Tuesday, March 27, 2007

Suffer the children

Kim Cameron reports on a rather worrying situation with UK education - fingerprinting kids without their parents' consent. This from the BBC:

The guidelines, published next month, will "encourage" schools to seek consent before taking biometric data. The move comes after it emerged some primary schools stored children's thumb prints for computerised class registers and libraries without parental consent. The Department for Education and Skills (DfeS) says it does not have figures for how many schools are already using biometric data. However, a web poll by lobby group Leave Them Kids Alone, estimated that 3,500 schools had bought equipment from two DfES-approved suppliers.

Under the Data Protection Act, schools do not have to seek parental consent to take and store children's fingerprints.


Great. So, now the UK government is forcing children to sleepwalk into a privacy quagmire. No doubt these records will be handed over to some A.N.Other vendor, probably to get sold on the black market when that vendor goes bust. My two big problems with this are that you've got absolutely no idea to what uses that data could be used in some future time (so it is best to err on the safe side - aka the "negative option value" hypothesis), and that it is just bad policy making.

The first point should should be pretty obvious - we all know that these databases are never secure. It probably isn't good form to quote oneself (but heck, it's not good form to make death threats, so I think I can get away with it), but what I was talking about regarding giving away the keys to location counts at least as dramatically for your fingerprints:

In the same way that option value depends on the potential multiple uses of an asset, giving away generic and highly fungible personal data such as location can result in negative option value.


Second, this policy of sitting on the fence and "encouraging" schools to get permission is just annoyingly fudging the issue, and pushing the responsibility down to the overworked schoolteachers. I'm reminded of one of my favourite pieces by the late Nico Colchester, a former deputy editor of the Economist, who invented the science of crunchiness - keep things clear, else we'll all pay the consequences.

1 comment:

silpol said...

No doubt these records will be handed over to some A.N.Other vendor, probably to get sold on the black market when that vendor goes bust. My two big problems with this are that you've got absolutely no idea to what uses that data could be used in some future time (so it is best to err on the safe side - aka the "negative option value" hypothesis), and that it is just bad policy making.

privacy breach usually kicks back earlier - when yet another sysadmin with access to data is kicked out from job, with last copy of user DB on flash stick in a pocket... the very problem is that public on general level is not careful about their privacy OR or rather appear-to-be-careful but lullabied by typical corporate "privacy.html" doc ... in other words, logical level of security & privacy with general public achieved usually with lemming-style methods: from 30 million of lemmings some few hundreds of thousands could die, so what? ;) yes, I know - it sounds too cynical but it is current level of typical privacy and nobody care because nobody want to pay real price tag of real security and privacy.