Unless you want to put users in danger of having their fingers chopped off or their eyes gouged out, steer clear of biometric technology for critical security applications. That's the view of at least one UK security expert, and although he may be a bit paranoid, his opinion highlights the suspicion and extreme emotions the technology elicits in some quarters. Resellers thinking of getting into biometrics need to be aware of such perceptions and how to deal with them.
In the wake of 11 September, the biometrics industry has gone on the offensive, pooh-poohing its critics and promoting its products as the most effective way to improve security in a changed world. Airlines and airports are looking at biometric systems with interest. Some have already gone live, such as the iris-scan system introduced to authenticate frequent flyers at Amsterdam's Schiphol Airport.
What a good idea
Recent surveys in the US and the UK have shown that a sizeable majority of users now consider biometrics a good idea - and not just for security checks at airports, but for tasks as mundane as retail transactions. In one survey, conducted for Compaq shortly before Christmas, more than two-thirds of a sample of 1,000 UK consumers said they would be happy to provide fingerprints, or even DNA samples, if it helped cut down fraud. In the past, such widespread acceptance would have been unthinkable. Civil liberties concerns were paramount and there was consternation at the idea of third parties holding databases of people's biometric data.
Rick Norton, executive director of the International Biometric Industry Association (IBIA), welcomes the change of attitude. "Because of the events of 11 September, people stopped contemplating their belly buttons on this issue and looked at what the technologies could really do. Usually people throw in some imaginary privacy issues. The fact of the matter is, the technologies were invented to protect privacy and most of them operate in exactly that way. I think what has happened here is that people have become educated since 11 September and realised there is nothing to fear." He adds that those still concerned should look at IBIA's privacy guidelines.
But not everyone's attitude has changed. Ben Laurie is director and founder of The Bunker, a secure hosting provider - very secure in fact, given that The Bunker is situated in an old MoD nuclear bunker in the wilds of the Kent countryside. He's also the author of the open source secure Web server, Apache SSL. "Tagging and tracking of people is something that's difficult to sell because of the civil liberties aspect, but 11 September gave the manufacturers a great handle to say: 'Yes, but look at how it will save us from the threat of terrorism - so therefore you should spend lots of money with us please.' I think we've been going down the Big Brother route for quite a long time now and this is just another brick in the wall," he says.
Laurie is also concerned that the use of certain biometrics for secure access control could put users at risk of serious attack and maiming. "Technically, scanning irises or fingerprints works reasonably well. The snag is you want the eye or the finger to be attached to the person that owns it - but desperate people will go to desperate measures to get what they want."
Keep things in perspective
You may think anyone who owns a nuclear bunker may be overly concerned about security - and you may be right. The industry counters that current technologies include features for 'liveness testing' so that severed body parts will be rejected by the system. "The idea that people are going to be plucking out eyes, cutting off fingers and lopping off heads in order to pose as people is preposterous," says Norton. "Liveness testing means people aren't exposed to this sort of risk."
But Laurie is not convinced. "What really concerns me is that liveness testing is done on things like pulse or temperature - what's to stop me from faking that with electronics? Say hand scanning was being used to control access to a prison. Prisoners trying to escape wouldn't necessarily know the system had built-in liveness testing - they might not escape, but the guard could still lose a hand," he argues.
While it may seem far-fetched, even people within the biometrics industry accept that there are valid concerns over the ability to fool systems. Mark Yadegar is CEO of Portsmouth-based biometrics developer and distributor Bio4. "There are ways to get round biometric systems, there's no doubt about it," he says. "The criminal fraternity is far more resourceful than we could ever believe - largely because they've got the time and the money. But one of the things I always ask people is what do they have at the moment? Most systems are password-based and any mug can break a password."
As for privacy concerns, Norton says: "Biometric technologies erect walls between unauthorised people and personal data. At the moment, you've got all that personal data out there without any protection on it. What biometrics does is provide a layer of security to do that. The only concern about privacy is whether or not somebody might abuse that data, but abuse what? The string of bits that represent a biometric template? What are you going to do with it? You can't extract it to pose as someone else, you can't reverse-engineer it to find out who somebody is and you can't cross-reference it to create any sort of a massive database. It's a travesty to wring our hands over whether or not there may be some massive conspiracy of corporates or government leaders to corrupt our privacy."
But then again, he is American. On this side of the pond, we tend to be a little more cynical about what governments may be up to. Leslie Bowie is technical director at ABM UK, which supplies biometric systems to most of the UK's police forces and others internationally. He believes people need to keep a close eye on civil liberties. "In France, they're very strict about what's recorded about French nationals and what data is shared, largely because of what happened in the war - people coming in and databases getting into the wrong hands. I would hate to build huge databases of biometric information because if we look back at history, we can see abuse has happened," he says.
However, monitoring abuse is not down to people who sell biometric technology. The technology itself is neutral and, as Norton points out, there are many applications where it can actually enhance privacy. It's up to resellers to be aware of the issues, address customers' concerns and offer compelling applications. After all, people will be willing to part with personal data if they see they're getting something worthwhile in return.
Although attitudes to biometrics have changed since 11 September, there's no telling how temporary that shift may be. Past experience shows people are very wary when it comes to anything that smacks of Big Brother, as Bowie points out: "A few years ago, M&S introduced face logging as a way to monitor returns to see if they could spot the same people coming up again and again. But the customers were up in arms and it was taken out after about a day."
This was first published in February 2002