Fingerprint recognition in schools

PeteM ukcrypto at chiark.greenend.org.uk
Sun, 05 Oct 2008 20:58:08 +0100 

Ian Batten wrote  on 5-10-08 09:18:
> 
> Interestingly,  the new scheme comes with advantages for parents that 
> the older --- smartcard --- scheme doesn't have.  There's no reason it 
> is related to the change from cards to prints, but parents whose 
> children are already in the school are heartily sick of the fact that 
> payment has to be made by cheque, and the new system's tie in to online 
> payment is incredibly attractive.


I'm lost here, before we even get to the fingerprint technology. What is 
difficult about paying by cheque? It takes 30 seconds to write a cheque. 
  It can take several minutes just to log into an online bank account, 
and that's if you are prepared to have one anyway. I'm not.

Anyway, a parent who *is* addicted to online banking but objects to 
fingerprints should simply insist on using online anyway. How can the 
school reasonably object?


snip

> 
> The main risk I can see if that actual fingerprints can be reconstructed 
> from systems that are probably not wildly physically or logically 
> secure: the security of the fingerprint rests in the quality of the 
> hashing algorithm used to store the reference copy.  I can remember 
> seeing a paper which claimed that you can reconstruct the fingerprint 
> from the information stored in these sorts of systems, but I can't run 
> it down.
> 
> What's the thinking on (a) the slippery slope argument 

I agree it's a worry but I don't think there's much anyone can do about 
it. It's not as big a danger as things like the CRB system, the 
children's database, the ID card, RFID tagging of passports etc.

> and (b) the 
> problem of reconstruction of prints from hashes?

I am told by a friend who manufactures these things (FWMTT) that you 
can't reconstruct a fingerprint image from the hash. I accept that, but 
it doesn't reassure me. The police can still use these school databases 
when (not if) they get hold of them. Suppose they have a fingerprint 
from somewhere that they want to match, perhaps lifted from a crime 
scene, like a bus to Fairford. All they do is scan it onto the system 
scanner and create a hash. Then they compare this hash against all the 
hashes produced by pupils' fingerprints. If they find one, they infer 
that the actual fingerprints matched as well as the hashes. Don't laugh, 
they do it all the time with DNA. You can hear the prosecutor now, "... 
ten billion to one chance of a misidentification blah blah ... "

The FWMTT told me that can't be done because you can't scan a 
fingerprint, only an actual finger. But I think you probably can. In 
fact I think it's been done, using wax and araldite or something. Like 
"The Norwood Builder".

-- 
Pete Mitchell