Friday, April 18, 2014

Florida bans biometrics in schools, and the industry's "emerging fight" against it

It has been interesting to follow the progress of the Florida legislature to ban schools from taking and processing children's biometrics, the process of which started late last year.  It is the first time in the USA or worldwide that biometrics have been banned in schools.  Some have argued that the UK Protection of Freedoms Act 2012 should have gone this far but instead we have that schools can only process a child's biometric data with written parental consent.  However, how parents are fully informed to make that consent still leaves the process open to spin and ambiguity surrounding the technology and its capabilities.

In Florida three bills were filed dealing with Florida schools using biometrics, during September and October 2013. With one, SB188 relating to education data privacy, being passed on April 11 2014. It reads (see lines 49-66):

(1) An agency or institution as defined in s.1002.22(1) may not:
(a) Collect, obtain, or retain information on the political affiliation, voting history, religious affiliation, or biometric information of a student or a parent or sibling of the student 

The bill passed by 113 Yeas to 1 Nay

This news been met by the biometric industry in the United States with fears it may lead to other states approving similar bills.  There are already laws in other states concerning parental consent for schools to use biometric technology but SB188 goes one step further, by banning it.

Many experts, privacy organisations and others have aired concerns over children using their biometrics in school for a variety of reasons:
     - Security of data - What does a child do if their biometric data is compromised?  How and when would that become apparent?  Leaps and bounds in technology cannot possibly foresee how this could play out in the decades to come.
     - The personal information that is held against the biometric - Reading or eating habits, who views that?
     - The sharing of biometric data and personal data stored against it - Government agencies now routinely take biometric data and upload it to other databases.
     - The subtle psychological message using this technology gives to children, that to gain access to books/knowledge, food/money, normalises the use of biometrics for mundane yet essential activities.   

Janet Kephart of the Secure Identity and Biometrics Association (SIBA), set up in February 2014, states that one of four biggest challenges of 2014 is to help clear the air in "a newly emerging fight in state legislatures whereby there is a push to ban biometrics in public schools".  

Kephart claims that, "Biometric technologies do not store identities; they store templates".  Surely template/s based on a particular person are designed to identify said person, otherwise how would the system work?  Then the next statement contradicts her earlier statement by saying, "To further assure privacy, names are kept separate from the biometric templates, encrypted, and not directly linked with the biometric data".  Yes, so they are linked then but encrypted.  Indeed, one might liken this to doublespeak?

She then, unsurprisingly, states the usual line to be seen and heard in the spiel dished out to schools in the USA and UK by biometric vendors, "...the outline of fingerprints aren’t stored like an image – they’re turned into a set of series of numbers that can’t be reverse engineered."  Yes, a set of numbers that is digitally transferable between databases.

With regards to Florida banning biometrics in schools (an unfortunate state of affairs with SIBA only being set up two months earlier with a view to, "educate folks about the reality of biometrics, bridging the gap between Washington and the industry") Janet Kephart states:

Nobody in Florida decided to do due diligence on this... [presumably she has proof of this allegation]  No one clearly went out and asked how biometric technology actually works … nobody asked the question. It was just basic public servant due diligence that they didn’t do and there’s really no excuse for that.”

Just a minute... where was the "due diligence" of the biometric industry from 2001 onwards effectively testing biometric technology on children by fingerprinting 4 year olds to get a library book out, using infrared palm scanners trialled on primary school children in 2006 so they could eat, iris scanning children for lunch lines in 2007, facial scanning kids in 2010 to stop them from turning up to school late, voice biometric planned in 2007 for students, and (partly what prompted SB188) a Florida school district iris scanning 700+ children to travel on a bus?  All without parental consent or appropiate discussion, hence the legislation in the US States and the UK.

And SIBA want to talk about due diligence?   An apology would be more fitting.

Let's tell it how it really is.  In this article is an astonishing, yet bluntly open, account of why Saudi Arabia are introducing biometrics in schools, explaining below the exact reasons for biometrics and CCTV.  Surveillance.  It is a "form of supervision", to" install a sense of discipline", to "track children", to make them "respect regulations" and gain "better productivity".  At least there is some honesty here, more than we have had from the biometric industry and government on this issue in the US and UK for the past decade.

Kevin Townsend, original founder of ITsecurity.com, puts it most succinctly in his March 2014 article - Why we must keep biometrics out of schools - definitely worth a read.

Sunday, March 30, 2014

Swalecliffe Primary running out childrens biometrics for catering, registration, library and printing - caterer supplies the biometric system

After a few years of biometric vendors steering clear of selling biometrics to primary schools (it seemed that 'fingerprinting' younger children was less palatable that older children), Swalecliffe Community Primary School have decided to role out biometric technology so the children there can eat lunch and potentially print documents, log their registration and take library books out.

After sending Swalecliffe a Freedom of Information request, it turns out that surprisingly the system was not paid for by the school, instead the generous catering company GS Plus (the school caterers) are providing the system.  Which begs the question - who is the data controller?  Who exactly is processing the children's biometric data - the catering company or the school?  Seemingly also the biometric software the caterer is providing also will be used for registration... so is the catering company branching out into registration or is another company providing that?


The school did not effectively communicate to parents that the child had the right to refuse this, instead flanneling the issue up in an "e [electronic?] safety" discussion within school.  The template Department of Education letters (see page 14) do not advise this.  In their template letters this is communicated unambiguously to the parents in writing.


As always biometrics are used as a solution to a problem, and indeed the technology is effective at authenticating users, but the efficiencies come with the system not the authentication process.

The school justifying the introduction of biometrics by apparently "ensuing greater" safeguarding is an emotive, and I find a slightly distasteful, use of language (unless the school really did have child safety issues?).  Unfortunately "safeguarding" is a word that is overused to the point of almost dangerous dilution of the meaning of it, especially when it is used to effectively 'sell' a system to parents.  Other less invasive, proportional identification processes can be used to ensure equal safety of children - especially with young children, whose biometric data had to be ubersecure, and not compromised at their early age.


See my comments in red below.  Another Freedom of Information request will be sent to the school as this throws up more questions (as is often the case) to gain clarity of how who has access to the children's biometric data, i.e. who is the data controller, what companies are involved and who is ultimately actually paying for this?

I can't really imagine the caterer is paying for this altruistically... (?)  I'm sure the tax payer will be propping this up.  Commercial companies do not survive by 'gifting' computer hardware/software to schools.  The cost will be obviously worked into the price of the contract or meals.



24 Jan 2014


Dear Swalecliffe Community Primary School,

Under the Freedom of Information Act please could you supply the following information within 20 working days.

As per the article

http://www.canterburytimes.co.uk/School-swaps-ditches-dinner-money-woes-hi-tech/story-20343882-detail/story.html#ixzz2o2awFg5z


1) In the above article it is quoted that the biometric system
would “save the school essential funds”. Please advise:
i) how this would save the school essential funds

Swalecliffe Answer: As a school we are responsible for any debt accrued by parents not paying for the meals their children have. This is part of any school’s meals contract. 
In addition we require an admin assistant to manage the monies coming into school, sending the debt letters, checking the registers and then making phone calls to parents who still haven’t paid their debt. In total this amounts to approximately 15 hours per week of school admin time. This does include the time of the contractor’s cash collector which obviously impacts on the meal prices.



ii) the amount of funds estimated to be saved per year.


Swalecliffe Answer: Admin costs: £7,098 per annum
Debt costs: £1,200 per year on average each year since 2009 (although these costs have been increasing with a debt of £1,300 from September 2013 – December 2014)



33 weeks x 15 hours a week = 495 hours
£7098 divided by 495 = £14.33 per hour (incl physical expenses i.e. letters)
Will a member of staff loose 15 hours a week from their employment i.e. will someone be financially worse off?


iii) the cost benefit analysis done showing savings to the school.




Swalecliffe Answer: As above



2) Please advise the cost of the biometric system

Swalecliffe Answer: The details of this are not transparent to the school because the system is being provided by the school caterers with no costs incurred by the school 


Nice.  Just a thought but perhaps the school caterer could have subsidised the debt incurred by the missed payments rather that incur more debt by providing a biometric authentication system?    


So then who is the data controller then and who has access to the children's biometrics?



3) Please advise any ongoing licensing or maintenance costs

Swalecliffe Answer: There are no specific costs linked to the biometric system and cashless catering for schools. However as the software is now in school we have decided to upgraded our registration system, combining the two together to make morning registration more efficient and ensure even greater health and safety and safeguarding procedures within the school. This has cost the school £480 per annum but will also save us £48 per annum as we wont be using other software we currently purchase. 


How can biometric technology ensure *more* health and safety.  I'd have thought the hygiene of the scanners having hundreds of fingerprints on them (not to mention the added expense of wiping them clean) would have created a health risk.  Safeguarding... how many issues have the school had with 'safeguarding procedure' at registration time to justify a biometric registration system?



4) Please supply the documents sent to parents for meetings and
letters sent about the biometric system, including letters sent regarding parental consent.

Swalecliffe Answer: Please find attached [documents need to be provided externally]


Another post on this topic is warranted as the Head Teacher's comments regarding the alternative identification offered is unorthodox and not a response I've seen before.



5) Please show how the school communicated to the students that
they had a right to refuse to use the biometric system.

Swalecliffe Answer: The system was shared and talked about in an assembly and by the class teachers as part of our e safety and ICT day in school. The children were asked to talk about it at home and decide with their parents what was right for them. During the actual process of registering for biometrics the staff were very careful to ensure that if any child was worried or anxious that they stopped and spoke to the parents before taking the reading. This only occurred with one child who has a specific learning difficulty and Asperger’s Syndrome. The children were very excited about the process. 



6) Please advise what the “right information” was given by the
school to parents who had concerns about the system

Swalecliffe Answer: Please see the documents sent to parents. Following our information sessions and our drop ins we collated the most frequently asked questions and shared them with the whole parent body.

Again I will deal with this in another post, details given were inaccurate - details to follow.  Suffice to say I will point this out to the school ASAP so they have the opportunity to the rectify information given to parents. 


7) How many parents consented to their children’s biometrics to be
processed by the school?



Swalecliffe Answer: There are 649 children on roll.
578 children are able to use the system 
535 have permission for biometrics (82% of the children)


82% efficiency for a biometric system?  What if other procedures in schools were only 82% efficient? - that would not be acceptable.  I don't think that's a great endorsement of the system. 


8) How many parents refused for their children to use the biometric system?




Swalecliffe Answer: 13 families have refused to allow their children to use the system 
However 11 of these do not use the catering facility and their children do not have school meals. 
Only 3 of these families attended the consultations evening, the information evening or the drop in sessions. 



9) How many consent forms were not filled in by parents?




Swalecliffe Answer: 41 have not completed any forms but all of these are families who do not have school meals 



10) How many children refused to participate with the biometric system?

Swalecliffe Answer: We had one child who was distressed by the process but they have a specific learning need and anything unusual is challenging for them. We also had one family who communicated that they were discussing the options with their child and would like their child’s opinions to be seriously considered in their decisions.

Monday, February 17, 2014

Defiant 13 year old - "stand up for what they believe in, even if it means standing alone"

Melody, 13, protesting the
 United Kingdom's policy of
 obtaining biometric data
 from minors at school.
Photo: Kirstie
After reading about a 13 year old's plucky stance objecting to her school using a biometric fingerprint system last week, by wearing an Anonymous Mask, it gave me some hope that having a choice in this matter is filtering through to children.  Children that do not want to be part of a biometric system ultimately have the last say on this - if they do not want to participate their decision overrides consent given by their parents (though in this case the parent did not consent).

The school involved in this, should have made clear to the students that they have a choice in this.  The Department of Education's template letter for schools to send to parents states:

'Even if you have consented, your child can object or refuse at any time to their biometric information being taken/used. [His/her] objection does not need to be in writing. We would appreciate it if you could discuss this with your child and explain to them that they can object to this if they wish.'

Not knowing the name of the school Melody attends, the student who objected, I am not able to ask the school or check their website, to see if they made this fact known to students or their parents.  Maybe they didn't judging by Melody's comments to the Digital Journal

"Many didn't want their fingerprints taken, but on the day when the fingerprinting was to take place, there was only me and a friend. And she has now had her fingerprints taken."

The next statement made by Melody is quite concerning:

"The dinner lady got my finger and tried to move it onto the scanner even while I was wearing my mask, I had already explained I'm not doing it and didn't have my mum's consent [to be fingerprinted]. I just pulled my hand away and refused again."

Really?  Isn't that assault, an adult trying to move a child's finger onto a scanner when they have already expressed their legal right to refuse?  This is highly irregular and indicates the staff have no idea of the child's rights in law as contained in the Protection of Freedoms Act 2012, Chapter 2, 26 (5) which reads:
But if, at any time, the child— 
(a) refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or 
(b) otherwise objects to the processing of that information,  
the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child under subsection 
Good for Melody that she held out from this intimidation.  She knows her rights and that of her parents and is exercising them.  If only more children had this conviction maybe biometric technology would not be viable in schools.  As it seems that schools are not telling students they have this right, then in a compliant environment which school is, students are going to feel compelled to conform and give up their biometric identifier if they do not know they have the right to say 'no'.  As Melody's Mum stated in the Digital Journal's article"You can either be part of the solution or remain part of the problem".   Parents can be "part of the solution" and not consent to this and so can the students - if they are given that choice by the knowledge they too can refuse.

Let's hope the message Melody sends out by her opting out inspires other children to do the same.

When Melody was asked what do you think will happen next and a message to give, she replied:

"In all honesty, I don't know. But I hope my actions have encouraged my generation to stand up for what they believe in, even if it means standing alone... We shouldn't be scared of giving our opinion or not following the rules."

Words of wisdom and strength of heart coming from a 13 year old.  We should take stock of what this teenager is saying here.  There is incidious surveillance creeping into schools which is slowly desensitising the next generation into a Big Brother state, so it is heartening to see that Melody has refused to use by wearing an Anonymous mask conveying her opinion on "taking children's privacy away." 

Tuesday, February 11, 2014

13 year old exercises her legal right not to be fingerprinted

I will write more on this later but really heartening to see this plucky teenager exercising her legal right to refuse to use this surveillance technology.  Inspirational!

Well done Melody! :-)

13-year-old defies ‘big brother’ and refuses to be fingerprinted
http://www.digitaljournal.com/news/world/13-year-old-defies-big-brother-and-refuses-to-be-fingerprinted/article/370009

"They can even confiscate my mask, but they can't confiscate the idea. I'm allowed to make my own decisions and have my own opinions."