acm - an acm publication


Database nation (book excerpts)

Ubiquity, Volume 2000 Issue February, February 1 - February 28, 2000 | BY Simson Garfinkel 


Full citation in the ACM Digital Library

Between 1989 and 1995, I lived in a house that had a voice print lock on its front door. The lock gave me freedom and power. It gave me the freedom to walk around without fear of losing my keys: as long as I had my voice, I knew that I would always be able to get back into my house. And it gave me the power to control access to my home with tremendous precision. For example, I could voice print a contractor who was doing work on my house, knowing for sure that he would not give the key to one of his employees or make a copy for himself. And I never had to ask somebody for his keys back: all I had to do was erase his voice from the lock's memory.

But the voice print lock was not without its faults. After a few months, I discovered that I could not enter my house if a jet was flying overhead, or during a particularly loud rainstorm. I also discovered that biometrics are not democratic. Certain individuals could not be reliably identified by the system, while others were always identified on their first try. (Similar problems have been reported with fingerprint identification systems.) As a result, I eventually created "voiceless codes" that would let people in without requiring that they first speak a pass-phrase.

As we move into the next century, experiences such as mine will become widespread, as biometrics increasingly replace keys and identity cards. Biometrics will be used to open the doors of office buildings and to unlock computer files. Your computer will recognize you when you sit down in front of it, either by voice or by using its built-in video camera. It's easy to see why people are likely to prefer biometrics-based systems: there will be no passwords to forget and no access cards to lose. Yet at the same time, some people will be discriminated against because their biometrics are not easily read or reproduced.

Imagine a university in the year 2020. At the cafeteria, students take a tray, pick up the food that they want, and then simply walk to the dining room. A computerized system scans each student's tray, calculating the cost of the food they've taken, then looks at the student's face to figure out whose account should be debited. At the library, another face recognition system has long since replaced the student's library card. When the student walks into a laboratory, the computer scans his face to make sure that he has authorized entry--this is especially important for labs that contain material that could be subverted and used by terrorists. And when the student sits down at a computer, the system automatically logs the person in and opens his files.

This university of the future won't need to issue its students identification cards: a smart video camera and a connection to the university's computer network will work just as well. But the university will probably continue to issue student IDs so students can prove their university affiliation to area businesses and other organizations. After all, no university is going to let outsiders tap into its biometric database!

The university biometric identification system works because a university is a total environment and students are voluntary members. Because students are paying a lot of money to earn academic credit, and because a university's library privileges, athletic facilities, and dorms are not available to the general public, the students have a vested interest in being properly identified by the institution.

Many stores now have video cameras that record the image of everyone who walks inside. (Frequently, these cameras are positioned in such a way that they also record the person's height.) Soon these cameras will likely be connected to computers and networks that use the person's face and other information to determine his or her identity. The store's computers might consult public records to find out if the person who just entered is wanted by the authorities. The computer might check other databases to find out if the person has a history of violent behavior, or if they owe too much money on their credit cards, or if they are suspected shoplifters. Place the camera outside the store and you can have the computer automatically lock the store's doors when a disreputable person tries to enter. Because these identification systems won't be perfect, places that use them will have to weigh the risk of not using the technology versus the risk of lawsuits, civil penalties, or simply poor customer relations that might result from misidentifications. In fact, the computer would probably be programmed to weigh the risk for each shopper.

Building a database of all the nation's faces would not be very difficult, since much of the data is already in public hands. In the 1990s, most states began digitizing photographs that were recorded on driver's licenses. These photographs, which are now part of the public record, will increasingly be sold to private businesses unless the sales are prohibited by legislation. The process has already started. In February 1999, the South Carolina Public Safety Department sold photographs of the state's 3.5 million drivers to Image Data LLC of Nashua, New Hampshire. The price was a bargain basement $5,000, or roughly a penny for seven photos, according to an article in the Washington Post.

The Washington Post also revealed that Image Data LLC had received a $1.46 million grant and technical assistance from the U.S. Secret Service in 1998. The company was charged with building a national photo ID database to fight check and credit card fraud, as well as to fight terrorism and verify immigration status.

Image Data's plans cause alarm because photographs provide tremendous potential for abuse. For example, a racist programmer operating inside a bank might gimmick a bank's loan calculation program to automatically factor in a person's skin tone as part of the loan approval process. Alternatively, a bug in a computer program, especially one based on "neural net" technology, might inadvertently factor in this information without anyone's conscious planning. Such calculations could be exceedingly difficult to locate during a routine audit.

Ironically, there is a far cheaper and easier approach for using photography to prevent check and credit fraud. Instead of building a computerized database with all of the nation's faces, simply put each person's photograph on the front of his or her credit cards and checks. The Polaroid Corporation developed a photo credit card in the 1960s, but most banks resisted using the cards. One reason was that photographs, while they decrease fraud, marginally increase costs. The second reason is that if a person's photograph needs to be snapped before that person can be issued a credit card, then banks cannot acquire new customers by target marketing: in order to get a photograph onto the card, the customer needs to come into the bank in person.

The national database of photographs is well on its way to being created. But we as a society need to discuss what this database will be used for, who will have access to it, and how erroneous information will be corrected. It would be a mistake to give private industry unrestricted use of this data without any checks and balances.

Reprinted with permission from "Database Nation" (c) 2000, O'Reilly Associates, Inc. All rights reserved. Orders and Information: 800-998-9938, See also


Simson L. Garfinkel is a journalist, a high-tech entrepreneur and an author.


Leave this field empty