this post was submitted on 22 Mar 2024
68 points (98.6% liked)

Europe

8484 readers
1 users here now

News/Interesting Stories/Beautiful Pictures from Europe 🇪🇺

(Current banner: Thunder mountain, Germany, 🇩🇪 ) Feel free to post submissions for banner pictures

Rules

(This list is obviously incomplete, but it will get expanded when necessary)

  1. Be nice to each other (e.g. No direct insults against each other);
  2. No racism, antisemitism, dehumanisation of minorities or glorification of National Socialism allowed;
  3. No posts linking to mis-information funded by foreign states or billionaires.

Also check out !yurop@lemm.ee

founded 1 year ago
MODERATORS
poVoq@slrpnk.net
68
EU top court upholds ruling on fingerprints for ID cards (www.dw.com)
submitted 5 months ago by throws_lemy@lemmy.nz to c/europe@feddit.de
30 comments fedilink hide all child comments
all 31 comments
sorted by: hot top controversial new old
[–] tal@lemmy.today 23 points 5 months ago* (last edited 5 months ago) (3 children)

privacy

Ultimately, there are too many databases with people's fingerprints out there, and my expectation is that they're gonna leak at some point.

So that means two things:

  • First, don't use biometrics to check identity unless you're in a position where a person forging them can actually be checked for forged biometrics and get in trouble if caught. Like, customs at an airport, where you could see if someone has fake caps on their fingers or something. Biometrics cannot normally be invalidated. If it leaks and you're using the fingerprints to authenticate yourself to, say, your laptop or your bank or something, you can never invalidate those credentials, and people will always be able to get into your bank account. Specifically in the case of fingerprints, it's often not even that hard to get ahold of a specific individual's biometrics -- you leave a record of them on any smooth surface that you touch.

  • Second, if you're in a position where you don't want to leave behind a signature, you might want to wear something that masks biometrics. If you have widely-leaked biometrics databases floating around that anyone can get access to, and you, say, put your hand on something, you've just left a signature that anyone can map to identity. Maybe bring back gloves, say. I don't think that we're at a point where there are systems that can do iris scans at a distance without someone knowing. Facial recognition is definitely doable at a distance, and that happens today. People at political protests who are worried about being identified, some military people, stuff like that, will mask their face. Maybe it makes sense to roll back anti-mask laws if facial databases are gonna be floating around. I dunno about gait recognition, whether that's sufficiently-unique to distinguish among a large number of people at a distance.

[–] lemmyvore@feddit.nl 18 points 5 months ago* (last edited 5 months ago) (1 children)

A "database of fingerprints" would only contain checksums. They can be used to verify the result of a reading but not to get the whole print.

Most of the time they don't even contain that. The primary checksum is stored only on the ID, which outputs a secondary one, which is matched against a verification checksum produced independently by a reader.

The national database doesn't need any of those, it holds the person ID numbers and their civil status and stuff like that not how they are verified.

[–] MilderRichter@feddit.de 1 points 5 months ago (1 children)

A “database of fingerprints” would only contain checksums

that's the case for fingerprint readers in phones/laptops

But does that also apply to prints collected for government ID cards?

[–] lemmyvore@feddit.nl 1 points 5 months ago* (last edited 5 months ago)

But does that also apply to prints collected for government ID cards?

Most probably, for several reasons:

  1. If the government or a goverment organization wants to fake the fact you've presented your fingerprints somewhere they can just fake the results of the checkup itself. And if they're up to this level of fuckery it's probably a short distance to where they just imprison or kill you, so having your prints faked is the least of your problems.
  2. If the goverment is well-meaning they don't want to store fingerprints because they're not needed and they'd just be storing highly sensitive personal information that, if ever breached, could be used for all kinds of shenanigans. The best way to protect data is to not have it in the first place.
  3. The goal of these systems is to log and attest the checks, not the fingerprints. They document the fact that at a certain time and location the checksums for a set of biometrics did or did not match some reference checksums. They don't care what those biometrics mean, or what the result of the check being passed or failed means, or what the actual biometrics are (we're talking about fingerprints here but there's lots of biometrics that can be used).
  4. Storing actual biometrics would take a lot more space and add complexity. The checksums are much smaller and simpler.
[–] take6056@feddit.nl 16 points 5 months ago (3 children)

Good to mention that (in the Netherlands) when you've provided fingerprints for a new identification card, the fingerprints are wiped from any system after you've received the card, remaining only on the card itself.

[–] Vincent@feddit.nl 3 points 5 months ago (1 children)

I didn't know that, but that's nice.

Now how do I dispose of the card once it's expired? 🤔

[–] MudMan@fedia.io 1 points 5 months ago (1 children)

Over here you hand it over when you pick up the new one and it gets physically marked (a corner gets cut, typically) to prevent it being used as a duplicate.

Or you can shred it.

[–] tb_@lemmy.world 1 points 5 months ago (1 children)

a corner gets cut, typically

That doesn't get rid of the markings on it, which could still be used.

[–] MudMan@fedia.io 1 points 5 months ago

It doesn't. But it's a personal ID card, You can also lie about having lost it and get a replacement.

All security is mitigation. There aren't a ton of uses for a second expired ID of yourself in any case. It's not like an old timey passport where you'd see someone in the movies physically changing the photo and expiration date. This thing is printed right on the plastic with hard to reproduce security measures similar to paper money.

[–] ReversalHatchery@beehaw.org 2 points 5 months ago

Probably this is an EU-wide law, because my east-leaning country says this too

[–] letmesleep@feddit.de 1 points 5 months ago* (last edited 5 months ago)

Same in Germany. But I wouldn't be surpised at all if wiretapping agencies like the NSA manages to get most of the data anyway. Then again, the same can be said for phones which are supposed to only keep the data on the device.

[–] MudMan@fedia.io 10 points 5 months ago (1 children)

Last time I used my mandatory ID for a public transaction I actually had to use a webcam and held the card up to it and then my face so a human could check them.

Turns out, in a country where these have been in use for decades some people have put some thought into it. Go figure.

Of course now we have real time deepfakes and that is again obsolete, so we'll see where we go from here. I hope I don't have to bring my meatsuit to an actual office for routine tax transactions again, because that sucked and this is better.

[–] DarkThoughts@fedia.io -2 points 5 months ago (1 children)

Last time I used my mandatory ID for a public transaction I actually had to use a webcam and held the card up to it and then my face so a human could check them.

Are you seriously unironically saying this is an example of "putting some thought into it"? That's literally this ludicrous idea that politicians had to verify the age of users visiting porn sites. It's nothing but invasive.

[–] MudMan@fedia.io 4 points 5 months ago (1 children)

Yeah, I'm saying that unironically. Depending on the transaction you're trying to make it can require a digital certificate you acquired previously in person, but it can also be human-verified in real time by checking your ID and matching it over videoconferencing.

The person checking my ID would have had to check my ID if I went to the office in person, too. Because, you kmow, they were gating my accessing my own private data. So remote human verification isn't "invasive", it's literally the same thing we would have done in person without the hassle of going to the office, which helps people who can't move around easily and during the pandemic it also kept everybody else safe.

It's fascinating how consistently the anglosphere assumes identifying yourself is an attack rather than a service. My ID has just as many protection features as my money, and that's how I want it, because my ID gates people being able to act in my name and access my records in a number of ways. Reliable, universal ID is a feature, not a bug.

[–] DarkThoughts@fedia.io -1 points 5 months ago (2 children)

Because my biometric data is none of 99% of peoples business and should not be saved by anyone at all, neither state nor private company. And it is also none of people's business if I want to visit adult sites or services. There's literally non invasive methods to verify someone's identity & age too, but you think that somehow it is completely fine to expose yourself in front of a camera to someone. Might as well open up a profile on Chaturbate and expose some more. The only fascinating thing here is how little people give a shit about privacy nowadays. Honestly, just move to China with that kind of thinking. There you can see what those biometric databases are used for.

[–] MudMan@fedia.io 4 points 5 months ago* (last edited 5 months ago)

Eh... I think now you're having an argument with somebody in your head.

I don't care how you wank, friend. Wank away.

I showed my face over a webcam next to my official ID to access tax data or medical records. I sure expect identity to be verified for those things, on site or remotely. If your government is not checking your identity to access your private data, how the hell is that working? If you don't think the health care system should keep your medical records or the tax system should keep your tax records, how do you think those services can work?

Is this one of those things where you got angry about a thing once and now there is no room for nuance or compromise on it online? Because I get that people think privacy is important, but maybe it's time to just say out loud once that "privacy" doesn't mean "nothing I ever do leaves a trace anywhere, ever", which is an absurd statement.

[–] KiraKo@feddit.de 3 points 5 months ago

Could you explain what non invasive methods exist? Really would like to hear them.

[–] CaptObvious@literature.cafe 10 points 5 months ago (2 children)

Europe mostly gets it right. Then this.

Again, 1984 was a warning, not a handbook!

[–] MudMan@fedia.io 16 points 5 months ago (2 children)

We've had fingerprints in our ID cards for decades.

It's fine. Quite useful, really. Less of a totalitarian state now than when they were introduced, actually.

I know in the anglo world the whole national ID card thing is seen as intrusive, but it's kinda fine. I just know my number, which is great for some transactions, and I can get right by airport security without interacting with any humans just by tapping my biometric ID on a reader. Plus it can be upgraded to a full on digital signature certificate, although the implementation is terrible and I hate it.

[–] lemmyvore@feddit.nl 11 points 5 months ago (1 children)

Yeah, totalitarianism is kept in check by society being vigilent, not by hiding your fingers. This stuff can be put to good use (like making identity theft impossible, which is a huge quality of life improvement).

[–] MudMan@fedia.io 1 points 5 months ago

"Impossible" is a big ask, social engineering still works, and for light checks all you need is your publicly available number.

But "a lot harder" is nice.

[–] BastingChemina@slrpnk.net 10 points 5 months ago (1 children)

Almost all the passports around the world include biometric as well.

[–] Squizzy@lemmy.world -1 points 5 months ago (1 children)

How so?

[–] lemmyvore@feddit.nl 7 points 5 months ago (1 children)

If you see this symbol on your passport, it's biometric.

[–] BastingChemina@slrpnk.net 1 points 5 months ago (1 children)

These passports are storing your fingerprint, iris scan and facial ID features. Very few countries don't use these kind of passport.

[–] lemmyvore@feddit.nl 3 points 5 months ago* (last edited 5 months ago) (1 children)

They do not store the features themselves. When the passport is made, a reader takes those features, makes checksums of them, and stores the checksums on the passport along with a signature to make sure they haven't been tampered with.

When you present the passport, another reader takes in your features and makes checksums of them. Then a computer compares the checksums with the ones on the passport, checks the signatures, and says yeah, this person is the one the passport was issued to.

None of this requires your features or your identity to be stored anywhere, it's done on the spot whenever needed.

There's other information on the passport (a unique identifier) that can be used to obtain other data about you if needed, but to tie the passport to you none of that is needed.

[–] noobnarski@feddit.de 8 points 5 months ago

Well, right now my government (Germany) doesnt have any of my fingerprints.

But the US has all 10 fingers because i visited once.

[–] autotldr@lemmings.world 7 points 5 months ago

This is the best summary I could come up with:

The European Court of Justice (ECJ)  said the 2019 regulation was in line with fundamental rights to respect for private life and the protection of personal data.

A German court in the western city of Wiesbaden asked ECJ to review the validity of an EU regulation  calling for two fingerprints to be stored on an individual's identity card after a German challenged the city's decision to deny him a new identity card if he did not provide his fingerprints.

The ECJ  justified its decision saying fingerprints on IDs were important in the prevention of identity theft and the interoperability of verification systems.

The court ruled that the benefits of such a system made it compatible with the right to respect for private life and the protection of personal data.

The court additionally said that a facial image can be inefficient, as a face can change due to illness, aging, lifestyle, and surgery.

Some civil rights activists were disappointed with the court's decision, arguing that other options could be explored to combat identity theft.

The original article contains 227 words, the summary contains 162 words. Saved 29%. I'm a bot and I'm open source!