A Washington Post article discusses the growing use of biometric identification, which involves authenticating identity by using immutable characteristics of the human body. Some methods include fingerprint readers, iris scanners, and facial recognition systems. According to the article:
Three or four days a week, Darren Hiers gets lunch at a Sterling, Va., convenience store near the car dealership where he works. He grabs a chicken sandwich and a soda and heads to the checkout counter, where a little gadget scans his index finger and instantly deducts the money from his checking account.
Hiers doesn’t have to pull out his wallet to buy lunch — and if it were up to him, he’d never have to write a check or swipe a credit card again.
The finger scan used at the shop in Sterling, known as a biometric payment system and made by a Herndon, Va., firm, is just starting to be installed at convenience stores and supermarket chains around the country, another step in a revolution that is turning the human body into the ultimate identification card.
Already faces and fingerprints are used to track visitors coming into the country. Computer passwords are being replaced by thumbprints at some companies and iris scans are giving consumers in England and Germany access to their bank accounts at ATMs.
The owner of BioPay LLC, which makes the technology used at the store, predicts the finger scan soon will be ubiquitous, offering speed and convenience for consumers. But civil libertarians have raised privacy concerns, citing some recent problems. In February, ChoicePoint Inc., a background-screening company that collects personal information — including biometric data — said it accidentally sold more than 100,000 individual profiles to identity thieves. . . .
Biometric payment systems work by connecting images of an individual’s fingerprint to his bank account. At the Sterling convenience store, a BP gas station owned by Rich Gladu, users enroll by handing the cashier a personal check (verified with a driver’s license) that is scanned into the computer. Then they place each index finger on a tennis-ball-sized reader that captures the unique characteristics of their fingerprints.
Biometrics have been touted as a more reliable form of identification. The technology does have some promise, but there is a dark side. A lot of faith is being invested in biometric technology without much thought about the potential risks. One risk is that there are scant legal restrictions from the government accessing private sector data. As more businesses begin to use biometric identifiers, the government will have ready access to this information. This issue should be addressed before biometric identification methods proliferate.
Another major problem is
what I call the “Titanic Phenomenon.” This is having too much faith in technology, in believing that technology is foolproof. The problem is that although identification based on passwords or cards may not be as relaible as biometrics, the consequences are much less severe if the a password or identification card falls into the wrong hands. If one loses a credit card, it can be readily replaced. But if an identity thief gets one’s fingerprint or picture of one’s eye, these cannot be replaced. What then?
As security expert Bruce Schneier observes in Beyond Fear, a thief can obtain biometric information by hacking into a database where the data is stored. Moreover, people leave fingerprints wherever they touch (p. 187) Given the fact that companies are having such a difficult time keeping people’s information secure these days, I wonder whether adding biometric information into the mix is a wise idea. And the law provides very little guidance in this area, as there is no standard for the accuracy or security of biometric data.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.