Fingerprints, Really?
Posted in privacy, infosec
The post COVID-19 lockdown period we are currently in here in the UK has led to many new experiences all round, but today I experienced one from the most unlikely of sources, in a way I never expected.
The introduction of the track and trace system by the NHS has left me with many security and privacy concerns floating around in my head. The news from the government the other week that they were finally adopting Apple and Google's decentralised APIs for contact tracing in the official app was welcome indeed, but the interim system of it all being done over the phone has been far from ideal. I already know of at least one confirmed case of a phishing call claiming to be from the NHS Track & Trace team attempting to extract personal details, and with so much information on offer and people so afraid of everything that's going on, I don't think it'll be long before we see more of this type of scam appearing.
The re-opening of pubs has also presented a huge can of worms for data protection, as pubs are required to keep the name, address, and contact details of the lead member of a group of people, with many venues deciding they need to keep it for everyone just to be certain. This presents some pretty obvious questions:
- What is the final scope of the data?
- How is that data stored?
- How long is it kept for?
- Who is responsible for ensuring it is securely destroyed when it is no longer relevant?
Whilst all of these are important individually, even as somebody who takes their privacy very seriously and often lambastes others over their lax practices, I am willing to put all those concerns aside in the public interest whilst a better system is under development.
All that, however, is probably a topic for a separate article, because what I came across today was so unexpected and out there that I initially didn't believe it, and I have since been unable to stop thinking about it, as well as being bemused at people's responses.
So what, I hear you ask, is so heinous? Well, a venue I regularly go to for a community event also takes the form of a nightclub by evening. They have decided that the best way to do track and trace is to sign everybody who comes in up to their door ID system, something I had not previously been aware of, having never been to the venue in an evening. This system validates your government-issued ID, cross-checking the details on it, and verifying through the use of a doorman that it belongs to the person presenting it. The name and date of birth are then dutifully stored alongside a fingerprint, so they can be recalled in the future and avoid the need for ID. A brief conversation revealed this to be a system called Scannet, made specifically for the nightclub industry.
Now, I'll confess, my initial reaction to this was "huh, that's pretty neat". It certainly wasn't a system I wanted to be a part of, but from a technical standpoint it has some merits as a quick, reliable way to assert somebody's identity. The big question I had was: "What happens if you don't wish to provide a fingerprint?" After all, biometrics are some of the most sensitive data we can readily provide, if only for the fact that we have no way of changing them. A cursory search of the Information Commissioner's Office site revealed that biometrics used for identification are a special category of data afforded extra protection by the GDPR. They also link to an opinion from the Article 29 Data Protection Working Party, which helped draft the legislation, providing specific examples for membership services using biometrics:
In the absence of other alternative legitimate grounds, a biometric authentication system could be used to control access to a video club only if the customers are free to decide whether to avail themselves of the said system. This means that alternative, less privacy-intrusive mechanisms must be made available by the movie club owner. Such a system will permit a customer who is unwilling or unable to undergo fingerprinting because of his/her personal circumstances to dissent. The sole choice between not using a service and giving one’s biometric data is a strong indicator that the consent was not freely given and cannot be considered as legitimate ground.
-- 00720/12/EN WP193, Opinion 3/2012 on developments in biometric technologies, Page 11
I think it is pretty clear from this quote alone that an alternative to biometric identification must be provided in cases such as this. The opinion also provides plenty of additional examples agreeing with this interpretation, as well as some examples of when providing an alternative would not be considered necessary, for example in the control of hazardous materials such as pathogen samples.
After checking myself to make sure this wasn't just a tinfoil hat incident, as I seem to be particularly prone to, which this admittedly cursory research seemed to support, I decided to ask if there was an alternative. Now, given what I've learnt so far, and knowing some members attending this event may be considered vulnerable or may not wish to be later identified, I assumed I would get a reasonable and proportionate response with the possibility of sensible discussion around what could be done.
The response I got from the event organiser and venue owner, whom I am choosing not to identify as it is not relevant to the larger discussion, was not what I would call satisfactory. I am including the full message for the sake of transparency:
No, it’s our operational policy and governed by GDPR, if people don’t like it, we say thank you but no thank you and turn them away.
A lot of big clubs use the Scannet ID system. It also takes a photo of you as you enter to ensure you're who you say you are. It also stops people using other ID to gain access.
We’ve over 38,000 people on there to date and it’s been in operation with the business for 3 years.
Now, there are a number of issues with this statement, which I shall address:
- Despite a request for the full policy showing GDPR compliance, none was provided. Additionally, applying the logic from the working group opinion, it would not be possible for this policy to comply with GDPR, as consent cannot be provided as a legitimate ground for processing due to a lack of genuine choice.
- In my 4.5 years as a near full time event technician, I have never encountered such a system at any other venue, but I don't club much so will concede this point.
- The photo simply proves after the fact who it was if a comparison can be made. Some level of facial recognition may also be performed on the official ID presented to match against a live feed, but that was not clarified, and would further be subject to the opinions of the working group above.
- A fingerprint does not stop somebody using a false ID to gain entry. The only assertion that can be made is it is the same person returning as first presented the ID, and the ID has not been used before if OCR/RFID scanning is performed on it.
The last point I will address separately, as it deserves further consideration. 38,000 enrolments is a lot of biometric data, making it a pretty valuable target security-wise. The Scannet website provides little to no information about how this is stored, although given it is a future matching system it will have to store a trained model to compare against in the future. I do not know enough about biometrics to know how this can be done, so I shall accept on trust that this is a one-way hash system that cannot be reverse engineered to a full image. Even assuming good faith, though, it is still a lot of personal data and official ID on file, and at some point in this process the scanner will need to acquire a full scan image in order to perform the hashing and comparison.
The large number does, however, call into question the retention time of this data: how long is it considered appropriate to keep a copy of somebody's ID, photo and fingerprint on file after they last visited a venue? What audits are in place to ensure that if somebody hasn't visited the venue in a number of months their data is securely destroyed? If the data is kept for so long, what limits the scope it can be used for to just the original purpose, as per GDPR?
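The retention and purpose questions above are the ones a venue operator could actually answer with a scheduled check. What follows is an added example written for this post; it is not Scannet's code and nothing is known about how that system stores or expires records. It assumes a hypothetical enrolment table with one row per person (the scanned details plus the date of the last visit) and a written retention policy expressed as a maximum number of days since that visit, with the policy value and all sample records constructed for the example.

```python
"""Retention audit and purge for a hypothetical door-ID enrolment store.

Added example, not part of the original post and not Scannet's code.
The table layout, the 180-day retention value and the sample rows are
all assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Enrolment:
    record_id: str
    name: str
    date_of_birth: date
    fingerprint_template: Optional[bytes]  # whatever the scanner stores for matching
    photo: Optional[bytes]
    enrolled: date
    last_visit: date


@dataclass(frozen=True)
class RetentionPolicy:
    max_days_since_visit: int  # assumed policy value; set from the written policy
    purpose: str               # the purpose the data was collected for


def is_overdue(rec: Enrolment, policy: RetentionPolicy, today: date) -> bool:
    """True when the record has gone longer than the policy allows without a visit."""
    return (today - rec.last_visit).days > policy.max_days_since_visit


def audit(records: List[Enrolment], policy: RetentionPolicy, today: date) -> Tuple[List[str], List[str]]:
    """Read-only check: which record ids are past retention and which are within it."""
    overdue = [r.record_id for r in records if is_overdue(r, policy, today)]
    within = [r.record_id for r in records if not is_overdue(r, policy, today)]
    return overdue, within


def purge(records: List[Enrolment], policy: RetentionPolicy, today: date):
    """Drop overdue records entirely and return (remaining records, purge log).

    The log holds only the opaque record id, the date and the reason, so the
    deletion itself can be audited later without retaining the name, date of
    birth, photo or template it is supposed to remove.
    """
    kept, log = [], []
    for r in records:
        if is_overdue(r, policy, today):
            log.append({
                "record_id": r.record_id,
                "purged_on": today.isoformat(),
                "reason": f"no visit for more than {policy.max_days_since_visit} days",
            })
        else:
            kept.append(r)
    return kept, log


def use_permitted(policy: RetentionPolicy, requested_purpose: str) -> bool:
    """Purpose limitation: data may only be used for the purpose it was collected for."""
    return requested_purpose == policy.purpose


# Constructed sample data: the ids, names, dates and byte strings are invented.
POLICY = RetentionPolicy(max_days_since_visit=180, purpose="venue entry control")
TODAY = date(2020, 7, 10)
RECORDS = [
    Enrolment("A", "Alice Example", date(1990, 1, 1), b"\x01\x02", b"\xff",
              date(2020, 1, 10), date(2020, 6, 30)),   # 10 days ago: within policy
    Enrolment("B", "Bob Example", date(1985, 5, 5), b"\x03\x04", b"\xfe",
              date(2018, 3, 3), date(2019, 12, 1)),    # 222 days ago: overdue
    Enrolment("C", "Cara Example", date(1995, 9, 9), b"\x05\x06", b"\xfd",
              date(2019, 11, 11), date(2020, 1, 15)),  # 177 days ago: still within
]

if __name__ == "__main__":
    overdue, within = audit(RECORDS, POLICY, TODAY)
    print("overdue:", overdue, "within policy:", within)
    remaining, purge_log = purge(RECORDS, POLICY, TODAY)
    print("records remaining:", [r.record_id for r in remaining])
    print("purge log:", purge_log)
    print("marketing use permitted?", use_permitted(POLICY, "marketing"))
```

The split between `audit` (read-only) and `purge` (destructive) is deliberate: the read-only report is what you would run first to show a regulator or a data subject how many records sit past the window, and the purge log is the evidence that the deletion happened without itself becoming another copy of the personal data. The third record sits three days inside the window to show the boundary is applied as "strictly more than N days".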
Some of these questions I put forward in the group chat, only to be told by several others that this was the system and that's how it was going to operate. It was at this point I decided that I had been directed towards the door, and it was time for me to use it, which I did with great regret, as I consider many of the people I only see in that group as friends. I remained amenable and invited those involved to discuss it further in a more appropriate setting outside of the main group; as of the time of writing I have not been approached. The issues raised above may well have been resolved after I had decided to leave, but I would not have seen them.
This whole incident, though, has raised one bigger question in my mind. If businesses are collecting all this information specifically against the laws that have been put in place to protect consumers, and are unwilling to listen when the issue is raised, then what power do we have to alter them? Yes, I could approach the ICO with my concerns, and they may well take action, although that seems unlikely and would involve a significant amount of time and energy on my part. If action was taken, what would be the ultimate outcome? If I were to hazard a guess, in this case I would be barred from the venue, or if not, certainly unwelcome back there, somewhat defeating the purpose of the point I was trying to make. Ultimately, even with the law behind us, we have no real power to control our data here.
The irony of all this is that if there hadn't been a debate and just a simple "oh, we can do it this way", I probably wouldn't have cared. My grief is not with the system itself, which, as I said earlier, I thought was pretty cool; it was with the complete lack of choice over what data I can choose to give. Even just the choice of a simple opt-out with an alternative system, as recommended, would have solved all of the issues. Instead, I now find my position within the group untenable, and as such have had to walk away from a group I care about.