Biometric payments in school cafeterias: Privacy nightmare or lunchroom revolution?
Lunchrooms have gone through some significant changes since the days of mystery meats, food fights, and anything with traces of peanuts. But beyond Jamie Oliver’s Food Revolution, technology is changing the cafeteria experience in the form of biometric payments.
Around the world, many cafeterias are being fitted with biometric payment systems for students to purchase lunch, and these systems tout some appealing benefits: kids don’t need to carry cash, kids who lose money don’t need to go without food, lunch lines will shrink and students on a subsidized meal plan no longer need to feel isolated by being made to sign for food in front of their peers.
The idea behind biometric payment systems for cafeterias is often essentially the same: student biometrics are registered in the system and converted to a numerical sequence for verification, parents or students can load money into an account and then instead of paying for lunch with cash, students are verified by their biometrics and money is taken out of their pre-loaded account.
All this being said, many recent deployments have been opposed by parents and community members, concerned for the privacy of their children.
A major concern is the storage of this biometric information and how secure the system of encryption and verification is. Most, if not all systems work under the principle that it’s not student biometrics that are actually stored, but it is instead a numerical sequence used for verification. But how reliable is this system? Is there a way to reverse-engineer the process to derive fingerprints or palm prints from their assigned mathematical representation?
In a Boing-Boing article from 2006 on Walt Disney World’s use of fingerprint scanners, Cory Doctorow argues that whether it’s a fingerprint or a numerical sequence means little difference in terms of personal identification.
“Saying that you only store the mathematical representations of a fingerprint is like saying that you only store the mathematical representations of a JPEG, not the actual paint, canvas and frame that it depicts. It’s true, but it sure doesn’t mean that you haven’t captured something important,” Doctorow writes.
In the case of fingerprint systems, these representations are often minutiae templates from the fingerprints themselves, derived from minor details in prints. Minutiae mainly include ridge ending and ridge bifurcation, but also consider details such as ridge length and independence, islands, enclosures, spurs, crossovers, deltas and cores. These details alone have been claimed to be some of the most reliable unique identifiers in fingerprint analysis.
A research paper from 2007 From Template to Image: Reconstructing Fingerprints from Minutiae Points, authored by Arun Ross, Jidnya Shah and Anil K Jain, challenges the notion that minutiae points don’t reveal any information about the original fingerprint, and instead suggests that three levels of information about the parent fingerprint can be elicited from the minutiae template alone. This includes orientation field information, class or type information and friction ridge structure. Following their analysis, the researchers determined that ridge reconstructions, based on minutiae points alone, were observed to be visually similar to the parent print and could feasibly be used to generate synthetic prints to compromise the security of a biometric system.
From their conclusions: “If other information, such as the location of singular points, the class of the fingerprint, the type of minutiae and interridge attributes are available in the template, then, perhaps, the original fingerprint can be reconstructed in its entirety.”
Fujitsu Frontech North America manufactures many of the systems used in schools today, though they are not fingerprint systems, they instead leverage palm biometrics.
In an email to BiometricUpdate.com, Bud Yanak, director of product management & partner development at Fujitsu Frontech North America explains how the FFNA system protects from reverse-engineering, and also how palm vein scanning differs from fingerprint systems, which typically rely on minutiae templates.
“We have never had a person’s biometric identity stolen. As a matter of fact, our customers deploy PalmSecure biometrics to protect their customers’ identity from being stolen […] We deploy multiple layers of encryption and protection to secure the biometric information. For example- we do not capture and transmit the biometric palm image. We take this image and convert it to a ‘template’ that is encrypted with a private encryption key. Only the encrypted template is sent from our palm imager. This makes it virtually impossible for ‘man in the middle’ attacks to be perpetuated. Additionally, this encrypted template is virtually impossible to ‘reverse engineer’ to create the palm image of the person from which it was taken.”
“If someone were able to ‘hack into’ one of our customer’s databases and take the templates that are stored, they are worthless, because our software differentiates ‘enrollment templates’ (the templates stored in the database) from ‘identification templates’ (the templates that we capture to compare against the ‘enrollment templates’ when our software searches to establish a person’s identity),” Yanak adds.
“Even if someone were able to steal a template, decrypt it, then re-encrypt it with the private encryption key from another customer’s database and resend it to the other database to present himself as that person, our software would reject it, because it is an ‘enrollment template’ and not an ‘identification template’.”
In addition to encryption, the Fujitsu system relies on the unique flow of hemoglobin throughout palm vein system, which adds significant liveness detection. According to Yanak, this makes it nearly impossible to spoof, even with a stolen or recreated template.
Reported previously in BiometricUpdate.com, the Carroll County Public School Board in Maryland has halted the implementation of Fujitsu palm scanners within the school district, and a recently proposed bill threatens the collection of biometrics from school children altogether.
The proposed bill, Senate Bill 855, would prohibit school boards from collection biometric information for the use of electronic identification.
According to Joseph Getty, the Republican State Senator who proposed the bill, the issue came up in Carroll County as the county board of education decided to make the purchase without wide notification and public process.
In addition, says the State Senator, the use of biometrics is questionable for something like expediting the cafeteria lunch line, and should instead be reserved for a process with what Getty calls an “elevated purpose.”
“It might be different if it was going to be used for school security, in which there was a process of parent notification and consent,” Getty said. “How much shorter are you really going to make the lunch line, especially when most kids could be assigned a pin number and type it on a keypad?”
Lastly, Getty thinks that school boards must be cognizant of the kind of sensitive information used to identify students. For example, there have been cases where social security numbers have been used, which is a policy violation. Privacy is also a relevant concern for many in the Carroll County School district, as previously, a high school student in the system successfully hacked into student information files.
Operation Kidsafe founder and National Program Director, Mark Bott tends to agree that biometrics and children are a worrisome combination, and has built his own service around this notion.
Operation Kidsafe is a program that aims to provide free fingerprint ID kits to parents, which could help identify their children in the case of emergency. To date, Bott says Operation Kidsafe has fingerprinted over 1 million children.
Using a Cross Match fingerprint scanner, Operation Kidsafe takes children’s fingerprints and prints them in a standardized format to give to parents. Bott, an advocate for privacy, says that children’s prints are never maintained in the system, and are instead, erased at the beginning of each new session.
“I think the only people who should have information on your child are parents and doctors” Bott said. “I am a firm believer that privacy is number-one and that’s why families flock to our program.”
Reported previously, starting in September 2013, schools in England will be banned from collection students’ biometric data without parental consent.
According to the Department of Education, 30 percent of secondary schools and five percent of primary schools in the country use fingerprinting or facial recognition to record attendance, enable students to borrow library books, pay for lunch of access certain buildings within school systems.
Last year, the Biometrics Institute, an independent international body representing biometrics users, academia and the industry called for caution in widening access to the National Pupil Database (NPD) as proposed by the UK government.
According to the Biometrics Institute, the government’s proposal would allow private sector and other previously excluded groups to access the national database in order to enable research, education planning and other services to be performed.
Whether it’s an issue of adoption, privacy, security or cost, it’s likely biometric systems will increasingly be implemented in schools, and their use in cafeterias is just the tip of the iceberg. Biometrics are rapidly becoming a part of everyday life.
The global biometrics market is set for significant growth. The Biometrics Research Group projects that the market will grow to $15 billion by 2015, from its 2012 estimated value of only $7 billion.