Re: Big Brother Is Watching ATMs

[Vin McLellan <vin@shore.net>]

	Robert A. Costner <pooh@efga.org> wrote:

>As wonderful as eye scanning technology may sound, it promises to offer
>very weak identification and only be reliable in the short run.  This is
>based on the premise that a reproduction of an eye will work as well.  Just
>as a reproduction of a driver's license seems to work for check forgery.

	With respect, I disagree.  I think it is quite likely that an
iris-scan technology can effectively differentiate between a living eye and
a reproduction (or, as one of my many correspondents on this topic
suggested, an eye forcibly removed from the socket of a potential fraud
victim.)  In any case, the issue of false positives/negatives will be
settled with evidence. I think the technology will probably be useful, in
those terms.

	My concern is rather with who owns and controls the scan data from
an individual's own eye: whoever scans him or her?  Scans at a distance?
Surreptitiously?  Whatever entity claims the right to validate or
authenticate the individual's identity, for his or her own good?  for the
public good?

	If the value of eye-scanning (or any other type of biometric
authentication) is to be short-lived, it will be because the scan-data
itself will be poorly held, or transferred insecurely.

	While it may be difficult or impossible to fake out the camera with
a phony eyeball, it will _certainly_ be possible to inject a copy of the
proper scan-data somewhere into the linkage between the camera lens and
probably remote authentication server which will support it.

	The inherent weakness of biometric identifiers is that, if (or
when) there is a breach in the authentication system (or the access
controls or crypto system which secures the database which supports it,) it
will be impossible to correct the situation (as we might issue a new ATM
card or smartcard, or a new SecurID, or change a user's password.)

	The real victim of a poorly-designed authentication system which
uses biometrics will be the citizen/consumer who trusted his (irreplacable,
being often single and unique) biometric scan to an entity which handled it
with improper care and precautions.

	My sarcastic reaction to Jonathan's initial post was in reaction to
his report that some commercial banking organization was planning to
surreptitiously collect these iris scans and use them to replace
user-memorized PINs for validating cash disbursements.  (Jon tells me that
he originally heard this version on AM radio is San Francisco: the Barbara
Simpson show, KSFO 560AM, which he has found an often-reliable source.)

	I still consider this unlikely -- if for no other reason than the
fact that banking regulators (i.e., insurers) would never allow it.

	There is, of course, a whole set of political and sociological
issues which revolve around the rough equivalence of effective biometric
system, and the database which will give it value, and the traditionally
feared "national ID" paper-document system.  Jonathan's initial post
validly raised that fear.

	There is also an important public-policy discussion in the question
of whether the commercial value of such a system (and its database) to
consumers will again tempt the mass of (US) citizens into voluntarily
giving up control over this authentication technology (for easy credit or
faster and bigger ATM withdrawals) to business... for the government to
later take advantage of as it will, when this aspect of our privacy is just
another commodity.

	[Much of American privacy has already been traded off by our
citizens in a similar fashion.  Europe, where privacy was redefined when
governments extended citizen property rights to include information about
that citizen, presents a different model.  With some problems,  which
Libertarians are prone to stress;-) and some valuable protections.]

	(Did anyone note the European Commission's denunciation of US
crypto policy specifically noted that forcing European citizens to include
a message-recovery mechanism for government eavesdropping in their legal
e-mail or other electronic message systems would probably be a violation of
privacy rights commonly held by all citizens of the European Union?)

	Biometrics (something you are) is one of the three classic
mechanisms by which we convince a computer that we are indeed someone whose
identity was previously registered with the computer: something one knows
(password, PIN,) something one has (token, smartcard, ATM card,) or
something one is (the biometric.)

	Biometric identifiers, because they are static -- and thus,
inherently subject to replay attacks from _somewhere_ in their process or
procedures -- will likely always require  confirmation from other
authenticators.  Certainly they will require a secondary confirmation
before they are used to validate an active transfer of value like an ATM's
disbursement of cash.  (The lawyers and auditors will demand it.)

	I actually expect that the current standard for "strong
authentication" in business practice -- "two factors;" typically a password
and a token/card (often enhanced with a one-time password generator, which
provides proof that the token is in the users hand at the moment the
authentication code is generated) -- will soon be expanded to three.

	It is far more likely that auditors in the future will define
"strong authentication" systems as requiring (1) a user-memorized PIN, (2)
a token, and (3) a biometric, than that they will do away with the
requirement for either the PIN or the token.

	Tokens (by classical definition, personal and mobile, usually
pocketable) are becoming personal repositories for encryption and digital
signature keys, eventually secure crypto-engines, so these hand-held
authenticators will likely become even more valuable.

	And a PIN or password will, at the very least, still be required to
secure the smartcard's internal data so that the crown jewels are not
readily available to every pickpocket.

	The interesting question is what sort of controls will be placed
(probably by legislation) on second or third party access or traffic in
consumers'/citizens' biometric data.  It may be that all parties (citizens,
government, business) will have a common interest in holding systems which
capture or store these data-files to a very high infosec or crypto standard
in order to keep biometric files from falling into the realm of meaningless
index data (like Bob's example of the US social security number.)

	The use of biometrics as an authenticator will have commercial
value -- to the citizen/consumer and to commercial entities -- only if the
biometric scan-data is handled securely and respectfully.

	The use of biometrics as an administrative tool is probably
inevitable -- something we already see with photographs and fingerprints
(which are, of course, also biometrics.)  And as machines are better
adapted to scan for fingerprints, or faces and irises (remotely, as in an
airline terminal, bank lobby, or street corner?) -- and then to search,
match, identify and log the presence of these consumers/citizens at this or
that place --  our culture will inevitably get more constipated and the
freedom of our anonymity will be cramped (albiet, a protected place may be
"safer," as some will argue.)

	Hey, no one said the future was going to be easier to live than the
past;-) This record-keeping has been an obsession of modern governments
since the French Revolution, and only if we keep explaining and making the
impact of the technology a political issue -- as in the way
computer-monitoring can cut the cost of a $70,000 typical wiretap to a few
dollars, vastly increasing the capability of government to listen to more,
quite cheaply -- can citizens grasp what is at stake and strive to defend
themselves and the next generation.

	Random thoughts, shared for comment.

	Suerte,
		_Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.

 *     Vin McLellan + The Privacy Guild + <vin@shore.net>    *
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548