[Dave Birch] I've been spending a lot of time on biometrics recently, trying to work out the best way for our customers to exploit some advances in the technology. In particular, especially given the ICO's recent "Privacy by Design" report, I've been trying to think of ways to make biometric authentication support identification in a reasonable business model that allows for appropriate privacy settings. One of the reasons why this is complicated is that the temptation to use biometrics for identification purposes is very strong.

Biometric authentication has a role in maintaining and defending our control of our own identity and personal data. This emerging technology makes it virtually impossible to assume someone else's unique identity.

[From Understanding anonymity and the need for biometrics | The Industry Standard]

But biometric authentication of what? If it is biometric authentication of a single, unvarying, "full disclosure" identity (eg, a national ID card of some description) then it's hard to justify the architecture. In other words, why bother with authenticating people against some identity token when you can just match them to their identity in some sort of database: instead of showing the supermarket an ID card to prove you are old enough to buy cigarettes, why not have the supermarket send your fingerprints off to a database and have the database tell the supermarket how old you are? There's no need for card. Or is there?

We have to expect that people will see us when we are in public and that our open public acts will be just that. But we have to worry that, in an anonymous world without authenticated identity, privacy will be violated when others can assume our identifying characteristics and take control of transactions and interactions outside the home that are indeed personal and unique to us.

[From Understanding anonymity and the need for biometrics | The Industry Standard]

With the right identification and authentication architecture, the card provides a means to prove authentication without necessarily disclosing identification. Thus, my ID card can tell you that I am its rightful owner (by matching my, say, fingerprint with an on-card template) and that I am 18. But there is no reason for it to tell you who I am.

So are biometrics good or bad? Again, let's use this phrasing: if biometrics did work properly, what are the implications for the connection between real identity and virtual identity? One thing to bear in mind is that the systems are used by real people. If we implement biometric systems, we'll get results that have nothing to with the technology (or privacy) and everything to do with human nature:

However, according to senior officials those employees who have been forced to come on time due to the biometric way of attendance are trying to `sabotage' the machines.

[From Glitches galore in MCD biometric machines-Delhi-Cities-The Times of India]

On balance, I think I'll come down on the side of "help", because there is the potential to implement useful systems in a privacy-enhancing way, even if it is not currently being fulfilled.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

3 comments

  1. I think they are only helpful if they are used by your own devices to authenticate you before running a zero knowledge proof with a remote system – so that the device, its operations and your own biometric measures remain firmly under your own control. It means identity fraudsters have to steal both the device and your biometrics rather than just pick up your fingerprint from anything you touched. And it reduces the ability of governments to use your biometrics to create a super-intrusive dossier of your activities.

  2. “I’ve been spending a lot of time on biometrics recently, trying to work out the best way for our customers to exploit some advances in the technology.”
    It would be interesting to hear what advances these are that you refer to.
    Unless real advances have been made, we are still in the position where mass consumer biometrics don’t work well enough to be relied on, http://dematerialisedid.com/BCSL/Genealogy.html, which would imply that you are wasting your time looking for ways to exploit the technology.
    Not unlike the British Consumer Society meeting in four days time where you aim to discuss the business opportunities offered by the UK ID card scheme which may achieve 80% coverage in 13 years time or not, http://digitaldebateblogs.typepad.com/digital_identity/2009/01/business-and-id-cards.html
    This threatens to become habit-forming, Dave!

  3. “It would be interesting to hear what advances these are that you refer to”
    There are two of particular interest at present. One is the combination of voice recognition and voice authentication, where relatively small improvements in the underlying biometric have led to a significant improvement in overall useability, and the other is face recognition (Apple’s new iPhoto includes this and I’m looking forward to trying it out this week).

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this:
Verified by MonsterInsights