What do hackers want with fingerprints in a retina-scan world?

Earlier this summer, the United States suffered one of the worst data breaches in history, when someone (maybe the Chinese, maybe the Russians) broke into the Office of Personnel Management’s computers.

The Office of Personnel Management is the primary Human Resources office for the federal government. Because it is the federal government, a lot of the files have to do with security clearances, many for employees in sensitive or even clandestine positions. The US government has been a bit coy about which agencies’ data was breached, but has made clear it included the Defence Department.

For many employees, the data breach is primarily of intelligence concern in that it exposes their personal vulnerabilities, things like debt, past problems with booze or drugs, the kind of stuff that makes it easier to manipulate and recruit someone. And there is a lot of fodder for a foreign intelligence service to work with – the hack affected a staggering 21.5 million federal employees and their families, a full 7 per cent of the entire United States population.

But what about those fingerprints? The Office of Personnel Management now admits it lost an estimated 5.6 million fingerprint records. Why would a foreign adversary want fingerprints?

To identify Americans travelling under false documents, ie, spies. And through that, negate the enormous and very expensive efforts America’s undercover folks go to create alternate identities. 

It works a lot like in the movies. Peter Parker joins the Central Intelligence Agency fresh out of college. The agency constructs a cover life around him under a new name, or several covers under several names. This takes time, and money, and a fine sense of detail, especially when it is expected that a person have all sorts of information about himself already on Facebook and the like. A 25-year-old without Facebook or LinkedIn? Hmm. Peter is drilled on each backstory so he can switch between being “Peter” or “Paul” or “Pat” seamlessly. His appearance can be changed, and so, with false passports, Peter can travel as a businessperson to China in June, Paul can be the tourist who visits in late July and Pat the guy finally assigned to a new job at the embassy come August. That stuff has been going on with spies since the beginning of time.

It worked. Or at least it used to work.

The science of biometrics changed the game. New technologies like facial recognition, vocal prints and iris scans allow unique indicators to be collected and stored digitally. Once one matches an iris scan from Peter with one collected from Paul, they know they are the same person. Peter can only ever enter China under one name, albeit with the option of it being a false one. But he must be consistent and stick to the one. His clandestine usefulness is thus very limited.

The concept has worried American intelligence for some time, particularly because the United States overtly collects biometric information on every person entering the United States and understands the value as well as anyone. The Central Intelligence Agency even produced a defensive how-to manual for its undercover people.

Nonetheless, the Office of Personnel Management downplayed the danger posed by stolen fingerprint records, saying the ability to misuse the data is currently limited. “An inter-agency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data 

now and in the future,” it said.

Such reassurances aside, the problem of biometrics reaches much further than just within one country. What about for an intelligence officer who travels among various nations?

Biometrics collected when Peter/Paul/Pat crosses an international border can be shared among allied nations, or sold to less friendly ones. Oh – the Peter from China is the same person known as Paul in Vietnam.

If not shared between friends, broad-based biometric data can also be collected via a link up with immigration authorities, either by agreement or via computer hack, say at major hubs like Frankfurt, Dubai or Narita. One news source reported a former intelligence service employee as saying “Just before I left, they were gearing up to make a request for CIA officers to recruit foreigners with access to immigration databases.” But all that is a lot of work just to collect the information, can involve delicate deals with other nations and must be followed by even more work to sift through a very large haystack looking for a few suspicious government employees. Wouldn’t it be easier if someone were to hand you a 5.56 million record library of fingerprints, all known Federal employees, all organised by real names, and all accompanied by biographical and work data?

It is entirely plausible the offices inside the American intelligence community which focus on altering or disguising fingerprints just saw their budgets increase, with a little note saying “With thanks to the Office of Personnel Management hack.”

That is why the new information on the fingerprint hack is so significant.

 

Peter Van Buren, who served in the US State Department for 24 years, is the author of “We Meant Well: How I Helped Lose the Battle for the Hearts and Minds of the Iraqi People”.