Personal
Identity technology (ID-tech) is the complex of devices and techniques
by which the identity of individuals is established and/or verified. It
largely consists of biometric systems, that is, automated technical
systems that measure physical human characteristics, some of them
dynamically and in real time. The biometric device matches the input
sample against a stored template, in order to include or exclude an
individual from some action or activity. It is used for verifying who
you are (with smart card, username or ID number) or identifying who you
are. The data so collected could be used for purposes other than those
initially intended.

Fingerprint biometrics were first used at
the 2004 Olympic Summer Games, Athens. In the USA, Australia, UK, EU
and other countries biometrics are being introduced into passport and
visa control. For example, citizens of Brazil have their signature,
photo, and 10 rolled fingerprints collected by passport requests. There
is a very wide variety of uses e.g. in immigration, customs, ATMs,
retail, schools, policing, and intelligence.

While ID-Tech has
many uses and conveniences it poses risks to privacy, and most
significantly is a technology that could lend itself to government
tracking and profiling of individuals on a wider than acceptable scale.
In a nutshell the convergence and synchronising of of ID-tech
capabilities lends itself to the potential for a ‘Panopticon State’,
one that has the policing powers to profile any citizen almost
continuously and simultaneously in several dimensions of life, anywhere
on the globe.

Both physiological and behavioural traits can be
measured and recorded by biometrics systems. The former include
fingerprinting, face identity, facial thermogram, hand and footprints,
iris, retina, ear canal, DNA, and even personal odour and scent. The
latter include computer keystroke dynamics, signature and writing,
speech, voice (speaker), and gait. We should also note the potential of
RFID (radio frequency identification) implants and body scans.

The benefits of biometric systems

Biometric
systems have benefits in the prevention and reduction of crime
generally, especially fraud and impersonation, and terrorism. They may
also help to solve crime, including ‘cold cases’, and stop the evasion
of arrest. It is often claimed, and may be true in many instances, that
such systems make for an efficient use of resources (creating new
demands, however). In the Super Bowl event of 2001 Florida police used
the facial recognition software FaceIt to search the crowd for
criminals, and found 19 people on arrest warrants. In the case of the
disappearance of Madeleine McCann (2007), the UK police asked visitors
at the Resort in Portugal in the two weeks prior to child’s
disappearance to provide any photographs of passers-by for use in a
biometric facial recognition system. Since 2001 a retinal system has
helped apprehend thousands of persons re-entering the wealthy UAE with
fraudulent travel documents.

How reliable are they?

There
are many issues of technical reliability, and these will raise worries
about misidentification. A biometric identification system is expected
to be universally applicable, whereas some individuals may not qualify
e.g. missing limbs, burns, loss of organ, injury-related changes to
gait, and cataract. They must be capable of unique identification,
whereas there is always some (very small) margin of fuzziness,
especially with family relatives and twins. They should be resistant to
the ageing of the individual; but faces etc. change with age, illness,
and injury and cosmetic surgery.  There is also the problem of ‘data
collection’ being affected by overload and noise, e.g. in a crowd. The
efficiency and effectiveness may be in doubt because there will be
thresholds of definition (eg, a face at a distance), too slow a
response of the device, poor light, and software deficiencies.
Biometric data will ‘ideally’ be correlatable with other individual
data, whereas these may not be available or be compatible. There are
also issues of standardisation and interoperability.

With all
these difficulties, and the inevitable dose of human incompetence, one
may give a sigh of relief for the future of individual freedom and
privacy. However, great efforts and resources are being put into
resolving them. Ultimately, developers of such technologies know that
their techniques must be socially acceptable, whereas public may
reject. We have recently seen that there have been human rights
concerns about airport body scans (admittedly, a detection technology
rather than an ID one).

The Hydra Effect

In
any case, history has shown that technologies will be implemented,
sometimes widely, even when there are known difficulties (as well as
difficulties that emerge in practice). In this case a fundamental issue
is that the identity of the ‘target’ person may be compromised. There
is the impersonation issue: the system depends on the individual who is
the subject of the test being correctly identified at original
enrolment. If a biometric profile is stored for person ‘A’ then that
data becomes definitive even if this person is not in fact A. This is
fundamental, and has little to do with how sophisticated the technology
is, and yet there is a tendency in some quarters to assume that the
technology cannot be wrong. But if the ‘input’ is wrong, then the
technology will simply process it efficiently.

There are least
another two fundamental problems. Firstly, there is the possibility of
someone using as a test input what is in fact a hacked copy of the
stored template. (Some suggest a way around this is to technically
exclude any absolutely ‘perfect match’.) Secondly, an ID device does
not ‘know’ what it is looking at. For example, face
recognition systems are fooled with a high-quality photograph of a face
instead of a real face, so are unsuitable for unsupervised applications
such as door access. There is a similar problem with fingerprints and
iris patterns.

There
are genuine concerns about the security of storage of biometric data. 
It should be obvious, but is often forgotten, that a security system is
only as trustworthy as the people operating it, from low level
operatives to high level authorities. Malicious verifiers may wish to
steal templates from the database (although it has been suggested this
could discouraged with ‘reverse engineering’ technique). Then there is
the possibility of the ‘secondary use’ of biometric data: a user who
accesses two systems with the same fingerprint may allow another person
to ‘impersonate’ him. Most of these problems, evidently, have to do
with human not technological weakness. Technology does not make people
better.

You may think that internal hacking is unlikely. Yet, to
give one example, in 2007 tens of millions of credit card users were
put at risk by financial-transactions company Heartland Payment Systems
(USA) when malicious software was installed inside the system.

If
dependency on such systems grows then permanent identity loss is not
impossible. A system must retain the uniqueness of the trait template
unchanged (changed within narrow range), over the lifetime of the
individual. This ‘life-time’ property brings a risk. If biometric data
obtained by unauthorized users (eg, compromised from a database) then
the owner loses control over the data and loses his identity. Lost
passwords can be changed, but e.g. if someone’s face is compromised
from a database, they cannot cancel it or reissue it. A proposed
solution is the ‘cancellable biometrics’ technique which distorts the
biometric image before matching. But for every solution there is
another problem. A criminal employee could undistort the template with
knowledge of the distortion key. If we distrust the employees
sufficiently to require a distortion key, why would we trust them with
the distortion key?

There is what I call a ‘Hydra Effect’ in
technology. In Greek mythology whenever the Hydra beast was decapitated
it grew two more heads. Similarly, every technical solution creates at
least one more problem, which is often trickier to solve. A technical
solution is eventually found at great cost, and then more problems
appear. There may well be diminishing returns on the resources being
put into this ceaseless round of technical innovations that ultimately
cannot overcome the fundamental issue of human weakness and failure.

Can we preserve our privacy?

We
may take privacy to be the state of being free from unsanctioned
intrusion into one’s personal life. It is a value that is embodied in
human rights, national laws and diverse regulations. ID-technology
gives rise to the possibility of the misuse (real or perceived) of
personal biometric information for gainful intrusion. Examples of known
misuses are surveillance videos of vehicle licence plates being used to
record license plates to blackmail people, to stalk women and to track
estranged spouses. In some cases it has been police officers who have
been guilty of these offences.

Fingerprint recognition for the
ignition of your car might seem like the latest desirable innovation in
hi-tech protection. But one may forget the human factor. In 2005
Malaysian car thieves cut off the finger of the driver of a Mercedes
S-Class car so that they could steal his car. If he had not had a
sophisticated biometric device in the ignition he would at least still
have his finger. In the USA and EU some fear that biometric information
can be ‘skimmed’ and sold to criminals to identify individuals for
ransom-kidnapping and the like. In even worse scenarios a racist or
totalitarian government ( Hitler, Pol Pot, etc.) could use data to
determine unwanted traits in humans for population control

The Panopticon state?

One
future scenario that does not receive enough serious attention is the
convergence of different ID-technologies into one (more or less)
interconnected system. Intelligence services world-wide are well on
their way. We could already be witnessing an information cascade, held
back only by lack of harmonisation, human incompetence and poor
communications. Public protest is not yet a major hindrance.

The
utilitarian philosopher Jeremy Bentham conceived a plan in 1791 for a
new kind of prison, the Panopticon, the novelty of which was that any
prison could be seen from anywhere at any time. A variety of modern
technologies, including those based on biometrics, may be converging
towards the possibility of a Panopticon State, in which any citizen can
be tracked and a life-profile composed without their ever knowing. Body
scans, bank details, credit card trails, Google, RFID, fingerprints,
face and iris, recognition, GPS, health records, mobile phone use, bus
and train cameras, spy satellites, street cameras, wire taps and now
body scans could, in theory, be brought together in various
configurations. Perhaps only the political will stands in the way.

Biometric information may be shared or different databases may be networked, eg, telebiometric
systems join biometrics with telecommunications. There is the
possibility of tracking individuals. For example, security cameras can be linked to a
facial recognition system or a public transport system using biometry.
At the moment, in most cases the information from different sensors
generate differently encrypted outcomes so cannot be compared, but this
can be overcome. The unification of different biometric outcomes by
means of data exposure or through global or regional standardisation is
not impossible. Already there are some public concerns about ‘leakage’
of fingerprint data from schools to health, insurance and other
agencies with a discriminatory effect on access to services.

Sir
Ken MacDonald QC,  the UK's Director of Public Prosecutions (2003-08) has said,
"We need to take very great care not to fall into a way of life in
which freedom's back is broken by the relentless pressure of a security
State.” Richard Thomas, the Information Commissioner is reported as
saying “My anxiety is that we don’t sleepwalk into a surveillance
society”. He was thinking mainly of the UK’s National Identity Scheme. These two people are hardly radicals, and know ‘from the inside’ what they are talking about.

We
may think the main issue is National ID cards, but they have a lesser
role than the database they are linked to, i.e. the National Identity
Register.  A new law specifies 50 categories of information that the
Register can hold on each citizen, including up to 10 fingerprints,
digitised facial scan and iris scan, current and past UK and overseas
places of residence, throughout their lives and with indices to other
Government databases which would allow them to be connected into a
personal profile. The legislation also says that any further
information can be added. The amount of data which can be recorded on
the scheme’s Register is unlimited. Still, the good news is that
fingerprints are not yet being taken, and plans to take iris scans have
been dropped, although not ruled out.

This is not the place to
go into the detail of the scheme but the Home Office forecasts that 265
government departments and as many as 48,000 accredited private sector
organisations would have access to the database, and that 163 million
identity verifications or more may take place each year. The cost of
the scheme is variously put at between 5 and 15 billion pounds over 10
years.

Naturally, the Commission for Racial Equality and
ethnic/religious minorities are expressing concerns about
discrimination. If one thinks this is far-fetched or alarmist one
should recall that in the USA not so long ago the FBI head J. Edgar
Hoover (and his vast fingerprint records) pursued not only  criminals,
but people he chose to classify as "security risks," "subversives,"
"agitators," "deviants," "black nationalists," and "peaceniks."

Provisions for consent to biometric schemes

Public
acceptance of the national ID scheme has been mixed and controversial
(but not controversial enough), with diminishing support after reports
of the loss of  millions of items of public service information  in
several quarters (See the NGO called “NO2ID”). Meanwhile, some UK parents have been protesting school fingerprinting since 2001. These
are used for purposes of registration, truancy control,  parental
payments, replacements of library or meal cards, and possibly for exam
ID.

Protests
sometimes take a more colourful form. The Chaos Computer Club of
hackers published a fingerprint of the German Minister of the Interior,
Wolfgang Schäuble, in its magazine Datenschleuder (March 2008). The
magazine included the fingerprint on a film for readers to give them
access to whatever the Minister had access to. If they can do it,
criminals can do it, and undemocratic governments can do it.

A
particular focus for protest in the UK has been school fingerprinting
without consent. One surprising facet of this is that the Data
Protection Act does not explicitly require schools to gain consent. The
Act is, apparently, about information, not images. More research also
needs to be given to how the Human Rights Act and the Freedom of
Information Act relate to the storage and transmission of ‘data’ which
is perhaps not ‘information’ in the sense of text. A democratic future
depends on asking many questions that are currently not even being
conceived, let alone asked.

Professor Geoffrey Hunt teaches at
St Mary's University College in London. This
article by Professor Hunt was originally published on the website of
BioCentre, a think-tank focusing on emerging technologies and their ethical,
social and political implications.