I’d like to spout off about fingerprints and biometric ID cards, but I’m running into several problems. First of all, I know enough about computer security, and security in general, to realise that I don’t actually know very much at all. Secondly, getting to the point where I could talk about it knowledgeably and maybe contribute an original thought or two would take a good deal of effort, and I’m waaay too lazy for that. And finally, I have friends who do security for a living, and they’d lay the smack down on me if I decided to talk buttocks instead of doing a properly researched article.
A small note on buttocks: this has become my new favourite word after listening to last week’s edition of The Now Show on Radio 4, when Marcus Brigstocke uttered the wonderful line:
“Your argument is buttocks. It stinks, it has a large crack up the middle, and frankly, it’s beneath you.”
So I’ll point you to some articles by Bruce Schneier instead: Fingerprinting Visitors Won’t Offer Security, IDs and the illusion of security and America’s Flimsy Fortress.
I don’t think that biometric identification is a bad thing in principle, so long as it is applied in a limited, secure, and privacy-conscious fashion. If there does have to be some way of “definitively” proving that a passport, ID card, or bank card belongs to the person holding it, then fingerprints or iris scans are relatively simple and immutable. Photographs are dodgy, signatures are too easily forged, and PIN numbers and passwords are too easily forgotten if you don’t use them regularly. (Ask the IT helpdesk of any moderately large organisation.)
However, that’s all it does: prove that the holder of the card in question is who they say they are. It doesn’t say anything about what you can do with that proof, like withdraw money from an account, or enter a country. Would a US customs official allow, say, Osama Bin Laden to enter the country just because his passport confirms that it geniunely belongs to him, and no-one else? No. You can’t do anything with identity alone. It’s like having a user ID with no email account to use it on. In order for identities to be useful, they have to be linked to some information.
For bank cards, this information is a bank account. Once you’ve proved who you are, a bank can link this identity to their database of accounts, and allow you access to the right funds. Likewise, what the new US border controls are intended to do is link your identity (as proved by a fingerprint, or a biometric passport) to their database of naughty people. If you are a naughty person, they will arrest, deport, or disappear you as appropriate. (Did I say “disappear”? Surely not!).
Generally, people will agree that keeping naughty people out or their country, or arresting them so they can’t do any harm, is a good thing. And it is. The real problem is how we define “naughty,” and how we allow that definition to change over time. Right now, we might be just talking about criminals with outstanding warrants, and visa violators. Should speeding tickets or parking violations be taken into consideration? How about information about your P2P music sharing habits? The allegedly defamatory comments you once left behind on someone’s weblog? History shows that once governments are granted a new power, they are very reluctant to give it up again. From Bruce Schneier’s essay “Fingerprinting Visitors Won’t Offer Security“:
“The U.S. system of government has a basic unwritten rule: The government should be granted only limited power, and for limited purposes, because of the certainty that government power will be abused. We’ve already seen the Patriot Act powers granted to the government to combat terrorism directed against common crimes. Allowing the government to create the infrastructure to collect biometric information on everyone it can is not a power we should grant the government lightly. It’s something we would have expected in former East Germany, Iraq or the Soviet Union. In all of these countries, greater government control meant less security for citizens, and the results in the United States will be no different. It’s bad civic hygiene to build an infrastructure that can be used to facilitate a police state.”
Security, as Schneier is fond of saying, is a trade-off. How much convenience and privacy are you willing to give up in return for a given increase in security? For a measure like fingerprinting visitors and requiring biometric passports, which won’t go any great distance towards combating terrorism, the answer should be: not much. But once these measures are in place, the potential for future privacy abuses will be boundless.
Good rant, but it’s probably worth pointing out that a security system needs to offer both authentication and authorisation. Authentication is defined as identifying the user, and authorisation as the provision of rights and privileges based on the user’s identity. So once authenticated at a border check point using a passport, fingerprint or iris scan, the authorisation stage should decide what happens to the individual after that. This second stage is the one that’s lacking, and the one that governments (especially the US government) are going to abuse.
On a side note, the use of biometrics is an authentication mechanism, and ostensibly provides a better way of identifying an individual as it’s assumed to be more difficult to fake an iris scan than to get someone’s password, for example. However, it’s worth bearing in mind that unlike passwords, biometrics never authenticate users with 100% certainty. One letter or bit wrong in a password, and the user is denied entry. For a biometric match, it only needs to be close enough within acceptable limits to be successful.
The Register has an article on fingerprints possibly not being that reliable anyway.
http://www.theregister.co.uk/2004/04/06/identity/
andy