I very rarely write about anything to do with work; usually I intentionally avoid topics that relate to it, but I feel that it is my moral duty to provide information should people look for it. I’d also like to defend the system I wrote, which doesn’t seem to be happening in the media.
Firstly, I feel people should know a little about the background before they read the actual article:
1) I disagree with ID cards and biometrics as a requirement for things: there should be no reason you need to constantly prove who you are, and you should always have a choice to avoid needing to prove your identity. Maybe you will lose some benefits that you would have gained, but there should never be an infringement of your rights, nor should anything be made more difficult than it is now.
2) I’m the programmer of a cashless catering system that allows fingerprinting students and using their finger instead of carrying the equivalent of a debit card. I’m responsible from a technical standpoint for how it works underneath (although we buy in the algorithm that analyses the image of a fingerprint coming from the reader and works out which bits we’re interested in). Yes, I write one of those systems that is being both criticised and is massively in demand right now for various reasons.
Okay, now that’s out of the way. I see a lot of publicity about the fingerprint systems in use today; I will leave the other companies and people involved to defend their own systems, but more than likely they are using a similar technique to the one I have used, simply because it’s easier.
I’ll start by explaining why I believe the system I wrote isn’t a threat to privacy, then I’ll add what we’re going to provide shortly to ENSURE it isn’t a threat to privacy where the customer (usually the student) wants that, and we’ll cover why I think our system benefits from having support for fingerprints.
How the System Works, and How it Protects the Fingerprint
The system I developed does not store a fingerprint. We really don’t want to store one - we don’t want to have to comply with police requests for a forensically valid database of fingerprints. It shouldn’t be our responsibility, and the student didn’t give us their fingerprint for that reason. What is needed for criminal forensics is an image of the fingerprint; anything less leaves doubt, and our system deliberately introduces that doubt in favour of:
- Lower storage requirements
- Lower memory requirements
- Accuracy of detecting the closest fingerprint (note: not the exact person, but just the most similar)
- A degree of privacy.
To achieve this we store relative points on the fingerprint and discard data that applies specifically to the person’s fingerprint. Techie bit: we also cryptographically hash the details where possible, so there’s no way to get back from the stored data to the original values and generate a fingerprint that would pass as the original; you can read up on one-way (cryptographic hash) functions on Wikipedia or elsewhere. Basically, if you don’t have the data the hash was made from (the person’s real fingerprint), the stored data is useless.
So what we have is a map that says something like this: “left one unit and up one unit there’s an interesting point that goes up; right two of those distances there’s an interesting point that goes down” – that’s two points, but you get the picture. It’s like street directions, only the directions are stored in a one-way form. The unit of distance isn’t specified either, other than relative to the other distances, so what you end up with is a set of street directions like “Turn left, then turn right, then right again. Turn right, turn left, turn right.” Could you work out what city those directions are for? I hope not. But if you were given a bunch of maps and tried them all, it would only be possible on a few.
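As an added illustration (my own example, not the vendor’s code or the bought-in algorithm), here is one way to build a template in the spirit of the “street directions” above: each point’s nearest neighbours are described only by offsets measured in units of the nearest-neighbour distance and by the turn relative to the point’s own ridge direction, that description is hashed, and only the set of digests is stored. It goes one step further than the text and shows matching too: digest sets are compared and the most similar enrolment wins, not an exact one. The minutia lists, the field names, the two-neighbour descriptor and the account names are all constructed for the example.

```python
import hashlib
import math
from typing import NamedTuple


class Minutia(NamedTuple):
    """One 'interesting point' on a fingerprint: position, ridge direction (degrees), type."""
    x: float
    y: float
    theta: float
    kind: str  # "ending" or "bifurcation"


NEIGHBOURS = 2   # how many nearby points each set of "directions" describes (assumed)
ANGLE_BINS = 8   # ridge-direction differences are quantised to 45 degree steps (assumed)


def distance(a: Minutia, b: Minutia) -> float:
    dx, dy = b.x - a.x, b.y - a.y
    return math.sqrt(dx * dx + dy * dy)


def local_directions(ref: Minutia, others: list[Minutia]) -> str:
    """Relative 'street directions' from one minutia to its nearest neighbours.

    Offsets are measured in units of the nearest-neighbour distance and the
    ridge direction is taken relative to the reference point's own, so the
    description carries no absolute position and no absolute scale.
    """
    ranked = sorted(others, key=lambda m: distance(ref, m))[:NEIGHBOURS]
    unit = distance(ref, ranked[0])
    parts = [ref.kind]
    for m in ranked:
        steps_x = round((m.x - ref.x) / unit)
        steps_y = round((m.y - ref.y) / unit)
        turn = int(((m.theta - ref.theta) % 360) // (360 / ANGLE_BINS))
        parts.append(f"{steps_x},{steps_y},{turn},{m.kind}")
    return "|".join(parts)


def make_template(minutiae: list[Minutia]) -> frozenset[str]:
    """Hash each point's directions with SHA-256; only the set of digests is kept."""
    digests = set()
    for i, ref in enumerate(minutiae):
        others = minutiae[:i] + minutiae[i + 1:]
        digests.add(hashlib.sha256(local_directions(ref, others).encode()).hexdigest())
    return frozenset(digests)


def similarity(a: frozenset[str], b: frozenset[str]) -> float:
    """Jaccard overlap of two templates: 1.0 is identical, 0.0 shares nothing."""
    return len(a & b) / len(a | b)


def identify(probe: frozenset[str], enrolled: dict[str, frozenset[str]]) -> tuple[str, float]:
    """Return the most similar enrolled template (the closest, not necessarily exact)."""
    best = max(enrolled, key=lambda name: similarity(probe, enrolled[name]))
    return best, similarity(probe, enrolled[best])


def capture(minutiae: list[Minutia], scale: float = 1.0, dx: float = 0, dy: float = 0) -> list[Minutia]:
    """Simulate re-reading the same finger at a different size and position on the reader."""
    return [Minutia(m.x * scale + dx, m.y * scale + dy, m.theta, m.kind) for m in minutiae]


# Constructed sample points, not real fingerprint measurements.
FINGER_A = [
    Minutia(10, 10, 0, "ending"),
    Minutia(20, 10, 90, "bifurcation"),
    Minutia(10, 26, 180, "ending"),
    Minutia(32, 30, 45, "bifurcation"),
    Minutia(0, 30, 270, "ending"),
]
FINGER_B = [
    Minutia(5, 5, 30, "bifurcation"),
    Minutia(40, 8, 120, "ending"),
    Minutia(22, 40, 200, "bifurcation"),
    Minutia(38, 44, 300, "ending"),
]

ENROLLED = {"alice": make_template(FINGER_A), "bob": make_template(FINGER_B)}


if __name__ == "__main__":
    # Same finger read twice as large and offset on the reader: identical template.
    again = make_template(capture(FINGER_A, scale=2.0, dx=17, dy=-5))
    print("same finger, rescaled and shifted:", identify(again, ENROLLED))
    # Same finger with one point missed by the reader: still the closest, but not exact.
    partial = make_template(FINGER_A[:-1])
    print("same finger, one point missing:", identify(partial, ENROLLED))
    print("template holds only digests, e.g.", sorted(ENROLLED["alice"])[0][:16], "...")
```

Reading the same finger twice as large and shifted on the reader gives an identical template; losing one point gives a partial overlap that still identifies the closest enrolment. The hash step stops anyone reading the directions off the stored template, but in this toy the descriptor alphabet is small enough to enumerate, so the privacy argument rests mainly on the relative, unit-free encoding having discarded absolute position and scale.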
So it is my belief that our system stores so little of the fingerprint that it can’t be used anywhere else. In reality this causes us business problems, as schools would like to have a single fingerprinting session for all their students, but that’s a trade-off we willingly make.
I won’t go into the protection we apply to the database; if someone wants that, just e-mail me and I’ll cover it. Needless to say, if you turned up on site you shouldn’t be able to just stick a USB key in and copy it without physically getting to the server and entering valid usernames and passwords, which in most circumstances we as a company don’t have and only the school has.
And finally, the last step is that (as far as I’m aware) we require both the student’s and the parents’ permission prior to fingerprinting. In many cases our projects department has helped draft the consent letters the schools send out, and we will provide assistance should anyone not wish to be fingerprinted – or indeed change their mind and want their fingerprints removed from the system!
Measures Being Taken and Who Benefits
To buy a meal you either pay cash (we fully support cash, whether paid into an account or paid at the till by anyone without an account in our system) or swipe a card / place your finger on the reader; the till operator then sees your picture on screen and selects the food you have on your tray. They press confirm sale and you walk off having paid for the meal. If the person is on free school meals (low income family) then nothing is said; the money is just there as if it had been loaded on by the student earlier in the day.
Kids love it! Bullying gets reduced a little! Till staff love it as it’s quick and easy! Catering companies love being able to see easily how much of something they are selling and how much that changed during the year (who would guess that sandwiches get more popular in the summer?). The schools love the fact they don’t handle as much cash – it all goes through an ATM-like machine that eats the money and counts it up for them, or an online service that the parent uses. Parents love it as they can ask what their son/daughter has been eating and see their balance online!
Privacy advocates hate it! Kids that steal dinner money really do hate it (they pass a stolen card over to the till operator, a different picture appears and it’s obvious the card isn’t theirs), and anyone that was stealing from the tills must hate it.
Occasionally the two end up being the same person (a student who objects on privacy grounds), so in that case we can offer a few options:
- The tills accept cards (proximity and magnetic stripe) as well as biometrics, so we can give the students cards if that satisfies their discomfort with using their fingerprint.
- The person can always opt out of the entire system and pay cash, as long as they aren’t on free school meals. If they are on free school meals they pay cash and use a voucher (we support the idea of a voucher sale in our software).
But we just had a request from a parent not to store data about a student. And the school doesn’t want them to just use cash; they want the system to still behave as it does now. But the government needs us to be able to back up our financial transactions!
Talk about contradictory requirements. How do we do this? I’ve not finished the work to do it yet, but I fully intend to find a solution that makes the transaction of the individual totally anonymous:
- We will not store who the sale was made to.
- Or who it was made by, because we don’t want the human operator being asked about it.
- Or on what till.
- We still need to store their name and balance, and financial transactions. So we’ll flatten the financial transactions and have just one transaction for how much they loaded and one for how much they bought.
- If the person is on free school meals they will need to use a voucher and say they are on free school meals at the till. We can give them some paper vouchers they can hand to the till operator. If a person that is marked anonymous uses a voucher, we’ll make two separate entries, one for the voucher purchase and one for the items they were sold. We won’t store the time on the voucher purchase.
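The flattening described in the list above, as an added example (mine, not the vendor’s software; the event layout, the field names, the `anonymous` flag on an account and the pence amounts are all assumptions): raw till events for a normal account are kept as-is, while for an account flagged anonymous the who / by / till / time fields are dropped, loads and sales are collapsed to one total each, and a voucher meal becomes two separate time-less entries. A reconcile step checks that the flattened records still explain every balance, which is what the financial back-up needs.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TillEvent:
    """One raw event as the till records it (constructed layout; amounts in pence)."""
    account: str
    kind: str                 # "load", "sale" or "voucher"
    amount: int
    operator: Optional[str]   # who was on the till
    till: Optional[str]
    time: Optional[str]       # ISO-8601 timestamp
    items: tuple = ()


@dataclass(frozen=True)
class Account:
    name: str
    anonymous: bool = False        # parent asked for no per-transaction data (assumed flag)
    free_school_meal: bool = False


def store(accounts: dict[str, Account], events: list[TillEvent]) -> tuple[list[TillEvent], dict[str, int]]:
    """Turn raw till events into the records to persist, plus each account's balance.

    Normal accounts keep every event in full. Anonymous accounts keep no
    operator, till or time on anything; loads collapse to one record and
    sales to one record, and each voucher meal becomes two separate time-less
    entries (the voucher itself and the items handed over).
    """
    kept: list[TillEvent] = []
    loaded: dict[str, int] = defaultdict(int)
    spent: dict[str, int] = defaultdict(int)
    for ev in events:
        acct = accounts[ev.account]
        if ev.kind == "voucher" and not acct.free_school_meal:
            raise ValueError(f"voucher sale on account {ev.account} not marked free school meal")
        if ev.kind == "load":
            loaded[ev.account] += ev.amount
        elif ev.kind == "sale":
            spent[ev.account] += ev.amount
        if not acct.anonymous:
            kept.append(ev)
        elif ev.kind == "voucher":
            kept.append(TillEvent(ev.account, "voucher", ev.amount, None, None, None))
            kept.append(TillEvent(ev.account, "voucher_items", 0, None, None, None, ev.items))
    for name, acct in accounts.items():
        if acct.anonymous:
            kept.append(TillEvent(name, "load", loaded[name], None, None, None))
            kept.append(TillEvent(name, "sale", spent[name], None, None, None))
    balances = {name: loaded[name] - spent[name] for name in accounts}
    return kept, balances


def reconcile(kept: list[TillEvent], balances: dict[str, int]) -> bool:
    """Audit check: the persisted loads and sales must still explain every balance."""
    totals: dict[str, int] = defaultdict(int)
    for ev in kept:
        if ev.kind == "load":
            totals[ev.account] += ev.amount
        elif ev.kind == "sale":
            totals[ev.account] -= ev.amount
    return all(totals[name] == bal for name, bal in balances.items())


# Constructed sample data: one normal account, one anonymous, one anonymous on free school meals.
ACCOUNTS = {
    "s1": Account("A. Pupil"),
    "s2": Account("B. Pupil", anonymous=True),
    "s3": Account("C. Pupil", anonymous=True, free_school_meal=True),
}
EVENTS = [
    TillEvent("s1", "load", 1000, "pat", "till-1", "2007-09-03T08:05:00"),
    TillEvent("s1", "sale", 250, "pat", "till-1", "2007-09-03T12:31:00", ("sandwich",)),
    TillEvent("s2", "load", 500, "pat", "till-1", "2007-09-03T08:06:00"),
    TillEvent("s2", "sale", 180, "pat", "till-2", "2007-09-03T12:33:00", ("apple", "water")),
    TillEvent("s2", "sale", 220, "sam", "till-2", "2007-09-04T12:40:00", ("pasta",)),
    TillEvent("s3", "voucher", 230, "sam", "till-2", "2007-09-03T12:35:00", ("hot meal",)),
    TillEvent("s3", "load", 100, "pat", "till-1", "2007-09-04T08:10:00"),
    TillEvent("s3", "sale", 60, "sam", "till-2", "2007-09-04T12:41:00", ("flapjack",)),
]


if __name__ == "__main__":
    records, balances = store(ACCOUNTS, EVENTS)
    for rec in records:
        print(rec)
    print("balances (pence):", balances, "reconciles:", reconcile(records, balances))
```

The anonymous account’s two sales become a single 400p record with no operator, till or time; the free-school-meal voucher survives as a voucher entry and an items entry with no time, and the balances still reconcile from what was kept.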
If anyone can think of anything else I need to do, please e-mail me. Also if you have any questions about biometrics or indeed anything to do with the system I write (or want contact details of our sales people to buy it!!) please feel free to e-mail me. My contact details are on the right.
I would rather not have my name posted on sites like http://www.leavethemkidsalone.com/ and my employer already is, so please respect my privacy as much as I do others.
This article is being posted publicly, though, so anyone can feel free to link to this. If you have any criticism, please feel free to comment (sign up with fake details if you wish) or e-mail me!