Picture the following:
I walk into the school with my hair in a ponytail wearing a suit and go up to the library. I tell the librarian that I am there about the new database system, that I will be adding a couple of new features and I ask how it has gone so far. After listening to their comments and noting them in my organiser I explain that there has been some pushback from civil liberties people and that therefore it has been decided that we ought to have information about the system and how it is going to be used available in the library. I give the librarian a pamphlet which they can read and make available to parents on request. I also have two pamphlets with cable ties and bubble chains to secure to the fingerprint scanners. When I am told that there is only one thumbprint scanner I say that I know, and that I will be putting the new one in place while I am here. I then fit the new scanner, and attach the pamphlets one to each scanner. I then thank the librarian and leave.
The next week a friend of mine turns up and explains that the problems that they have been having are because the person who fitted the new scanner was not genuine, and shows the librarian the manual. The scanner is to be removed, and the librarian is asked not to publicise the breach in security, even though we have caught it just in time. The librarian is then given a number to call if the fake engineer returns, and asked to say the equipment has been put in store as it did not seem to be working right. My friend then leaves with the scanner.
The pamphlet put behind the counter describes the system the school put in place, as does the pamphlet on the genuine scanner. The pamphlet on the new scanner explains that it has been put in place to capture thumbprints for a database to be sold commercially. As it has been available at the scanner people have had an opportunity to read it, so while dodgy this is not really any more illegal than the school doing it. The dodgy scanner was put there with the permission of the librarian with no untruths being told. I now have a database of fingerprints that is worth a fair bit of money. Here are a few of the uses it could be put to:
Sell it to a p*edoph*le ring, thus allowing them access to secured laptops to aid with 'grooming'.
Sell it to credit card fraudsters in a few years when the children are out of school (if it is done in a secondary school this can be as little as a few months).
Make latex fingerprints, grease them and leave fingerprints at any crime scene.
There are many more possibilities, but the first two will more than pay for the work done, and as the pamphlet explains the use, it is more closely within the bounds of the Data Protection Act than the school's use.
An interesting sub-point on the scenario is that storing the information as described would potentially be illegal under the Data Protection Act but doing the whole thing without storing the information would not (no data, no requirement for data protection registration).
I am not sure, given the permission of the librarian, whether there is any crime at all in doing the whole thing as an exercise to expose the security hole.
I know of many schools where this scenario would work. If 3,500 educational establishments are currently using biometrics there is considerable cause for concern.
Rufus Evison MA (Cantab)
Chief Technical Officer at Clickstream Technologies plc
21 Jun 2006