Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Would You Submit Biometric Data to Join a Gym?

Cliff posted more than 9 years ago | from the your-body-is-no-longer-your-own dept.

Privacy 190

An anonymous reader asks: "I went to my gym (Rocky River, OH branch) yesterday and there was a huge line of people at the counter. When I went to the scanner to swipe my membership card, I noticed they were training people in the use of their new security system that requires the input of your thumb print. There currently a story on boingboing that mentions a tanning salon in Arkansas that is enacting a similar policy. I'm going to call the gym later today and see what type of security they have on their network. I guess we can look forward to a future where these sorts of personal services clubs require the submission of biometric data. I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?"

Sorry! There are no comments related to the filter you selected.

No. Thank. You. (2, Funny)

nb caffeine (448698) | more than 9 years ago | (#12383045)

I wouldnt be a member of that gym for much longer (or, any gym, really). I wonder if i can copywright my fingerprints, and then charge royalties for anyone who requires a print? that would be sweeet.

Re:No. Thank. You. (2, Insightful)

tha_mink (518151) | more than 9 years ago | (#12383090)

" I wouldnt be a member of that gym for much longer (or, any gym, really). "

But then, someone could steal your fingerprint without the trouble of hacking some system simply by getting you to hold on to something, for example, a frosty beer or maybe even your gym card.

Then you have to ask (2, Insightful)

Safety Cap (253500) | more than 9 years ago | (#12383136)

If it is that easy to steal, what is the value in collecting it in the first place?

If there is no value, they don't need to collect it, do they?

Re:Then you have to ask (1)

TuringTest (533084) | more than 9 years ago | (#12384731)

How is parent insightful?

Fingerprints don't have value on their own, but they do when used as security keys to your property!

Re:No. Thank. You. (4, Interesting)

Total_Wimp (564548) | more than 9 years ago | (#12383718)

I wouldnt be a member of that gym for much longer

I went to check out a nice large brand-new gym near my house. They handed me a form to fill out including a questionnaire and a space for my name phone number and address. I answered a few of their questions and just put my first name on the form.

They mentioned that they'd like me to fill in my phone number and address and I said, "no thank you, I'd like to check out the equipment first before signing up." They told me they couldn't show me the gym without that information. Still thinking we just had a misunderstanding I pointed out that I wasn't there to use the gym, I just wanted to see what they had to offer before signing up. They then proceeded to point out to me that they were prepared to give me a tour, but would not do so without my phone number and address.

I said, "goodbye" and walked out the door. Even my bank doesn't require biometrics and didn't ask for an address before they told me about their features. These fitness center folks are too big for their own britches. Pushups and situps are free and running shoes don't cost that much compared to a gym membership. I'd like to use the gym, but I don't have to and I certainly wont consider it untless they figure out how to be less intrusive.

TW

Re:No. Thank. You. (1)

Nos. (179609) | more than 9 years ago | (#12384699)

Well done.

In Canada, you could actually bring them before the privacy commissioner for that little encounter. Our wonderful privacy act says that no business can refuse to provide service if the customer refuses to provide information that is not vital to the transaction.

So since the gym really shouldn't need any informaiton about you (including your home phone number and address) and refused you a membership/tour, they've violated the privacy act. The best thing is, if the commissioner finds your complaint "well founded", you may have the option of taking it to court for financial compensation, or the commissione may do it on your behalf. Of course in your case, I don't think there really would be any financial compensation.

Re:No. Thank. You. (1)

porcupine8 (816071) | more than 9 years ago | (#12384710)

I had a similar experience. When I lived in Boston, I stopped by a gym near my apartment to find out their rates. They refused to even tell me how much their monthly rates were unless I took a full tour and filled out forms. I told them flat-out, that's just creepy, I'm leaving.

How secure is their security? (3, Insightful)

AndroidCat (229562) | more than 9 years ago | (#12383050)

Once they've got your biometric data, how secure are they going to keep it? Unlike a password, it's not possible to change your biometric data if someone steals the gym's files and uses it to spoof other systems.

Re:How secure is their security? (0, Troll)

alienw (585907) | more than 9 years ago | (#12383869)

How the hell can you "spoof other systems", short of making a duplicate thumb? What keeps those perps from just getting your thumbprint off a glass door you touched? Besides, what makes you think you can duplicate the thumb from the biometric system's data file? If whoever made that system had a shred of intelligence, they would use a one-way hash for thumbprints and match based on that.

Think before you post next time.

Re:How secure is their security? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12383926)

How the hell can you "spoof other systems", short of making a duplicate thumb?

It's already been done. There was even a Slashdot article on it. The guy took an computer image and make a mold and use gelatin. Then he put the gelatin on his thumb and fooled almost every finger print device he could find. He could also eat the gelatin off if someone got suspicious.

Think before you post next time.

Every time I see this stupid line on Slashdot it's from some idiot who is totally wrong and feel you can think up facts instead of bothering to Google for them.

I don't even want to get started about how clueless your one-way hash is. Or how much easier it is to download thousands of finger prints from a computer than it is to follow thousand of people around looking for a good print.

Next time, don't post.

Re:How secure is their security? (1)

alienw (585907) | more than 9 years ago | (#12384144)

Your post just proved that you don't know what you are talking about. I have read the article you are referring to. The only conclusion one can draw from it is that many biometric systems have security problems. It is almost completely irrelevant to my point, except that part about glass doors (which is the method they used).

The article did not demonstrate that data could be extracted from an existing system and the thumb reconstructed from that data. The above article tested mostly low-security and consumer-grade systems, and admitted that the method did not work with the better systems out there.

Re:How secure is their security? (1)

Atzanteol (99067) | more than 9 years ago | (#12385254)

How the hell can you "spoof other systems", short of making a duplicate thumb?

How in the hell can you be so sure nobody can?

"Ignorance more frequently begets confidence than does knowledge"

Why so worried? (0, Troll)

gazbo (517111) | more than 9 years ago | (#12383055)

If someone got hold of your print, what could they do with it? Nothing.

The only reason you'd not want your thumbprint on file is in case the police got hold of it and put it on record - and then you'd only really need to be worried if you planned to commit a crime; for non-criminals there's really nothing to worry about.

This country was founded by criminal lovers (3, Insightful)

Safety Cap (253500) | more than 9 years ago | (#12383259)

you'd only really need to be worried if you planned to commit a crime; for non-criminals there's really nothing to worry about.

Damn those long-haired freak Founders and their crazy ideas. If only someone would've told them that innocent men have nothing to hide, they could've avoided making many [cornell.edu] unnecessary [cornell.edu] additions [cornell.edu] to the US Constitution.

Re:Why so worried? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12383747)

You, sir, are a fuckhead.

Its sheeple like you that make life hard for the rest of the free-willed, free-thinkers like us.

This is merely the beginning of the end. And no, I'm not some tinfoil hat wearing conspiracy theorist.

Once shit like this creeps into our everyday lives, it'll be easier for sheeple to accept whatevers thrown at them.

Think about that the next time you're sitting at a red light. Look up at that camera sitting on the pole and smile nice and big while it takes your picture.

It's...um...bad (4, Insightful)

tha_mink (518151) | more than 9 years ago | (#12383058)

I am fearful regarding theft of my fingerprint or any other biometric information since I KNOW that eventually, someone will steal it from anyone who collects it from me. But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash. Same with DNA for that matter.

Re:It's...um...bad (3, Insightful)

sartin (238198) | more than 9 years ago | (#12383463)

But then, someone could easily get my fingerprint by following me around for a little while and picking up my trash.

Yes, but following you around is labor intensive and targets you specifically. For less effort (at most small business networks I've seen), a hacker could recovers hundreds or thousands of fingerprints (or other biometric data). This change in scale changes the nature of the problem and removes control from you. Without the biometric data stored in the business computer, the paranoid can wear gloves or dab their fingertips with various substances to disrupt attempts to get fingerprints. That control is gone when the data gets stored on computers owned by various businesses.

Re:It's...um...bad (3, Interesting)

Total_Wimp (564548) | more than 9 years ago | (#12386007)

That control is gone when the data gets stored on computers owned by various businesses.

Well, not really. It's more like a hash. Unless the people that designed the security sytem didn't have a clue, they wouldn't store reversable fingerprint information at all.

I remember having this discussion with my old boss when he wanted to go biometric a few years ago. He even got ahold of a some fingerprint readers for testing. We found that the industry, and this manufacturer, were very clear on the matter. No one wanted to actually store your fingerprints.

So, feeling confident, he installs the software, plays with it for a little bit and invites me over to try to "hack" his account with my thumb. I put my thumb on the plate and sure enough the device tells me I'm unauthorized... while displaying a giant picture of my thumb accross most of the display.

My conclusion: I believe the companies really aren't storing reversible fingerprint information. I also believe they're doing a lousy job of making people feel confident about this fact.

I think there are enough other downsides that this technology should be condered DOA for most purposes, but this particular issue is probably just a PR problem.

TW

Re:It's...um...bad (0, Redundant)

EnronHaliburton2004 (815366) | more than 9 years ago | (#12383464)

But there is usually little motivation to steal one person's information. They could also go down the street on trash day and pick up used tissues from every house and compile the data that way. But that is not very efficient.

Now, if they stole the info from the Gym, they'd have biometric data for 1000 people, and probably end up with a ton of Credit Cards as well.

Hey stupid mod, how could this be redundant? (0)

Anonymous Coward | more than 9 years ago | (#12384339)

Hey stupid mod, how could this be redundant? He said it first.

You know what redundant means don't you?

Re:It's...um...bad (0, Redundant)

Councilor Hart (673770) | more than 9 years ago | (#12383472)

Yep, but it cost them more effort to yet your fingerprints/DNA.
if it is in some database, it just takes one exploit before a truckload of them are stolen.
To the average thief, it's more advantageous to exploit insecure software than to go around a few thousands people houses and collect their prints/DNA.
And if someone has it in for you, you're done for regardless of what you do.

Re:It's...um...bad (1)

fm6 (162816) | more than 9 years ago | (#12384367)

There's a simple solution to that problem: store the fingerprints using one-way encryption, the method long used to store Unix passwords. That way you can compare a submitted password (or fingerprint) by re-encrypting it, and comparing the encrypted versions. But you can't reverse the process to obtain the original data.

I think simply having a person's fingerprint or DNA will never be as valuable a form of identity theft as stealing more traditional ID data -- social security number, mother's maiden name, etc. Why not? Because fingerprints and DNA are extremely easy to rip off, as any viewer of Law and Order knows.

In any case, the data being used is less important than security surrounding it. Even if my thumbprint or DNA were as hard to steal as my traditional ID data, it wouldn't be any more valuable. Problem is, too many organizations that collect this data are damned careless with it. Perhaps we need a Sarbannes-Oxley act for personal data collection!

But ultimately, I think we're going to have to move away from all these authentication systems that are based solely on you having some particular bit of data nobody else is supposed to know. It's just not working.

Re:It's...um...bad (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12384453)

The problem with that is that while a password is a discrete data set, the technology we have right now prevents any two thumbprint scans from being exactly the same. Scans need to be compared, you can't just hash them.

theft of my fingerprint? (1)

TuringTest (533084) | more than 9 years ago | (#12384532)

I am fearful regarding theft of my fingerprint

Fingerpring? I'm fearful regarding theft of my finger!

Re:theft of my fingerprint? (2, Funny)

PaxTech (103481) | more than 9 years ago | (#12385818)

I'm fearful regarding theft of my finger!

Well, if it goes missing, you can just check all of your local Wendy's franchises. It seems all missing fingers end up in a bowl of chili eventually.

Mmm.. chili. It's finger lickin' good!

thumbs are useful (3, Insightful)

chewy (38468) | more than 9 years ago | (#12383059)

Though I feel you are correct for being sceptical about the security of biometrics, I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

Better than having swipe-cards that fail after a single wash. (Thumbs are wash-proof!)

But using thumbs as positive I.D. for your bank account is a bad idea.

See?

Re:thumbs are useful (1)

RealityMogul (663835) | more than 9 years ago | (#12383265)

" (Thumbs are wash-proof!)"

What if you wash them too long and they get all wrinkley?

Re:thumbs are useful (0)

Anonymous Coward | more than 9 years ago | (#12383328)

What if you get a scar on your finger? or burn the fingerprints off?

Re:thumbs are useful (2, Interesting)

KronicD (568558) | more than 9 years ago | (#12383690)

Yeah... I have dermatitis, basically when my skin is exposed to soap (the skin on my hands is more susceptible to this) it starts to "peel" off and the skin does not recover for 4-6 weeks. I avoid soap as much as possible, the non soap alternatives are quite expensive however.

When I am exposed to soap it causes a lot of problems with fingerprint scanners for me. So yeah, cards are a better option for people with my condition.

Why not go for something like card + hand geometry identification if they're so concerned with people "sharing" gym memberships.

Re:thumbs are useful (2, Insightful)

EnronHaliburton2004 (815366) | more than 9 years ago | (#12383734)

I think that the convenience of using a thumbprint machine for entry into a gym is worth the sacrifice.

Sacrificing your deeply personal information for the convenience of a simple consumer product is plain dumb. Aren't you concerned with security? This is plain sleezy, and it wouldn't suprise me to see "24-hour Nautilus" (Sleezebags) use this scheme in a couple years.

The gym isn't doing this for your convenience. They do it to prevent people from sharing memberships, which is fine, but not when they resort to invasive tactics.

Better than having swipe-cards that fail after a single wash.

What if the thumb print machine breaks? I bet the gym bought some cheap thumb print machine out of the Tiger Direct catalog...

My gym just requires me to flash an ID card. If someone else borrows the card for a day, they don't care too much, and don't require some fascist technique to verify my identity.

Re:thumbs are useful (1)

infonography (566403) | more than 9 years ago | (#12384044)

At what point will gym fees be so high that crooks will cut off your thumb so they can work out. I think that somebody at the gym has been wacking off to CSI one time too many. Sure it give you proof that so and so forgot to put down the seat in the toilet but beyond that it's a friggin gym. Unless they prove you will get a Charles Atlas body in one week it's not worth it.

Re:thumbs are useful (2, Insightful)

Bradee-oh! (459922) | more than 9 years ago | (#12384343)

There are other ways to prove identity without sacrificing such fundamentally private information. e.g. At my gym you walk in, they scan your card's barcode, and your PICTURE shows up on the screen and, believe me, they look at you and confirm.

If any argument is made that "well, a hacker could break in and change the picture on record," then you need to realize that it would be exactly as difficult for a hacker to break in and change the thumbprint on record.

The difference is my thumbprint is my own business whereas I already show my face by walking through my front door into public.

Vote with your feet (1)

wrenhunt (704610) | more than 9 years ago | (#12383060)

If their customers take their business elsewhere, they'll soon drop the biometrics in favour of something a little more privacy-friendly. Who wants all those sweaty thumbprints all over the readers anyway? Gheesh!!!

Not feet (2, Funny)

AndroidCat (229562) | more than 9 years ago | (#12383124)

If they want your thumb, give them a finger.

Re:Not feet (1, Funny)

Anonymous Coward | more than 9 years ago | (#12383773)

Which on--- OH.

Copyright (C) Yourself. Right now. (2, Insightful)

torpor (458) | more than 9 years ago | (#12383078)

The only solution is for you to copyright all your details, about yourself.

Someone should fire up a dot-com which allows people to copyright all biometric info about themselves. Yes, it would be a registry. No, it wouldn't be "Big Brother" - the purpose would be to allow any individual worried about protecting their information, to have legal grounds to stand on in pursuing action against any other party using that information inappropriately.

A 'clearing house', or 'group repository of biometrics' database, backed by serious corporate power, with the #1 purpose being the consistent and determined protection of individual members biometric info.

Someone, please do this. Give me a way of registering all of my private details, in a fully legal way, and assign me the copyright to all of that information. So that, from that point on, any other company that wants it, has to go through my corporate 800lb biometric ownership clearning house gorilla...

It might sound odd, but sometimes in life the way you fight something is to become it. We consumericans need to form our own corporations/organizations if we truly want to protect ourselves from other corporations/organizations hell bent on abusing biometric system information.

Something like the person who copyrighted their DNA, only bigger, better, with full disclosure, with teeth, and .. the hard part .. with the money and wherewithal to truly go to bat to protect us in times of violation. Call it a "DNA Cult" if you must, but I think its going to be truly necessary, sooner or later.

Re:Copyright (C) Yourself. Right now. (3, Insightful)

GigsVT (208848) | more than 9 years ago | (#12383280)

You can't copyright facts. There's no creative process involved with recording the length of various things on your body.

Re:Copyright (C) Yourself. Right now. (0, Flamebait)

torpor (458) | more than 9 years ago | (#12383357)

i could combine all of these details, format it in a certain way, trademark that format, use it in some fashion, copyright the use of that fashion, and ...

Re:Copyright (C) Yourself. Right now. (0)

Anonymous Coward | more than 9 years ago | (#12383814)

Maybe my parents could patent me as an invention... though the pool boy might have a claim.

Re:Copyright (C) Yourself. Right now. (1)

Bios_Hakr (68586) | more than 9 years ago | (#12385809)

No, but you could Trademark(TM) it all. TM your fingerprints. If anyone tries to use them, then sue them.

Ahh well.

In reality, this is like trying to stop the tide from coming in. You'd have better luck stopping the sun on it's ecliptic than trying to stop biometrics from becoming the defacto identification.

It will happen!

Eventually, your credit card, bank account, paycheck, network password, car key, and every thing else you can think of will be tied to your voice, fingerprints, or GATTACA-style DNA scans.

Re:Copyright (C) Yourself. Right now. (1)

Jerf (17166) | more than 9 years ago | (#12386414)

I've thought about this [jerf.org] ; it's a nifty idea but no current protection works.

You can't copyright facts about yourself, which is what biometrics is based on, and for that matter most of what your privacy-sensitive information [jerf.org] is.

You can't copyright the collection, because other people will independently collect it, and they can (and do!) claim their own copyright on the new collection.

Trademarks don't work, because they are mostly concerned with preventing other people from fraudulently passing themselves off as your business concern. Even if you could trademark your fingerprint, which is highly unlikely for a variety of reasons, it wouldn't stop people from storing and using it for almost anything they want.

Patents are obviously not a good fit.

Trade secret law is actually the closest IP protection of interest (the forgotten IP protection class here on slashdot), but your privacy-sensitive information suffers from being neither directly related to trade in the sense the name of the law implies (i.e., yes I know your ID at a business is related to trade but that's not what the law means, summaries always drop data), nor is it a secret anymore.

The bad news is, you need new law. The good news is, no aspect of the requisite law is new; you can get there with pieces of the trade secret law, added to copyright, and topped off with some of the protections in trademark. But there is no feasible way to do that under current law, not even with a highly experimental suit.

It's good thinking, though.

(This is a shortened version of the analysis at that first link. If you have some objection, you might want to try that link before replying; it may make your objection go away, it may make it worse, but it's worth checking :-) )

Size of the company does not matter, (1)

Kosi (589267) | more than 9 years ago | (#12383093)

I never submit any personal data to any company if it is not really required for the business I have with this company. I don't see why I should change this policy for biometrical data.

Re:Size of the company does not matter, (1)

Roadkills-R-Us (122219) | more than 9 years ago | (#12384381)

I agree. My first thought on reading the intro was not about security, but "What's the reson for this?" I can't think of any legitimate reason for such a request.

How long until stores want you to give a urine sample before using the bathroom?

Re:Size of the company does not matter, (1)

Kosi (589267) | more than 9 years ago | (#12384552)

How long until stores want you to give a urine sample before using the bathroom?

LOL, I'd rather piss at their manager's leg like a dog! :-)

obUrinetest: It's bad enough that it is legal for an employer to demand a urine sample and other stuff belonging to one's privacy. I'd never work in such an asshole company!

My University did this. (3, Interesting)

dayid (802168) | more than 9 years ago | (#12383099)

I work for (and attend) a State University. Our gym (in 2002) enacted similar policies and equipment. It was *optional* however, and was enacted for people who didn't want to have to carry around a membership-card or student/employee-ID just to be able to get into the gym (since most gym shorts don't have a pockets, and many people on campus just walk to/from the gym rather than driving or bringing a full bag and using a locker). It was an option for about one year, until they realized that the extreme costs of using the hardware and managing it (and its slight errors) far outweighed pleasing a minority of people who attended. It's good to see the technology developing, but I still prefer losing my identity to a bunch of little numbers on a card.

Re:My University did this. (1)

ic0wb0y (728958) | more than 9 years ago | (#12383219)

That sounds reasonable, but what to with the car keys?

Re:My University did this. (1)

dayid (802168) | more than 9 years ago | (#12383256)

There are cars without touch pads to enter the door now?

...that, and you're going to a gym - ride your bike there!

Re:My University did this. (1)

gid (5195) | more than 9 years ago | (#12383694)

what about your dorm/house keys? your cellphone? your wallet?

I never understood why gym shorts don't have at least SOME pockets. Even if it was a mesh bag sewn around the waistline or something like some swimsuits have.

Re:My University did this. (1)

dayid (802168) | more than 9 years ago | (#12383794)

Join a cross-country team... or work out a lot - and you'll quickly realize why that is.

I either leave my house keys locked in my bike-bag that is locked to my bike (which is locked to a pole or the like), or leave them in the car. Cellphone - I'm working out, not taking calls. Wallet - what for? What am I buying at the gym?

Then again, all of this has absolutely nothing to do with the subject article.

Re:My University did this. (1)

gid (5195) | more than 9 years ago | (#12384423)

Heh, this is getting way off topic, but oh well.

I actually do work out on a regular basis... in my cousin's home gym. Which means I usually just wear my clothes to her house. It's fine now since I wear a coat and I can put all my junk in my coat, but come summer time, I have to find something else to do with my car keys, mobile phone and wallet. I suppose I should just leave the phone and wallet in the car, but as I don't always leave right away aftewards, having the mobile phone is nice.

I'm not saying I'd work out with all this junk in my pockets... no way. Maybe I just need a man purse, but everything I've seen looks rather wussy. A gym bag for just keys, wallet and phone is rather overkill. :)

Re:My University did this. (1)

Backspin (245728) | more than 9 years ago | (#12383721)

ride your bike there!

Okay, so you've replaced your car keys with a bike lock key.

Re:My University did this. (1)

Bradee-oh! (459922) | more than 9 years ago | (#12384460)

Okay, so you've replaced your car keys with a bike lock key.

Errr... combination lock...?

Not if I can help it. (1)

Councilor Hart (673770) | more than 9 years ago | (#12383138)

Although I don't have anything in particular against ID cards, I do have something against storing fingerprints.
If needed, it's easier to shed an ID, and get lost in the big mass of people in any world city and take on a new ID. When your fingerprints are out there, it's there for ever. I rather not cut of my fingers.
Perhaps your traveling can be tracked with ID (at borders and such), but at least you know it when you hand over your card. Prints can be found up to a few days after you have left, without you knowing it at all. Same for DNA.

ID cards? Yeah, sure, it has it uses.
Biometric data? Up yours!

And iris scans? Well, it depends on the range of the scans. If it's possible like in Minority Report, then once again: Up yours! If it close range, than perhaps yes.

It's okay if they are Micrsoft Certified (1)

ic0wb0y (728958) | more than 9 years ago | (#12383166)

Seems like it would be cheaper to hire a bouncer and teach him how to identify possible terrorists who want work out or get their nails done, because it will cost many times more to hire a security consultant and buy all new hardware then the firewalls then Norton, then another consultant to remove Norton so the employees can surf the net while checking out all the hot girls bio-measurements, finally after a few years when the novelty wears off, the equipment gets old and uninteresting, costs continue to soar, gates are left open, doors become unlocked, that's when the data will be in the most danger.

I think before I submit my bio-data, I want to be sure the business has the new USHS Privacy Certification or License, and the system should be certified yearly.

Just a thumbprint? Lucky... (0, Troll)

fred ugly (125371) | more than 9 years ago | (#12383174)

In 1997, my YMCA switched their system over to require you to submit a 3D hand scan for entry. You would place your right hand on this little device and punch in a number, then this other thing would go around your hand.

In a word: (2, Interesting)

LouCifer (771618) | more than 9 years ago | (#12383186)

No. And if the gym the wife and I belong to switches to biometrics, I'll demand a full refund of mine and my wife's membership.

Fuck 'em. We already own a treadmill and the wife's been wanting to buy an elliptical [nordictrack.com] anyway.

Slowly things like this get introduced and the stupid sheeple submit en masse. The more people that stand up and argue with the un- and under-educated about such invasiveness, the better.

Sure, these things may not be so bad yet but this may just be the tip of the iceberg. Give 'em and inch and they'll take a mile.

Once these become the norm, it'll be easier for the government and so-called private "security agencies" to strip us of our right to privacy.

GOT ANY NAKED PICTURES OF YOUR WIFE??? (0)

Anonymous Coward | more than 9 years ago | (#12385593)

Wanna buy some?

<Rimshot>

Not a big deal... (2, Informative)

bafio (879076) | more than 9 years ago | (#12383203)

As far as I know, biometric devices store only a signature of your fingerprint (like a digest of key points), so the stolen data would be of little use. Moreover they care about security because they normally control access to places.
I would worry more about the other data they could hold on their machines, which could contain more sensitive personal information and could be stored in less secure machines.
There's still a lot of sensitive data (medical records etc.) stored in Access databases and similar by people not really expert on computer security, often in old not updated windows PCs... that scares a lot me more!

Re:Not a big deal... (1)

yasth (203461) | more than 9 years ago | (#12383308)

So basically all you would have to do is crack the hash and find a finger print that would match then print on a bit of transparency sheet. Yeah no one is going to do that just to work out, but, if biometrics spreads to say an ATM machine, or a globabl payment place? (Of course that is assuming there is a standard finger print format, if there isn't then the gym just lockemselves in forever and ever

Re:Not a big deal... (1)

bafio (879076) | more than 9 years ago | (#12383475)

I am not really that expert, but probably, once you know the signature, you could derive a fingerprint that gives that signature, but cracking a hash is not supposed to be easy! I mean quite many security systems relay on hashing algorithms.
What you point out is anyway interesting, if the system is not well designed, somebody gets in, is able to recover the data of the fingerprint and that data is sufficient to create a new fingerprint, than yes, it could be a really big problem!
I suppose ATM builders would use many different techniques to see that the fingerprint actually come from a living finger.

And wouldn't be easier to get the fingerprint from the glass you left at the bar or your house door or somewhere else?
Probably this simple physical approach would be a lot more effective (no knowledge of security systems required!)

Re:Not a big deal... (1)

yasth (203461) | more than 9 years ago | (#12383903)

What discusion of fingerprints would be complete without http://cryptome.org/gummy.htm [cryptome.org] . So live detection systems probably wouldn't work so well.

Hashes are supposed to be hard to break, but I'm not certain these are hashed (though it would be how I would do it). And hashes might be hard to break, but well they do eventually break. And with a relatively limited source data set they might break pretty fast. (I mean according to this http://www.biocentricsolutions.com/faq.html [biocentricsolutions.com] they take 15 data points through a bit of math, (at least this company) I mean that could be precomputable given enough time and effort. Or at the very least reducible (I mean they must have a margin of error allowance so what if you have to try five different ones).)

And honestly, I am thinking that if fingerprints become too popular, well gloves will be back in fashion ;).

I think the big deal here is that you basically are trusting this company which you have no idea of what they are doing, I mean maybe they are leaving debug on, and taking pictures of every persons fingerprint. But there is no way you can control what they do with your authentication token. I mean basically biometrics is like using the same password everywhere, except you can't change it if a site gets cracked. Unless and until live detection systems work, it really sucks.

I'd like to tell you ... (3, Funny)

cybermage (112274) | more than 9 years ago | (#12383225)

but you'll have to press your thumb in the box below to read my response.

I..........I
I..........I
I..........I
I..... .....I
I..........I

Your unquestioning compliance in this matter would be greatly appreciated.*

Thank You,

The Management

* By supplying your thumb print, you agree to abide by our Terms of Service. You may request a copy of the Terms of Service directly from our Corporate Headquarters.

but... but... (1, Funny)

Anonymous Coward | more than 9 years ago | (#12384623)

I'm handless, you insensitive clod!

Re:I'd like to tell you ... (1)

00Sovereign (106393) | more than 9 years ago | (#12386372)

Oh great, now I've got a big greasy thumbprint on my screen.

wtf (1)

XO (250276) | more than 9 years ago | (#12383228)

I can see using security like that on something important. Your bank account, private things ,etc.
But on a goddamn GYM?!

Hell, I have access to a USB dongle that will store passwords for websites, variable per user, and it identifies the user by the user's fingerprint.

ON A GYM?!

Who the hell is going to have significant problems if someone steals their identity to go to the damn gym?

If the gym has to be secure, fark the membership cards, and just have a database of people allowed in, and have someone at the front desk check their fuckin identification.

Re:wtf (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12383740)

biometrics are LESS SECURE. Repeat this, over and over again. They are trivial to steal (especially fingerprints or DNA - you leave them everywhere) and impossible to change! Lose an ID - get a new one (at my university that deactivates the old one). A password is compromised - change it. Try that with a fingerprint!

so repeat after me - biometrics are LESS SECURE.

Re:wtf (1)

XO (250276) | more than 9 years ago | (#12384914)

obtaining your finger prints may be trivial, but actually implementing them with another finger? how trivial is that ?

All security aside, I think the USB dongle that stores your passwords and fills them in automatically when you apply your finger is a cool idea.

Re:wtf (1)

br0ck (237309) | more than 9 years ago | (#12385326)

how trivial is that

Extremely trivial [theregister.co.uk] if you have a Gummi Bear.

Plus, now if they steal your car which requires a finger to start do you think they're just going to give up? Not in the recent carjacking in Malaysia where they cut off the owner's finger [bbc.co.uk] .

Re:wtf (1)

pnice (753704) | more than 9 years ago | (#12384784)

My guess is that the gym has a problem with people using the swipe card of another user to access the gym without paying. They are losing money by people sharing accounts to access the equipment without each person paying for an account. The fingerprint method is much more effective for the average joe gym user. Their friends can't just bum their thumbprint to access them gym and now they will need a membership of their own.

I think my money (1)

Mycroft_514 (701676) | more than 9 years ago | (#12383295)

would be better spent BUYING an exercise machien - oh wait, I already did....

Not big brother (4, Insightful)

brian6string (469449) | more than 9 years ago | (#12383384)

Alright, everyone take a deep breath here. The idea of a fingerprint to sign in at the gym is there as a customer convenience You don't have to carry a membership card into the place, and then find somewhere to stash it while you're exercising. This is actually a good thing.

And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...

Re:Not big brother (1)

porcupine8 (816071) | more than 9 years ago | (#12385153)

And, as someone pointed out already, there is no security concern to be worried about. Even if someone copied their thumbprint database, I mean, what could you do with that? Nada...

Until thirty years from now, long after you've forgotten that some random gym two states away has your thumbprint on file. When your job or bank or something starts using thumbprints, and is actually super-secure about it, so you go ahead and use it there too... But surprise! It doesn't matter how securely the new place keeps them, because someone has already stolen it from the Nowheresville Bally.

Why would you need this kind of security in a gym? (0)

Anonymous Coward | more than 9 years ago | (#12383458)

This seems like madness. Unless your gym happens to be in the middle of a warzone, I can't see the need to have security at all. Who is this security to protect against?

no no no, it's not a thumbprint (0)

Anonymous Coward | more than 9 years ago | (#12383544)

it's supposed to be a tatoo or something. And it's on your right hand, or on your forehead.

sheesh, why do I always explain these things to people.

The right way to do it (2, Insightful)

greenhide (597777) | more than 9 years ago | (#12383561)

In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

But here's how to implement a thumbprint-as-login system and keep people, including the paranoid freaks here at slashdot, happy.

1) Make it optional. Don't want to submit your thumbprint? Fine. Just make sure you always show up with your card.

2) Make it hashed, using a public key unique to that system. That way, the information stored is effectively useless. If a hacker gets in, all that they will be able to do is see a bunch of GUIDs. Whoop de doo.

I'm almost 100% that this is, in fact, just what is being stored. I mean, imagine actually storing a thumbprint. That's got to take up more space, and is really slow and inefficient for data lookup.

Someone more knowledgeable in biometrics, please rip me a new one if necessary.

Re:The right way to do it (1)

richg74 (650636) | more than 9 years ago | (#12383745)

In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around. Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

It's not clear to me that this is being done to keep people from needing their gym ID, although that is one possible reason. But it does at least address the first question that ought to be asked: what is the problem we are trying to solve here?

Not having to carry the ID is one possibility. Another might be to prevent people from buying one membership to be used by, for example, five roommates. I suppose it's also possible that they want to protect against some sort of identity theft, but I have to say that I think the demand for phony gym IDs for Rocky River OH might be, um, limited.

If the goal is to allow people to come to the gym without their card, I'd think it would likely be easier and cheaper to just store their photos in the membership data base (which they presumably have, since the fingerprint info has to go somewhere). If the goal is to prevent multiple people using one membership, have the desk people look at the picture on the card. It really should not be beyond the wit of man to accomplish this. (At my gym, they take the card when you enter, and return it when you leave.)

I wouldn't worry so much about security technology as about the strong likelihood that the people that run the place ran out of clues sometime during the Reagan administration.

Re:The right way to do it (2, Informative)

NoSuchGuy (308510) | more than 9 years ago | (#12384835)

1) Make it optional. Don't want to submit your thumbprint? Fine.
But if you switch you get a 3% discount and a free drink every month! But you loose a bit of privacy.

That's the way big stores (Walmart&Co) get you to switch to their rabate system. You safe $50 a year. They earn $100 because the sell your data to "data blackhole" companies like ChoicePoint.

How much worth is your privacy?

Don't wait until there is any kind of self regulation in the "data grabbing business".

In Germany the data belongs YOU! You have the right to demand for information regarding your personal data. If the company does not ansnwer in time (14 days) you can inform the data protection officer and he will investigate for you.

Re:The right way to do it (1)

aquarian (134728) | more than 9 years ago | (#12385229)

In the gym in question, it's clear that this isn't being done to heighten security; it's just to keep people from having to drag a gym id around.

Or, to share their gym card with their friends.

Also, it's much faster to slam your thumb on a pad than to hold out a card for someone to scan.

And cheaper than paying someone to check the cards.

Ask them to assume liability (1)

bill_mcgonigle (4333) | more than 9 years ago | (#12383581)

Bring a simple contract to the manager and ask them to assume all liability for any financial losses you may incur as a result of their mishandling of your biometric information. If they sign it you should feel better. At least it might get them thinking.

If that doesn't work, it's summer - you've got 'till fall to find another gym. If you need work to do, I've got trees to clear. :)

And? (1)

samael (12612) | more than 9 years ago | (#12383674)

They sold _you_ a membership - they want to know that _you_ are making use of it. What's the problem with you identifying yourself?

Personally, not having to carry around numerosu bits of plastic that don't actually identify me is going to be a relief.

Re:And? (1)

gstoddart (321705) | more than 9 years ago | (#12385226)

They sold _you_ a membership - they want to know that _you_ are making use of it. What's the problem with you identifying yourself?

It's a matter of what is acceptable to the consumer, as well as the first step of a slippery slope.

What if they said "you must get this RFID chip implanted so we can identify you?" No thanks. "Have this bar-code tatood onto your neck?" Not likely.

This is getting very invasive. And, with everyone in the world having fingerprint information, you can bet that the ever-expanding police powers will allow them to consolidate all of the thumb-print databases and know who everyone is.

And when they have your fingerprint info and can start correlating it to your credit card and spending information, then you're looking at a tremendous opening up of information.

It's far easier to be skepitcal and negative about this stuff before it becomes wide-spread rather than after. Because after it's too damned late to do anything about it.

Cheers

Re:And? (0)

Anonymous Coward | more than 9 years ago | (#12385457)

why do they care if you are using it?

they would rather have you NOT using it, but paying that monthly. (which gym memberships has a common habit of)

if they want to know my name they can ask for it.

At the risk of being offensive... you clowns! (0)

Anonymous Coward | more than 9 years ago | (#12383724)

The minute you think your "privacy" is being violated you're all up in fucking arms, then you run around asking questions like how hundreds of terrorists can walk freely on your streets setting up cells just waiting for the next set of instructions from whatever extremist group's next on the horizon.

Pfft. Privacy my ass. If I wanted you'd fingerprints it would take me approximately 30 seconds to get them unless you're SO fucking paranoid you go everywhere in gloves. DNA, just as easy. And if you really were that interesting or valuable, they'd just take your fingers. Or your life. Or your identity.

You'd be surprised how fast your 93 character password would come out after 30 seconds with a rubber hose.

And to answer the question you've all been bleating about, why would they do this, it's so blatantly simple and obvious it's not funny. Because it's EASY. You walk in and touch the pad, and you're in. No cards to lose, no "lending" your card to a friend. It's a straightforward (and perfectly reasonable) accounting decision.

Watch out for the ones bleating the loudest. They're either so disillusioned that their insignificant little lives are of interest to anybody, or they've got something to hide.

Re:At the risk of being offensive... you clowns! (2, Insightful)

avi33 (116048) | more than 9 years ago | (#12383943)

If I wanted you'd fingerprints it would take me approximately 30 seconds to get them unless you're SO fucking paranoid you go everywhere in gloves...You'd be surprised how fast your 93 character password would come out after 30 seconds with a rubber hose.

...or you could just offer the gym's counter-jockey $200 for a backup of everyone's name, thumbrint, ssn, mother's maiden name, and password. The point is, they don't need any of it, for 'ease of entry' or any other reason.

Maybe the thumbprint is superfluous for identity theft at the moment, but it could be valuable in a couple years if bank x starts using a thumbprint as part of their security procedures.

I notice that you valued your privacy enough to submit this comment as an AC.

Re:At the risk of being offensive... you clowns! (0)

Anonymous Coward | more than 9 years ago | (#12384439)

"I notice that you valued your privacy enough to submit this comment as an AC."

Actually I didn't have the balls to lose all my karma in one fell swoop, and although it really wasn't meant to be a flamebait, just a vent, I thought it might touch a few nerves.

Signed (by thumbprint)

AC ;-/

Answer (1)

4of12 (97621) | more than 9 years ago | (#12383732)


I was wondering how the members here at Slashdot feel about the security risks involved in submitting biometric data to small private companies?

I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.

I'm sure they'd hem and haw and try to get out of signing such a form and say they just couldn't do it.

Then I'd say that I'd take my business elsewhere.

But by then they would know exactly why they were losing my business. And that awareness is what is so desperately needed among consumers and businesses that take these issues far too glibly.

Not good enough... (1)

Coder Dad (836952) | more than 9 years ago | (#12384630)

I'd feel fine about it as long as the small private company signed a contract guaranteeing that the information they have about me would only be used for very specific purposes, never disclosed to third parties and that they would post a bond for compensation should any such disclosure, deliberate or inadvertent, ever occur.

There are three G's that explain why a contract is not good enough for me:

  • Gates
  • the Government
  • the disGruntled

1. Bill Gates (or some other IT warlord) will eventually attempt to access your biometric info in an effort to "assist" you and organize your "identification profile".

2. I'm sure that governments are chomping at the bit to access these types of data stores in the name of "security". A contract won't protect against a search warrant!

3. The disgruntled employee who downloads everyone's biometric data to his USB dongle on his last day of work and posts them to a web site (and yes, that information can be used by bad guys).

Do it! (1)

mrami (664567) | more than 9 years ago | (#12383864)

Go ahead everybody and submit your fingerprints to as many minimally secure, relatively worthless systems as possible. Maybe we can devalue the damn things to the point that nobody would seriously think of using them to protect anything.

Two problems with this approach - (1)

BluedemonX (198949) | more than 9 years ago | (#12384139)

1) The thumbprint is the hardest one to match. Though 1:1 is very good, still....

2) This is a gym. How many jock boys have opposable thumbs?

And of course, we've got #3, in the tradition of Douggy Adams..

3) Scratches, scrapes, dead skin, flakes, etc. will make the image different enough to screw up the match. Add in sweat, gym chalk, bandages etc...

No Big Deal? (1)

rueger (210566) | more than 9 years ago | (#12384418)

Yikes! Am I alone in being surprised how few people find this demand unreasonable?

Seriously folks, this for a gym membership, not admittance into NASA or the CIA.

If a non-essential or frivolous business like this demanded that kind of personal information I'd be out of the door in an instant, not because I worry about security, but because it's a wholly unreasonable demand to make of your customers.

Perhaps more importantly, every time that you allow a business to record unnecessary information about you you are hastening the day when every transaction, especially those involving government, will demand the same.

Then again maybe the bulk of the population would see an embedded RFID chip as a reasonable request to go to the gym, or Costco, or to walk into a Post Office or board an airplane.

Lest you think that all I will do is complain, I'll offer a solution that will allow them to monitor gym usage and which will probably also increase business.

Hire intelligent and motivated employees, pay them well, train them well, and encourage them to know your customers on a first name basis. Have them get to know the likes and dislikes of your customers, and greet each one by name witha cheery "Hello!"

They will do a better job of keeping strangers out, and will make your customers feel special and appreciated.

No machine can do that as well as a living breathing person.

Re:No Big Deal? (1)

stinerman (812158) | more than 9 years ago | (#12384644)

Hire intelligent and motivated employees, pay them well, train them well, and encourage them to know your customers on a first name basis. Have them get to know the likes and dislikes of your customers, and greet each one by name witha cheery "Hello!"

Not bad.

Unfortunately, most employees don't know about the customers, don't care what they like, aren't cheery, and aren't well trained or motivated because they aren't paid well.

It has something to do with a chicken and an egg.

At Walt Disney World (1)

NBrooke271 (260498) | more than 9 years ago | (#12384673)

They've had biometric turnstiles at Walt Disney World for at least three years now, first for Cast Members, then Annual Pass Holders, and now anyone with a multi-day ticket has their index-middle finger biometrics taken on their first day in the park. If the metrics don't match up on a subsequent day, the greeters will check the signatures on the tickets against a photo id.

I already do (0)

Anonymous Coward | more than 9 years ago | (#12384720)

Whenever I use the gym towels, I discretely wack off into them when I'm done.

Sure. If... (1)

Telastyn (206146) | more than 9 years ago | (#12384749)

The lockers can be keyed to the biometrics. That should help defeat thievery, and serve customers to allow them to not carry around a badge or key while working out or playing sports.

Especially if it's as innoxious as a [almost publically available] thumbprint.

That said, it would be nice to hold biometric data under the same sharing rules as other medical info.

Solving Crimes (1)

Jebediah21 (145272) | more than 9 years ago | (#12384823)

This will only be used to solve crimes, like who left semen on the bench press.

Re:Solving Crimes (1)

smatthew (41563) | more than 9 years ago | (#12386118)

What kind of gym do you go to where people ejaculate on the gym equipment?

We're talking about gyms, not gay sex clubs.

ask for their data retention and privacy policies (3, Interesting)

weld (4477) | more than 9 years ago | (#12385132)


If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.

Will they transfer this data if the company is sold or goes out of business? Remember eToys had a privacy policy that went out the window during bankrupcy. Will they destroy the data when you cancel your membership. What security mechanisms and audit procedures do they have in place?

When you bring it up it may be the first time they have thought of it so be prepared to wait.

-weld

Wow. How collossally stupid, (1)

gstoddart (321705) | more than 9 years ago | (#12385152)

The fact that for a cash transaction for tanning right now, they still require the fingerprint sounds like the most stupidly conceived plan ever.

This is totally appaling, and not that different from businesses asking for things like your social insurance number for no good reason.

There is no business that I would ever provide this information to. Heck, I wouldn't give this to anyone but the police, and then even only if I was compelled. A gym or a tanning company? Not fsck'ing likely.

I've already decided if I need to get fingerprinted to enter the US they'll see exactly one finger followed by seeing my ass heading back the other direction.

another example (1)

sootman (158191) | more than 9 years ago | (#12385198)

To get into Sea World in Orlando with my annual pass I (usually) have to put my hand into some gizmo that measures my it--how far apart my fingertips are, etc. My last pass had my picture on it but my current one doesn't.

The profit motive (1)

mchawi (468120) | more than 9 years ago | (#12385522)

Everyone that steals your data (in other words - the people we worry about) does it for some sort of profit motive. I have found the perfect defense against this, and it has protected me well from any sort of charges in my name due to identify theft.

My plan? Have a credit rating bad enough that even if they get all of your data, they can't do anything with it.

For only $19.95* a month, I can show YOU how to safely protect yourself as well!

* Only cash accepted!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?