Ubiquitous Biometrics

|

Guest Post from privacy expert Kathy Harman-Stokes

Speakers at the National Defense Industrial Association (NDIA) 2010 Biometrics Conference emphasized the value of “ubiquitous biometrics.” For biometrics to become ubiquitous, one speaker said biometrics should be widely used for facilities access, by employers for time and attendance recording of employees, and customer identification for various transactions, such as financial transactions. One goal of this NDIA Conference was to address government progress on implementation of U.S. Homeland Security Presidential Directive 24, which calls for interoperability of government biometric systems to aid the fight against terrorism. Speakers at the conference spoke of the promise for biometrics to minimize terrorist activities and also improve our everyday lives.

In my presentation I addressed the ways that biometrics are rapidly expanding in the private sector. Over 100 companies in the UK and Middle East are using a particular facial recognition systems for their employees – for access to construction sites and airports, and time-keeping of employees and contractors. This system links into the attendance and payroll systems, reducing paperwork. One company found a 4% reduction in wage payments after implementing the system, stopping its wage fraud in its tracks. Colleges are using the same system to track class attendance. Iris recognition systems now capture an iris from three-feet away, with people in motion walking toward the scanner. One system can capture the iris of 50 people/minute as they clock in for work at construction and other job sites. To comply with HIPAA, medical centers are using biometrics increasingly for staff access to patient records, and to confirm the identity of patients before dispensing medication.

Admission tests have been using biometrics for years. The GMAT is using a system worldwide that scans the vein pattern of the palm of a test-taker’s hand with infrared light (a “palm-vein” system). The LSAT and some others use fingerprints, all to minimize exam fraud, which results in fraud in the admission process. A bank in Australia is using voice authentication biometrics for some phone banking and banks in Japan are using palm vein systems at ATMs. One system, BioLock, offers a fingerprint systems that can literally protect every mouse click on a computer. An employee scans a fingerprint to log-on, then must scan again for each attempt to access a sensitive transaction, such as authorizing a wire transfer. Every attempt is logged and anyone with fingerprints in the system is identified, catching an attempt by John to initiate a transaction only authorized for Jane. This would certainly put a dent in data breaches caused by insiders.

A company in the Netherlands offers fingerprint biometrics for customer access to fitness centers, swimming pools and similar facilities. It denies access if you haven’t made your monthly payment. It can be used by hotels instead of a room key; you and your children could use your fingerprints for room access and room charges. This system is also being used in lieu of “loyalty cards,” as your purchases are tracked via fingerprint rather than a card. I wouldn’t need to carry around my 20 loyalty cards or remember which of my four phone numbers I used at a store.

Apple® iPhoto® and other photo-sharing sites are using biometric facial recognition to group user’s photos together by person. Of my 4000 photos, one site has grouped together all the photos of my daughter, my son, my mother, my friends, my children’s friends, etc. I just add the names and voila – an album ready to upload to the web and share. This simplifies holiday gift-giving.

I don’t doubt that biometrics will become ubiquitous one day. Personally I find that they can be efficient and offer conveniences, and they offer more accuracy in identifying people. Yet, there are well-known risks. For example, where is the data and how is it secured? After all, if my biometric data is breached, I have no real recourse – I can’t change my fingerprint. Who has access to the data? With how many of the “partners and affiliates” vaguely listed in a privacy policy does a company share the biometric data? How is the data being used – will it be used in an automated way to deny me rights with no recourse, for example, preventing me from entering my fitness center or job site? Despite some claims, biometric accuracy is not perfect; how stable is an iris over a life-time?

In the European Union, there are stringent laws around the use of biometrics. Systems there are being designed to comply with the law, i.e., they are being designed with privacy protections built in. The company in the Netherlands, EasySecure, doesn’t keep the image of the fingerprint collected. It only retains an encrypted string of numbers, the “template.” This eliminates the risk of someone else misusing the image for other purposes, from identity theft, to a government agency trying to apply their own algorithms to match my fingerprint one-to-many against others in their databases.

It’s different in the United States. Some in the U.S. fear the government’s use of biometric data. Yet, the U.S. Government is subject to the Privacy Act of 1974, which limits its data collection, requires published privacy impact assessments and systems of records notices. Freedom of Information Act requests are another check on government data use. No such rules apply to the private sector’s collection of biometrics. Illinois has a law that prohibits private companies from collecting biometric data, unless requirements such as notice and explicit consent are met. It also forbids retention beyond three years. Biometric Information Privacy Act, 740 ILCS 14/1 (2008). To my knowledge, however, no other states have passed similar laws and no Federal law specifically addresses private sector use of biometrics.

My concern is not necessarily the ubiquity of biometrics, but the measures in place to ensure proper use and protection of biometric data. We are entering a world where we need such protections. I would feel much better about using a fingerprint at my grocery store if I knew that the image was not being stored for any later use by anyone, at any time in the future. I would feel better knowing that only an encrypted string of numbers was sitting in the cloud on a server somewhere.

Kathy is an attorney, consultant and CIPP in Washington DC, advising clients on US and international data privacy laws, including biometric laws. She was the Associate GC for the company that owns the GMAT, where she oversaw the data privacy compliance program for collection of biometrics in 110 countries. In a novel decision, after her discussions, the French data protection authority (the “CNIL”) approved the GMAT’s use of palm vein biometric data.