Wednesday, December 22, 2004

Why would they want all ten fingerprints?

"Why would [the Texas Department of Public Safety] want all ten fingerprints?" from Texas drivers and ID card holders, a reader queries via email.

The reasons are as varied as the people proposing the idea, but mostly it has to do with law enforcement. After all, if the only issue were identity authentification
to get a Texas drivers license, just the thumbprint would do. Bottom line, police already have access to fingerprints from everyone they arrest and book into jail. They want fingerprints from people who haven't been arrested to match when they're investigating crimes. Right now, thumprints given for your drivers license application can't be used for that purpose in Texas.

For others, fingerprint biometrics will be the lynchpin for the movement toward a national ID card. In a fascinating item posted this morning entitled "Hot Fingerprint Trends in 2005," Jason Tan relays this prediction:

"'One major trend in 2005 will be the use of fingerprint technology in combination with national identity cards,' stated Christer Bergman, chief executive officer and president of Precise Biometrics, a Sweden-based provider of biometrics security solutions using fingerprint authentication.

“'Here, we are seeing more and more projects asking for Match-on-Card -- the technology where fingerprint templates are stored on smartcards and smartcard processors are used for comparison. Hence, fingerprint templates never leave the smartcards."

Right now the thumbprint image that drivers give isn't on the magnetic strip on the back of a Texas drivers license, so those sort of uses would require changes in Texas law, but that's where some "Big Government Conservatives" want to go with the idea.

Tan's article also shows how the biometrics industry's own push for new markets drives many of these new government initiatives:

"The main market remains government projects [said Bergman]. 'We see both the health-care and financial sectors picking up as mandatory regulations are implemented.'

Echoing his view, [Czech biometric company sales manager Karl] Audaert added that Thailand, Hong Kong, Malaysia and Singapore are among the Asian countries that have adopted biometrics in passports and national identity cards or have plans to do so soon.

“The global driver for these projects is fear of terrorism and identity theft. Technological challenges include pushing for wider deployment, while remaining easy-to-use, secure and reliable,” he explained.

Where does it all lead? Tan quoted Audert describing "MyKad--the Malaysian identity card, which incorporates features such as fingerprint biometrics and medical history, while serving as a driving license, ATM and electronic purse. The government plans to use it even as a travel document to replace passports for border transit among neighboring countries.

"It is compulsory for citizens above 12 years old to have a MyKad by end of this year; everyone will, therefore, be carrying a smartcard with them. This presents huge opportunities to develop more applications, added Audaert."

Now, just because Malaysia created such a card doesn't mean it'd be a good idea here. As my mother would have said, God rest her soul, "If Malaysia ran to the edge of a cliff and jumped off, would you jump off too?" But that's what the kind of sweeping promises vendors are making to the Department of Public Safety and other state officials backing the biometrics push.

These pie in the sky fantasies ignore grave risks -- if my credit card number is stolen, I can get it changed with some trouble. But if someone figures out how to fake my fingerprint or my iris scan to access my credit, my bank account, medical data or other personal information, how can anyone ever return what's been taken from me? At the University of Texas last year, hackers stole 55,000 social security numbers from the university's computer system. (The university, like many, used social security numbers as a student ID number, but now is phasing them out.) So what if students' fingerprints or iris scans had been stolen? If biometrics become a standard form of ID that can unlock things like access to bank accounts, public benefits or even the ballot box, they become just another piece of valuable data waiting for a thief to steal.

Biometrics in personal consumer products -- fingerprints in lieu of passwords on home computers
, for example, to activate cell phones, or certainly as part of safety mechanisms for firearms -- offer great utility and low privacy risks. Those privacy risks increase, though, when a company gathers biometrics into databases on its employees and customers, since protection of their privacy then depends largely on the good will and security acumen of the company. When government gathers such data, the privacy issues become much more comprehensive and troubling. Folks at all levels of government need to take a deep breath, think about what all this means and whether we're prepared for it before rushing forward.
See recent Grits coverage on this issue: "Biometrics Blues," Stanzas One, Two and Three, What Do Fallujah and Texas Have in Common?, Whither Texas on Biometrics After Intelligence Bill?, The Biometrics of Face Veils, and No Smiling.

No comments: