An interesting post on biometrics and privacy from an informed observer (via Usenet):
In reply to Dennis Glatting <dennis.glatting@software-munitions.com> "Has there been any debate on the privacy of biometric data? Is it really in my best interest to give banks the ability to scan my fingerprints or retina? It seems to me if they scan the information then they have to compare it to something, which makes me wonder about the security issues of that data since digital data has low entropy."
"There has been no debate on the privacy of biometric data that could be characterised as international, but pockets of debate certainly exist. In Europe the data protection laws recognise biometrics as exemplars of Privacy Enhancing Technologies (PETs). In The Netherlands, where strong privacy laws exist, biometric templates are increasingly held only on smart cards carried by the individual, governing access to the private data on the card. Renewal of such a card, after its loss or theft, might require reversion to the 'old-style' system of verifying identity (i.e. mother's maiden name, place of birth etc), rather than a biometric verification against a centralized database of biometric records. This highly devolved use of biometrics is directly related to the extensive privacy debate amongst Dutch legislators.
"The problem as David Glatting points out is the digital nature of templates. In Europe what follows from the use of biometrics as PETs is the increased potential vulnerability of (or threat to) the stored biometric template, and the vulnerability of digital archives once again becomes the issue. If we are not to go full circle, the digitally stored biometric template must have storage governed by either better technology (strong encryption and/or smart cards are among the proposed solutions) or by legislative measures such as privacy laws that distinguish personal identifiers used for authentication from other types of personal data.
"In the USA attempts have been made to develop the latter. In 1998 the California Bankers Association joined, in an unlikely alliance with the Center for Law in the Public Interest, to push an amendment (AB50) to an identity theft bill passing through the Californian Senate. It failed. The aim of the bill was to avoid the kind of mis-appropriation of identifiers that has weakened the social security number system. Banks collecting customer biometrics for storage would be liable to a $5000 fine for each instance of mis-appropriation of a stored biometric: the financial incentive and the onus for reform would then be on the banks. On this occasion the legislation may not have been all that well debated beforehand as to the technical implications for users and suppliers of biometrics, but the customer implication was clear: it should be possible for a bank customer to substitute a biometric for a PIN/password without the fear of a loss of privacy. On this point the banks and privacy advocates remain agreed.
"As a contribution to the debate, and to show where the industry itself stands, the recently formed International Biometric Industry Association (http://www.ibia.org) has just released its outline privacy principles concerning biometric technology.
-- "Calum Bunney Editor, Biometric Technology Today (Btt)"