Although it is undoubtedly useful, personal identity technology could
potentially lend itself to the gradual erosion of democracy and support
for an authoritarian, protective state.
Personal Identity technology (ID-tech) is the complex of devices and
techniques by which the identity of individuals is established and/or
verified. It largely consists of biometric systems, that is, automated
technical systems that measure physical human characteristics, some of
them dynamically and in real time. The biometric device matches the
input sample against a stored template, in order to include or exclude
an individual from some action or activity. It is used for verifying who
you are (with smart card, username or ID number) or identifying who you
are. The data so collected could be used for purposes other than those
initially intended.
Fingerprint biometrics were first used at the
2004 Olympic Summer Games, Athens. In the USA, Australia, UK, EU and
other countries biometrics are being introduced into passport and visa
control. For example, citizens of Brazil have their signature, photo,
and 10 rolled fingerprints collected by passport requests. There is a
very wide variety of uses e.g. in immigration, customs, ATMs, retail,
schools, policing, and intelligence.
While ID-Tech has many uses and conveniences
it poses risks to privacy, and most significantly is a technology that
could lend itself to government tracking and profiling of individuals on
a wider than acceptable scale. In a nutshell the convergence and
synchronising of of ID-tech capabilities lends itself to the potential
for a ‘Panopticon State’, one that has the policing powers to profile
any citizen almost continuously and simultaneously in several dimensions
of life, anywhere on the globe.
Both physiological and behavioural traits can be measured and recorded
by biometrics systems. The former include fingerprinting, face identity,
facial thermogram, hand and footprints, iris, retina, ear canal, DNA,
and even personal odour and scent. The latter include computer keystroke
dynamics, signature and writing, speech, voice (speaker), and gait. We
should also note the potential of RFID (radio frequency identification)
implants and body scans.
The benefits of biometric
systems
Biometric systems have benefits in the prevention and reduction of crime
generally, especially fraud and impersonation, and terrorism. They may
also help to solve crime, including ‘cold cases’, and stop the evasion
of arrest. It is often claimed, and may be true in many instances, that
such systems make for an efficient use of resources (creating new
demands, however). In the Super Bowl event of 2001 Florida police used
the facial recognition software FaceIt to search the crowd for
criminals, and found 19 people on arrest warrants. In the case of the
disappearance of
Madeleine McCann
(2007), the UK police
asked visitors at the Resort in Portugal in the two weeks prior to
child’s disappearance to provide any
photographs of passers-by for use in a
biometric facial recognition system. Since 2001 a retinal system has
helped apprehend thousands of persons re-entering the wealthy UAE with
fraudulent travel documents.
How reliable are they?
There are many issues of technical reliability, and these will raise
worries about misidentification. A biometric identification system is
expected to be universally applicable, whereas some individuals may not
qualify e.g. missing limbs, burns, loss of organ, injury-related changes
to gait, and cataract. They must be capable of unique identification,
whereas there is always some (very small) margin of fuzziness,
especially with family relatives and twins. They should be resistant to
the ageing of the individual; but faces etc. change with age, illness,
and injury and cosmetic surgery. There is also the problem of ‘data
collection’ being affected by overload and noise, e.g. in a crowd. The
efficiency and effectiveness may be in doubt because there will be
thresholds of definition (eg, a face at a distance), too slow a response
of the device, poor light, and software deficiencies. Biometric data
will ‘ideally’ be correlatable with other individual data, whereas these
may not be available or be compatible. There are also issues of
standardisation and interoperability.
With all these difficulties, and the
inevitable dose of human incompetence, one may give a sigh of relief for
the future of individual freedom and privacy. However, great efforts and
resources are being put into resolving them. Ultimately, developers of
such technologies know that their techniques must be socially
acceptable, whereas public may reject. We have recently seen that there
have been human rights concerns about airport body scans (admittedly, a
detection technology rather than an ID one).
The Hydra Effect
In any case, history has shown that technologies will be implemented,
sometimes widely, even when there are known difficulties (as well as
difficulties that emerge in practice). In this case a fundamental issue
is that the identity of the ‘target’ person may be compromised. There is
the impersonation issue: the system depends on the individual who is the
subject of the test being correctly identified at original enrolment. If
a biometric profile is stored for person ‘A’ then that data becomes
definitive even if this person is not in fact A. This is fundamental,
and has little to do with how sophisticated the technology is, and yet
there is a tendency in some quarters to assume that the technology
cannot be wrong. But if the ‘input’ is wrong, then the technology will
simply process it efficiently.
There are least another two fundamental
problems. Firstly, there is the possibility of someone using as a test
input what is in fact a hacked copy of the stored template. (Some
suggest a way around this is to technically exclude any absolutely
‘perfect match’.) Secondly, an ID device does not ‘know’ what it is
looking at. For example, face recognition systems are fooled with a
high-quality photograph of a face instead of a real face, so are
unsuitable for unsupervised applications such as door access. There is a
similar problem with fingerprints and iris patterns.
There are genuine concerns about the security of storage of biometric
data. It should be obvious, but is often forgotten, that a security
system is only as trustworthy as the people operating it, from low level
operatives to high level authorities. Malicious verifiers may wish to
steal templates from the database (although it has been suggested this
could discouraged with ‘reverse engineering’ technique). Then there is
the possibility of the ‘secondary use’ of biometric data: a user who
accesses two systems with the same fingerprint may allow another person
to ‘impersonate’ him. Most of these problems, evidently, have to do with
human not technological weakness. Technology does not make people
better.
You may think that internal hacking is
unlikely. Yet, to give one example, in 2007 tens of millions of credit
card users were put at risk by financial-transactions company Heartland
Payment Systems (USA) when malicious software was installed inside the
system.
If dependency on such systems grows then permanent identity loss is not
impossible. A system must retain the uniqueness of the trait template
unchanged (changed within narrow range), over the lifetime of the
individual. This ‘life-time’ property brings a risk. If biometric data
obtained by unauthorized users (eg, compromised from a database) then
the owner loses control over the data and loses his identity. Lost
passwords can be changed, but e.g. if someone’s face is compromised from
a database, they cannot cancel it or reissue it. A proposed solution is
the ‘cancellable biometrics’ technique which distorts the biometric
image before matching. But for every solution there is another problem.
A criminal employee could undistort the template with knowledge of the
distortion key. If we distrust the employees sufficiently to require a
distortion key, why would we trust them with the distortion key?
There is what I call a ‘Hydra Effect’ in technology. In Greek mythology
whenever the Hydra beast was decapitated it grew two more heads.
Similarly, every technical solution creates at least one more problem,
which is often trickier to solve. A technical solution is eventually
found at great cost, and then more problems appear. There may well be
diminishing returns on the resources being put into this ceaseless round
of technical innovations that ultimately cannot overcome the fundamental
issue of human weakness and failure.
Can we preserve our privacy?
We may take privacy to be the state of being free from unsanctioned
intrusion into one’s personal life. It is a value that is embodied in
human rights, national laws and diverse regulations. ID-technology gives
rise to the possibility of the misuse (real or perceived) of personal
biometric information for gainful intrusion. Examples of known misuses
are surveillance videos of vehicle licence plates being used to record
license plates to blackmail people, to stalk women and to track
estranged spouses. In some cases it has been police officers who have
been guilty of these offences.
Fingerprint recognition for the ignition of your car might seem like the
latest desirable innovation in hi-tech protection. But one may forget
the human factor. In 2005 Malaysian car thieves cut off the finger of
the driver of a Mercedes S-Class car so that they could steal his car.
If he had not had a sophisticated biometric device in the ignition he
would at least still have his finger. In the USA and EU some fear that
biometric information can be ‘skimmed’ and sold to criminals to identify
individuals for ransom-kidnapping and the like. In even worse scenarios
a racist or totalitarian government ( Hitler, Pol Pot, etc.) could use
data to determine unwanted traits in humans for population control
The Panopticon state?
One future scenario that does not receive enough serious attention is
the convergence of different ID-technologies into one (more or less)
interconnected system. Intelligence services world-wide are well on
their way. We could already be witnessing an information cascade, held
back only by lack of harmonisation, human incompetence and poor
communications. Public protest is not yet a major hindrance.
The utilitarian philosopher Jeremy Bentham conceived a plan in 1791 for
a new kind of prison, the Panopticon, the novelty of which was that any
prison could be seen from anywhere at any time. A variety of modern
technologies, including those based on biometrics, may be converging
towards the possibility of a Panopticon State, in which any citizen can
be tracked and a life-profile composed without their ever knowing. Body
scans, bank details, credit card trails, Google, RFID, fingerprints,
face and iris, recognition, GPS, health records, mobile phone use, bus
and train cameras, spy satellites, street cameras, wire taps and now
body scans could, in theory, be brought together in various
configurations. Perhaps only the political will stands in the way.
Biometric information may be shared or different databases may be
networked, eg, telebiometric systems join biometrics with
telecommunications. There is the possibility of tracking individuals.
For example, security cameras can be linked to a facial recognition
system or a public transport system using biometry. At the moment, in
most cases the information from different sensors generate differently
encrypted outcomes so cannot be compared, but this can be overcome. The
unification of different biometric outcomes by means of data exposure or
through global or regional standardisation is not impossible. Already
there are some public concerns about ‘leakage’ of fingerprint data from
schools to health, insurance and other agencies with a discriminatory
effect on access to services.
Sir Ken MacDonald QC, the UK's Director of Public Prosecutions
(2003-08) has said, "We need to take very great care not to fall into a
way of life in which freedom's back is broken by the relentless pressure
of a security State.”
Richard Thomas, the Information
Commissioner is reported as saying “My anxiety is that we don’t
sleepwalk into a surveillance society”. He was thinking mainly of the
UK’s
National Identity Scheme. These
two people are hardly radicals, and know ‘from the inside’ what they are
talking about.
We may think the main issue is National ID cards, but they have a lesser
role than the database they are linked to, i.e. the National Identity
Register. A new law specifies 50 categories of information that the
Register can hold on each citizen, including up to 10 fingerprints,
digitised facial scan and iris scan, current and past UK and overseas
places of residence, throughout their lives and with indices to other
Government databases which would allow them to be connected into a
personal profile. The legislation also says that any further information
can be added. The amount of data which can be recorded on the scheme’s
Register is unlimited. Still, the good news is that fingerprints are not
yet being taken, and plans to take iris scans have been dropped,
although not ruled out.
This is not the place to go into the detail of the scheme but the Home
Office forecasts that 265 government departments and as many as 48,000
accredited private sector organisations would have access to the
database, and that 163 million identity verifications or more may take
place each year. The cost of the scheme is variously put at between 5
and 15 billion pounds over 10 years.
Naturally, the Commission for Racial Equality and ethnic/religious
minorities are expressing concerns about discrimination. If one thinks
this is far-fetched or alarmist one should recall that in the USA not so
long ago the FBI head J. Edgar Hoover (and his vast fingerprint records)
pursued not only criminals, but people he chose to classify as
"security risks," "subversives," "agitators," "deviants," "black
nationalists," and "peaceniks."
Provisions for consent to
biometric schemes
Public acceptance of the national ID scheme has been mixed and
controversial (but not controversial enough), with diminishing support
after reports of the loss of millions of items of public service
information in several quarters (See the NGO called “NO2ID”).
Meanwhile, some
UK parents have been protesting school
fingerprinting since 2001. These are used for purposes of
registration, truancy control, parental payments, replacements of
library or meal cards, and possibly for exam ID.
Protests sometimes take a more colourful form. The Chaos Computer Club
of hackers published a fingerprint of the German Minister of the
Interior, Wolfgang Schäuble, in its magazine Datenschleuder (March
2008). The magazine included the fingerprint on a film for readers to
give them access to whatever the Minister had access to. If they can do
it, criminals can do it, and undemocratic governments can do it.
A particular focus for protest in the UK has been school fingerprinting
without consent. One surprising facet of this is that the Data
Protection Act does not explicitly require schools to gain consent. The
Act is, apparently, about information, not images. More research also
needs to be given to how the Human Rights Act and the Freedom of
Information Act relate to the storage and transmission of ‘data’ which
is perhaps not ‘information’ in the sense of text. A democratic future
depends on asking many questions that are currently not even being
conceived, let alone asked.
Professor Geoffrey Hunt teaches at
St Mary's University College in
London. This article by Professor Hunt was originally published on the
website of BioCentre, a
think-tank focusing on emerging technologies and their ethical, social
and political implications.
|