Complaints and privacy questions arise from biometric scans at Six Flags Great America

Meh.

I tried wearing my tinfoil hat the other day, but it wouldn't make it past the metal detectors.

People don't really understand what this technology is, and reporters seem uninterested in helping them understand it. This is not a fingerprint. The scanner measures the proportions of the finger at several points, and then runs those numbers through what's called a hashing algorithm. The resulting bytes are stored for comparison later on. In other words, the bytes themselves don't mean anything to anyone. You can't "reverse hash" them, you can only take another scan, do the hash, and compare them to the original. The data is useless for anything other than comparing to another hash.

Incidentally, this is similar to how we store passwords. We take the text you put in, hash it, and store those bytes. When you login, we compare the hash of what you put in to what's stored in the database. I can't look at the hash and reverse it into your password, ever. (There's also something called a salt to make it even more impossible, but that's beyond the point.)

Yes, but you have to be moderately educated and also actually think in order to understand that.

Thinking's hard. I don't care for it.

Just as a super-duper simplified explanation of hashing for the unfamiliar:

Say you wanted to verify a password without actually ever storing it. When the user first assigns their password you run it through some mathematical function, (maybe you add the ascii values of all the characters) then you store that number. You cannot reconstruct the password from that number. If the user tries to use their password, you take the thing they entered into the password field, run the mathematical function on it (add the ascii values of all the characters they entered) and see if it matches. If it doesn't, you are 100% certain they did not enter the correct password. If it does, depending on the robustness of your hashing function you are somewhere between kind-of and super-duper-very certain they entered the correct password.

You can do the same thing for a fingerprint so that the thing stored in the database is not your fingerprint at all, but some weird mathematical function's result when computed on the image of your fingerprint.

Warning: Extra nerdery ahead.

Robustness of hashing functions is a very important topic in computer theory. Obviously you want to be super-duper-very certain that the input is actually the password and didn't just coincidentally hash to the same place which means you want as few different entries to hash to the same value. For instance, if the function is "Add the ascii value of all the characters together" then "pal" will hash to the same value that "alp" and "lap" will, which means you could enter "alp" when the correct password is "pal" and get in. This is bad.

To achieve this, you might think of the function "multiply the first character by 26^2, the second by 26^1 and the third by 26^0" (i.e. the hash function is a base 26 representation of the word) then you will never map 3 letter words to the same place, BUT the password can be reverse engineered from the hash and the function which is also very bad.

Complainy post alert! I don't know what numbers Six Flags is using as a baseline, but I do agree that the new system is much slower. From the article:

"The change from the old photo IDs should make entry faster and more efficient, and the information will not be shared outside the company, spokeswoman Katy Enrique said."

With the old passes, scanning them took all of 2-3 seconds, assuming your pass scans correctly. The new system requires you to still scan your pass, just like you used to, but then now there's the 2nd step of scanning your finger, which generally takes about 5-6 seconds. So they're essentially tripling the time it takes to gain entry for every single passholder.

I went on the 2nd Sunday of operation, and the park was pretty quiet that day, and I got there 10 minutes before opening. It took a solid 15 minutes to get through the gates, with a very small crowd. On a busy Saturday in the summer, I think there will be a lot of unhappy patrons before they even start their day at the park.

The old bottleneck wasn't the scanning, it was security. Probably somewhere around 30 seconds per person.

The new bottleneck is definitely the fingerprint scanner, and I've seen it take 10 seconds (if it works correctly or if the operator just doesn't care) to 2 minutes (of repeated and unsuccessful scanning) per person.

So they bought Universal's old system?

All of these people worried about privacy probably enter the park then post exactly where they are and what they are doing on facebook.