« Commencement Day Happy Hour | Main | In the Shadow of the Law »

Thursday, June 09, 2005

Biometrics and the "Titanic Phenomenon"

Biometrics_1 A Washington Post article discusses the growing use of biometric identification, which involves authenticating identity by using immutable characteristics of the human body.  Some methods include fingerprint readers, iris scanners, and facial recognition systems.  According to the article:

Three or four days a week, Darren Hiers gets lunch at a Sterling, Va., convenience store near the car dealership where he works. He grabs a chicken sandwich and a soda and heads to the checkout counter, where a little gadget scans his index finger and instantly deducts the money from his checking account.

Hiers doesn't have to pull out his wallet to buy lunch -- and if it were up to him, he'd never have to write a check or swipe a credit card again.

The finger scan used at the shop in Sterling, known as a biometric payment system and made by a Herndon, Va., firm, is just starting to be installed at convenience stores and supermarket chains around the country, another step in a revolution that is turning the human body into the ultimate identification card.

Already faces and fingerprints are used to track visitors coming into the country. Computer passwords are being replaced by thumbprints at some companies and iris scans are giving consumers in England and Germany access to their bank accounts at ATMs.

The owner of BioPay LLC, which makes the technology used at the store, predicts the finger scan soon will be ubiquitous, offering speed and convenience for consumers. But civil libertarians have raised privacy concerns, citing some recent problems. In February, ChoicePoint Inc., a background-screening company that collects personal information -- including biometric data -- said it accidentally sold more than 100,000 individual profiles to identity thieves. . . .

Biometric payment systems work by connecting images of an individual's fingerprint to his bank account. At the Sterling convenience store, a BP gas station owned by Rich Gladu, users enroll by handing the cashier a personal check (verified with a driver's license) that is scanned into the computer. Then they place each index finger on a tennis-ball-sized reader that captures the unique characteristics of their fingerprints.

Biometrics have been touted as a more reliable form of identification.  The technology does have some promise, but there is a dark side.  A lot of faith is being invested in biometric technology without much thought about the potential risks.  One risk is that there are scant legal restrictions from the government accessing private sector data.  As more businesses begin to use biometric identifiers, the government will have ready access to this information.  This issue should be addressed before biometric identification methods proliferate.

Another major problem is

what I call the "Titanic Phenomenon."  This is having too much faith in technology, in believing that technology is foolproof.  The problem is that although identification based on passwords or cards may not be as relaible as biometrics, the consequences are much less severe if the a password or identification card falls into the wrong hands.  If one loses a credit card, it can be readily replaced.  But if an identity thief gets one's fingerprint or picture of one's eye, these cannot be replaced.  What then? 

As security expert Bruce Schneier observes in Beyond Fear, a thief can obtain biometric information by hacking into a database where the data is stored.  Moreover, people leave fingerprints wherever they touch (p. 187)  Given the fact that companies are having such a difficult time keeping people's information secure these days, I wonder whether adding biometric information into the mix is a wise idea.  And the law provides very little guidance in this area, as there is no standard for the accuracy or security of biometric data.

Posted by Daniel Solove on June 9, 2005 at 03:49 PM in Daniel Solove, Information and Technology | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference Biometrics and the "Titanic Phenomenon":


best site

Posted by: Online Casino | Oct 14, 2006 6:46:37 AM

The law regarding biometrics in Canada is unsettled particularly in an employment setting.The analysis usually takes a course involving a consideration of the legitimate interest of the employer in gathering the information, how that relates to the needs of the business and an examination of less intrusive means that would accomplish the same employer goal. Underlying this is a consideration of the privacy interest of the employee and employee group subject to the request for information.The approach to date has been cautious and reasonably well balanced. Each case will turn on the facts at hand.

Outside of the workplace most of us here still rely on a credit card or a debit card and some old fashioned folks still use good ole cash. Given that the use of my cards allows a vendor and, those that the vendor shares the information with to, track my eating habits, my choice of consumables such as gas, food, toothpaste, video selection, ect., I'd say that I've already pretty much laid my cards down on the table. And as for finger prints they are already in the public domain ( my house and office door handles, my car door handle and my office coffee cup). The new technology makes packaging, organizing and sharing the information that much easier and therein lies the objection.

Posted by: Johannes Schenk | Jun 9, 2006 1:02:56 PM

It would be nice to think that the users of biometric data are taking advantage of its underlying principles – i.e. that it is immutable and unique (hopefully). Can someone familiar with the use of biometrics please explain the following:
Let’s say a hypothetical would-be immigrant applies to the INS (ok, USCIS) for employment authorization last year, and duly completes all administrative requirements, including a trip into deepest darkest metro-inaccessible Virginia to undergo fingerprinting, digital imaging, and an ear scan (?). One year later, with no green card yet in sight, it becomes necessary to file for renewal of said employment authorization. And along comes another identical request that the wannabe-immigrant should attend again to have biometrics taken.
What’s going on here? I thought the principle underlying the system was that biometric measurements were supposedly immutable and unique? Once biometric data are already on file, why is it necessary to repeat measurements a year later? Am I naïve to hope that there must be another reason, apart from the large fees required each time?

Posted by: skibird613 | Jun 10, 2005 9:25:57 AM

Might we also see a rash of finger-snatchers, thieves who cut off people's fingers?

Posted by: no one you know | Jun 9, 2005 4:03:18 PM

Post a comment