This kind of biometric security is getting a bit ridiculous. It would be different if it was done in a secure way, and by that I mean secure in the sense that the person who provides the biometric data had the ability to secure it wherever it went. This could absolutely be done, but the reason it's not is that companies totally want to gather this data from people and then sell it to other companies for machine learning and other purposes. Same with our government that wants to gather this kind of data.
It would be quite straightforward to make your biometric identity a public private key kind of setup. Companies have access to your public key and you yourself carry your private key as some sort of physical identification that is unlocked with a two-factor method. This way any physical biometric thing is done on a device you own that could be mandated to be open technology completely auditable to be secure and all you do is use your physical doodad to interface with their thing to authenticate that yes you are the private key holder for this given public key.
It would be much more secure than identification cards that we have now such as driver's licenses or passports. It would also be far more secure than the biometric style authentication they want to do now with them essentially owning a copy of your biometric data. But there is no profitability in true security and privacy for the citizens.
Worth remembering the US Army built a biometric database of Afghan officials (police officers included) and they lost control of it to the Taliban. They sold it as a "for your own safety", and now it's a kill list.
- "The biometrics initiative was initially tested in 2002. Its goals then were to prevent criminals and Taliban insurgents from infiltrating the Afghan army and police force[...]"
- "The Taliban may also be using the Afghan government’s biometric-based ID card known as the Tazkira to track and target people, Ramanjit Singh Chima, Asia Pacific Policy Director at Access Now, told news agency Reuters."
- "Particularly at risk are individuals in central positions in the Afghan military, police and investigative units."
The main issue there is that the mantra "something you know, something you own, something you are" is completely wrong in the authentication context. The issue there is that the biometric “something you are” cannot be revoked and also depends on the relying system having some kind of secure path to whatever sensor measured it. So in the end, as authentication it is only useful as a convenience feature (e.g. how TouchID/FaceID works on Apple platforms). Identification is another thing and obviously biometrics are useful there, but well, there are not that many ethical uses for a system that does identification without authentication.
Seems like the key issue here is this: what is the purpose of conducting the authentication? In the case of personal accounts, it's for the benefit of the individual. They get their own account to safely store personal data. Here, the individual management of biometric authentication devices, as you described, is a great thing. A passkey can be generated without exposing biometric data. The individual has the responsibility and incentive to keep their devices secure.
But the above article is an example of the opposite case, where the authentication is for public security. In this situation, the individual cannot be entrusted with their own auth, so if each person were to use their own device, it would need to be quite tamper-proof. Seems far simpler at this point to do face / fingerprint auth, where the security guard ensures that no one is wearing a mask or fake finger. Yes, there is the concern that the bio-data could be stolen / misused, and for that reason I think that bio-auth for public safety should be limited to a single standard type (e.g. face), with the others being reserved only for private auth. That way, a compromise can be reached between public safety and individual privacy.
> It would be quite straightforward to make your biometric identity a public private key kind of setup.
How would that work? Maybe the biometric part acts as a domain name from which the public key might be downloaded? Who is the custodian of face-public key pairs?
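The challenge-response exchange proposed earlier in the thread, including replay rejection and key replacement, as an added Go sketch that is not code from any commenter. The `RelyingParty` type, the user name and the in-memory maps are assumptions, and the on-device biometric or PIN unlock is represented only by a comment.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RelyingParty (hypothetical name) keeps public keys and open challenges.
// No biometric template or private key ever reaches it.
type RelyingParty struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

// Challenge issues a fresh random nonce for the user's device to sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rp.pending[user] = nonce
	return nonce
}

// Verify consumes the challenge (so a captured response cannot be replayed)
// and checks the signature against the currently enrolled public key.
func (rp *RelyingParty) Verify(user string, nonce, sig []byte) bool {
	want, open := rp.pending[user]
	delete(rp.pending, user)
	pub, enrolled := rp.keys[user]
	return open && enrolled && bytes.Equal(want, nonce) && ed25519.Verify(pub, nonce, sig)
}

func main() {
	rp := &RelyingParty{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp.keys["alice"] = pub // enrollment: only the public key is shared
	n := rp.Challenge("alice")
	sig := ed25519.Sign(priv, n) // on the user's device, after local unlock
	fmt.Println("login:", rp.Verify("alice", n, sig))  // true
	fmt.Println("replay:", rp.Verify("alice", n, sig)) // false
	rp.keys["alice"], _, _ = ed25519.GenerateKey(rand.Reader) // rotate key
	n = rp.Challenge("alice")
	fmt.Println("old key:", rp.Verify("alice", n, ed25519.Sign(priv, n))) // false
}
```

Replacing the enrolled public key is the whole revocation step here; a leaked face or fingerprint template has no equivalent operation.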
The Apple and Google pushes for digital IDs are basically that, but support is limited at best since it's depending on 50+ different local governments to get up to speed on all this tech stuff.
More importantly than being outraged over the biometrics invasion (which you should 100% be outraged over), you should be more outraged at the hypocrisy.
Las Vegas runs a fusion center which has some of the most invasive monitoring, capturing, metrics/data collection of most agencies.
They do the following:
- license plate recognition on every intersection.
- microphones through the city which listen to conversations
- drones which fly into and above people’s back yards.
- Weaponized drones, i.e. fly drones into windows to break them, or people to stop them
- thermal imaging of people’s houses and backyards.
- facial ID against social media from cameras, as well as NCIC and more.
- they have fake social media profiles they use to follow pages, groups, individuals suspected of bad behavior
- they purchase PI from brokers en masse and run against it.
- they probably have more cameras than almost any city in the US.
- they have taps into all casinos’ cameras and microphones.
… these are the same officers who are upset over the new facial ID policy.
Here’s a brief news clip. But I also know these details because I’ve seen them first hand.
AI is already being used to keep out fans they don't want, they don't need them to submit photos or give permission[1]. In addition to being a vastly smaller and harder to replace group than fans, police are also far more organized than fans. That's the only reason they are being asked.
This is the same police union that’s argued that releasing the names of police formally accused of misconduct is a privacy violation, their concern for privacy does not extend further than the ranks of their union and certainly not to the broader citizenry.
The title confused me because here in Germany the police are civil servants and they generally don't have a right to strike or just choose not to do their job as they're an executive organ of the state but apparently here the police is just.. side hustling?
"conversations with officers “making them very well aware of what they’re agreeing to.” But the decision may come down to what individual officers are comfortable with, Grammas said. Overtime security work is not mandatory for officers, but voluntary."
Maybe it's a cultural thing but blurring the line between an officer in their public capacity and what is basically private security at a sports event should be two separate things. Hiring the police out as a private security force where they then get to negotiate what rules they have to play by has a Judge Dredd vibe to it.
Often at large private events the city will require a certain number of police, that the host must hire. And they can only hire from local departments that have worked out these deals letting officers do this on their own time, but in uniform.
> Hiring the police out as a private security force where they then get to negotiate what rules they have to play by has a Judge Dredd vibe to it
The work is voluntary overtime work.
They're not forced to accept voluntary overtime work. It's an optional thing they can choose to do above and beyond their base job, if the pay and terms are interesting enough.
I don't see why it's a problem. What are the alternatives? Forcing police to do security for private events inside of private venues as part of their job?
Yeah, this is super common here in the US. Off-duty cops are in demand as security guards and they can work in uniform, which to me is all kinds of weird. You can literally "rent a cop" (an expression used as a joke about mall security guards who are typically not cops at all) this way, complete with full police powers.
They are probably more annoyed that it will be harder to pull off no-show or low-show details.
These are usually pretty sweet overtime or moonlighting gigs, and where there’s a sweet gig for cops, there’s always an asshole or two ready to milk it.
They don’t sell data, they just collect it to target relevant ads. If you can find an instance of them (or Google) actually selling data to brokers, please share.
elmerfud|1 year ago
perihelions|1 year ago
https://www.independent.co.uk/tech/taliban-afghanistan-biome... ("Taliban likely to have access to biometric databases of Afghan civilians who helped US" (2021))
akira2501|1 year ago
There is no repudiation, attestation or key rotation in this setup, with all the attendant problems that creates.
dfox|1 year ago
lucaspfeifer|1 year ago
adolph|1 year ago
crooked-v|1 year ago
digi59404|1 year ago
https://www.fox5vegas.com/video/2023/11/14/fox5-takes-an-ins...
codedokode|1 year ago
xnyan|1 year ago
[1]:https://www.nytimes.com/2022/12/22/nyregion/madison-square-g...
HillRat|1 year ago
blackeyeblitzar|1 year ago
enricotr|1 year ago
Barrin92|1 year ago
lokar|1 year ago
It’s weird, and often sort of extortion
Aurornis|1 year ago
xp84|1 year ago
susiecambria|1 year ago
Spooky23|1 year ago
jarsin|1 year ago
121789|1 year ago
codedokode|1 year ago
acchow|1 year ago