Friday, April 01, 2005

Biometrics debate hinged on ID theft

The Texas House Defense Affairs Committee yesterday heard HB 2337, which would create a database of facial recognition metrics of Texas drivers and ID card holders, as the last item on a long agenda, then left it pending. I was the only speaker against the bill, but got the sense my testimony on behalf of ACLU of Texas was well received. Nobody seemed to have a good answer, especially, to the identity theft concerns raised. The bulleted items in yesterday's post provide a pretty good summary of the subjects covered in my testimony. A couple of highlights, though:

Freshman Rep. David Leibowitz raised the specter of a Choicepoint scenario where drivers' personal data was stolen, but DPS officials told him they were establishing sufficient safeguards. Since DPS forgot to mention it, I followed up during my testimony to let the committee know that Digimarc, one of the two companies bidding on Texas' drivers license contract, was responsible for data recently stolen from the DMV in Nevada. With biometric data increasingly common for use as computer passwords, I argued, a similar theft at DPS in a couple of years might compromise thousands of businesses' and individuals' cybersecurity.

The committee also seemed surprised that DPS had included facial recognition technology in their drivers license re-engineering RFP, even though the Legislature did not approve it. Confusing matters a bit for everybody, a "resource witness" from a local Austin firm that manufactures "smart card" technologies testified "on" the bill describing his company's work. But his firm isn't one of the bidders, and Texas DPS is not moving to a "smart card" system, so I'm not sure the committee understood that his testimony was actually a complete non sequitir.

Bill sponsor and committee Chairman Frank Corte questioned me fairly vigorously. At one point he asked if it wouldn't be a good thing if Texas caught five identity theft attempts per week using the system, as they apparently do in Colorado. I replied that, under those assumptions, we might catch 260 identity theft attempts per year, while almost 9,000 people had personal information stolen in one day in Nevada. If the information stolen included data corresponding to computer passwords, the harm could be immeasurable, I said.

Nobody seemed to have a response to that argument at the hearing, but afterward, DPS Drivers License Division Chief Judy Brown told me that DPS security measures made what happened in Nevada "impossible" because their database isn't stored on the individual terminals. That sounds to me like hubris. There's an old saying around these parts: "There's never been a horse that can't be rode, never been a cowboy can't be throwed." As far as I'm concerned the adage works just as well in the digital age.

1 comment:

Nam LaMore said...

What an interesting post .. I had the pleasure to work at a research lab where I got to learn alot about biometrics; so reading your post reminded me of my time with some of the most futuristic scientists I've ever met [yes, I've met a few due to work].

I'm sure you're aware that biometrics is always used in movies; of special interest is the movie "6th DAY" (about cloning, really) with Arnold in it. If you can stomach his non-acting, it has a decent story.

my post on electronic ID