PRIVACY + SECURITY BLOG

News, Developments, and Insights

Fingerprint Biometric

From CNN:

The FBI is gearing up to create a massive computer database of people’s physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.

But it’s an issue that raises major privacy concerns — what one civil liberties expert says should concern all Americans.

The bureau is expected to announce in coming days the awarding of a $1 billion, 10-year contract to help create the database that will compile an array of biometric information — from palm prints to eye scans.

Kimberly Del Greco, the FBI’s Biometric Services section chief, said adding to the database is “important to protect the borders to keep the terrorists out, protect our citizens, our neighbors, our children so they can have good jobs, and have a safe country to live in.”

But it’s unnerving to privacy experts.

“It’s the beginning of the surveillance society where you can be tracked anywhere, any time and all your movements, and eventually all your activities will be tracked and noted and correlated,” said Barry Steinhardt, director of the American Civil Liberties Union’s Technology and Liberty Project.

The FBI already has 55 million sets of fingerprints on file. In coming years, the bureau wants to compare palm prints, scars and tattoos, iris eye patterns, and facial shapes. The idea is to combine various pieces of biometric information to positively identify a potential suspect.

I am not one who believes that biometric identification is inherently bad, but the problem is that we don’t have the appropriate legal architecture in place to use it responsibly. For example, data security is woeful — whether it be government entities or private sector companies — and the law has not effectively grappled with this problem yet. As we move toward biometric identification, what if that data falls into the wrong hands? It’s one thing for one’s Social Security number to be leaked, a number which a person can change with a lot of bureaucratic hassle. But people can’t change their eyes or other biometric characteristics. All this makes a recipe for disaster. What are the odds that biometric information will actually be kept secure? My guess, especially given the massive number of data security breaches over the past few years, is that there will be some big leaks of biometric information in the future. I can see the data security breach notification letters already:

Dear John Doe:

We regret to inform you that your biometric data, including eye scan, fingerprint, DNA, and other information, have been leaked. An employee took it home on a laptop and that computer was stolen by a band of identity thieves. Your information might now be used for all sorts of illicit purposes, and you may find yourself suddenly arrested, deported, or sent to Guantanamo based on something the thief may have done with your data. There’s no credit monitoring or freeze or similar measure you can use to protect yourself. We suggest that you change your eyes, fingerprints, and DNA. Otherwise, all we can say is that we’re really sorry, and we’ll be sure to be more careful in the future. Of course, although we want you to have a lot of anxiety about all the dangers and risks we’ve exposed you to, we’re not foolish enough to admit you’ve been harmed, and if you sue us, we’ll be sure to insist adamantly that you weren’t ever harmed at all.

An additional problem is that there currently is not a good regulatory system in place to guard against abuses in the system or to provide oversight. How long can the data be stored? How broadly should it be collected? According to the article, “[t]he FBI says it will protect all this personal data and only collect information on criminals and those seeking sensitive jobs.” But there’s nothing stopping the FBI in the future from expanding the database at its own discretion. Who will ensure the accuracy of the data? Right now, data maintained by government agencies is protected by the Privacy Act of 1974, 5 U.S.C. § 552a, but this law has proven to be very ineffective at maintaining control over how government agencies collect, maintain, and use personal information.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter
