Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:”

It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).

The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.

So first, I’m excited to see this. I think single-purpose credentials are important.

Second, I have a couple of technical questions.

  • Why a fingerprint versus a photo? People are good at recognizing photos, and a photo is a less intrusive mechanism than a fingerprint. Is the security gain sufficient to justify that? What’s the quantified improvement in accuracy?
  • Is NFC actually anonymous? It seems to me that NFC likely has a chip ID or something similar, meaning that the system is pseudonymous

I don’t mean to try to allow the best to be the enemy of the good. Not requiring ID for drinking is an excellent way to secure the ID system. See for example, my BlackHat 2003 talk. But I think that support can be both rah-rah and a careful critique of what we’re building.

Another personal data invariant that varies

Just about anything a database might store about a person can change. People’s birthdays change (often because they’re incorrectly reported or recorded). People’s gender can change. One thing I thought didn’t change was blood type, but David Molnar pointed out to me that I’m wrong:

Donors for allogeneic stem-cell transplantation are selected based on their HLA type (tissue type), and not on their blood type. Therefore, it is quite common that the donor and patient have different blood types. The blood type is determined by the red cells. After transplant and bone-marrow recovery the red cells will come from the donor and have the donor’s blood type. As an example, if the patient is blood type A, and the donor is blood type O, the patient after transplant will become blood type O. The long-term outcome of an allogeneic stem-cell transplant is affected only to a small degree by the blood types of the donor and recipient. If an ABO difference exists, the transplant itself may create some technical difficulties, but these can be easily overcome. Red-cell recovery may be delayed after such transplants, and the patient may need support with red-cell transfusions for a prolonged period of time. More importantly, the patient should be aware that the blood type has changed or will change, and that old blood type cards are no longer valid. IBMT will provide you with a laminated card that indicates that your blood type may have changed. After your bone-marrow function has fully recovered, you may receive red cells of your new blood type. During the transplant process, usually red cells of blood type O are used, since these can be used for any patient (universal donor).
(“Indiana Blood and Marrow Transplantation“)

David continues:

The Seattle Cancer Care Alliance is the #1 by volume in the U.S and does several thousand per year. So that means several people per day are having their blood type changed right here in Seattle.

Does your database and e-health record support updating your blood type record?

Makeup Patterns to hide from face detection

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities.

face-detection.jpg

He writes:

My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to protect individual privacy for everyone.

[...]

What will these forms look like and how well will they integrate into our cultural expectations of body decoration while still being able to function as face detection blocking devices? How can hats, sunglasses, makeup, earrings, necklaces or other accessories be modified to become functional and decorative? These are the topics that I’ll be exploring in thesis on CV Dazzle.

Very interesting stuff in Adam Harvey’s CV Dazzle Makeup blog posts. I think everyone will be wearing them in the future.

Biometric Fail reported

A South Korean woman entered Japan on a fake passport in April 2008 by slipping through a state-of-the-art biometric immigration control system using special tape on her fingers to alter her fingerprints, it was learned Wednesday…

During questioning, the woman allegedly told the immigration bureau that she had bought a forged passport from a South Korean broker who told her to purchase an air ticket for Aomori Airport.

The woman also was quoted as saying that the broker gave her the special tape with someone else’s fingerprints on, and that she slipped past the biometric recognition system by holding her taped index fingers over the scanner.

So reports the Yomiuri Shimbun, “S. Korean woman ‘tricked’ airport fingerprint scan.” The story doesn’t mention a name, but if anyone has more details, I’d love to know more.

[Update: DanT has some interesting speculation in the comments about both operational aspects of the entry being an inside job, and that the bureaucracy in question would re-assign the insider rather than prosecute.]