March 5, 2002
In the Boston Globe, Charles Richardson, director of the labour extension program at University of Massachusetts, remarked, “Biometrics is scary because it is noninvasive.” His use of the word “scary” is interesting, since fear is an emotion oft associated with this new type of technology, one that biometric innovators and industry leaders must struggle to overcome if their products are to become more widely accepted.
Biometrics is the science of automatically identifying individuals by noninvasively scanning for physical features, and is heralded by some as the solution to the world’s present security crisis. Some trace its origins back to 1686, when Marcello Malpighi first discovered finger swirls under a microscope. In the final years of the twentieth century, biometric industry transactions increased ten-fold, while a 1999 Lehman Brothers report estimated a 30-35% growth in the biometrics market, projected to reach $400 million by 2004 (1). By many indications, this is a rapidly growing, though still emerging, sector.
A good example of biometric security is using a computer to scan a face, then matching that face with a list of identities in a database. The database is a “watchlist” containing names and descriptions of known and suspected criminals. It theoretically enables the technology to key in on people most likely to be associated with crime. This type of biometric application is called “facial recognition technology” and is being recommended for widespread use in a variety of common security scenarios, such as border crossings.
It is important to note that biometrics represents an important step toward the Holy Grail of computer science: artificial intelligence. The technology essentially allows a computer to simulate some of the higher sensing and recognition functions of a human brain. With regard to the task of identifying individuals, the biometric advantage over traditional human security is that a computer does not suffer from the mind-killing boredom that such activities otherwise entail. No human, armed with mug shots and caffeine, could reliably, consistently and objectively do as good a job as a computer. In the wake of September 11, this technology represents an opportunity to heighten security at minimal cost. But resistance to its implementation has been based not on the technology’s precision, cost or usefulness, but rather on its appropriateness.
The suspicions of the always-antsy privacy lobby have been aroused. Even unintentionally, the argument goes, a society patrolled by automated identifiers compels a normalization in citizens’ behaviours. In the words of Sonia Arrison, Director of the Center for Technology Studies at San Francisco’s Pacific Research Institute, “[biometric] technology can be used to pressure individuals into acting according to majority norms because they worry they will be identified and persecuted.” Who among us does not become more self-conscious when under the camera’s eye? This self-consciousness might lead to less “anti-social” behaviour, but will it also lead to less free expression? The privacy lobby’s concern is that, ultimately, increased surveillance may result in a reluctance of citizens to speak out in public forums, for fear that conspicuousness would automatically place them on the biometric watchlist. In other words, intentionally or otherwise, biometrics can quickly and subtly become a tool for oppression. Industry must acknowledge and address this concern if this particular technology is to be fully embraced and allowed to contribute to the elevation of our security, confidence, comfort and standard of living.
One suggestion is for the use of the technology to be limited to the private sector alone. According to this perspective, government has the will, purpose and power to abuse the technology and circumvent civil liberties in incremental steps, while the private sector lacks such scope. A caveat to such an argument is that private surveillance is ultimately at the mercy of government, as in the cases of bank surveillance tapes subpoenaed for use in criminal investigations. These are rare instances, however. The establishment of sufficient legal precedent could assuage such concerns considerably, helping to solidify that all-important line between governmental and private ownership of biometric data.
Hence a key industrial role in coming years has to be the petitioning for sufficient legal controls to safeguard both companies’ integrity and public confidence. In the USA, Bill SB169 was passed by the Senate. The bill restricts the use of facial recognition technology by both law enforcement and business. There is concern on the industrial front, however, that the bill goes too far, its restrictions hampering the technology’s ability to truly confer improved security upon its users. In an open letter, the Chairman of the International Biometric Industry Association (IBIA) recommends that the government “adopt clear legal standards that carefully define and limit the conditions under which agencies of national security and law enforcement may acquire, access, store and use biometric data.” (2) The IBIA supports SB169’s demand that biometric solutions not be used to store information about innocent and/or unwitting citizens. But the Association decries the bill’s requirement for the technology to be used only when “acting pursuant to a warrant.” Their objection is well founded. In its current state, such a law would reduce the technology’s usefulness to a mere fraction of its overall potential, dramatically shrinking its potential market.
Citizen surveillance and the identification of fugitive and potential criminals is the most high-profile of proposed biometric applications, but not the primary one. The IBIA states that the technology’s true purpose is “to erect a barrier between personal data and unauthorized access.” In other words, it’s meant to replace or augment the current systems of passwords and data cards, which we presently use to access our offices, email, bank accounts and Ebay purchases. On the surface, the biometric solution appears to be the best way to accurately confirm one’s identity, using such proven techniques as fingerprinting and retinal scanning. But like all security systems, databases can be hacked, and an individual’s physiologic data copied onto false documents (for example, using another’s fingerprint on a fake US green card). The escalated danger where biometrics is concerned is that the true owner of the data cannot simply apply for a new ID once the old ID has been co-opted. If someone has stolen your fingerprints, you cannot order a replacement set. Biometrics’ very specificity is its Achilles’ heel in this regard, raising the stakes for the crime of identity theft.
A potential solution is the partnering of biometric technology with old-fashioned passwords, thus using the new science as an enhancement to existing measures, and not a replacement. Such an approach would prove politically more labile and allow the gradual introduction of biometric methods into general society. The technology is best sold as an augmentation to familiar systems, at least in its initial marketing phases. This appears to be the approach indirectly supported by the US federal bill HR3525, which would require that all US passports issued after 2003 contain biometric facial recognition information (3).
It is important that this technology be allowed to improve security and to grow in precision and reasonableness. With the epidemic of data hacking and piracy episodes and the steadily climbing rates of identity theft, technology-based solutions are increasing in value and potency. Despite being slowed by privacy issues and pending bills, biometrics is still a healthily emerging sector. Fingerprint technology remains a strong investor focus, though only a handful of public companies are consistently profitable. This is indicative of an overall confidence in the technology’s value to society. The key to ensuring sustained market expansion, and hence profitability, is industrial participation in the public policy debate.
In the future, instantaneous and surreptitious genetic scans may be possible, and the privacy debate will explode onto a whole new level. Until then, biometrics presents us with a first taste of a basic dichotomy: security vs. privacy, and safety from the government vs. safety from each other. Appropriate partnerships between business, government and the public can set useful limits on technology perfusion now, so that public paranoia and state distrust need not be detriments to market expansion and technology maturity in the future. Despite Charles Richardson’s assertion, biometrics need not be so scary, after all.
Raywat Deonandan is an owner of The Podium and a biotechnology consultant. His personal website may be found at www.deonandan.com.