Data Security

Your Digital Body: Bias and Biometrics in Tech

Your Digital Body: Bias and Biometrics in Tech

What can possibly be more uniquely you than your physical body? Fingerprints, iris patterns, voice… These (and more) are what biometrics is all about. Biometrics are generally used in two ways: to determine if a person is who they claim to be or to find out who a person is by searching a database.

Believe it or not, the use of biometrics as a means of identification has been documented back nearly 4,000 years ago, when Babylonians used fingerprints to sign contracts. Since then, fingerprints and other forms of unique physiological data have been used to identify individuals for a variety of reasons, such as to identify criminals or to authorize access to a resource like a document or a physical location. With modern computers (including smartphones and tablets), it is easier than ever to automatically take a complex image and compare it in detail to an image on record. Sounds pretty much perfect… or does it?

Bias in Biometrics

True story: a friend of mine tried to use one of the automated passport scanners to get through customs. It kept telling him that it didn’t see his face for a photo, even though he could clearly see himself on the screen. The officer minding the queue walked over and put a piece of paper over my friend’s head to add just a bit of shade, and suddenly everything worked. My friend is white and bald, and the glare from the overhead lighting on his head tricked the software into thinking his face wasn’t there. 

There are lots of stories out there about biometric-based services unable to handle dark skin tones, light skin tones, congenital disabilities, transgender faces, and so on. Much of the earlier modern bias resulted from the use of very limited datasets that contained more of one type of image than any other. For example, a database might have thousands of fingerprints to use for testing purposes, but they would include just one skin tone for the hands. Or a database might have a million faces, but mostly from middle-aged white males. Anyone that fell outside the parameters of what the developer tested for might be identified as “not white,” but uniquely identifying them would fail. 

The good news is that, at least when it comes to biased datasets causing havoc, there are efforts to improve the space. This has been a particularly important area of research for Artificial Intelligence and Machine Learning (AI/ML) and organizations like the Organisation for Economic Cooperation and Development (more commonly known as the OECD; think high-powered, treaty-based, international organization) have guidance for how these types of systems should be designed. Microsoft, a company that does quite a bit with AI, has some pretty extensive guidelines and governance as well. So there is hope and some established guidelines out there. These guidelines, if followed by everyone, would greatly improve the computer bias in this space.

Other weaknesses of biometrics

If everything works as intended, biometrics are a great way to uniquely identify yourself to a computer. As long as no one does something gruesome to steal a body part, it’s all you, right? Well, sort of. The problem is that yes, your fingerprint (or face print, or iris pattern, or whatever) is on your physical body, but as soon as you scan it to be used for identification and access, it becomes an electronic asset. And as we all know, electronic assets can be hacked and stolen. Some call this the ‘fatal flaw’ of biometrics.

Back in 2019, a data breach of a company called Suprema exposed records affecting 1 million people, including fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, and more. And when those kinds of records are stolen, it’s not like you can actually change the information. You can change a password or PIN code, but you can’t (practically speaking) change your fingerprints. In those cases, all you can do is participate in identity theft prevention programs that will at least prevent new accounts that involve things like credit checks from happening without lots of hoops to jump through. All credit agencies have these kinds of programs (here’s one from Experian, and they’ll communicate things like fraud alerts to the other big credit agencies like TransUnion), as do some government agencies.

What you can do in 5 minutes

  • Make sure that the devices that are using biometrics have an alternative way to access the device, like setting a passcode for when facial recognition doesn’t work.
  • Use that passcode every once in a while so you don’t forget it!

What you can do in 15 minutes

  • Sign up for a credit monitoring service that will keep an eye out for when and where your information might be exposed in a data breach so that you’ll know when to take further action to prevent accounts from being opened with your information.

What you can do in 30 minutes

  • Interested in really learning more about the challenges of biometrics? Read this fascinating pre-print study submitted to the IEEE Transactions on Technology and Society to learn more!

Wrap Up

Biometrics are pretty cool, and if your accounts are using them as part of your login process, that means you’re using multi-factor authentication (MFA). You get a gold star! But, alas, biometrics are not perfect and while your physical attributes are yours, once they have been turned into bits and bytes on a computer, they can be stolen and used. 

If you have a choice between biometric MFA or no MFA, go ahead with the biometrics. If you have a choice between some other factor–like an authenticator app–and biometrics, go with the authenticator app. No technology is perfect, so the goal is to make it harder for hackers to get to your accounts rather than impossible.

Good luck! It’s a crazy world out there.

Posted by heather in Data Security, Topic, Subject Level, Line Dancing, 0 comments
Security in the Metaverse: What You Need to Know Now

Security in the Metaverse: What You Need to Know Now

Ahh, the metaverse. Depending on who you ask, it is either an impressive evolution of the online experience or a poorly defined marketing ploy. And, at least for now, there isn’t just one metaverse, which has lots of implications for how to protect yourself from one to another  Regardless of how many there are or what side you take on whether any of them will succeed, you can sum up the idea like this:

The metaverse is almost like a parallel dimension—it blurs the lines between the physical world that you and I know and the virtual world…like artificial reality and cryptocurrency. –  from IFM’s metaverse blog post

Wouldn’t it be fantastic if we could plan for digital identity and security in the metaverse even while the metaverse is still being figured out? When the Internet was first designed, it missed the boat when it came to building in digital identity and security. Everything we know about how to verify someone’s identity online was added long after the bones of the Internet were set. 

Owning your security in the metaverse

The old saying is, “On the Internet, no one knows you’re a dog.” In the metaverse, no one will know if the “person” they are interacting with is really a person or a computer simulation. Creating digital accounts is really pretty easy. Making them realistic is just as easy, as humans don’t do a good job of protecting their personal information. Birthdates, location data in photographs, responses to Internet memes—it’s all out there waiting to be used to either hack existing accounts or create new ones that look like a real person for the purposes of fraud or harassment

Several of the companies working on their version of the metaverse hope to include identity and security by using Web3 technologies like blockchains that guarantee the uniqueness and ownership of a piece of information online. Which is good as far as it goes, but it doesn’t go far enough (yet). NFTs, built on supposedly secure Web3 and blockchain technologies, have already seen their fair share of fraud despite the technology. Still, we’re in the early days of figuring out how to make NFTs and Web3 long-term useful ideas, so there may be something there. Or not. We’ll see.

Regardless of whether fancy new technology will try to come in and save the day, you as the human actually have a lot you can do to help make your experience more secure. The good news is that what you can do to secure yourself in the metaverse are the same things you should do to protect yourself online today:

  • Control the information you share online (and don’t respond to silly memes, no matter how much you want to know what your name should be on the next royal wedding invitation).
  • Use good passwords. (We have a post about that.)
  • Never assume that the new person you’re talking to is who (or what) they say they are. 

Authenticating when you’re already there

Let’s look at where the metaverse is closer to reality: virtual reality! Those companies already branching out into metaverse products, like VR meetings or immersive games, now have to figure out how to authenticate users in VR (remember, use good passwords!). They could try and go old-school and have someone type on a virtual keyboard…except most users will only be using the VR headset. So, what are they supposed to do? A laser pointer at a virtual keyboard, hunting and pecking for each key? Uh, no. There are always biometrics, of course. Retinal scans, voice scans, fingerprints…But each of those needs a fallback for when the physical reality means biometrics aren’t feasible

No problem! Let’s make the VR device itself be your password! That actually has some promise and is an area already being explored, but there are still issues with how to handle shared devices (as anyone with more than one kid can tell you when it comes time to share the game controllers) as well as the reality that gamers rarely sign in as themselves. Also, the idea of moving away from traditional passwords is not without its challenges. Hacks are still possible (drat those hackers!), and there are questions as to whether it’s even a good idea to tell users to just “trust the magic” of what they don’t see.

At the end of the day, there’s just a lot that needs to be explored to make the metaverse a more safe and secure experience for everyone. 

Conclusion

The metaverse is expected to be THE online experience of the future. Right now, it seems like it is not only inheriting the security flaws of the Internet, but it’s coming up with new ones all on its own. CNBC has a great article on what kind of dangers are being introduced, which is scary, but it’s also an opportunity. We know the dangers (at least, we know some of them) which means we can plan for them. 

Posted by heather in Web3, Data Security, Line Dancing, 0 comments
A Very Useful Article About Online Passwords

A Very Useful Article About Online Passwords

Is there anything more likely to make a non-techie yawn than a lecture about passwords? “Make them hard!” “Don’t put them on sticky notes!” “Change your passwords like you change your underwear!” So much lecturing when people just want to get into their online accounts! Well, guess what, my friends. That advice is actually pretty outdated. Let’s talk about real-world, up-to-date dos and dont’s for passwords!

Passwords: So Last Decade

Quite a bit of the old advice out there is either based on old technical limitations or a lack of understanding about how people actually think. For example, requiring frequent password changes—this is NOT necessary.

Passwords Are Not Underwear

According to the National Institute of Standards and Technology (NIST)—the US government department that provides some of the most well-recognized, current advice on digital identity—websites that require users to reset their passwords every few weeks or months are just causing people to use (and reuse) easily cracked passwords. Should users change their passwords after a breach? Yes, definitely. Should they change their passwords every month? No. The way NIST puts it, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future.” So, yeah, requiring frequent changes does not have the effect people think it should.

Hard for a Computer, Not for a Human

Did you ever see someone stuck with a password like “$*&fas09iur3jfsk#” that they created because of requirements to use letters, numbers, and certain other characters? Yes, that’s a fine password if a site allows for it, but you know what else really works? “My cowlick speaks batteries.” Or “My cat paw no tail!” Those are passphrases, and a nice long passphrase is actually better for most people than a random character generator. (The smart folks at NIST said that, too.) Just make sure the passphrase isn’t actually a grammatical sentence and you’re golden.

Reality of Recording

It’s been a long-standing tradition to mock people who write their passwords on sticky notes and put them on their computers. But that said, if I had to choose between a person who is more comfortable with writing their passwords in a little black book they keep in a drawer at home near their computer or someone that uses a single password for all their accounts because technology is hard, then by all means! Bring out the book! This really boils down to a question of what risk are you trying to manage—someone physically breaking into your house and stealing your passwords, or someone hacking accounts online. 

The Brave New Password World

If frequent password changes, gobbley-gook passwords, and physically recording passwords somewhere is the old guidance, is there anything new? Why yes, yes there is! Well, relatively new. Let’s start with my personal favorite, multifactor authentication.

Multifactor or Second Factor Authentication (MFA or 2FA)

If a website or service is doing The Right Thing, then just asking you for your password isn’t going to be enough to get you in. It should also ask you for another piece of information, either a one-time code it sends you, a scan of your fingerprint, or even a code from an authenticator app like Google Authenticator or Authy. This is called either second-factor authentication or multifactor authentication (2FA is a subset of MFA; there are Super Top Secret Secure sites out there that will require a third or even fourth factor. Multiple factors are a thing.)  

There’s a really good reason for requiring at least one additional factor.

Let’s say that your username and password were hacked. If the hacker has that, and MFA wasn’t enabled, then they can just waltz in and do whatever they want. If it’s your banking password, then there goes your money as they transfer it away. If it’s your language learning app, there goes your progress as they delete your account. And so on.

But if MFA has been enabled, then even with the password, the hacker is kinda stuck. There is a short-lived piece of information they don’t have, and that’s a way harder nut to crack. Can it be done? Yes, there are techniques that will help a hacker work around MFA security. But that has to be very targeted to an individual; wide-scale account compromises become way harder.

Screening Your Own Passwords

The moment has come. It’s time to set a password. For some reason, you aren’t using a passphrase (probably because outdated sites are limiting the number of characters you can use for your password. Bad site! Bad! No biscuit!) You might want to just do a quick check that you aren’t using one of the really super common passwords out there. 

Wait, you’re not a hacker! How are you supposed to know what other people’s passwords are? As it turns out, lots of people tend to use the same passwords. There are websites dedicated to sharing the top 10, 20, or even top 100 common passwords out there on the Internet. Even baby hackers can pick up that list and have a decent chance at hacking into a bunch of accounts. It won’t take but a moment for you to do a quick scan of those lists to see if the password you set your heart on (don’t say ‘qwerty,’ don’t say ‘qwerty’) is on the short list of common passwords out there.

Password Managers

Password managers are MY FAVORITE THING, at least when it comes to basic Internet security hygiene. This is the electronic version of the Little Black Password Book mentioned earlier. Even with the use of passphrases and MFA, it’s still a really good idea to use different passwords for different sites. The thing is, that really adds up! One study out there says that the average person these days has around 100 passwords to worry about. That’s just too many to remember.

Some mobile devices have a built-in password manager. Some web browsers do, too. The trick is to find a password manager that actually lets you work across platforms and devices. Probably the top-rated one out there right now is LastPass (which has both a free and a premium version), and 1Password (which is entirely subscription-based, and is rated pretty highly, too). 

One bonus to a good password manager is that they’ll actually do the password screening described earlier for you.

The Future of Passwords

If you talk to people who actually work in the digital identity and cybersecurity space, they will tell you how much they want passwords to just not be a ‘thing’ anymore. The good news is that there is a LOT of work underway to make that dream a reality. One particular effort coming out of the FIDO Alliance really looks brilliant. In that brave new world, a user can unlock the security by “swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.”

Technology is constantly evolving. The guidance you may have learned when you first started surfing the web is probably out of date. For that matter, the guidance you learn today might eventually become obsolete thanks to efforts like FIDO making passwords entirely a thing of the past. Keep your eyes open!

Posted by heather in Data Security, Mosh Pit, 0 comments
A Call Made Round the World…And More On Internet Resiliency

A Call Made Round the World…And More On Internet Resiliency

If you look at a map of the world, you see lines around cities, states, and countries that mark the boundaries of those regions. Those lines seem so tidy when looking at a map of the world. Of course, that assumes you’re looking at a well-surveyed area with a stable political infrastructure. 

The Internet is nowhere near that tidy; its boundaries are not well defined. Maps of the Internet don’t look like anything in the physical world. There’s an interesting map based on all known websites and where their domains are registered as of  2011 called The Internet map. There’s a super-fun map called The Map of the Internet that maps out the World Wide Web and gives you a sense of scale. Heck, you can go to Vox and look at “40 maps that explain the Internet,” but none of those map out the Internet itself. When it comes right down to it, there is no single authoritative map of the Internet.

Why is it this way, and why does it matter? Read on!

Why the Internet is Resilient

Did you know the Internet started as a US military defense project? Think about the mindset that would result in: any military would want a computer system to stand up to anything and everything. It would need to be resilient if some pieces went offline. It would need to allow lots of different types of computers to talk to each other any time, day or night. Think of those requirements as the DNA of the Internet. Technical implementations build from there.

But wait, if the Internet started as a military project, how did the rest of us get to use it??? That kind of exchange, from government to private sector and back, is pretty common. That’s a post for another time.

Back to the Internet. The way things work, it’s a lot like a postal letter. Someone writes a letter and it includes the address of where it’s trying to go. And at every step, the delivery system asks, “what’s the best next step from here?” These systems are always chatting with each other, sharing the best path to get from anywhere to everywhere. If one path goes down because a computer broke, that’s ok, because the systems will tell each other a new way to get there. And that happens fast. And it is one part of what makes the Internet so resilient. There is always a path forward.

A while back, I videoconferenced with my mother in Chicago from a hotel in Taipei. I opened an app, clicked on her face, let it ring a few times, and voilá, there she was. WOW, seriously, how cool is it that within a second, the computer I was on in Taipei figured out how to get to my mom’s computer in Chicago? We were nearly 7500 miles apart. I was on a hotel network in Taiwan. She was on a mobile network in Chicago. I opened my app, which itself has the addresses of the computer used by that video service. The network I was on said, ‘ahHA! You’re trying to get way over there! Let’s start routing you through lots of different countries, under the ocean, or maybe into space via satellite.’ 

It is possible for a local region or country to cut itself off from the rest of the Internet, but to do it, it has to get into that delivery system and take its information out of the network. Then any system trying to get there from here won’t know how to do that anymore. (It’s obviously a bit more complicated than that, especially when you throw satellites into the mix, but you get the idea.)

Controlling (Mis)Information

The Internet is resilient, which means it can route information around many different kinds of interruptions like broken computers or weird human error. Yay! That means that cat videos can be available day and night! Well, true, but not everyone is a fan of this level of resiliency, and there are reasons for that. 

The thing about technology is that technology itself is neutral. It’s like a bunch of bricks—you can build houses or you can vandalize windows. It’s not the brick that’s an issue, it’s how the brick is used. But if you’re in a situation where people are using bricks to break things, then you almost certainly want to do something to prevent that. One of those preventative measures is likely to be controlling access to the bricks. Same goes for technology like the Internet—if you use it to harm, someone is going to want to prevent that by controlling what gets posted.

Now more than ever, we are seeing people and their governments demand ways to prevent the spread of information they don’t like on the Internet. From addressing “fake news” that attempts to skew democratic elections to reactions to cyberwarfare, controlling information is considered by many to be necessary for a safe society.

Some governments go so far as to demand restrictions between the Internet within their country and everyone else. This has been top of the news when it comes to Russia, but Russia is just the latest example. China has its Great Firewall, which had its start in 1997. Several other countries in Asia and Africa censor the Internet to various extents. In the US, free speech laws prevent much government censorship, which has many people turning to the social media platforms themselves and demanding action, either to restrict content or to stop restricting content, depending on their point of view.

Why Does This Matter?

Identity Flash Mob is a passion project led by two women who want people to have a better understanding of how the Internet works and why it really matters to know more about it. So, if you take away anything from this article, it should be two things:

  1. The Internet is incredibly resilient, but it’s not invincible. While individuals will always be able to build connectivity to the Internet (if they have the technical know-how and access to satellite networks) that’s not the case for most everyone. Governments may well be able to control big chunks of it, and through that, they control the information people have access to.

Which leads to the second thing:

  1. Not everyone sees the same thing on the Internet. What seems obvious to you based on what you’re reading in the news or social media might not be obvious to others who are not seeing the same thing. 

The resiliency of the Internet that lets me call my mom from halfway around the world is an incredible thing. Hopefully, we’ll still keep in mind all the good things that resilience as a foundational principle allows us in today’s online society.

Posted by heather in Data Security, Mosh Pit, 0 comments