Sticky Fingers
The article “A Touch of Money” [July] does a great job of
outlining the huge potential for biometrics, but it
glosses over significant privacy and security concerns.
A key issue is that unlike passwords, biometric readings
are slightly different each time you measure them. To
deal with the variations, most systems store biometrics
“in the clear,” as opposed to the hashed or encrypted
form that passwords are stored in. Consequently, if the
current paradigm of using biometrics becomes widespread,
a copy of your iris, fingerprints, and other biometrics
might be stored at every business you ever visit,
including your gas station and your bank.
With almost weekly news of Social Security numbers,
credit card numbers, and other personal information
being stolen from government or commercial databases,
how long will it be before we start to hear about
biometric databases being compromised? These are exactly
the sorts of issues that led to the controversy over the
initial plan for adding biometric information to the
U.S. electronic passport. As the American Civil
Liberties Union argued, “A counterfeiter, therefore,
could copy the data on a passport holder’s chip and
reproduce it exactly. The data skimmed from a passport
could also be used to forge a duplicate of the actual
physical passport.”
Theft of passwords and credit card numbers is bad,
but at least you can always cancel your credit card or
change your password. But if your fingerprint, your
iris, or some other biometric is effectively your
password, what do you do when that biometric record is stolen?
There are a number of techniques researchers are
exploring to address these issues, some of them
developed by us at Mitsubishi Electric Research Labs.
Unfortunately, however, the authors of your article
dismiss the security and privacy issues in one sentence:
“First of all, it is unlikely that a thief could recover
your fingerprint data, because it is encrypted and
stored on a flash memory chip that very, very few
thieves would have the resources to access and decrypt.”
The promise of simple, cheap, encrypted hardware has
been made many times before, but both the scientific
literature and the popular press have documented the
resulting security failures. One classic example is the
DeCSS fiasco that occurred when a Norwegian teenager
soon cracked the code of movies encrypted and stored on
“secure DVDs.”
Although biometrics have a huge potential, there are
real security and privacy concerns that must be
addressed. If we don’t find a secure biometrics
technology that meets these privacy and security issues,
then instead of ending identity theft, biometric data
will simply become more pieces of personal information
that can be stolen.
Emin Martinian
IEEE Member
Boston
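The storage problem raised in the letter above, as an added example (not part of the letter, and not the Mitsubishi Electric Research Labs techniques it mentions): a plain hash fails on a slightly different reading, while a fuzzy commitment (Juels and Wattenberg), built here with a toy 5x repetition code, stores only a helper string and a key hash instead of the template. The 320-bit vectors, the seed and all function names are constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

REP = 5  # repetition code: each key bit is repeated 5 times, so 2 flips per block are corrected

def digest(bits):
    """SHA-256 over a list of 0/1 values."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    blocks = (code_bits[i:i + REP] for i in range(0, len(code_bits), REP))
    return [int(sum(block) > REP // 2) for block in blocks]

def enroll(template):
    """Return (helper, key_hash); the template itself is not stored."""
    key = [secrets.randbits(1) for _ in range(len(template) // REP)]
    helper = [t ^ c for t, c in zip(template, encode(key))]
    return helper, digest(key)

def verify(reading, helper, key_hash):
    """Recover the key from a noisy reading and compare hashes in constant time."""
    key = decode([r ^ h for r, h in zip(reading, helper)])
    return hmac.compare_digest(digest(key), key_hash)

def noisy(template, flips):
    """Constructed second reading: same trait, listed bit positions flipped."""
    return [b ^ (i in flips) for i, b in enumerate(template)]

# Constructed sample data: 320-bit "feature vectors", not real biometric output.
rng = random.Random(2007)
TEMPLATE = [rng.randrange(2) for _ in range(320)]
READING = noisy(TEMPLATE, {3, 11, 12, 58, 140, 141, 319})  # same person, 7 bits differ
IMPOSTOR = [rng.randrange(2) for _ in range(320)]           # unrelated person

if __name__ == "__main__":
    print("plain hash matches:", digest(READING) == digest(TEMPLATE))
    helper, key_hash = enroll(TEMPLATE)
    print("same person verifies:", verify(READING, helper, key_hash))
    print("impostor verifies:", verify(IMPOSTOR, helper, key_hash))
```

The repetition code is chosen for brevity; its helper string still leaks relations between template bits, so practical designs use stronger codes and account for that leakage.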
The article correctly points at the too frequently
ignored fact that most authentication systems “do not
authenticate your identity but rather your knowledge.”
It does not, however, state clearly that there are two
questions to answer at each authentication: “Are you
entitled to operate the transaction?” and “Are you
operating it of your own free will?”
Biometric identification answers the first question
but is poorer than properly used knowledge-based
authentication at the second. If the second question is
not answered properly, crimes will not really decrease,
just change in nature and dynamics. How much will this
cost individuals and social communities?
Federico Massaioli
IEEE Member
Rome
Wing Interview
Having read “Q&A With Jeannette Wing” [Spectrum Online,
July], I ask: What does it take to change the culture?
The donation to the National Science Foundation is
great, but I think that more solid support from
industries that will one day employ those students is
important in the effort to change the culture of
American schools. It would take not only financial
investment but also early involvement in schools and
science- and math-related programs. As a student in a
low-income community school, I want to know what
industries or companies are willing to help my fellow
students and school. We are waiting for a change.
Osman Kasimmisak
San Diego
Catch That Car
In “Ring of Steel II” [News, July], there is one major
challenge: the police are reading license plates or
taking MPEG videos of the license plates and sending
large amounts of data to control centers for processing.
Instead, they could make bar codes for the license
plates and use them as a more efficient means of data
transfer; a small sensor could do the job faster and
more concisely than current methods. This implementation
could provide a more effective and secure way of
tracking information.
Keeranmai Mandava
Bangalore, India
Sic Transit Gloria
I read parts of the “Famous People” article by Robert W.
Lucky [Reflections, July], in which, while discussing famous
engineers, he wrote: “Arguably, the transistor was the
greatest invention of the last century.” Arguably, the
most famous—or infamous—person associated with the
invention of the transistor was not an engineer at all,
but a physicist: William B. Shockley, also from Bell Labs (http://www.time.com/time/time100/scientist/profile/shockley.html).
Joseph Roy D. North
Austin, Texas
Dealing With the DMCA
As both a technologist and a musician with six
copyrights, I have a mixed opinion about the Digital
Millennium Copyright Act [“Death by DMCA,” June] issue.
I dislike overly restrictive or poorly thought-out
protection schemes as
much as anybody, but the last thing I want to experience
is sitting down at a restaurant or on a train somewhere
and hearing my music coming over Muzak or out of an iPod
and knowing that I never released it. Or, worse, hearing
it and seeing someone else take credit for it. Or, still
worse, having to pay someone I never met to hear my own
music because he decided to put his name on it.
Without some form of protection, all of those
situations are possible (and probably have happened).
Although I play live regularly, I have held back from
putting my music out there in any other form because I
don’t want to experience those scenarios.
I would have thought a community that abhors academic
plagiarism as much as this one does would have at least
understood the concerns of the people who create music
and other copyrighted material. A solution needs to be
found, but simply faulting the content owners and
creators is itself as wrong as inappropriately limiting
use of the material.
Lee Allen
IEEE Member
Sunnyvale, Calif.
Readers are invited to comment in this department on
material published in IEEE Spectrum and on matters of
interest to engineering and technology professionals.
Short, concise letters are preferred. The Editor reserves
the right to edit letters and limit debate. Contact: Forum,
IEEE Spectrum, 3 Park Ave., 17th floor, New York, NY 10016,
U.S.A.; fax, +1 212 419 7570; e-mail, n.hantman@ieee.org.