Zoe, the daughter of Li-lian and David, is now two and a half years old, and enrolled in kindergarten, and so Li-lian has returned to work.


Scene 1: Getting ready for work

Li-lian and David are getting ready to leave for work and are dropping Zoe at the kindergarten. Li-lian got home late the evening before, returning from one of her regular business trips. She still feels upset by something her good friend Joanne told her over the phone while she was waiting for her departure at Cairo airport. Li-lian took out an inexpensive supplementary health insurance contract a couple of months ago which, among other additional treatments, offers better protection during her trips abroad. She had told her friend Joanne of the policy because Joanne works as a flight attendant and hence travels a lot. Joanne had told her that the day before she had received an offer 35 percent more expensive than Li-lian’s insurance rate. This offer came as a surprise because Joanne is only three months younger than Li-lian, she has one child slightly older than Zoe and no prior severe illnesses.
Joanne’s research on the internet revealed that the reason for the offer may have been an exploitation of biometric raw data. The application procedure for the insurance required a standard digital picture to be taken as well as a fingerprint. She was told that the picture would be printed on the insurance card and that the fingerprint would be used as a key for personal data stored on the card. Joanne found out that biometric raw data can be used to identify health risks. A photo reveals data such as sex, age and ethnic origin but apparently can also contain hints of health conditions such as stroke (asymmetry of the face), liver diseases (yellowish skin) or Marfan syndrome (special symmetry of the face). The fingerprint may reveal information on the nutrition status of the mother during pregnancy or the risk of certain types of stomach problems. In Joanne’s case it may have been a slightly yellowish tint as she had been on a special diet during the time the picture was taken. She was led to this conclusion by the fact that the company offered the same insurance rate Li-lian was offered, if any liver-related illnesses were excluded from the insurance protection.
David, whose cousin works as an insurance agent, is not very surprised at the story. He explains to his wife that after all that is what insurance companies have to do: assess possible future risks of events covered by insurance. If several causes are known to exist for a certain biometric feature the insurance company will, if they cannot rule out benign reasons, proceed based on a negative conclusion. As far as David can recollect, the precision of biometric profiling regarding biometric pictures has increased. A large collection of high-resolution photographs made it possible to create a register of health risks. Data was taken from the internet and social networks using advanced face recognition software to compare the pictures and to align them with the database. This database is operated by H.E.L.L – Health Profiling Ltd. The company had repeatedly stressed that only publicly available pictures were used to build the database. Rumours had spread that pictures may have been obtained by spoofing biometric passports, health cards, or some membership cards. An investigation by the Information Commissioner’s Office however found no evidence supporting these rumours.
After all, David argues, Joanne can always submit a medical statement indicating that she does not suffer from liver disease. Li-lian disagrees. She feels insurance customers should not be obliged to rule out that they suffer from certain diseases. The duty to inform insurance companies of known prior diseases is sufficient for risk assessment, especially if the methods used by insurance companies to gather further information are as error-prone as the method of biometric raw data analysis seems to be.
Li-lian had heard of several US-based insurance companies asking all of their customers for a genetic test. Based on the results many customers faced a rate increase. In the UK and other European countries national ethical committees were currently discussing this kind of genetic profiling.

Scene 2: At Work

Li-lian’s first day back at work after her business trip is dominated by administrative tasks. She recalls all of the changes that took place while she was on maternity leave and cannot help but smile at the thought of how surprised she was that day. The RFID-based service cards had replaced the time registration device for employees. The cards were also handed out to hotel guests and used for payment at the hotel’s lounge and recreation areas. Li-lian’s colleagues had used the cards for access control to the hotel’s office rooms too, until the cards were corrupted. The proprietary crypto-algorithm used by the RFID access card had been broken. Further, using the cards was too insecure for the high-class hotel. Strict security and confidentiality requirements apply to all employees of the hotel because the hotel regularly accommodates politicians, diplomats, businessmen and celebrities. Any case of indiscretion would lead to damage to the hotel’s image and reputation among its distinguished guests. Li-lian is in charge of the security department at the hotel chain. For this reason her work requires an entry security level approved by the national government.
On that first day after her maternity leave the IT department issued her a new password. Then she was asked to type a given text into her computer. The access control of the hotel’s new computer system goes far beyond inserting her service card and entering a password. As soon as the machine, a portable computer for presentations at business partners’ premises, cannot connect to the hotel network, it is set to travel mode. When enabled, this mode not only requires Li-lian’s login but also continuously monitors her keystroke pattern. Should anyone get access to the notebook or even force Li-lian to hand it over while she is logged in, the computer will lock out the intruder once the deviation in pattern is recognised by the machine. The evaluation of the keystroke pattern method was praised by the privacy reviewer as less privacy-invasive because the keystroke pattern is a biometric that changes over time and thus features a built-in expiry date. However, the advantage of not being traceable after some time turned out to be a disadvantage on her first day back at work. As Li-lian’s typing pattern had changed massively during her maternity leave she had to spend two full hours typing specimen text.
Li-lian’s thoughts turn to her 70-year-old colleague Adriel (people now work up to 72 years in most EU jurisdictions) who was warned by the system about emerging Parkinson’s disease. She wonders whether the system not only warns the affected employee but also informs her employer about identifiable health risks. However, storing the keystroke pattern is still less invasive than other methods of analysing biometric raw data like the insurance company’s procedures she heard of from Joanne.
Having just returned from her last business trip, Li-lian has to arrange her next trip to Toronto. She has come to feel at ease with the idea of presenting her travel documents (she holds a Chinese and a UK passport) to foreign authorities. Since cases of identity theft skyrocketed in the past when organised criminals used the weak standard of the first generation of biometric passports, the EU together with the USA and some other nations reinforced the extended access control standard (EAC) to prevent illegal readout of biometric data. The new standard was improved to offer a considerably higher level of security and allows Li-lian to protect her data from being read by third parties. Public key cryptography allows only accredited scanners to read out the data. All ICAO MRTDs issued these days have extended access control implemented. Her Chinese passport, she is convinced, supports EAC.
The EU, being an international driver for passport security advancements, decided to implement encapsulated biometrics on the European biometric passport. Since encapsulated biometrics are used, external readers do not access the biometric data any more. All data processing is done by the microprocessor in the passport itself. It scans and checks the fingerprint of its owner and confirms his identity when the check is successful. Li-lian read that encapsulated biometrics does mitigate privacy risks as no central biometric database is required and the risk of corruption or disclosure to unauthorised entities is addressed. After all, if biometric data is corrupted, it is corrupted for good. For this reason, Li-lian prefers using her UK passport.

Scene 3: A brief break

Li-lian and her friends grew up using social networks which became a vital part of their everyday life, allowing them to stay in contact, share news and to always feel connected to their loved ones even on extended journeys or while living abroad. But the attitude of many employers towards social networks has changed in recent years. As social networks have become so common most employers allow their employees to let their MyComm device connect to their different social network profiles.
Nafiseh, a friend of Li-lian, applied for a job and got rejected. It seems that it was due to some negative information on some social networks. Someone created an account, using her name and address, copied some of her pictures from other web pages and pictures of a student party that took place several years ago. Even though her friend had not been in any of these party pictures, her reputation was damaged. Furthermore, someone tagged her former home address with negative information about her on a neighbourhood rating form.
Much of the information was collected at an old social networking site where Li-lian’s friend entered much information during her student time - it was the thing to do at that time (2008) to have comprehensive CVs on the web. The service provider of the social networking platform did not use a technology for identity verification, thus allowing anyone to forge accounts.
Li-lian uses a number of portals. However, it is important to her that the service provider uses some kind of authentication. The social networks used by Li-lian offer an anonymous verification. For this purpose the government citizen portal is used.
Li-lian also used a social network for health-related questions, informing herself about pregnancy and labour-related issues. In particular she trusted some postings of someone claiming to be a physician who indeed was not. She now uses another network which has technology enabling identity management. Specialists can use credentials to write postings anonymously but are still able to show their expert status. Thus a physician or lawyer etc. can show his qualification to the system without disclosing his identity to other users or the service provider. Li-lian has expert status for facility security issues.

Scene 4: At the kindergarten

Zoe has been at the kindergarten for one month. To pick her up Li-lian usually uses her MyComm device to open the kindergarten gate. Today, however, she forgot it on her desk. The backup system would use her biometric data instead but Li-lian and David refused to provide this data, as the kindergarten was not able to prove that they implemented Privacy Enhancing Technologies to avoid misuse of the data. As Zoe is still new at the kindergarten the replacement nursery teacher did not know Li-lian personally and had to check her passport and the files before he allowed Li-lian to take Zoe with her. Initially the kindergarten did not plan to keep the old-fashioned file system logging the parents’ entitlement. However, a parent initiative successfully fought for it, as not everyone was willing to provide a raw-data photo.
Even if Li-lian and David can avoid their biometric data being spread widely, it does not seem likely that they can prevent Zoe’s data from being collected. A new programme of the local government envisages taking biometric pictures of every child and using the raw data to identify possible health risks and to automatically check for suspicious signs of child abuse or neglect by their parents. This, so argued a government spokesman to Li-lian’s infuriation, should provide pre-indications for the school doctor programme, enabling the focus to be set on suspicious children and saving tax money on the service. But rumours spread that the acquired data will also be fed into the governmental databases on children, evaluating the likelihood of future criminal or offending behaviour and the possible need for assistance by social workers. When such databases were first introduced for convicted criminals nobody would have ever thought of registering children of kindergarten age within such a database. But as pupils have been surveyed in this way for many years and intervention of social workers and juvenile authorities is more effective the younger the children are, the step to include data collected at pre-schools and kindergartens was just a question of time.
While waiting for the passport to be checked against the files, Li-lian thinks of a case in another kindergarten where a divorced mother not having received the right of custody managed to have somebody access the kindergarten’s Wi-Fi and the verification reference database. By injecting her reference data in the profile of her authorised mother-in-law she received the desired entitlement. She then picked up her daughter and left for her country of origin. As everyone thought the girl was with her grandmother no one was suspicious until it was too late.
After finally accrediting Li-lian to pick up her daughter, the nursery teacher uses a display to locate Zoe. All children are tracked throughout the day by cameras using face recognition. Other parents even use the online service to watch the movements of their children on a floor plan of the kindergarten viewed on their MyComm. Li-lian knows of another mother who uses the cloth-clean function. Using this, the system does not allow her daughter to enter the backyard when it is wet and thus dirty outdoors. She even defined the sandpit as a no-go area. Li-lian disliked this idea. Instead she spends some extra money on children’s clothes made from smart materials which are very robust and easy to clean.
When thinking about tracking Zoe, a conversation with her father-in-law comes to her mind. While Li-lian does not want to be tracked when she is old, David’s father appreciated the new possibilities. His mother had Alzheimer’s disease and got lost during a vacation when she left the hotel at night. It took a long search to find her, dehydrated in the middle of a forest. While her father-in-law feels comfortable with the idea of being tracked, Li-lian thinks that she would only agree to a system that uses an on-demand approach which only sends the location data when she initiates a request for aid.
Having given it much thought, Li-lian gets concerned with all the tracking. She does not want Zoe to get too accustomed to tracking and currently considers another kindergarten for Zoe.