(disclosure: I am a Googler, but I have nothing to do with this project)
Passwords are problematic, easy to lose, easy to steal, but an issue with biometric identify verification is that you can no longer maintain multiple personas. Using a password with 2FA, you can quite easily maintain two sets of those credentials, assuming that the authority doesn't demand proof of real name or such nonsense.
If you trust the authority, it's no big deal. And, I trust Google... today. But do I trust Google tomorrow? I don't yet know tomorrow's Google.
>>> If you trust the authority, it's no big deal. And, I trust Google... today.
Google yes/maybe. But when you talk to Google who else is involved? Which governments are granted access, with or without google's knowledge? How many 20-something analysts at three-lettered agencies have access? I would like to trust a large publicly-traded company, but the reality today is that they seem in little more control than the individual. We've seen their logos on too many leaked documents.
My trust in Google comes from me believing Google is capable of preventing undetected access, and limiting detected access to that which is legally obligated. I'm not going to try to convince you that this is the case, only state that it's what I believe.
Capable? Have you heard about prism? Google claims to have been in the dark, that data was siphoning off as it flowed between data centers. That is an admission that Google is not capable of protecting against such things. They claim to have not even contemplated the attack.
To quote the boss:
"Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist."
My point is that google's claims today cannot be trusted any more than when those same claims made three years ago. Google was wrong about it's abilities then as it may be wrong about them today.
Google is now so large that 'trust' is impossible. Google's attack surface is now so vast, the data so valuable, and cross-talk of personnel with government so common that the likelihood of another undetected breech is too great to ignore. (Same for apple/facebook et al).
His point is - if I may - that if they could not foresee that this was the case in the past that there is a good reason to assume they won't be able to foresee similar things in the present.
It's not as if it took a great feat of imagination to suspect that data flowing between datacenters would be tapped.
This response is too terse given the calmness and energy other people have put into their discussion. If people were saying blatantly stupid responses, that's understandable -- but that's not apparent here whatsoever.
Google has been penetrated before, and Google has had to comply with government agencies, and legislation has passed legally shielding Google from complying with orders later found to be unlawful.
Now you're saying that Google can't be penetrated again, and can be trusted with user privacy. Nobody is saying that getting Google to lawfully turn over user privacy, or that penetrating Google is easy. But Google is a massive organization, and it's not surprising that the USA or China can penetrate it -- lawfully and unlawfully.
As I mentioned in another post, I'm not trying to convince anyone. I'm just saying I have confidence.
Even so, security is a road, not a destination. If people want to argue that you should put your data anywhere, I'll buy it. But of the places your data can go, right now I think good is the best steward. And that certainly includes just keeping it yourself.
It could be even creepier if the biometric data could be sold to third parties, or if Google were to offer an identification service for third parties.
So, Mr. Owl, I'm afraid that your insurance premiums are going up. Why? Because of that slip on the ice two days ago; our monitoring indicates that you have injured your back. Yes, I know you haven't even seen a doctor yet, but there's a 62% probability that you will be making a large claim shortly, so up with your premiums!
I've stated elsewhere in the thread that there would need to be privacy protections, e.g. require Google or anyone using biometrics to be HIPAA compliant, make it opt-in only, but if anyone is actually going to implement this, medical research should benefit.
Biometrics are an excellent technology for tracking convicts because they can't be changed.
Edit: Downvotes? Prisons and corrections would love this thing for checking convicts identities. They already use fingerprints and mugshots which are cruder biometrics. This is just taking it to the next level.
That's not really true though, if the access to both of these accounts is granted with the same credentials it does not matter whether those credentials are a password or biometric data.
The bad part is when the account disappears completely and you only have the option to use the biometric data.
So there is a middle ground.
> And, I trust Google... today.
I don't. Todays google is the google I saw coming quite a few years ago and it is as bad as I feared it would be and too large to be able to get around without losing out on valuable participation. Facebook, Microsoft and Apple are a lot easier to avoid than Google.
This is really hard problem for our society. A lot of people say 'nothing to hide', most people don't have a problem with gov. surveillance, only because we live in a semi-democratic countries and a lot of them were not hurt by communistic governments. People in Germany and Poland look differently at such things, they still remember Stasi (Ger) and SB with WRON(Pl). Clearly our governments want more power and information and it's not for our safety, this situation is reminding people that communism can be turned into democracy, and democracy into communism, very quickly.
Maybe the biometric verification could be done on a home server, if it makes sense. Make like a hash of the behavior, and share the hash instead. So you'd have privacy, and multiple personas, and the ease of use.
Also, I imagined "contracts of morality", where corporations are enforced into ethical behavior, if they choose to, so they can be 'trusted' on a longer scale, to be 'good' beyond the common law. I understand it's not easy to define.
For the password, I think it could end like Facebook, anonymity sacrificed. It just gives you an edge. It's a form of tragedy of commons. It gives you an edge until it doesn't. (but I trust it'll be worked out)
The server side of major services already perform some very sophisticated probablistic authentication mechanisms. Ever had Google or facebook ask you to sign in again when you got off a flight or accessed a sensitive setting? You've experienced it firsthand.
Taking it down to the device level is just acknowledging the danger of loss or stolen second factors. Further, frameworks like tensorflow may allow the learning model to run directly on your phone, alleviating a lot of the concerns enumerated in this article.
I've never been prompted to reauthenticate to Facebook or Google based on travel, actually, and if I was, I would be paranoid about a MITM attack. Has this happened to anyone?
Facebook in the past has required me to authenticate during travel by showing me pictures in which my friends are tagged, and asking me to name them. Of course this was made more difficult by my friends' tendencies to abuse the image tagging feature...
This sounds bad. We are already forced to use almost exact voice to give voice commands. Now we will be forced to walk the same, speak every so even if you are alone in the room and be sure we dont break our habits. For me this sounds bad. I will be waiting for Google to prove me I am mistaken.
If you combined this with multifactor authentication (e.g. fallback to a password for a 100% trust score), it could potentially match your change in biometrics against a diagnostics knowledge base and use any new data following to further train the diagnostics knowledge base. Of course, that would have to be opt-in with patient confidentiality as strongly defended as possible (there needs to be laws and regulations defending privacy with this model), but it would be an interesting source of data collection.
There's still a lot that can be done to improve passwords without eliminating them. Perhaps the single biggest step is to encourage password managers that can auto-generate strong passwords. I seem to recall an article recently showing that the biggest difference between normal people and security professionals was the use of password managers.
The difference I'm guessing is deep integration would be like IE and Windows in the pre lawsuit days.
Basically, OSes should come with a password manager app by default, but users can download their own to replace it which would replace the default one. Much like how you can set your default browser on desktop OSes.
Has anyone published precise technical details about what this actually does? The writeup here makes it sound like it's being pitched as a replacement for network logins or two-factor authentication, which would be an unmitigated disaster – can't rekey, client compromises are irrecoverable, etc.
There's certainly a tradition of academics without security experience pitching that concept but it'd be surprising for it to get very far at Google given how many qualified security people work there and the actual YouTube video makes it sound like this is just being pitched as an alternative phone unlock mechanism.
I don't see anything in there suggesting that it's being pitched as a replacement for either network passwords or two-factor authentication. Has anyone seen another source for anything that leaves the device or is this just a reporter jumping to conclusions?
Nowhere in this thread/article is any mention of the Credential Management draft[0]. This is something I expect to see in canary in the next yr and a half.
I didn't watch the linked I/O presentation, but I clicked through to the Ars Technica article. Are there any details that suggest this would be more than just v2 of fingerprint unlock?
aka optional, local and circumventable with a password if my fingerprint isn't recognized?
> Cisco engineer Shawn Cooley countered him saying, "very cool until I break my leg or hand & can't auth to any services to get healthcare info since my behavior is diff." Messina said, "you presume that your health records aren't being managed by Verily. You would be wrong."
So Verily would be automatically sharing information with Abacus to modulate its user identification, and they feel can just start doing that because it's also an Alphabet company.
This sets off alarm bells in my head. Is this the attitude toward privacy and data isolation at Alphabet/Google? How long until these health records are also shared with Google's advertising department? It tells me that they have no business managing health records at all.
> Is this the attitude toward privacy and data isolation at Alphabet/Google?
It is a Twitter remark by an ex-Googler who had nothing to do with Abacus and never worked at Verily. That is, some combination of snark and wild-ass speculation.
Maybe it's too obvious or maybe I'm completely missing something, but seems a "fatal flaw" in this scheme is the fact that not everyone owns a smartphone, or even uses web services enough to develop much of an identifiable "profile". Smartphones are fragile, easily lost, not always available or reliable, making their use for the purpose seem far less than optimum.
Furthermore, how high a level of security is needed depends on the situation. Sometimes passwords guard fairly trivial risk exposure, like belonging to some newsgroup to make occasional comments. Hardly any personal info to leak in such cases and simple measures will do just fine.
OTOH my health records needs to be protected far more vigorously, but why would I trust that security to a third party entity like Google? I'd much rather have security for the EHR managed within the EHR system itself, and whatever is adopted, I doubt it would look a whole lot like what's proposed in the article.
> I'd much rather have security for the EHR managed within the EHR system itself
I would trust Google's security team over most EHRs. I base this on finding a few sql injection flaws and single DES usage in one I worked on but I don't have broad experience in many EHRs.
Yeah, I know some EHRs have been attacked re: inadequate security, though AFAIK major vendors in my local area seem to have been doing OK recently. However, it only takes small errors here or there to open up significant holes, a fact I've brought up many times when discussing "interoperability" among EHRs, a favorite subject of governmental planners.
I think the problem trusting Google might not lie with their "security team" (they probably have a number of such teams), but rather with privacy policies and guarantees. IOW Google is no doubt capable of providing security, questions arise about enforcing constraints necessary to assure the high level of privacy required by EHR systems.
The real problem is that bio-metrics are basically unchangeable. As soon as a database gets hacked or stolen, or whatever device does the recording has a vulnerability, your security with such systems is compromised forever -- not just at the original place that was breached, but with everyone else who uses the same metrics.
Yes - my rule is that if the other side knows you're using biometrics, the system is too dangerous to use.
The weird part is how unnecessary the Mission Impossible stuff is: replacing passwords is a legacy hassle so if you're going to do that there's no reason not to do so with a flexible public key design which doesn't make assumptions about the client hardware and can be patched when it's compromised. (Biometrics might be a fine usability option for the client store)
> And then we have fingerprints, which are very secure and onerous to imitate
Fingerprints are SO EASY to imitate that I taught a group of 10-12 years old to do it successfully with something as simple as a drinking cup, superglue an smartphone and a SLA printer.
You can cheat the Iphone sensor with no problems.
Everything you touch has your fingerprint on it. Secure! Ha!
A fingerprint taken from you works today and works tomorrow and it will work forever.
I prefer passwords or tokens that I could change, that you very much.
What Google wants it to do surveillance on everyone all day long. Their interest are different from ours.
I am glad that Google is not focusing exclusively on using biometric factors to implement two or more factor authentication solutions these days, because there are quite a lot of valid arguments against widespread use of it. Biometric properties are limited in number (couple of irises, bunch of fingers), cannot be replaced (at least not with a replacement that can serve as a biometric source of identification), cannot be shared (voluntarily), and are considered by many as an unreasonably invasive manner of identifying yourself. Needless to say that the notion of a microphone analysing my every move and utterance sounds like something from a dystopian sci-fi novel.
Instead of using biometric properties as a second factor, I find user-friendly and reusable hardware tokens to be very much preferable. Fortunately Google is also a backer of FIDO U2F, which outlines a standard for hardware tokens the size of a thumb — but unlike your actual meaty appendages, it is replaceable and not quite as bloody to lend to someone in case he or she has a valid reason to access your accounts for you. These work with USB, NFC, and Bluetooth LTE, on any OS, with (soon) any modern browser (currently only Chrome supports it, but Mozilla is committed to implement this technique in Firefox as well), and can be used for an infinite number of services; without the token being identifiable across services.
Succeed in making having one of these tokens on your (physical!) key-chain as common as having the key your front door there, and use the economy of scale to make these tokens as cheap as a happy meal; that would be an acceptable way to beef up security for Joe Sixpack and privacy conscious netizens alike, but leave my body alone.
This is disconcerting. I don't like the idea of biometric and other characteristic data being used to identify me, but at least with fingerprint sensors, retina scanners and other such devices I am aware what is happening and give consent each time. This system proposes to silently identify me by the way I type, click or use a device, constantly learning and improving. No doubt the processed data, like a signature, will reside in the cloud and eventually be used identify users on any device they happen to be using. Convenience above all else, yet again.
58 comments
[ 26.1 ms ] story [ 1207 ms ] threadPasswords are problematic, easy to lose, easy to steal, but an issue with biometric identify verification is that you can no longer maintain multiple personas. Using a password with 2FA, you can quite easily maintain two sets of those credentials, assuming that the authority doesn't demand proof of real name or such nonsense.
If you trust the authority, it's no big deal. And, I trust Google... today. But do I trust Google tomorrow? I don't yet know tomorrow's Google.
Google yes/maybe. But when you talk to Google who else is involved? Which governments are granted access, with or without google's knowledge? How many 20-something analysts at three-lettered agencies have access? I would like to trust a large publicly-traded company, but the reality today is that they seem in little more control than the individual. We've seen their logos on too many leaked documents.
To quote the boss:
"Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist."
https://googleblog.blogspot.ca/2013/06/what.html
And I'm not sure what your quote adds to the point.
Google is now so large that 'trust' is impossible. Google's attack surface is now so vast, the data so valuable, and cross-talk of personnel with government so common that the likelihood of another undetected breech is too great to ignore. (Same for apple/facebook et al).
It's not as if it took a great feat of imagination to suspect that data flowing between datacenters would be tapped.
Google has been penetrated before, and Google has had to comply with government agencies, and legislation has passed legally shielding Google from complying with orders later found to be unlawful.
Now you're saying that Google can't be penetrated again, and can be trusted with user privacy. Nobody is saying that getting Google to lawfully turn over user privacy, or that penetrating Google is easy. But Google is a massive organization, and it's not surprising that the USA or China can penetrate it -- lawfully and unlawfully.
Even so, security is a road, not a destination. If people want to argue that you should put your data anywhere, I'll buy it. But of the places your data can go, right now I think good is the best steward. And that certainly includes just keeping it yourself.
So, Mr. Owl, I'm afraid that your insurance premiums are going up. Why? Because of that slip on the ice two days ago; our monitoring indicates that you have injured your back. Yes, I know you haven't even seen a doctor yet, but there's a 62% probability that you will be making a large claim shortly, so up with your premiums!
Edit: Downvotes? Prisons and corrections would love this thing for checking convicts identities. They already use fingerprints and mugshots which are cruder biometrics. This is just taking it to the next level.
The bad part is when the account disappears completely and you only have the option to use the biometric data.
So there is a middle ground.
> And, I trust Google... today.
I don't. Todays google is the google I saw coming quite a few years ago and it is as bad as I feared it would be and too large to be able to get around without losing out on valuable participation. Facebook, Microsoft and Apple are a lot easier to avoid than Google.
This is really hard problem for our society. A lot of people say 'nothing to hide', most people don't have a problem with gov. surveillance, only because we live in a semi-democratic countries and a lot of them were not hurt by communistic governments. People in Germany and Poland look differently at such things, they still remember Stasi (Ger) and SB with WRON(Pl). Clearly our governments want more power and information and it's not for our safety, this situation is reminding people that communism can be turned into democracy, and democracy into communism, very quickly.
Also, I imagined "contracts of morality", where corporations are enforced into ethical behavior, if they choose to, so they can be 'trusted' on a longer scale, to be 'good' beyond the common law. I understand it's not easy to define.
For the password, I think it could end like Facebook, anonymity sacrificed. It just gives you an edge. It's a form of tragedy of commons. It gives you an edge until it doesn't. (but I trust it'll be worked out)
I've tried telling google it was me attempting access, but no luck. They still forbid access.
Taking it down to the device level is just acknowledging the danger of loss or stolen second factors. Further, frameworks like tensorflow may allow the learning model to run directly on your phone, alleviating a lot of the concerns enumerated in this article.
Basically, OSes should come with a password manager app by default, but users can download their own to replace it which would replace the default one. Much like how you can set your default browser on desktop OSes.
There's certainly a tradition of academics without security experience pitching that concept but it'd be surprising for it to get very far at Google given how many qualified security people work there and the actual YouTube video makes it sound like this is just being pitched as an alternative phone unlock mechanism.
I don't see anything in there suggesting that it's being pitched as a replacement for either network passwords or two-factor authentication. Has anyone seen another source for anything that leaves the device or is this just a reporter jumping to conclusions?
Aaaaand there goes the article's credibility. A pity, because there's a real need for a cogent debate about this panopticon-as-password program.
[0] - http://w3c.github.io/webappsec-credential-management/
aka optional, local and circumventable with a password if my fingerprint isn't recognized?
So Verily would be automatically sharing information with Abacus to modulate its user identification, and they feel can just start doing that because it's also an Alphabet company.
This sets off alarm bells in my head. Is this the attitude toward privacy and data isolation at Alphabet/Google? How long until these health records are also shared with Google's advertising department? It tells me that they have no business managing health records at all.
It is a Twitter remark by an ex-Googler who had nothing to do with Abacus and never worked at Verily. That is, some combination of snark and wild-ass speculation.
Furthermore, how high a level of security is needed depends on the situation. Sometimes passwords guard fairly trivial risk exposure, like belonging to some newsgroup to make occasional comments. Hardly any personal info to leak in such cases and simple measures will do just fine.
OTOH my health records needs to be protected far more vigorously, but why would I trust that security to a third party entity like Google? I'd much rather have security for the EHR managed within the EHR system itself, and whatever is adopted, I doubt it would look a whole lot like what's proposed in the article.
Relax. We'll chip anyone without a smart device companion.
I would trust Google's security team over most EHRs. I base this on finding a few sql injection flaws and single DES usage in one I worked on but I don't have broad experience in many EHRs.
I think the problem trusting Google might not lie with their "security team" (they probably have a number of such teams), but rather with privacy policies and guarantees. IOW Google is no doubt capable of providing security, questions arise about enforcing constraints necessary to assure the high level of privacy required by EHR systems.
The weird part is how unnecessary the Mission Impossible stuff is: replacing passwords is a legacy hassle so if you're going to do that there's no reason not to do so with a flexible public key design which doesn't make assumptions about the client hardware and can be patched when it's compromised. (Biometrics might be a fine usability option for the client store)
Fingerprints are SO EASY to imitate that I taught a group of 10-12 years old to do it successfully with something as simple as a drinking cup, superglue an smartphone and a SLA printer.
You can cheat the Iphone sensor with no problems.
Everything you touch has your fingerprint on it. Secure! Ha!
A fingerprint taken from you works today and works tomorrow and it will work forever.
I prefer passwords or tokens that I could change, that you very much.
What Google wants it to do surveillance on everyone all day long. Their interest are different from ours.
Instead of using biometric properties as a second factor, I find user-friendly and reusable hardware tokens to be very much preferable. Fortunately Google is also a backer of FIDO U2F, which outlines a standard for hardware tokens the size of a thumb — but unlike your actual meaty appendages, it is replaceable and not quite as bloody to lend to someone in case he or she has a valid reason to access your accounts for you. These work with USB, NFC, and Bluetooth LTE, on any OS, with (soon) any modern browser (currently only Chrome supports it, but Mozilla is committed to implement this technique in Firefox as well), and can be used for an infinite number of services; without the token being identifiable across services.
Succeed in making having one of these tokens on your (physical!) key-chain as common as having the key your front door there, and use the economy of scale to make these tokens as cheap as a happy meal; that would be an acceptable way to beef up security for Joe Sixpack and privacy conscious netizens alike, but leave my body alone.