear plans to expand international sharing of biometric
 
Canadians shouldn't fear plans to expand international sharing of biometric
 
information such as fingerprints. Michael Chertoff says a person's
 
information such as fingerprints. Michael Chertoff says a person's
-
fingerprints are like footprints.</span></em>
+
fingerprints are like footprints.&quot;They're not particularly private,&quot;
-
</p>
+
-
<p class="MsoNormal">
+
-
<em><span>&quot;They're not particularly private,&quot;
+
 
Chertoff said yesterday during a visit to Ottawa.&quot;Your fingerprint's hardly personal
 
Chertoff said yesterday during a visit to Ottawa.&quot;Your fingerprint's hardly personal
 
data, because you leave it on glasses and silverware and articles all over the
 
data, because you leave it on glasses and silverware and articles all over the
 
world.&quot;</span></em>
 
world.&quot;</span></em>
 
</p>
 
</p>
-
<p>
+
<p class="MsoNormal">
-
&nbsp;
+
Actually there is a technical legal principle here that invalidates Chertoff's interpretations.  In most privacy law, if information is personally identifiable, then it is treated as &quot;private&quot;, insofar as there are legislated limitations on what anyone can do with that information, how they may collect it, store it and share it.  In general, if you collect personally identifiable information, in any way about any individual, then you owe certain duties of disclosure to that individual. <em>That's what privacy is all about. </em> It's not about security per se, and it isn't nullified just because fingerprints are readily available for collection.  It's about a duty of care.  
 
</p>
 
</p>
 
<p>
 
<p>
-
But so what if I leave my fingerprints lying around? Is there no room for
+
From a common sense perspective, even if people do leave fingerprints lying around, they surely have a presumption of privacy? If you try to have a quiet conversation in a park
-
a presumption of privacy on my part? If I try to have a quiet conversation in a park
+
then you expect some privacy, even if your voice might be picked up by a sensitive microphone at a distance.
-
then I expect some privacy, even if my voice might be picked up by a sensitive microphone at a distance.
+
 
</p>
 
</p>
 
<p>
 
<p>
Line 42Line 31
 
<p>
 
<p>
 
I also leave DNA all over the place. How soon before national security people say
 
I also leave DNA all over the place. How soon before national security people say
-
that's public too?
+
that's &quot;public&quot; too? Remember the legal technicality: any personally identifiable information, collected by any manner, comes under privacy law.  Certainly there are national securityprovisions that trump privacy, but they're not automatic, and they do not allow personally identifiable data like fingerprint files to be shared willy-nill, on the basis that fingperints are &quot;not particularly private&quot;.  
 
</p>
 
</p>
 
<p>
 
<p>
-
And even if fingerprints are left lying around in public, I have a strong sense that someone else going to the trouble of picking them up,
+
Even granting that fingerprints are left lying around in public, if someone else goes to the trouble of picking them up, 
-
scanning them, digitising them and running checks to track my
+
scanning them, digitising them, linking them to my identity, and running checks to track my
-
whereabouts represents a continuum of privacy invasive secondary uses.
+
whereabouts then they commit a host of privacy invasions relating to the Collection and Secondary Use principles.
 
</p>
 
</p>
 
<p>
 
<p>
 
Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an
 
Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an
-
argument that they're really not much good for security.
+
argument that they're really not much good for security!
  +
</p>
  +
<p>
  +
Cheers,
 
</p>
 
</p>
 
<p>
 
<p>
-
<br />
+
Stephen. 
-
Stephen.
+
 
</p>
 
</p>
 
<p>
 
<p>
Current revision:

Stephen Wilson's Babysteps

Privacy expectations around biometrics

Here's one of the most bizarre lines I've ever seen in biometrics and national security:

Fingerprints 'not particularly private,' security czar says
Edmonton
Sun, Thu 10 April 2008
http://www.edmontonsun.com/News/Canada/2008/04/10/5244996-sun.html

The U.S. homeland security czar says Canadians shouldn't fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person's fingerprints are like footprints."They're not particularly private," Chertoff said yesterday during a visit to Ottawa."Your fingerprint's hardly personal data, because you leave it on glasses and silverware and articles all over the world."

Actually there is a technical legal principle here that invalidates Chertoff's interpretations.  In most privacy law, if information is personally identifiable, then it is treated as "private", insofar as there are legislated limitations on what anyone can do with that information, how they may collect it, store it and share it.  In general, if you collect personally identifiable information, in any way about any individual, then you owe certain duties of disclosure to that individual. That's what privacy is all about.  It's not about security per se, and it isn't nullified just because fingerprints are readily available for collection.  It's about a duty of care.  

From a common sense perspective, even if people do leave fingerprints lying around, they surely have a presumption of privacy? If you try to have a quiet conversation in a park then you expect some privacy, even if your voice might be picked up by a sensitive microphone at a distance.

Then consider the legal status of something that is lost. In some jurisdictions, it is not simply a case of "finders keepers"; there is an offence called "theft by finding". If I accidentally drop a thousand bucks and someone picks it up, then it is still my money. So ... if I drop my personal diary and it's found by a stranger, I think I still have a right to privacy. And I should think that expectations for privacy of fingerprints left on glassware might similarly be entirely reasonable.

I also leave DNA all over the place. How soon before national security people say that's "public" too? Remember the legal technicality: any personally identifiable information, collected by any manner, comes under privacy law.  Certainly there are national securityprovisions that trump privacy, but they're not automatic, and they do not allow personally identifiable data like fingerprint files to be shared willy-nill, on the basis that fingperints are "not particularly private".  

Even granting that fingerprints are left lying around in public, if someone else goes to the trouble of picking them up,  scanning them, digitising them, linking them to my identity, and running checks to track my whereabouts then they commit a host of privacy invasions relating to the Collection and Secondary Use principles.

Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an argument that they're really not much good for security!

Cheers,

Stephen. 

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards. Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.

XML.org Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | XML.org | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | OSLC | WS-I