Privacy Act doesn't cover pokie biometrics



The Privacy Act will need to be toughened and guidelines created if the Federal Government wants to use biometric technology in its plans to curb poker machine use, according to a peak technology group.


(Green eye image by Jane Doe, CC2.0)

The government is mulling the controversial idea as part of a deal to secure the support of independent MP Andrew Wilkie.

Prime Minister Julia Gillard warned the states that the government will impose regulation if a mandatory "pre-commitment technology" to curb poker machine use is not in place by May.

Biometrics, which capture data from the body such as finger and iris prints, have not been ruled out as a means of addressing the government's demands, although the government has not mandated a technology.

The Biometrics Institute general manager Isabelle Moeller said that strict national laws restricting the use of captured data would be required to ensure clubs, pubs and casinos adequately protect and do not abuse sensitive customer information.

"Who ensures how data is collected and when it is destroyed? The [Privacy] Act is not specific enough," Moeller said.

She said that biometric data is not included in the Act, and that government agencies and small businesses with revenues less than $3 million are exempt.

The Federal Government is reviewing the Privacy Act in order to introduce a consistent national scheme. It plans to introduce caveats into the Act that will allow it to be more responsive to changes in technology and also iron out inconsistencies in privacy requirements across the states.

The biometric battle has been long fought by the institute and Moeller would welcome its end.

"We would like to see the Privacy Act completed and new information taken on from the institute code."

She said Australia is a privacy laggard compared to many other nations that already have or are implementing tougher updated laws.

The institute is still struggling to get members to sign on to its voluntary biometric privacy code, even though the code has the blessing of the Privacy Commissioner and its content has a unanimous tick from the industry.

Moeller said this is because businesses are reluctant to impose guidelines that may restrict their competitiveness against non-compliant rivals. It would also make it tougher to implement biometrics solutions.

Currently, pubs and clubs are charging ahead with biometrics installs, with little or no regard to the code.

Moeller said one business had purchased a cheap off-the-shelf biometric system online which could place customer data at serious risk if it is not adequately secured.

Gummed-up

Any biometric solution used to control poker machine use would also be subject to the many well-publicised spoofing techniques through which users lift fingerprints from the readers and reuse them. Such an attack would allow a gambler to sign in as another person and bypass the financial controls.

Instructions on how to conduct the attacks, including how to make a replica finger from gelatine, are freely available on the internet.

"The body heat sensor [within biometric devices] might also be affected by holding cold drinks, but I suspect that this would be minimised," information security specialist Christian Heinrich said. "Obviously, other successful published attacks against biometrics would also apply."

The concerns come ahead of news that pubs and clubs are gearing up for a coordinated and well-financed advertising campaign to smear the government's plans to impose gambling monitoring.

Industry figures have said the campaign will be like the mining industry's mass-media attempt to attack the government's super-profits tax.

Heinrich said the industry could use biometrics as a physiological deterrent within the campaign by appealing to public fears that the technology is akin to "taking one's soul".


Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.


Talkback

4 comments
  • Seriously, why would biometrics be justified for Pokies and not other more significant/relevant applications?

    Assume biometrics become commonplace for Joe Public. Who is collecting the data, how is it going to be protected, and to what use is it going to be employed?

    Are biometrics going to be used for sensible purposes or is it just another excuse to identify individuals and track their every movement...be it for political or financial gain?
    Scott W-ef9ad
  • Overseas studies in Canada show that simple magnetic stripe cards with PIN numbers are swapped by 37% of poker machine gamblers once they reach their pre-set loss limits in a pre-commitment environment. The level of card sharing is even higher for problem gamblers. The University of Nevada has recommended that this problem can only be overcome by using biometrics to stop card sharing. Our Australian company has patented the use of biometric USB flash drives for pre-commitment, with the player's fingerprint stored within the flash drive and not within a central database. The player's gambling data can even be stored in the flash drive without the need for a central database of player gambling records - which is impossible with old card systems. The whole system can also operate without storing any individual personal records of the player (e.g. name). The USB flash drive also works on all computers so as to simultaneously address the issue of internet gambling, completely eliminates under age gambling and provides a perfect self-exclusion program. I recommend you refer to our website www.responsible.com.au.
    biometricman
  • Casinos, pokie clubs and pokie pubs already collect data on their loyalty club cards that have the ultimate biometric, each member's photo. The information collected and stored includes how much each member gambled, which pokie they gambled on, how much they lost, what meals they bought, how much alcohol they bought and what kind and much more. Many have been collecting and storing this information for years.
    Paul Bendat
  • @DarrenPauli,

    The error threshold of the fingerprint (biometric) reader would have to be lowered due to the social aspects of the club environment (e.g. smoke, cold drinks, etc) which would therefore allow a greater range of possible (biometric) values and therefore be possibly vulnerable to other published attacks.

    The physiological deterrent is based on the application of the "Economics of Information Security" i.e. http://www.cl.cam.ac.uk/~rja14/econsec.html - specifically in this case it would deter the:

    1. Casual punter due to time required for the biometric enrolment process which is greater than the time the casual punter intended to spend gambling.

    2. Particular demographics of the community who are regular gamblers would avoid interacting with the biometrics reader due to the perceived poor hygiene standard of the club environment.

    The "taking one's soul" is the application of the "Economics of Information Security" to spirituality.
    cmlh