The increasing use of biometrics in schools for the provision of front-end services including registration, cashless catering and library management has come under increasing scrutiny in recent months, with fresh input from decision makers, independent data security experts, and parents' pressure groups. David Clouter, a parent at a school that recently considered introducing a biometric scanner in the library, examines the implications this may have for schools that have deployed, or are considering introducing systems based on these technologies.

At first sight biometrics offers significant benefit for schools in reducing and streamlining day-to-day administrative tasks in a timely and cost-effective manner. Indeed, numerous schools now have several years' experience in the use of such systems and many end users report successful integration with existing administrative infrastructure. Recent vociferous opposition, [1] however, has moved the debate into the political arena with some leading data security consultants also voicing their concerns. In order that bursars may perform a comprehensive risk assessment prior to the introduction of any such system, a good starting point is to revisit manufacturers' claims that the systems cannot be hacked and that fingerprints are not stored. [2]

Andrew Clymer is an identity management security expert with more than 8 years' experience at Cisco Systems working with the likes of Fidelity and Merrill Lynch, providing them with a secure network environment. His view is that such claims are over-optimistic. "Typically sufficient measures are put in place so that the estimated time required to crack the security makes the data redundant. In this case however we are talking about a person's lifetime, and once broken there is no possibility to change the underlying data as this is based on an individual's biometrics." [3]

Information Security consultant Dom Devitto adds "I would never condone holding large amounts of biometric information on almost any school site. Fundamentally, such information may be used one day to legally validate the individual, e.g. on a passport. Consequently the value of this information, and the length of time it has this value, is high."

When asked about claims that systems installed in schools were unhackable, Mr Clymer states "Can I seriously make a bet today that the information will remain secure for a lifetime? I don't believe any IT security expert would be able to make such a guarantee - and especially in these cases on a shoestring budget." It would seem that today's military security is tomorrow's childsplay, particularly with the distinct possibility, as reported by the New Scientist, that immensely powerful Quantum computing will become a reality by the time today's children are in their thirties. The Nazis' wartime state-of-the-art Enigma code could be broken with ease on today's home PCs. [4] And even the 1976 state-of-the-art 64-bit Data Encryption Standard (DES), developed by the National Institute of Standards and Technology in the US, can now be cracked on today's supercomputers. [5]

Schools need to bear in mind that airports, passport offices and banks have multi-million pound budgets to regularly update the security of their systems against the ever-sophisticated techniques employed by hackers, and some experts fear that educational establishments with strictly limited resources might not be able to keep up.

Professor John Daugman OBE, who developed iris recognition technology at Cambridge University, states: "such technologies are imperfect, and it is all a bit of an arms race with James Bond gadgets and counter-gadgets. (Remember the arms race? For each anti-ballistic missile, there was an anti-anti-ballistic missile... etc etc.)" [6]

Andrew Clymer addresses manufacturers' recent statements that full fingerprints are not recorded on systems used in schools. "The fact that the fingerprinting system does not store the actual print as a picture is irrelevant. The fact that it is able to compare an input against this number and determine a match is the critical issue. It does not seem beyond the bounds of possibility that by understanding what the vital points are you should be able to manufacture a print that exhibits these points. The burden of proof has to be that this couldn't be done in a person's lifetime."

In another recent development German researchers claim they have now succeeded in extracting full fingerprint scans from cheap scanners such as the ones used in schools. [7] Rufus Evison, consultant to a number of computer industry bodies, raises further concerns about the physical security of the data "Claims that the child giving a fingerprint in an insecure area cannot result in identity theft is reminiscent of the claims that the banks used to make in the early days of cash machines. Now of course we know to look out for additions to the cash machines that strip our cards and so allow access to our bank accounts. Perhaps schools need to train teachers in the technology thoroughly enough that they can spot non-standard hardware concealed behind the library computers?" [8]

Dom Devitto adds "I am sure all schools will be encouraged to backup the data to avoid having to re-enroll all the students in case of failure. This has to therefore pose the question of where the backup media will be stored, and how easily it could be lost or stolen - or worse, simply sold - without anyone really noticing."

Andrew Clymer makes the further point that it is virtually impossible to completely erase data on a a computer's hard drive. "It needs to be physically destroyed, putting further pressure on schools regarding the disposal of such systems. A university forensic science course purchased a number of hard drives from ebay and then used a variety of tools to extract the data from used blank drives. In a sample of twenty such drives they found a s*x offender, two schools' pupils databases and a customer list from a mobile phone shop."

If pupils' biometric data, which obviously cannot ever be changed like a PIN, were to leak into the public domain as the result of any such security breach, your school might not only compromise the children's future ability to have a passport, ID card, or to access their bank account, but would also face the possibility of litigation and multiple claims for substantial damages.

Accordingly, schools should seek independent legal advice in this respect and if necessary arrange comprehensive insurance cover for such an event which would place both a considerable financial and time burden on resources. It seems likely that the school and not the LEA, DfES or manufacturers would bear the full brunt of any legal challenge in such an event.

A further area of concern for schools thinking of using biometrics must be the distinct possibility that any future government may impose restrictions on the use of this technology in schools. A recent news feature on Teachers' TV, which included interviews with Nick Gibb MP (Conservative Shadow Minister For Schools) and Sarah Teather MP (Liberal Democrat Shadow Secretary of State for Education), raised the distinct possibility that a future administration would go beyond a statutory requirement that schools should obtain parental consent, with a total ban on school biometrics. [9] Hence it is very important for schools to have a backup strategy for this worst case scenario, and they should ascertain from manufacturers that any systems installed can be used effectively without their biometric modules.

Secure integration of biometric systems in schools that may still use outdated networks and software is also an area that should be addressed. Under certain circumstances it may be advisable to look at upgrading a school's entire network before biometrics is added. Schools are recommended to seek the advice of an independent security expert in this respect.

A further point to bear in mind in considering the introduction of biometrics in your school is the potential effect of parental opposition to such a move. In a number of recent cases, schools have been forced accept delays of up to a year, or even abandon the deployment of biometrics altogether, in the face of strong opposition. [10] The obvious way to avoid this happening is to ensure that informed explicit parental consent is obtained prior to the introduction of any such systems, in line with current DfES guidelines.

There can be no doubt that biometrics will play an increasing role in our society in the years ahead. Schools that wish to be at the forefront of this technology need to ensure that they evaluate the risks as well as the benefits of rolling out the technology well in advance of other sectors, and they should ensure that a comprehensive risk assessment and cost-benefit analysis are carried out in good time prior to the commissioning of such systems.

© LeaveThemKidsAlone 2006

- ENDS -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Notes for editors:

[1] Parents' campaign against schools using biometrics without express
parental consent http://www.LeaveThemKidsAlone.com

[2] Finger on the pulse, Education Executive, October 2006
http://www.microlib.co.uk/news/press_releases/EducationExec.pdf

[3] Do Biometrics have a role for school registration? by Andrew Clymer
http://www.LeaveThemKidsAlone.com/docs/Do_Biometrics_have_a_place_in_school__3_.pdf

[4] Amateur PC Collective Cracks 2nd Enigma U-boat Message, never deciphered during WWII
http://www.techweb.com/wire/security/183700196 (March 16th 2006)

[5] DES is now vulnerable to a brute-force attack from a supercomputer or Beowulf cluster
http://www.techworld.com/security/features/index.cfm?FeatureID=993 (November 15th 2004)

[6] Countermeasures against subterfuge (these go far beyond anything found in cheap scanners such as those used in schools)
http://www.CL.cam.ac.uk/users/jgd1000/countermeasures.pdf

[7] German researchers claim to have reconstructed full fingerprints
http://www.heise.de/ct/english/02/11/114/ (final section)

[8] School fingerprinting data security concerns - Rufus Evison MA (Cantab)
http://www.LeaveThemKidsAlone.com/docs/scenario.htm

[9] Nick Gibb MP (Conservative Shadow Minister For Schools) and Sarah Teather MP (Liberal Democrat Shadow Secretary of State for Education) condemn school biometrics
http://www.teachers.tv/video/5093 (second item in news bulletin dated Oct 13th 2006)

[10] School fingerprinting halted in Dundee, 12 September 2006
http://www.eveningtelegraph.co.uk/output/2006/09/12/story8750465t0.shtm

"Education, Education, Education" Tony Blair     "Consent, Consent, Consent" Concerned parents

We are campaigning to have the widespread use of biometrics in schools debated in Parliament, and henceforth strictly regulated and closely monitored, with a statutory requirement for explicit parental consent wherever biometrics are used.

More about schools fingerprinting our children     Please help us!