April 12, 2005

How much is your finger worth?

Adam points at the story of the S-Class Mercedes owner who lost his finger. The finger now makes a comeback in the fight against poorly thought out biometrics.

(Links: BBC, Scheier, German commentary, bigger)

The problem with the biometrics push is as always poorly thought out risk scenarios. If I as a corporate decide that all my employees will make their fingers available to the juggernaught of corporate security, that's fine, as within that world, we have a strictly contained risk analysis. The fingers are at risk, and these risks are offset against the rewards and risks of the corporate. Frankly, there ain't nothing in my corporate offices that's worth a finger.

But it changes when we get into a federated scenario. If my system is being used by some other corporate, my risk analysis is broken; even if I calculate that requiring my employees to use fingerprints to gain access to offices is a good risk, I cannot calculate the risks involved if the local bank starts using my biometrics system to issue banking products to the fingerprints of my employees.

And when national governments start working the biometrics genie, it shifts the risk unreality up several more notchs. The governments are calculating vague and unspecifiable benefits in some "war against today's enemy" but what they cannot calculcate is the risks involved with the use of the system in ordinary businesses.

We see this writ large in the US. Initially, social security numbers were only to be used for ... social security. Then it was tax. Then, employee identification... and loans and credit and banking accounts and ... well, everything. The system was designed with an assumption of one use only; which just marginally made it acceptable from a security risk analysis.

Use by others might be termed federated security, but from a risk analysis point of view it looks more like parasitic security, and if the fraud by impersonation (a.k.a. identity theft) example of the USA is anything to go by, nobody would adopt that risk knowingly.

Posted by iang at April 12, 2005 08:11 AM | TrackBack
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.