IBIA -- Biometrics Advocacy Report
Guest Column: Editor's Note
John Siedlarz is Vice Chairman of IBIA and one of the four founders of the association. He was President and CEO of IriScan, Inc., now Iridian Technologies, Inc., from its startup in 1993 through 2000. He continues to serve Iridian in a strategic advisory role. He earlier founded and managed other companies in the security industry after leaving an Air Force career in 1980.
Guest Column: "Biometrics and Privacy: Platitudes or Attitudes" John Siedlarz
It is increasingly difficult to find an article in the general media, if not the industry press, that discusses biometrics without a link or reference to the "privacy issue." Normally, this appears as a cautionary note, but not infrequently it is hostile in tone. IBIA has never avoided this issue, and, in fact, adopted a proactive stance at the formation of the association that acknowledged a concern and a need for a clear policy of self-regulation. While no one realistically expected this initiative by IBIA to pre-empt the controversy, it often appears that few even bother to read the principles we espouse. Others believe that we will not adhere to them anyway, ultimately convinced that our members will be seduced by the economics of operating in an unrestricted environment.
While the focus of this article is not the privacy "rules" per se, but rather the attitude of the industry and an action plan for the future, we should establish some boundaries that carve out the extreme positions. There is little common sense, and hopefully no rational support, for a position that argues that we can function in an environment of total anonymity within a complex society. We simply cannot expect to have the convenience, efficiency, and flexibility, with speed, that we have come to enjoy in our personal and public transactions without some sacrifice of our private "space." At the other end of the spectrum, that sacrifice must not create an environment in which every move that we make; every product we buy (or consider buying); every action that we take; and every financial, medical, and personal fact about us is tracked, recorded, analyzed, used, sold, and re-used, to gain a commercial, administrative, or bureaucratic advantage. Between these extremes lies a sensible and rational compromise that can meet our needs in commerce and government, without an intrusion so onerous that a loss of personal freedom is at stake. Cooler heads must prevail.
The tidal wave of concern over privacy is neither trendy nor trivial. It is based on reasonable evidence, and early abuses, showing that the flood of information promoted by technology provides access to data that was previously gained only with considerable difficulty. At the same time, many who are concerned with this issue have lost perspective by supporting the illusion that we are a substantially private society today, when in fact, much privacy has already been sacrificed to gain the benefits of accessibility. In any event, this controversy engenders a significant level of legislative and administrative activity. Consider the following:
Nineteen bills addressing privacy in different applications have been introduced in the new Congress. Forty-seven articles have appeared in the Congressional Record on the subject thus far this year. The new Chairman of the House Commerce Committee, Congressman Tauzin (R., Louisiana), a man very knowledgeable about information technology, regards privacy in the IT environment as a top priority for early action by the Congress. Senator McCain (R., Arizona), the astute Chairman of the Senate Commerce Committee, can be expected to address this issue as well.
State legislatures are equally active. An aggregate of 74 privacy bills are pending in the legislatures of Texas, Pennsylvania, New York, and California alone.
Federal regulatory agencies have sharply increased their focus on protecting privacy. Among significant initiatives are the following:
Implementation of standards in the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy of medical records.
Implementation of standards in the Financial Services Modernization Act to protect the privacy of "personally identifiable financial information."
Workshops sponsored by the Federal Trade Commission on the role of technology in personal authentication.
Inquiries by the Departments of Defense, Justice, and Commerce about improving the security of network infrastructure to deter identity theft.
On the international scene, the EU and the European Commission are implementing the Data Protection Directive and member countries are adopting and developing privacy laws to support this policy. Canada is in the process of enacting and implementing new privacy protection rules.
To be sure, most of this activity does not specifically address biometrics and it is not my intent to raise the cry that the "sky is falling" in that regard. Nevertheless, it would be prudent to assume that conflict with the proper use of biometrics would be inevitable in many of the laws, rules, and regulations under consideration. The nascent biometric industry can sit back and hope for the best, or actively promote a legislative agenda that seeks compromise on the privacy issue and defines and supports biometrics as a guardian of privacy in the information technology age.
It is ironic that biometrics, the very technology that may offer the best key to this difficult compromise, is frequently characterized as an inherent threat to privacy. It would be a mistake, however, to write this attitude off to technophobes or hidden agendas. We have a responsibility in the industry to understand the perspective that sees the technology as threatening, to explain how biometrics can be used to guard against real threats, and to educate the public about how biometrics can be used to enhance personal privacy while increasing convenience in a complex world. I think it is time to go beyond a public relations program that will always be viewed by some as merely self-serving. I think that it is also time to go beyond total reliance on self-regulation by the industry as adequate to the task.
Self-regulation, no matter how well constructed or advocated, will not adequately meet expanding concerns about protecting privacy. It's patently obvious that no one controls the biometric industry and its end-users well enough to guarantee protection against abuse. Even if that were so, few believe in the inherent good will of business or government (with different levels of concern depending on which side of the planet you're on) to enforce regulations without the rule of law. Partly for this reason, a large high-tech trade association, AeA (formerly the American Electronics Association) decided recently to shift from a policy of self-regulation on privacy issues, to a recommendation for adoption of privacy standards by the Federal government. I believe that IBIA, and members of the industry whether or not members of the IBIA, should consider a similar course of action. Just as IBIA took the initiative in 1998 in advocating self-regulation, our position should be proactive in defining the content of new Federal privacy law.
With due respect to our friends in other high-tech areas, I believe that we are in the best position to advocate not only the necessary prohibitive aspects of such legislation, but to define opportunities available to exploit biometric technology in order to defend and secure privacy. Without that knowledge-based advocacy, we stand a real chance of seeing all the emphasis in legislation on prohibition rather than a balanced approach that can benefit everyone, from the provider to the individual consumer.
Civil Liberties, Consumer, Educational, Library, and Labor Interests Form "The Privacy Coalition" and Urge Congress to Adopt "The Privacy Pledge," Including Restrictions on Biometrics
On February 12 in Washington, D.C., a powerful alliance of consumer, civil liberties, educational, library, and labor organizations created The Privacy Coalition and announced The Privacy Pledge, calling it "the standard for future protection of privacy."
The Privacy Coalition is asking Members of Congress and state legislators to sign the pledge and thereby commit themselves to a set of principles to be embodied in future legislation to protect privacy.
Most of The Privacy Pledge is generic and unexceptionable. At its core, however, is a remarkably specific reference to technologies that manifestly include biometrics in particular applications.
The Privacy Pledge reads as follows:
"Privacy is one of America's most fundamental values.
The Fourth Amendment states that 'The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.' In addition, the U.S. has adopted many laws protecting Americans from privacy invasive practices by both the public and private sectors.
Recognizing the need to protect this essential freedom, I, (insert Member's name), pledge to my constituents in (State and District) and to the American people that I will support a privacy framework to safeguard the rights of Americans in this information age.
This framework includes:
1. Fair Information Practices: the right to notice, consent, security, access, correction, use limitations, and redress when information is improperly used,
2. independent enforcement and oversight,
3. promotion of genuine Privacy Enhancing Technologies that limit the collection of personal information and legal restrictions on surveillance technologies such as those used for locational tracking, video surveillance, electronic profiling, and workplace monitoring, and
4. a solid foundation of Federal privacy safeguards that permit the private sector and states to implement supplementary protections as needed."
Point three of the "framework" evidently both acclaims biometrics ("Privacy Enhancing Technologies") and calls for regulation of technologies, clearly including biometrics, used for surveillance. A benign reading of this paragraph would not be inconsistent with IBIA's Privacy Principles and a recent public statement by IBIA recommending restrictions on the use of biometrics in surveillance. (See "Biometrics and Privacy: Industry Policy on Crowd Surveillance," dated February 2.) The devil, of course, is in the details, none of which are set forth in The Privacy Pledge but naturally would appear in subsequent legislation.
Members of The Privacy Coalition include the American Association of Law Libraries, American Library Association, American Civil Liberties Union (ACLU), Center for Media Education, Consumer Federation of America, Consumers Union, Eagle Forum, Electronic Privacy Information Center (EPIC), Junkbusters, Media Access Project, National Consumers League, Privacy Times, United Automobile, Aerospace and Agricultural Implement Workers of America (UAW), and U.S. Public Interest Research Group (PIRG).
This is a politically potent combination. Its strategy is smart. The Privacy Coalition will certainly succeed in persuading a large number of individual Federal and state legislators to sign The Privacy Pledge, and thereby create personal commitments that can be transformed into votes in future to pass actual legislation. IBIA plans to closely monitor the initiatives of The Privacy Coalition in order to ensure that when it advocates laws to carry out The Privacy Pledge, the end result is an informed and fair balance between encouraging uses of biometrics that protect privacy and discouraging abuses of biometrics that invade privacy.
--Verrick O. French Executive Editor
ibia.org