Aug 1
WAY BACK—well, five years ago—when Apple introduced iPhone 5s’s thumbprint scanner, fear mongers lost no time claiming that phone thieves would now take your phone and your finger. Never mind that it wouldn’t work—irrational panic spreads faster than rational calm—and besides, what if your phone thief doesn’t know that iPhone can’t scan a dead finger?
Safe as your digits are, there are valid reasons for concern about thumbprint scanners. According to the New York Times,
… researchers at New York University and Michigan State University suggest that smartphones can easily be fooled by fake fingerprints digitally composed of many common features found in human prints. In computer simulations, the researchers from the universities were able to develop a set of artificial “MasterPrints” that could match real prints similar to those used by phones as much as 65 percent of the time.
Carry around enough masterprints, reasons one NYU professor, and you could unlock up to half the smartphones out there.
But the NYU professor’s statement indulges a bit of hyperbole.
For one thing—one, very big thing—testing was done in a lab, not on real phones, and laboratory conditions often fail to predict what happens in the real world. For another, Apple places the odds of a rogue fingerprint’s opening your phone at one in 50,000. It’s reasonable to assume bias on Apple’s part, but then, besides making phones, Apple is also in the business of not getting sued for shoddy security.
But just to be safe, if you know that 49,999 of your friends tried to hack your phone, beware the next one.
Other forms of biometric ID are a burgeoning business. And that leads to bigger biometrics questions having less to do with thumbprint security and more to do with privacy. Namely, who owns your biometric information? Who can share it, and with whom, and for what purposes? And what to do if your biometric identifiers are stolen or compromised? You can’t exactly change them.
No longer the stuff of movies
Readers may remember the 2002 movie Minority Report, which depicted a futuristic world where eye scanners tracked people’s location, greeted them by name in shopping malls, and served up personalized advertising. The possibility is not so far off. India has already scanned into a national database the irises and fingerprints of 1.2 billion residents. Researchers at the University of Tokyo have come up with a way to replace car keys with a butt-scanning driver’s seat. Smartphones complement fingerprint recognition with facial recognition. Biometric devices recognize your ECG, your walk, even your body odor. (That last one might not be terribly secure. I know a few people who could activate such a device from several miles away.)
A national database of biometric information can be useful for second- and third-world nations. For first-world nations, however, especially those with something akin to the Fourth Amendment to the United States Constitution, it opens a can of worms as to where illegal search begins and ends. USA Today raised valid concerns:
The rapid rollout of biometric ID systems holds some promise [for underdeveloped nations]. Hundreds of millions of people lack formal identification, and that’s an obstacle to participating in society …
… [But in] the United States, Europe and other regions, the worry is not that the state doesn’t know who you are, but that it knows too well—like Big Brother. Critics of biometric programs argue that important questions haven’t been resolved.
Who has the right to collect your biodata? Who gets to access it? How can it be used? And what happens in case of security failures? After all, you can change your passwords after a Heartbleed bug, but you can’t change your irises.
From a technology standpoint, it’s not necessary to obtain your permission or even your cooperation to collect your biometric data. As Scientific American reported:
Since 2011, police departments across the U.S. have been scanning biometric data in the field using devices such as the Mobile Offender Recognition and Information System (MORIS), an iPhone attachment that checks fingerprints and iris scans. The FBI is currently building its Next Generation Identification database, which will contain fingerprints, palm prints, iris scans, voice data and photographs of faces.
Moreover,
Department of Defense–funded researchers at Carnegie Mellon University are perfecting a camera that can take rapid-fire, database-quality iris scans of every person in a crowd from a distance of 10 meters.
Such data gathering can make linking criminals to crimes easier. It can help put names to unidentified remains. But at what point does collecting—and distributing—your biometric data intrude? Clearly, what is technologically possible must be tempered by what is legally allowed and morally supportable.
The age of biotech legislation
Per the American Bar Association:
A few states have enacted legislation specifically to regulate third parties’ use and collection of individuals’ biometric information. State laws concerning biometric information fall roughly into one of three categories: (1) laws with respect to the collection and use of biometric information belonging to students; (2) laws dealing with collection by government actors; and (3) laws targeting the collection and use of biometric information by businesses.
And per the Security Privacy and the Law website:
So far, Illinois is the center of biometrics privacy litigation, thanks to its strongest-in-the-nation law regulating the use of biometrics. The Illinois Biometric Information Privacy Act, passed in 2008, imposes requirements with respect to the retention, collection, disclosure, and destruction of biometric information. Only two other states, Texas and Washington, currently have biometric-specific privacy laws in force, each of which for its own reasons has not had quite the impact of the Illinois law. (Note that some states, through their criminal laws, already protect biometric data against identity theft.)
2018 may bring big new developments, however. For one thing, look for courts to rule on the application of the Illinois law to parties located outside of Illinois. For another, a fourth state has passed a law containing biometrics privacy protections, set to go into effect in April. With various pieces of biometric-related legislation pending across the country, it’s a good bet that other states–and perhaps the federal government–will follow suit in the coming year.
In sum, your fingers and thumbs are safe, at least from informed thieves. But there remain daunting questions both philosophical and legal as to collection, distribution, and use of your biometric data. It’s no longer the stuff of science fiction. I need hardly point out how the use of biometric ID could help out—and, in some cases, compromise—the banking industry. It behooves us to keep abreast of, or even get involved in, future developments.