As the costs of the technologies fall, biometric identification tools — such as fingerprint, iris or voice-recognition scanners — are increasingly being used in everyday life. There are significant privacy questions that arise as biometric data is collected and used, sometimes without the knowledge or consent of the individuals being scanned.
Biometrics use has become more commonplace. Many smartphones, including iPhones, have fingerprint “touch” ID scanners that people can use instead of numeric passcodes. And law enforcement personnel have been using fingerprint scanners for years, both domestically and internationally. In the past few years, we’ve see banks capturing customers’ voice prints in order, the institutions say, to fight fraud. Or gyms asking members to identify themselves using their fingerprints. Reuters recently reported that companies are seeking to expand fingerprint-identification systems to credit cards and railway commuters.
And the voluntariness of a person submitting his or her biometric has also been questioned. Do you realize when you’re calling your bank that you’re handing over your voice print? Another situation a few years ago in Washington, D.C., also raised at the issue of voluntariness. The District considered requiring that all visitors to its jail “have their fingerprints scanned and checked against law enforcement databases for outstanding warrants.” So if you wanted to visit a friend or relative who was in the D.C. jail, you would have to volunteer to submit your biometric data. The plan was dropped after strong criticism from the public and civil rights groups.
Your biometric data can be gathered for any number of innocuous reasons. For example, I had to submit my fingerprints to obtain my law license, not because of a crime. Family members, roommates and business colleagues of crime victims have submitted fingerprints in order to rule out “innocent” fingerprints at a crime scene in a home or workplace. Some “trusted traveler” airport programs gather iris scans. Some companies use iris-recognition technology for their security systems.
There are a variety of privacy, security and usage problems that can arise from the widespread use of biometric data. Such problems could lead to discrimination or disenfranchisement of people who can’t submit their biometrics. For example, it’s possible that some people won’t be able to give the biometric. Some people with missing limbs or prints that are difficult to capture consistently. Or the machinery used to capture the biometric could have difficulty capturing diverse users – very tall or very short, etc. people could have problems with iris scanners, for example.
Or there are religious or cultural problems and you can’t use facial recognition as a biometric because the person wears a beard or a headscarf. Or a person is just plain uncomfortable handing over their biometric. The reason for discomfort could be because of privacy or civil liberty questions or a fear that the biometric would be misused or stolen.
Some people are wary of the covert collection of biometrics. For example, there are systems that can scan a person’s iris from a distance. And there’s the problem of mission creep — fingerprints added to a database for innocuous reasons (ruling out “innocent” fingerprints at a crime scene) are then used for other purposes. What if iris scans are collected for building-access control but are later added to a criminal database? Data submitted for one purpose should not be used for a different purpose without the individual’s knowledge and consent.
Another privacy and security issue has to do with how biometrics can be compromised. A person could capture a biometric, say a fingerpint, from a person and later use it to gain access. And capturing a biometric for misuse can be easy, depending on the biometric. Fingerprints are left everywhere, faces can be photographed, voices can be recorded. How do you solve the problem of misuse of your fingerprints, which you cannot change?
There are ways to lower the privacy and security risks in biometric systems. You need to look at the system as a whole. How is the system set up, protected, and maintained? Are there stringent security and audit trails, among other security protocols?
But even strong biometric systems can fail or be hacked. So the march toward centralizing identification using biometric data such as fingerprints, voice prints or iris scans should be halted. It decreases security to have a centralized system of identification, one ID for many purposes, as there will be a larger amount of harm when the one biometric is compromised. A better system is one of decentralized identification, which reduces the risks associated with security breaches and the misuse of personal information.