Bypassing The Password, Part 3: Freedom Compromised - InformationWeek
Commentary, 4/22/2015 10:34 AM
Joe Stanganelli

Bypassing The Password, Part 3: Freedom Compromised

Want to protect your privacy from government snoops? Say no to biometrics. Say yes to strong password protection and encryption.

In this three-part series, I've tried to address the serious data privacy and security tradeoffs that biometrics require when used to replace passwords wholesale -- not least of these being the federal government's interest in "moving beyond passwords" to make searches and surveillance easier. (See parts 1 and 2.) To make this possible, the Obama Administration has been working with the private sector to introduce a federal Internet ID and increase biometric adoption through the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Cozy biometric partnerships between big business and big government are naturally suspect because of the latter's penchant for surreptitiously collecting massive swaths of data on US citizens and its voracious desire for as much biometric data as possible on as many people as possible. For starters, of course, there are Edward Snowden's revelations of the NSA's massive domestic spying campaigns on US citizens and companies, including the NSA's collection of biometric data from picture files stored on the Web and sent via email, MMS, videoconference, and other channels at a rate of millions of images daily.

(Image: jarmoluk via Pixabay)

Other examples include the following:

  • Advanced law enforcement biometric technology, available to the FBI and police departments, collects biometric data from security cameras, government records, and a variety of other unspecified sources to continuously enable rapid personal identification by face, scars, tattoos, birthmarks, and fingerprints.
  • The TSA's controversial full-body scanners can store and rapidly transmit images of the people they scan -- a capability the TSA specifically requested in its own procurement specification documentation for said scanners.
  • According to recently leaked US Customs and Border Protection (CBP) documents, CBP is deploying extensive biometric measures to identify and track all international travelers by obtaining and storing their biometric and travel data via facial recognition, iris scanning, and fingerprint reading.
  • Schools, too, are getting into the biometric storage and tracking act. The school board in Encinitas, Calif., recently voted to develop and deploy facial recognition technology on students' mandatory, school-assigned iPads. In 2013, outrage erupted in Polk County, Fla., when schools there began scanning bus-riding students' irises and storing the data without parental notification or permission. (Since then, the State of Florida has entirely banned school collection and use of student biometric data.)

In regard to these considerations, Apple is way ahead of Microsoft on good customer information security. Although Apple's biometrics are far from unbreakable (you may recall this, this, and this from parts 1 and 2 of this series), the company's latest mobile encryption and data protection, when implemented properly, is very strong -- not to mention backdoor-proof.

[Read: Bypassing The Password, Part 1: Windows 10 Scaremongering and Bypassing The Password, Part 2: Trusted Identities.]

This feature has been a bad shrimp in the federal government's net ever since Apple introduced it. So desperate are federal agencies to backdoor Apple's encryption (and, indeed, all encryption not their own) that they have gone on record equating it to pedophilia and child murder.

The NSTIC website's FAQ demonstrates just how little the federal government cares for individual liberties where Big Brother is concerned. As an answer to the question "How will implementation of NSTIC enhance privacy and support civil liberties?" the FAQ goes on for paragraphs about keeping the private sector in line privacy-wise, but has only this to say on the topic of civil liberties -- an afterthought at the very end:

"[T]he Identity ecosystem allows you to continue to use the Internet anonymously, which supports civil liberties like free speech and freedom of association."

Read that again. It is a bland statement about the Internet, in general, "support[ing] civil liberties" -- without saying anything about NSTIC, federal Internet IDs, or the government.

Yes, the Internet supports liberty and freedom ... when government is not tracking an individual citizen's every move. If the government really supported anonymous Internet use and data privacy, its agencies probably wouldn't have it out for Tor users -- people federal law enforcement agencies have likened to terrorists.

Even the NSTIC page, however, recommends multifactor sign-on, making the case that a single multi-use password with an accompanying credential is more secure than different passwords on different sites. The position is debatable, but there is no question that multifactor authentication offers superior information security -- and that passwords remain an integral authentication component.

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...

Comments
nomii, User Rank: Ninja
4/29/2015 | 2:40:27 AM
Biometric is the Solution?
After compromising a password there is still an option of changing it, but if a biometric is compromised, I won't be able to change it. How would I feel if my biometrics were available for free download on a hacker site, or if a torrent containing 2 million people's biometrics were available online?
HAnatomi, User Rank: Apprentice
4/27/2015 | 4:36:43 AM
Passwords must stay but need to be enhanced.
Being able to create strong passwords is one thing. Being able to recall them is another. And being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Whoopty, User Rank: Ninja
4/23/2015 | 7:13:52 AM
Interesting point
That's a very good point. With a password at least you can change it up on a regular basis - not so with biometrics. I really don't like the idea of being tracked like that.

That said, I wonder if we're fighting a losing battle for privacy in this age of technology? Is it something we can legitimately achieve with cameras on every phone and the skies about to fill with drones? I'm not so sure.
BPID Security, User Rank: Apprentice
4/22/2015 | 12:49:33 PM
Compromising freedom is evolutionary.
Thank you Joe. Very well written, well considered and on point.

The issue of passwords is seasoned by money.

As you point out, when passwords are eliminated as a system of identification and biometrics are used, a 'big brother' mentality takes over. A national identity system has been the goal since, well, my lifetime, and likely going back to the very first tribal war so the survivors could identify the dead.

Biometrics, like all contemporary systems, are based on a matching token. This is symmetrical, not even mirroring. My retinal scan matches a stored retinal scan, my password matches, my pin matches, my pattern matches. Answering questions as in a 2FA is similar to matching tokens though closer to mirroring symmetry.

The weak link in all this is twofold: 1) the user's system for securing the token; and 2) the gatekeeper's ability to secure its token. Both are weak. Some biometrics can't change, such as DNA and perhaps facial, while other biometrics may, such as retina. Unfortunately, when biometrics are compromised you are permanently compromised for life. But again it is the money and ignorance that causes me to see biometrics as the "Digital Security Edsel."

If you really want to eliminate the password, you can. We developed an asymmetrical algorithm which changes on each login, preventing a copy or clone. You can learn more at bpidsecurity.com. But yes Joe, national identity is the government's choice. You are right, our choice should be authentication not identification.

Paul Swengler, CEO, BPID Security
Stratustician, User Rank: Ninja
4/22/2015 | 11:04:26 AM
The ongoing struggle in balancing privacy and security
I agree wholeheartedly that multi-factor authentication is an absolute must when it comes to ensuring security for users, but this article hits the nail on the head. It has to be backed by good intentions. While I like the idea of starting to look at ways to reduce password usage in favor of better security controls, having it backed by government entities is worrisome when it comes to what they have access to as a result. We have to figure out ways to balance security while ensuring that it doesn't factor into larger programs aimed at surveillance and inappropriate collection of user data.