The BBC has a reasonably detailed report on the start of the Project Lantern trials of mobile fingerprint scanner units by roadside Police patrols.
The claim is that, currently, these are only used to save trips back to the Police station for fingerprint identification purposes, and that the fingerprints are not stored to be used as evidence.
This may well be true, and it is to be welcomed in terms of providing more Police resources on the street, instead of back at the Police station or in transit.
However, we want to be reassured about what happens to the digital fingerprint minutiae i.e. the encoded pattern of characteristic ridges, whorls etc. which are derived from the digitised fingerprint image.
These are what the database searches actually use, not the raw images of fingerprints. How can we be sure that these fingerprint minutiae, many of which will inevitably be taken from innocent motorists with no criminal record, who are not arrested or charged with any crime, are actually destroyed?
Who independently audits the destruction of these fingerprint images and of their derived digital fingerprint minutiae ?
(obviously our use of the word "digital" means "digital computer" rather than "finger" or "toe")
Just because these systems are first being trialled with mobile ANPR roadside checkpoints, does not mean that that is their only planned use, as the BBC article says that British Transport Police are going to be issued with these systems as well, and there is not much opportunity for ANPR on the railways.
What happens when you are stopped and searched, either on foot or in a vehicle, under the notorious Terrorism Act 2000 section 44? Will your digital fingerprint minutiae be matched against secret terrorist blacklists held by the Security Service or the Police Counter-terrorism Command etc.? Will they ever destroy these digital fingerprint minutiae and the details of the time and location of the stop and search, even when the Police find nothing, which is what happens in the vast majority of these without "reasonable suspicion" stops and searches?
We have asked similar questions about Automatic Number Plate Recognition systems like the London Congestion Charge scheme, where the images of your car number plate are thrown away after 24 hours or so, but the number which has been scanned and read from them is not.
Similarly, "DNA fingerprints" are matched on databases because they are a string of numbers representing each allele or genetic sequence marker which has been processed and read. The "DNA fingerprints" of innocent people were retained illegally for several years, before the Labour Government, instead of prosecuting the bureaucrats and officials involved, simply changed the law to cover up this illegality, and to permit it to continue to this day, and into the future.
How can they be trusted not to do the same with digital fingerprint minutiae ?
The Serious Organised Crime and Police Act 2005 section 117 Fingerprints and footwear impressions amends the Police and Criminal Evidence Act to allow these roadside fingerprint scanners to be used, but not as evidence, only for identification purposes.
However, the weasel words about the destruction of "fingerprints" do not specifically mention digital fingerprint minutiae:
"(1BA) Fingerprints taken from a person by virtue of section 61(6A) above must be destroyed as soon as they have fulfilled the purpose for which they were taken."
How can we be sure that this is happening, not just in the handheld device itself, but throughout the mobile phone and computer networks involved in the fingerprint lookups and matching of records in the National Automated Fingerprint System (IDENT1) and the Police National Computer (PNC) ?
What about the other systems to which these devices are already in the process of being linked, i.e. Immigration and Nationality Directorate (IND), Facial Images National Database (FIND) and Intelligence Management, Prioritisation, Analysis, Co-ordination and Tasking (IMPACT)?
If you do not appear on any of these databases, what is there to prevent the Police from using the powers given to them in the Identity Cards Act 2006 section 18 Prevention and detection of crime, to try to match your fingerprints, without consent, to those fingerprints and name and address and other records which will be held on the centralised National Identity Register?
Is it a crime to refuse to give your fingerprints in this way?
Don't know if you remember this story from 2000 about the voracity of fingerprints. I wonder if the new digital digits will be subject to the same 'fast-track to guilty' as analog digits? How long before roadside DNA testing? One step nearer to Dredd....
@ Kalvis - it is not (yet) a crime to refuse to be fingerprinted at the roadside, but if that means that you are arrested, remembering that every offence is now an arrestable one, when otherwise you might have been let off with a verbal warning etc. you will then be taken to the Police station, to be fingerprinted, DNA sampled, photographed, and perhaps have impressions of your footwear taken.
To resist these compulsory identifications whilst you are under arrest is another crime, and these will be retained for several years, or up to your 100th birthday, or, in the case of DNA forever, even if you are never charged with any offence, and even if you are taken to court and found to be not guilty of it.
@ abcwarrior - the roadside scheme uses only two fingers, which is not enough for a full identification of everyone, as the Passport Service Biometric 10,000 user trial showed.
There is plenty of scope for error, especially if the fingerprints are being taken in winter weather, i.e. snow, rain, freezing temperatures etc.
Police criminal records fingerprints have all 10 fingers or thumbs and both palm prints, where these are available.
The time it takes for these roadside scanners to send data to the central system also seems to have drifted out to a target of 5 minutes, from the 3 minutes which they were claiming earlier.
They are having to use the GPRS mobile phone network with extra encryption, rather than the encrypted Airwave Tetra radio and data network, designed for the Police and other emergency services, which is, in most parts of the country, too slow.
There are too few Tetra base stations, which therefore have to be shared with more users, hence a bandwidth of only around a maximum of 28.8Kbs, using multiple time slots. This level of bandwidth is more likely to be guaranteed, as it is not shared with random numbers of other public users. Voice traffic still takes priority over data.
How long will the queues at the airports be, if it takes up to 5 minutes to check the fingerprints of each passenger, during the regular "security theatre" panics ?
> What happens when you are stopped and searched either on foot or in a vehicle, under the notorious Terrorism Act 2000 section 44 ?
The problem is much larger than just for fingerprinting. Stop & Searches under PACE are supervised by the MPA (and this time, it looks like the MPA board is doing a good job), but there's no supervision whatsoever for Stop & Searches under S44. See http://gizmonaut.net/bits/suspect.html#20060622 for more on this. In London and other designated zones, the Police have the choice between a S&S under PACE that is supervised and for which they need reasonable suspicion, and a S&S under S44 for which they don't need any reason and that is not supervised - guess which one is more likely.
> these will be retained for several years, or up to your 100th birthday, or, in the case of DNA forever
There's conflicting information on how long the DNA profiles are kept for. According to the ACPO report published yesterday it does seem to have been extended to eternity. More at http://gizmonaut.net/bits/suspect.html#20061122
br -d
What happens if you prepare a Gummi Bear fingerprint stamp of your own fingerprint, and offer that?
From the link, "A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera.
First Tsutomu Matsumoto used gelatine (as found in Gummi Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five."
The digital camera is used for lifting someone else's print, what if you produce a copy of your own fingerprint?
What if you offer this stamp to the police officer rather than your finger? Surely, any arrest that he makes is illegal? What law have you broken? You offered your fingerprint as requested.
Legal opinion sought.
ps ... if you do this bear in mind that gelatin decomposes over time (and pongs); however, Middlesex University provides a useful thermosetting plastic as a replacement.
@ anon - a "Gummi" fake finger is not likely to be of much use when the mobile fingerprint scanner is being operated by a human Policeman, who will literally take you by the hand to ensure that the two correct fingers are presented to the scanner device.
There are a wide range of systems which have been proposed to use unattended, unsupervised fingerprint biometric systems, e.g. airport "fast check in" schemes, or bank ATM cash machines, access to the National Identity Register at a private sector employer's premises etc., or even as a "security measure" for lost or stolen laptop computers or mobile phones (which are likely to have the latent fingerprints of their authorised users all over them).
All of these could be circumvented with the "Gummi finger" approach.
"wtwu - a "Gummi" fake finger is not likely to be of much use when the mobile fingerprint scanner is being operated by a human Policeman, who will literally take you by the hand to ensure that the two correct fingers are presented to the scanner device".
So, you're saying that the Policeman will assault you even though you have offered him your fingerprints for scanning; even though they aren't in the form he expected, viz, the Gummi fake finger.
Any legal opinions around here? A Gummi fake finger (see earlier for link) which reproduces your fingerprints is offered to a policeman for a roadside fingerprint test. With reference to the statute, can anyone tell me the basis for the officer's refusal to accept your bona fide (both in actus and intent) offer? If the officer suspects that your fingerprint isn't on the Gummi fake finger, doesn't he have to prove it? If he makes an arrest, what is the basis for the arrest?
On a related note - is it possible to copyright your own fingerprints? The link here isn't that forthcoming.
Welcome to the new Orwellian society.
Within another five to ten years this kind of technology will be routinely used in all kinds of situations. Two combined biometrics may even be used as a method of paying for supermarket groceries. Police head-mounted cameras which are an experimental oddity right now will be routine technology in five years, and it won't only be the police wearing them. Many people will be online most of the time, transmitting their visual streams to blogs and web sites. Some will become celebrities in this way.
Fingerprint patterns (not the original fingerprint images themselves) will be stored and used without much fuss. There will be no digital hiding place for enemies of the state (whatever that might mean), and undesirables may be turned into non-personas at the press of a button.
I am beginning to believe that all this state snooping and data base building is now going beyond what is reasonable. One thing that everyone has to remember is that this is really only the start. Technology will improve and unless we actually make a stand now and say enough is enough, privacy and the idea of the individual will for all intents and purposes disappear. A full DNA database cannot be far away and then what comes next? An intelligent society has to realise they can control the extent to which they give away their freedom. To be a slave to the 'you cannot stop progress' or 'if you are not doing anything wrong, you have nothing to worry about' dogma is really asking for trouble. I cannot believe that the majority of the population are willing to put up with all this stuff.
Sorry if this has already been posted. Article about hacking one of the new passports. Disturbingly easy, so it would seem.
www.guardian.co.uk/idcards/story/0,,1950226,00.html
Just been browsing Halsbury's 2006 edition with a view to presenting my fake gummi finger (see earlier post).
'Fingerprints' in relation to any person, means a record (in any form and produced by any method) of the skin pattern and other physical characteristics or features of: (1) any of that person's fingers; or (2) either of his palms: Police and Criminal Evidence Act 1984 s 65(1) (definition substituted by the Criminal Justice and Police Act 2001 s78(8)); Code of Practice for the Identification of Persons by Police Officers para 4.1.
So, by my reading of the above we don't even need to make a 'fake gummi finger'. We (for example, I'm sure there are many others) simply get our chewing gum out of our mouths; make a finger print impression - see above in any form and produced by any method - and hand that to the officer.
Now ... is there a lawyer in the house? Comments would be very much welcome; such as double checking Halsbury's.
@ anon - How can you prove that the fingerprint you are proffering with a "gummi finger" or an ID Card is your fingerprint, and that you are not abusing someone else's ?
The wording of various bits of legislation, such as the Statutory Code of Practice for PACE, the Serious Organised Crime and Police Act 2005 etc. seem to give a Policeman the power to "take fingerprints from a person", and also to collect and compare latent fingerprints from the scene of a suspected crime, or from records or databases.
Surely a "gummi finger" or even the fingerprints on a passport or identity document are not the same as taking a fingerprint from a person ?
They can even take your fingerprints without charging you of any offence, when they have simply "reported" you for an offence.
When the Identity Card starts being issued in 2006, if you proffer an ID Card to the Police, as a form of identification, then you have no way of stopping them from checking your fingerprints against those on the ID Card and/or the National Identity Register, since it is a criminal offence to have anybody else's ID Card in your possession, without good reason.
Similarly it is a criminal offence to have an ID Card which has been tampered with e.g. your own ID Card, fiddled to show "permission to work in the UK".
This means that although, technically you do not have to carry the ID Card with you at all times, if you do, you have no way of preventing it from being read and compared with your fingerprint, iris and facial biometrics, because the Police will always have the excuse that they have "reasonable suspicion" of an Identity Card crime, if you refuse, and so they can arrest you and do the comparisons by force, if necessary.
The same will also apply to any "Designated Documents" under the Identity Cards Act i.e. very likely Passports (UK or Foreign), Foreign ID Cards and UK or Foreign Driving Licences.
It appears that section 117 of the Serious Organised Crime and Police Act 2005 has still not yet been commenced, i.e. it is still not yet in force, for some unfathomable Home Office reason, but section 110, the "make every offence an arrestable offence" section is in force.
Parliamentary Written Answers, Monday 11th December 2006:
http://www.publications.parliament.uk/pa/cm200607/cmhansrd/cm061211/text/61211w0023.htm#column_829W
The Lantern device apparently only stores 100 fingerprint images in its memory which then rolls over. Presumably this means after 50 suspects, since two fingerprint images seem to be taken per person.
However, what the roadside equipment does, is only part of the story.
Which is of course, a typically misleading McNulty statement, focussing on the roadside equipment, rather than the central databases.
Once these systems become more widespread after these initial small scale trials, there will no doubt, be some data warehousing analysis routine which attempts to correlate and match up all the time, date and locations when each set of previously anonymous fingerprint minutiae has been checked on the central databases.
Where is the guarantee that the central database lookup transactions and audit trail log file records of these allegedly "voluntary" identification only fingerprinting sessions are deleted ?
Where is the guarantee that these "innocent" or "anonymous" fingerprinting sessions, which do not match with existing criminal records, will not be later matched up with the forthcoming compulsory National Identity Register biometric database ?
There is no such guarantee, and the legislation is already in place to allow this - all the clauses of the Identity Cards Act 2006 have been commenced and are currently in force.
My employer has recently installed a fingerprint scanner, which is intended to be used as a register for timekeeping. None of the staff currently employed were consulted on this matter, and we are going to be forced to use it, as there will be no other way of registering attendance for payroll. Surely this should not be allowed, and we can reasonably refuse to provide our fingerprints? Any input would be gratefully received, as my employer seems to think that refusal to adhere to this system will be grounds for dismissal.
@ CDI - if your employer chooses to make it part of your contract of employment, then refusal could be grounds for dismissal - there is no right of privacy in any Act of Parliament in the UK.
What safeguards, if any, are there regarding this biometric fingerprint data, linked to payroll records ? This is definitely "sensitive data" according to the Data Protection Act.
You might want to check if the system is actually registered under the Data Protection Act 1998:
http://www.ico.gov.uk/ESDWebPages/search.asp
If not, then complain to the Information Commissioner's Office, and in about a year or so, they might get around to investigating:
http://www.ico.gov.uk/complaints/data_protection.aspx
https://www.ico.gov.uk/Global/contact_us.aspx
Depending on the environment in which you work, the fingerprint reader(s) could become a biohazard, e.g. spreading diseases like MRSA in hospitals or doctors' surgeries, or SARS or H5N1 influenza viruses etc. at airports or where there are lots of international travellers, salmonella bacteria in kitchens or other food preparation areas etc.
You could get the appropriate Health and Safety inspectors to investigate.
There is a good chance that the equipment will not work reliably for all of the people in the workforce e.g. if anyone does manual labour involving bricks or cement or concrete, or is constantly washing or immersing them in water.
Some groups of people are actually discriminated against by the technology e.g. older people and especially women who are ethnically from South Asia, tend to have thinner skin, and fainter fingerprints.
It is sometimes possible to fiddle the software to allow such people to use the system, but that amounts to racial discrimination, which may well contravene one of your employer's stated policies.
Why are your employers using a fingerprint system, when a contact smart card and/or PIN would be so much more secure and less brittle in terms of systems failure ?
Smart Cards and PINs can be changed, when the central database security is breached, but fingerprint biometrics, short of surgery, cannot.
Do you have any manufacturer or supplier details about the particular system your employer has inflicted on you ?