Biometrics must balance privacy and security
Using body parts to prove 'I am who I say I am'
By Marsha Walton
A hand geometry scanner measures 14 different lengths of a user's fingers.
MORGANTOWN, West Virginia (CNN) -- Humans have always recognized one another through physical traits: seeing a loved one walk through the door, hearing your boss's voice on the phone, finding the right tribal campfire.
Visual cues have helped us to differentiate friend from foe.
But what happens when technology enters the equation, and a machine determines whether "you" are really "you"?
Biometrics, an automated way to authenticate a person's identity, is being used from airports to grocery stores for both security and convenience.
"I may forget my credit card, but I'm not forgetting my finger," laughed Michelle DuBose, a shopper at the Piggly Wiggly grocery store in Mount Pleasant, South Carolina. A scan of her index finger at the checkout counter is all she needs to prove her identity, access her account, and make a purchase.
DuBose and hundreds of others have enrolled in the store's biometric payment system. Registration involves providing a credit card or other payment method and the capture of a digital fingerprint. San Francisco-based Pay By Touch operates the technology for Piggly Wiggly and several other retail stores.
"One of the reasons people are adopting it so quickly is that there have been so many new ways to pay in the last few years, especially with the Internet," said Caroline McNally, chief marketing officer of Pay By Touch.
"When ATMs were first introduced 20 some years ago, people were very hesitant and cautious, but over time people became accustomed and trusted it," she said.
Some researchers say biometrics can be more secure than passwords, personal identification numbers, or even physical keys.
"Basically, what the biometric does is, it requires an individual to be physically present," said Larry Hornak, director of West Virginia University's Center for Identification Technology Research. "Whereas [with] a password, you can easily provide that to someone else."
Before the terrorist attacks of September 11, 2001, biometrics research was geared mostly toward convenience, such as retail transactions and employee access to buildings. That has shifted toward security and anti-terror measures -- and raised privacy concerns.
"Maybe it's the events of 9/11 or maybe it is our experience with the information age that is making people approach biometrics carefully," said Lisa Nelson, attorney and professor at the graduate school of Public and International Affairs at the University of Pittsburgh.
"If biometrics are implemented incorrectly, or without a lot of thought, there will be huge consequences, not only for the industry, but also for the legislators who are facilitating the use of biometric technology," she said.
Nelson said it is critical that legal safeguards keep pace with the technological advances in biometrics. And she said the technology probably won't be rolled out on a wide scale unless there is increased public acceptance of using fingerprints, eye scans, or voice recognition technologies.
"I don't see it as being a panacea. I see it as another layer of protection, and therein is the strength of it," said Nelson.
The most common "Big Brother" fears and concerns parallel the types of questions people first asked when they had to decide whether to put their credit card numbers on an e-commerce site on the Internet: Who has access to my information?
If a shopper gives a fingerprint to a department store to pay her bills, she wants to be sure that it's not being accessed by other merchants or government agencies.
"What we teach is that there should never be third party use of the data," said West Virginia University's Hornak. "You have an arrangement using your biometric to acquire some service from that second party, and that's the only place that information is retained."
Because human bodies change constantly, a palm scan or a facial geometry scan never matches perfectly. So deciding where to set the bar for an acceptable match is critical.
"The question is, What is the cost of making an error?" said Arun Ross, assistant professor of computer science at West Virginia University.
"What is the cost of falsely admitting an impostor? If I'm falsely rejected, maybe I'm going to be upset for a couple of seconds, and I could just place my finger again. But if it is a false accept, you just let the wrong person into the nuclear facility," Ross said.
Privacy watchdog groups such as the Electronic Frontier Foundation also urge caution.
"You can change a password, you can re-key a lock, but your fingers, your iris, your voice, they're you. So when someone compromises the security of that kind of biometric, you're stuck," said Lee Tien, senior staff attorney at EFF.
"Our feeling is that it's just not ready for prime time right now. There are a lot of applications where it can be used, but they tend to be small scale. But if you want security and any kind of a high volume application, it's probably not going to be very effective," he said.