The privacy paradox

Ubiquity, Volume 2002 Issue April, April 1- April 30, 2002 | BY Jennifer Carlisle 


A national biometric database in place of our current flawed identification systems could prevent the loss of liberty and autonomy.

Defending the privacy of our personal data has become more challenging since September 11. Our lives are already tracked and measured in so many ways, and our identities can be stolen and abused so easily, that the addition of biometric identifiers, as is being implemented this year in Hong Kong, seems like the proverbial "last straw." Paradoxically, a true national biometric identification system may hold the key to guaranteeing and protecting our rights to privacy. A single national biometric database, replacing the currently flawed systems used for drivers' licenses, Social Security and passports, may be the best way to protect our privacy and enable us to regain control over who tracks us and who gets access to what data about us.

While writing an honors thesis at USC, I conducted a year-long research study on personal data privacy. Neither legislation nor technology seemed to offer a solution that was both feasible and acceptable to all parties. Most special interests in this country favor weak legislation, and new "security technology" tends to facilitate invasion of privacy rather than its protection. I first examined in detail the EU Privacy Directive and various US responses and then focused on the privacy aspects of the 2001 HIPAA legislation. No major breakthroughs or improvements seemed likely.

As my research progressed, I realized that one of the greatest threats to privacy is flawed security of information, which is compounded by our inability to reliably identify individuals. The fundamental flaws in our identification system allow personal data to be incorrectly correlated, accessed by individuals without the proper clearance and, worse, for others to pretend to be someone they are not. I realized that a significant improvement in personal privacy could be achieved by fundamentally improving the way we identify ourselves. Instead of relying on passwords, tokens, smart cards and other identifiers, which can easily be stolen or forged, we need to be able to identify ourselves based on biometrics (i.e., the use of physical or behavioral characteristics such as fingerprints, iris scans, voice signatures, face scans, etc).

Since the terrorist attacks on the World Trade Center and the Pentagon, there have been numerous proponents of biometric identifiers. But if we have many systems (e.g., DMV, INS, criminal system, airports, sports arenas, schools and Social Security -- all of which now propose to begin using such identifiers in parallel), then who is to say which is the correct identifier, and who is to validate the accuracy of the ID databases? I am loath to trust the DMV and airport security to verify identities.

I came to realize that the greatest risk to society is not the creation of databases -- many of which are essential to our modern lifestyles; rather it is the inadequate protection of data. This led me to a paradox: that our privacy can be better protected through the creation of a universal biometric identification database, and that our privacy is far more likely to be compromised by the current plethora of poorly managed, decentralized identity databases. Most Americans have already contributed data to dozens of databases, and we are enticed daily to sign away our rights to protect those data. Concealing our identity is not really an option. Rather, the first step in privacy protection is to provide a means of absolute identification, thereby preventing others from impersonation and identity theft. The second step is to overhaul the laws protecting the data collected about us, and the third step is to improve cyber security.

Privacy experts have a great fear of databases, due to the increasing access of corporations, the government, hackers and criminals to our personal data. While some of this access is legitimate, in many cases data can be misused for unauthorized secondary purposes. Corporate and government abuse can be prevented by stronger laws limiting the use of personal data and by better enforcement of these laws. The European Union has passed a comprehensive Privacy Directive, with which US firms must comply when doing business there. The US has adopted a similar model in recent HIPAA legislation, defining the methods for protecting and sharing health data. US laws protecting privacy of financial data leave a great deal to be desired. Our greatest protection from government abuse seems to be the unwillingness of agencies to share data and the primitive nature of the systems they use. Laws and government regulations will not stop hackers and criminals, who gain illegal access to personal data in many ways. Sometimes individuals are careless (e.g., we sell a computer without erasing the disk, send email to the wrong address, leave a list of passwords on our desk or throw it away). Devious people can access our personal data by gaining access to an administrator account, by hacking into a system or by identity theft. Carelessness can be discouraged through education and penalties, but theft and misuse of the data can only be reduced by means of a better system of identification and access authorization.

In America today, it is far too easy to conceal our own identity or assume the identity of another for the purpose of doing wrong. An individual can steal an identity by obtaining some easily discovered pieces of information about a person or by stealing a card or token that is used to identify the individual. To protect our identity, which is crucial in protecting our privacy, there must be a form of identification that cannot be learned, stolen or forged. The only effective means of accomplishing this is the use of biometrics.

Biometrics uses a digital measurement of a physical characteristic or personal behavioral trait to recognize the identity, or verify the claimed identity, of an individual. Some characteristics that lend themselves well to biometrics are iris scans, fingerprints, voice signatures, retinal scans and face prints. Unless a thief is willing to undergo reconstructive surgery or has extremely sophisticated electronic equipment, it is extremely difficult to fake biometrics, especially if biometric identification is combined with human monitoring. By this I mean that a security team is checking to ensure that individuals are actually presenting themselves for identification, and not, say, hooking up a small computer loaded with other people's biometrics to try to fool the scanner. Even if biometrics are less than 100 percent perfect, they offer far better identity verification than the easily counterfeited driver's licenses, Social Security numbers and passports.

There is a great distrust of biometrics among privacy advocates, and a strong fear of Orwell's Big Brother. However, these concerns can largely be alleviated with the creation of laws, enforcement agencies and monitoring to ensure that the government and corporations do not misuse the data. We do not live in an authoritarian country, but rather a democracy with numerous checks and balances. The key to preventing the loss of our liberty and autonomy is not to prevent the spread of technology, but rather to ensure that it is used properly and in a transparent manner. The development of biometrics should be treated similarly to the development of genetics. It is for the good of society that we learn how to use these technologies, but it needs to be done with observation from government and private watchdog groups to ensure that the technology is not abused. Biometrics is one of the areas that should not be left to market forces and self-regulation, as it has been so far.

Once we have reached agreement on the need for biometrics to be used for identification, we still need to prevent a thief from attaching his biometrics to your identity in the many databases that currently exist and are under development. The only viable solution is to have a single, universal biometric identity database, which in turn provides verification to multiple, diverse and distributed databases. Establishing biometric identities with dozens of organizations is inefficient, wasteful, and fails to solve the main problem of preventing identity theft.

The DMV, the Social Security office, the passport office, our local airport and our various dentists and doctors are ill suited to establishing a person's identity. They would benefit from having that identity pre-established and using it to issue their own cards and administer their systems. They could each use a different numbering system, confident that each person is uniquely and accurately identified biometrically. Repeating our information to every group opens the door to forgeries and allows aliases in different systems. How would we settle identity disputes? Are we to carry as many biometric smart cards as we currently carry credit and ID cards?

The logical solution to these problems is the creation of a single system devoted to identification. This National Biometric Identification System should be managed and certified by a government agency, to ensure accuracy and so that identifiers of known criminals, terrorists and holders of passports, travel visas, etc. can be integrated. This system must be managed at a national level, but would be linked into other national and international systems by common standards. To get it approved by Congress, new legislation would be required to define access, security and strong redress for abuses. Rather than threatening our liberty, this may actually be a catalyst for increasing our protection rights regarding our personal data, most of which we have little control over today. I had to get special permission to focus on and advocate such a system for my honors thesis, but I believed it was more important to follow my instincts and passion and propose something constructive and innovative than to do a traditional policy analysis. It amazed me that in this age of databases, public debate is still focused on the idea of a national ID card rather than an ID database.

Unlike an identity card, which can be stolen or forged, a national database would provide the necessary structure to certify the identity of all Americans and legal visitors. The government should create and maintain a database of biometric identifiers along with each person's name, unique identification number and several other identifying characteristics, such as eye color and birth date. But that is all. This national database could be carefully guarded and offered via a distributed system for remote verification and for generation of identity cards. This would replace the use of the SSN in many databases.

A national biometric identification system (BIS) should not be used to store behavioral or judgmental data. The BIS should not be used to record and store health, criminal, motor vehicle registration, social security, financial or travel data. Separate systems should continue to manage such databases -- each of which should be regulated and secured appropriately. Assembly of behavioral data into one large database should be prohibited. Sharing and aggregating data should be done under strict regulations.

The new universal identity database must be kept simple and secure so it can support many different applications efficiently. For example, the airline industry could access this system to verify the identity of individuals checking in. First, the airline would access the BIS to confirm each passenger's identity by running a one-to-one match against the biometric database. Then they could check him in for his flight. A third step would be to use the identity number to search a travel alert database to see if each individual is on a risk list of criminals or terrorists. This would allow rapid, yet comprehensive, security checks. The use of biometrics, checked against a secure national database, makes it almost impossible for individuals to use forged identification papers. Of course the database must be developed under strict federal guidelines and maintained in utmost security.
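The check-in flow above, and the distinction the essay draws earlier between verifying a claimed identity (one-to-one) and recognizing an identity (one-to-many), modelled in Python. This is an added example, not the author's design or any real system: the BIS holds only the minimal fields the essay permits, templates are constructed 64-bit codes compared by fractional Hamming distance (the metric used for iris codes), the 0.20 threshold and all records are made up, and the travel alert list is a separate store keyed by ID number only.

```python
from dataclasses import dataclass

TEMPLATE_BITS = 64          # constructed template width
MATCH_THRESHOLD = 0.20      # constructed: max fraction of differing bits still accepted


@dataclass(frozen=True)
class IdentityRecord:
    """The only fields the essay allows in the national database: no behavioral data."""
    id_number: str
    name: str
    birth_date: str
    eye_color: str
    template: int           # enrolled biometric template, TEMPLATE_BITS wide


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of template bits that differ; 0.0 is identical, 1.0 is every bit flipped."""
    mask = (1 << TEMPLATE_BITS) - 1
    return bin((a ^ b) & mask).count("1") / TEMPLATE_BITS


class BiometricIdentificationSystem:
    def __init__(self, records):
        self._records = {r.id_number: r for r in records}

    def verify(self, claimed_id: str, probe: int) -> bool:
        """One-to-one match against the claimed ID; only yes/no leaves the BIS, never the template."""
        rec = self._records.get(claimed_id)
        return rec is not None and hamming_fraction(rec.template, probe) <= MATCH_THRESHOLD

    def identify(self, probe: int):
        """One-to-many search; costlier and more revealing than verify(), so check-in avoids it."""
        scored = [(hamming_fraction(r.template, probe), r.id_number) for r in self._records.values()]
        best_score, best_id = min(scored)
        return best_id if best_score <= MATCH_THRESHOLD else None


def airline_checkin(bis, travel_alerts: set, claimed_id: str, probe: int) -> str:
    """The essay's three steps: verify identity, check in, consult the separate alert list by ID only."""
    if not bis.verify(claimed_id, probe):
        return "rejected"          # forged papers or a mismatched biometric fail here
    if claimed_id in travel_alerts:
        return "flagged"           # alert list is a separate system keyed by ID number
    return "checked_in"


# Constructed enrolment data and a live scan with 8 of 64 bits differing (0.125 <= threshold).
ALICE_TEMPLATE, BOB_TEMPLATE = 0xA5A5A5A5A5A5A5A5, 0x5A5A5A5A5A5A5A5A
ALICE_PROBE = ALICE_TEMPLATE ^ 0xFF
RECORDS = [IdentityRecord("ID-0001", "Alice Example", "1970-01-01", "brown", ALICE_TEMPLATE),
           IdentityRecord("ID-0002", "Bob Example", "1980-02-02", "blue", BOB_TEMPLATE)]
TRAVEL_ALERTS = {"ID-0002"}     # constructed alert list, lives outside the BIS
```

Note that the airline never receives a template or a match score, only the verification result and the ID number it then uses against its own alert list; a real deployment would also tune the threshold against measured false accept and false reject rates.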

Efficient use requires technology similar to that used for site name recognition on the Internet. A distributed, redundant, secure, high-speed access network can serve many database applications simultaneously. Security is accomplished in two parts, physical and technical. Physical security protects the actual building from intrusion, which is critical in preventing the theft of passwords and access codes. Technical security protects the system from electronic invasion, usually through a network or over the Internet.

It has long been argued that technology is leading to the end of privacy. Rather it is our desire for convenience and our dependence on medical, financial, travel and government systems that has led to the creation of databases that, if poorly managed and protected, threaten our privacy and the loss of our very identity. The best solution to ensure that we can protect our personal data in the future would be national legislation to establish a universal biometric identification system -- concurrent with strict restrictions on use of data in all systems that access it.

Jennifer Carlisle is a student of International Relations and Economics at the University of Southern California.