One of the hassles of the Yahoo! breach was clearly the coming-home-to-roost quality of the mega-stupid 90’s era “something about you” secret questions, a relic of the “portal” fantasy-based business model, under which you were expected to voluntarily subvert the freedoms of the Internet by turning over all your new-found freedom by allowing one company to be your primary Internet gateway. That would never work… right, Facebook?
Anyway, since we all now know that we can only really have one mother’s maiden name unless we used a random-name generator to give mom a new maiden name for every site we visit (and few of us were clever enough to do that in the halcyon days before OnePass) – and hell, why would we? I mean, who would ever care about something like my mom’s maiden name, you ninny? – all of us would turn it all over like lemmings falling off the cliff of Internet stupid into a sea of despair, to finish the longest paragraph of mixed metaphors ever written in English.
I am reminded of this today, having recently turned in the chapter on mobile device security to Weldon Owen for our forthcoming book, Cyber Survival. In that, I refer to the case Commonwealth of Virginia vs David Charles Baust. In that
landmark case (a friend rightly points out that, while many have raised it, it’s a state court decision and not a landmark), presiding judge Steven C. Frucci drew a very important distinction between a passcode and a fingerprint. It has been established in case law, Frucci ruled, that a passcode represents “testimonial communication.” Unlike with measurements, or a voice exemplar, or a handwriting sample, forcing someone to reveal his passcode is the government forcing him to testify and divulge through his mental processes something that is known only to the person. The password, if it exists, is not a physical thing, it is something that resides in the defendant’s mind.
On the other hand, a fingerprint is not testimony. Judge Frucci pointed to well established concepts that, “There is a significant difference between the use of compulsion to extort communications from a defendant and compelling a person to engage in a conduct that may be incriminating.” … “The privilege offers no protection against compulsion to submit to fingerprinting, photography or measurements, to write or speak for identification, to appear in court, to stand, to assume a stance, to walk, or to make a particular gesture.”
Frucci concludes that the act of exhibiting physical characteristics is just not the same as a sworn communication by a witness relating either express or implied assertions of fact or belief.
All this means that, basically, the court can’t force you to produce the combination to a lock, but it can make you produce the key to a lock.
Why do I bring all this up? Because it’s important. When forty-six squidgillion Yahoo! passwords and challenge questions about whether my mom used to be called Abromowitz or McGillicuddy out there in the Deep Juicy Goodness Of the Dark Recesses Of The Internet’s Lady Bits (or whatever is the current parlance for ‘places on the Internet where we can buy cool shit’), mixed and matched with the hundred and ninety four midvillion metaplippers of information on sale from the OPM disaster and the Target unpleasantness and the soon-to-come “small-cool-device-of-last-year-that-the-Chinese-copied-and-now-sell for-a-tenth-the-price” hack, all our datas really are all belong to them.
This came to me in sharp relief when the bored dude standing by the Delta-Clear gizmo today told me that, since I had a CLEAR account before the company went bust a few years ago, I still do. That’s right: whatever Chinese-funded entity that bought the assets of CLEAR bought my biometrics – and unlike my mother’s maiden name, which I actually can make up fresh every time, with my fucking iris scans, and my right handprint, they’ve been out there for the past five years or so. Gone. Poof.
When I hear lawyers talking about biometric security, I just laugh. As should you.
Data breaches are for real, yo. Sometimes the cost is your upcoming product.
Sometimes, the cost is your entire company.
Sometimes, the cost is, believe it or not, the digital personification of you (they and untold others still and forever have my fingerprints and iris scans).
Most of the time, though, for the next few years? It’s your credit card. So it’s all fine, right?
This is a Security Bloggers Network syndicated blog post authored by Nick Selby. Read the original post at: Professionally Evil Insights