Fingerprint technology is unsafe as a security measure claims leading cyber crime and compliance expert

121019_fingerprint_machine_lgThere are growing concerns among data protection experts that current safeguards in place for the collection and storage of fingerprints is deeply flawed and are likely to be in breach of the forthcoming EU General Data Protection Regulation, expected to be approved in 2015.

At the convention of Chaos Computer Club, a computer hacker known as “Starbug” claims to have cloned the thumbprint of German Defence Minister Ursula von der Leyen simply by using a standard smartphone and other pictures taken of her when she spoke at a conference recently.

Fingerprint identification is a commonplace security measure. It’s used on Apple and Samsung devices and was recently used to identify voters at polling stations in the Brazilian presidential elections in 2014.

Such technology can’t now be considered safe and those organisations, public bodies and companies that use such devices are strongly advised to carry out a Data Protection Impact Assessment (DPIA) as a matter of urgency.

Martin Hickley, a leading cyber-crime and data security expert in the UK warns: “Biometric data such as fingerprints may have been considered ‘fool-proof’ but advances in technology have now put a massive question mark over the use fingerprint technology as such data can now be easily replicated.

“Remember this – once a finger print has been stolen, it’s been stolen for life,” warns Martin Hickley.

“We’ve rapidly reached the point where identity theft has far-reaching consequences not just for the individuals concerned but for data controllers and data processors that now face significant financial penalties not to mention negative media interest where data breaches are on a massive scale and adequate security protection hasn’t been put in place,” he adds.

Children fingerprintMore alarming for millions of parents is that around 50% of all secondary schools in the UK use biometric technology as a means of identifying pupils for registration and other purposes.

Recent research showed nearly a third of all such schools failed in their duty to seek parental consent before introducing such a system and have created a culture where children as young as 12 years-old think it’s completely normal to share their identity in this way without fully understanding how secure their data is being stored.

The figures are based on Freedom of Information request returns from 1,255 schools to the civil liberties campaign group Big Brother Watch with the group warning pupils will grow up believing “it’s normal to be tracked like this all the time”.

The most common uses of the system are at meal-times where head teachers claim it can be a more “discreet” method of ensuring those pupils entitled to free school meals get them as well as removing the need for children to carry cash as an online account usually through Parent Pay or other similar systems link the fingerprint to money in the account.

Based on the FOI returns in September 2014, Big Brother Watch estimates 1.28m pupils have been fingerprinted. Of those surveyed, an estimated 31% didn’t consult parents before using biometric technology from September 2014.

“Going to school shouldn’t mean kids are taught that they have no privacy, especially at a time when we are sharing more data about ourselves than ever before,” warns Nick Pickles, director of Big Brother Watch.

“Fingerprinting them and tracking what they do might save some admin work but the risk is pupils think it’s normal to be tracked like this all the time. Schools need to be transparent about what data is being collected and how it’s being used.

“Parents will be rightly concerned to hear so many schools didn’t seek their permission to fingerprint their children while pupils may not have been made aware they now have a legal right to ask to use a system that doesn’t require a fingerprint to be taken.”

Malcolm Trobe, deputy general secretary of the Association of School and College Leaders that represents secondary school heads defended the use of fingerprint technology in secondary schools.

“It’s significantly easier for schools to use this system in a number of ways – for example for taking books out of libraries and paying at meal-times. Most kids don’t lose their fingers whereas losing cards is far more likely. This cuts down on the need for youngsters to carry cards. Children can also have their cards stolen or be bullied for them,” says Malcolm Trobe.

The system also meant pupils entitled to free school meals no longer had to present a card which could identify them to other pupils and therefore saves them from any potential embarrassment.

Although such arguments on the surface appear perfectly reasonable, they ignore the substantive issue of data protection where the risks outweigh the benefits.

“The ICO must now act to provide schools with better guidance about the use of such technology and how it needs to be made much more secure than at present,” adds Martin Hickley.

On its website, the ICO provides the following guidance:

“Some schools are collecting fingerprints for registration, library book borrowing and catering. However, some people are concerned about their fingerprints being used in this way. The Data Protection Act says that personal data (in this case fingerprints) must be fairly obtained. In other words, the school should ensure that pupils are fully aware of the implications of having their fingerprints taken before doing so. Depending on the level of understanding of the pupils, this may need to involve their parents.

“Schools should explain the reasons for needing to collect fingerprints, and how the fingerprints and any other personal details will be used and kept safe. Schools should respect the wishes of pupils and parents who object to school fingerprinting, especially where a card can be used instead of a fingerprint.”

Parents should also raise questions from schools that deploy fingerprint technology in order to ensure that they have undertaken a recent DPIA and are confident that they have implemented sufficient safeguards to protect children’s data.

In addition, parents should check that written consent has been obtained and this is capable of being withdrawn at any time.

In circumstances where the school can’t provide adequate assurances, then parents are free to withdraw any previous consent and the school is under a legal obligation to put in place alternative arrangements.

Leave a reply