With Canon, You Can

Or indeed, with any camera. In Germany, there is an ongoing discussion about biometric data – how secure it is, how easily it can be faked, etc. The Chaos Computer Club has added a little spice to the discussion by obtaining and sharing the fingerprint of our Minister Schäuble, arguing that „by Schäuble’s definition, there is no difference between the personal data of, say, a photograph, and a fingerprint“. So, the CCC says, all they did was publish a „finger photo“ of the minister.

The story gets even more interesting as the same CCC openly publishes a way to reproduce fingerprints to fool fingerprint scanners. Like all things the CCC does, they openly share ways to exploit security loopholes for the sole purpose of making people lose their naive belief that there are technologies that are actually „foolproof“ (or misuse-proof). If people (and juries) think that fingerprints cannot be faked, any person (including Mr. Schäuble or you) can be arrested and sentenced on the grounds of fingerprints collected as proof.

The CCC way to fake fingerprints is quite easy – collect them from any smooth surface like a drinking glass or a product glass touched in a supermarket, use superfast glue to make them visible, scan them, print them on foil, paste the foil with wood glue, cut the fingerprint and paste it to your finger – and it even fools „pay per fingerprint“ systems like the ones from EDEKA (a seven-eleven variant here in Germany).

There is a TV video on YouTube showing how it works – and comments on that YouTube video are already suggesting using the minister’s fingerprints to go shopping (which MAY not be a wise move, considering that those EDEKA shops have camera surveillance, duh ;) ).

Well, that’s it for today’s episode of the brave new world we’re living in, and what dark futures we are drifting to (because: Edeka and the manufacturer of the pay-per-fingerprint systems have already stated that they still feel the system to be safe and that they do not have any plan to change or replace it).

Stay tuned for the next episode, and be sure to check out this article from Great Britain where some criminologists feel they can predict which kid has an above-average chance to become a criminal at a later age, urging the politicians to pass laws that will allow the collecting of DNA samples from five-year-olds. Ooh, the fun of Cyberpunk NOW.

For aspiring German Cyberpunks: Here’s a link to the CCC’s FAQ on „all things dark and cyberpunk“ (like online and cell phone security issues etc.). As the address to the FAQs ends with „lang=de“ I believe there should be a „lang=en“ version as well, but I sure don’t see much of a difference by entering the changed address ;)

Judges Create a Fundamental IT Right!

One would hardly have thought it possible any more: what German politics – thanks to Schäuble’s ulterior motives? – has failed to do for years, the judges have now taken care of themselves: adapting the German Basic Law to the information age.

On 27 February 2008, the Constitutional Court flatly rejected Schäuble’s „preventive snooping“. According to the judges, there must be „danger to life and limb“ before the state may spy on e-mails and hard drives. And whether that is the case is something judges must decide case by case – goodbye, mass eavesdropping!

The constitutional judges’ ruling contains a hidden sensation. The existing „fundamental right to freedom of telecommunications“ was too narrow: it covered only the protection of the home and took neither mobile phone use nor mobile laptop use into account. Other fundamental rights (such as the protection of privacy) also covered computers and mobile communication only inadequately.

Whereupon the judges of the Constitutional Court simply invented a new fundamental right:

The fundamental right to the guarantee of the confidentiality and integrity of information technology systems.

Or in short: the fundamental IT right. Welcome to the 21st century, Germany! Court President Hans-Jürgen Papier, according to a dpa report:

„In today’s judgment, the Federal Constitutional Court for the first time derives from the general right of personality a fundamental right to the guarantee of the confidentiality and integrity of information technology systems. This fundamental right, derived from Article 2(1) in conjunction with Article 1(1) of the Basic Law, takes its place alongside the other guarantees of freedom, in particular the protection of the secrecy of telecommunications, the inviolability of the home and the right to informational self-determination, insofar as these afford no protection or insufficient protection. The fundamental right to the guarantee of the confidentiality and integrity of information technology systems is not without limits. Interferences may be justified both for preventive purposes and for criminal prosecution. The individual, however, need only accept such restrictions of his fundamental right as rest on a constitutional statutory basis. Secret access to an information technology system constitutes an interference with fundamental rights of particular gravity and intensity. Where the objective is preventive, this interference satisfies the requirement of proportionality only if specific facts indicate a danger, threatening in the individual case, to a legal interest of paramount importance, even if it cannot yet be established with sufficient probability that the danger will materialise in the near future.

Legal interests of paramount importance are, first of all, the life, limb and liberty of the person. Also of paramount importance are those interests of the public whose endangerment affects the foundations or the continued existence of the state or the foundations of human existence. For the protection of other legal interests of individuals or of the public, in situations in which no existential threat exists, a state measure that – as here – exposes the personality of the person concerned to far-reaching surveillance is in principle not appropriate. To protect such legal interests, the state must confine itself to the other investigative powers granted to it by the applicable specialised law in the preventive field.

The law must additionally ensure that the inviolable core area of private life, as part of the guarantee of human dignity that cannot be restricted, is spared. The constitutionally required protection of the core area can be ensured by a two-tier protection concept. The statutory provision must first work towards ensuring that the collection of data relevant to the core area is avoided as far as is possible in terms of information technology and investigative technique. If this – as with secret access to an information technology system – is not a practical option, the legislature must ensure through suitable procedural rules that collected data relevant to the core area are deleted without delay; any disclosure or use is to be excluded.

The challenged provisions on online searches do not meet these requirements.“

The Anonymity Experiment

The loss of privacy is no longer a secondary theme in Cyberpunk fiction. As we are still waiting for real cyberware to hit the streets, rising sea levels and skies that look like TV tuned to a dead channel, total surveillance now is the main theme (or one of the major themes) and anchor(s) of many „post-cyberpunk“ books, films and settings.

The thing is this: Total surveillance is already upon us. And not all of it has to do with fear of terrorist attacks, evil government plots or secret service spooks. Most of it is so mundane that we don’t even recognize it happening.

The following text is from Popsci and is definitely worth reading. Here are some quotes to give you an overview of this complex (and often quite scary) issue:

The Anonymity Experiment

By Catherine Price

„In 2006, David Holtzman decided to do an experiment. Holtzman, a security consultant and former intelligence analyst, was working on a book about privacy, and he wanted to see how much he could find out about himself from sources available to any tenacious stalker. So he did background checks. He pulled his credit file. He looked at Amazon.com transactions and his credit-card and telephone bills. He got his DNA analyzed and kept a log of all the people he called and e-mailed, along with the Web sites he visited. When he put the information together, he was able to discover so much about himself—from detailed financial information to the fact that he was circumcised—that his publisher, concerned about his privacy, didn’t let him include it all in the book.

I’m no intelligence analyst, but stories like Holtzman’s freak me out. So do statistics like this one: Last year, 127 million sensitive electronic and paper records (those containing Social Security numbers and the like) were hacked or lost—a nearly 650 percent increase in data breaches from the previous year. Also last year, news broke that hackers had stolen somewhere between 45 million and 94 million credit- and debit-card numbers from the databases of the retail company TJX, in one of the biggest data breaches in history. Last November, the British government admitted losing computer discs containing personal data for 25 million people, which is almost half the country’s population. Meanwhile, some privacy advocates worry that the looming merger between Google and the Internet ad company DoubleClick presages an era in which corporations regularly eavesdrop on our e-mail and phone calls so they can personalize ads with creepy precision. Facebook’s ill-fated Beacon feature, which notifies users when their friends buy things from Facebook affiliates, shows that in the information age, even our shopping habits are fit for public broadcast. Facebook made Beacon an opt-in service after outraged users demanded it do so, but the company didn’t drop it completely.

Then we have Donald Kerr, the principal deputy director of National Intelligence, who proclaimed in a speech last October that “protecting anonymity isn’t a fight that can be won.” Privacy-minded people have long warned of a world in which an individual’s every action leaves a trace, in which corporations and governments can peer at will into your life with a few keystrokes on a computer. Now one of the people in charge of information-gathering for the U.S. government says, essentially, that such a world has arrived.

So when this magazine suggested I try my own privacy experiment, I eagerly agreed. We decided that I would spend a week trying to be as anonymous as possible while still living a normal life. I would attempt what many believe is now impossible: to hide in plain sight.

A Gallup poll of approximately 1,000 Americans taken in February 1999 found that 70 percent of them believed that the Constitution “guarantees citizens the right to privacy.” Wrong. The Constitution doesn’t even contain the word. And in a fully wired world, that’s an unnerving fact.

(…)

Hoofnagle had tried his own version of the same thing, partly for fun and partly because of fears of retribution from private investigators he had irritated in his previous job at EPIC. “When moving to San Francisco two years ago, I deliberately gave my new address to no business or government entity,” he told me. “As a result, no one really knows where I live.” His bills are in aliases, and despite setbacks—like having his power turned off because the company didn’t know where to send the statement—he’s been successful at concealing his home address.

Now that he’s a senior fellow at the University of California at Berkeley’s Boalt Hall School of Law, Hoofnagle doesn’t keep his office location a secret, so on a sunny afternoon, I set off to meet him there.

Tall and friendly, Hoofnagle has an enthusiastic way of talking about privacy violations that could best be described as “cheerful outrage.” He laid out my basic tasks:

[ Checklist for aspiring Cyberpunks – blogger’s remark ]

– Pay for everything in cash.

– Don’t use my regular cellphone, landline or e-mail account.

– Use an anonymizing service to mask my Web surfing.

– Stay away from government buildings and airports (too many surveillance cameras)

– Wear a hat and sunglasses to foil cameras I can’t avoid.

– Don’t use automatic toll lanes.

– Get a confetti-cut paper shredder for sensitive documents and junk mail.

– Sign up for the national do-not-call registry (ignoring, if you can, the irony of revealing your phone number and e-mail address to prevent people from contacting you)

– Opt out of prescreened credit offers.

– Don’t buy a plane ticket, rent a car, get married, have a baby, purchase land, start a business, go to a casino, use a supermarket loyalty card, or buy nasal decongestant

By the time I left Hoofnagle’s office, a week was beginning to sound like a very long time.“

Please read the full, exciting and highly interesting article here.