Florida Ruling Highlights Continued Urgency to Educate Public on Biometric Technology
You may have heard that the State of Florida recently voted to ban the collection of biometric data from school students. The legislation was a direct response to several Florida school districts capturing student biometric data and using it for various purposes including purchasing lunch in school cafeterias and tracking students on school buses. Ongoing concerns over the protection of student biometric data as well as who has access to it sparked discussion on the use of the technology in schools and prompted legislators to stop it.
One major concern is the storage of biometric information and how secure the system of encryption and verification is. Most, if not all, systems work under the principle that it’s not student biometrics that are actually stored, but instead a numerical sequence used for verification. The worry is that criminals will find a way to steal a student’s biometric template, reverse engineer it, and then use it to access the current system or another one that relies on the same biometric credential. This is a legitimate concern, since biometrics are quite different from an ID card or token, which can be replaced when lost or compromised. Biometrics, on the other hand, are said to be an “irrevocable” attribute since they are based on human physiological characteristics and can’t be “replaced.”
In response to the FL State Legislature’s decision to ban biometrics in schools, Janice Kephart from the Secure Identity and Biometrics Association (SIBA) made the following statement:
“I’m concerned this precedent could spill over to other states due to mostly a lack of education on what these systems do or don’t do,” Janice Kephart, the founder of the Secure Identity & Biometrics Association (SIBA) and an outspoken advocate for the use of new authentication technologies said in a recent interview with BiometricUpdate.com. “It’s really concerning.”
After a thorough review of the legislation, Ms. Kephart went on to say that the logic used as the body of the bill was based on “misunderstood science” and essentially penalizes the entire State for the actions of 2 districts that failed to properly notify parents and secure their permission for students to “opt-in” to having their biometric credentials captured. If you read statements from FL lawmakers on the issue, it’s clear that the genesis of their actions seems to be tied more to constituent fear of “Big Brother” and privacy/civil liberty violations than to arguments based on fact about how the technology actually works. The use of palm vein biometrics in Pinellas County school lunch lines, for example, is a clear illustration of how the technology can be misunderstood.
If one were to extrapolate the argument that student biometric data from a palm vein reader could easily be stolen and used by a criminal, the argument seems flawed when you look at the facts about the science. Fujitsu, the company that manufactures the palm vein device, has clearly stated that they use multiple layers of encryption to secure biometric information and don’t even capture an image of the palm vein but instead convert it into a template with a private encryption key. Furthermore, Fujitsu relies on the unique hemoglobin flowing through the bloodstream as a “liveness detection” security measure, which again makes it virtually impossible to spoof the technology and use another person’s credentials to access a system. Ultimately, is it possible to “steal” someone’s biometric credentials and reverse engineer them to create an image, whether it’s fingerprint, palm vein, iris, or another biometric modality? The answer is that anything is possible in this day and age, but the chances of it actually happening are extremely remote. One read of some of the logic behind the FL State legislation and you would think that it’s a piece of cake to recreate a student’s biometric credentials.
Unfortunately, the biometrics industry often falls victim to misperceptions about how the technology actually works, and these can be magnified by people who are intent on stopping the inevitable advancement of this technology as a more modern identification platform. As most know, in life, perception tends to be 9/10 of reality, and this has never been more evident than in biometrics. People who do not completely understand the technology, but who perceive government as rapidly encroaching on our personal lives and see personal privacy slowly disappearing in our digital world, jump on biometrics as just another tool to control our lives. In reality, biometrics is used all over the world and has drastically improved security, saved countless amounts of money, resources, and time for businesses and governments, and continues to be used in new and creative ways to establish accountability and protect individual privacy.
It’s crystal clear that the biometrics industry has a lot of work left to do when it comes to public education on how the technology works. We hope that biometric vendors take this call to action seriously and embark on or continue their push to educate and inform, so that more rational decisions can be made about the use of this technology in the general public. We need to be taking steps forward in biometrics, not steps back.
After all: Truth is universal. Perception of truth is not.
In what ways do you feel the biometrics industry can better educate the public about the technology?
The anti-biometrics case isn’t only about identity theft. It isn’t even mainly about identity theft. The issue at hand in Florida and Senate Bill SB 188 is privacy.
I’d love to know your position on these privacy issues:
– Is palm scanning and the like a proportionate response to the problem of lunch time queues and attendance on the buses? If a biometric collection of Personal Information is not proportionate to the security problem being solved, then privacy suffers. There are lower tech (and cheaper) solutions to the problems that do not bring the side effects of biometrics, nor the data management overhead.
– How secure are the biometrics scans and biometrics templates stored in school systems? Do school IT functions really have what it takes to manage secure databases? Who’s liable in the event that a school computer is hacked and biometric data is stolen?
– M2Sys seems to hold conflicting views about the storage of raw images. You have previously recommended that raw images be retained for dispute resolution purposes in hospitals.
Thank you for the comments. Yes, we understand that the legislation passed in Florida does not exclusively focus on identity theft but also includes concerns about privacy.
We are not privy to other biometric vendor system infrastructure to know how they secure their data – perhaps you can check with the vendors who have deployments in the State and ask them that question? It is also not possible for us to comment on whether school IT functions have the ability to manage secure databases, not sure that an assessment like that can be made without internal access to school system IT departments. Again, perhaps that is a question better fielded by the vendors that operate in that state within that market.
Thank you again for the comments.
Fair enough.
What about the retention of raw images?
We defer to the end user’s choice of whether or not to retain raw images.
Has your policy of retention of raw images shifted and stabilized now? A couple of years ago you varied between extremes. Sometimes you advised hospitals to retain raw images. Other times you claimed your platform isn’t capable of retaining raw images. Please see: https://www.hitconsultant.net/2012/11/14/biometric-patient-id-technology-with-m2sys-president-michael-trader/#comment-715195623
It has been an educating experience for us. Thank you for the comments.