Biometrics is the science of measurement applied to biological entities such as fruit flies, dogs, or human beings. Ever since the discovery that fingerprints are a nearly unique lifelong way of identifying people, we have employed biometrics in some form, but usually only in special situations such as criminal investigations or other law-enforcement matters.
But recent advances in the quality and reliability of digital biometric sensors that work entirely without human intervention have made it possible to log on to your computer, not with a password, but with your right thumb, as I saw a colleague do in my office the other day. He has a new laptop and at the lower left corner of the screen is a little red panel that he swiped his thumb over to turn it on. Although I didn’t try it, I suspect my thumb would not have done the trick.
The San Jose Mercury News carried a roundup article the other day describing some new and upcoming biometric techniques. It turns out that fingerprints are only one of many characteristics that inventive labs and firms are working on. Face recognition software is getting good enough to pick out a particular face in a high-resolution photo of a crowd. And somebody in a government lab is working on the notion, familiar to owners of bloodhounds, that body odor is unique enough to identify you.
I will be the first to admit that being pestered for a new, unique, high-quality password that is also different from all the other new, unique, high-quality passwords you’ve had to come up with in the last six weeks to do everything from buying things online to logging into your organization’s pay system is quite annoying.
So why am I not jumping for joy over the prospect of simply swiping my thumb or even just grinning into the camera to get my computer to do what I want? Several reasons come to mind.
The first one is pointed out by a researcher quoted in the Mercury News article. There is a basic assumption of anonymity that people have when they go into a public place. Yes, sometimes you put on a nametag at a party or in a social setting where you want people to know who you are.
But if you’re like me, you feel sort of foolish if you leave the event and look down a couple of hours later and you’re still wearing your nametag at the airport. There are places where I don’t necessarily want all and sundry to know who I am, not because I’m doing something nefarious, but just because the information could be abused.
It’s a little far-fetched now, but this is the kind of problem that biometrics could lead to if it gets into the wrong hands. And believe me, if it becomes widely used by consumer-electronics manufacturers, it will get into the wrong hands.
A second problem concerns what I’d call the interoperability problem.
The big pain about passwords is that every little seller of internet toothpicks and offerer of free software wants you to come up with a password for their particular system. Some people use the same password for everything, and I… well, I don’t quite go that far, but let’s just say there are commonalities among the different passwords I use.
If we go whole hog for replacing passwords with biometrics, what kind of biometric identifier will we use? If there’s some industry-standard device, that means basically everyone will be using the same password for everything (read “fingerprint” or whatever the feature du jour is for “password”), and that means one giant database sitting somewhere with everybody’s password on it might not be that hard to compile.
The dangers that could arise from such a concentration of sensitive information are obvious. And if we use a diverse set of systems, well, that means a diverse set of plug-ins or thingamajigs or whatever will be needed to log in to many sites, and that could be even worse than having to remember all those passwords.
Last but not least, I will remind you that no technology is perfect, and this includes biometric devices.
Say you are using face-recognition technology and one day you decide to shave your moustache. Ooops!—facial hair isn’t all you lost. You’ll have to retrain X number of security programs to recognize your new, less hirsute visage. At least when you forget a password, there’s usually some alternate approach that works reasonably well—a security question or two, an email to your known email address, or some such thing that consumes time but otherwise works pretty well.
Biometric security will have to have some kind of backup like that, but who knows what form it would take? We might end up looking at passwords rather like I looked at the little hole in the front bumper of my 1958 Morris Minor (well, technically it was my father’s car, but he let me drive it when I was in high school). It had an electric starter, but in a pinch such as a moribund battery, you could take the tire jack, stick it through the front bumper, and crank the little pint-size motor to start it by hand. (I never got up the nerve to try that, but it’s one of the many lost opportunities of my youth.)
Part of what we are seeing is a generational shift in attitudes toward privacy. Things that annoy me, such as the creepy way items I search for online at one site start magically showing up a few days later in ads at a wholly unrelated site, are things that just seem part of the background of life to younger people who haven’t experienced anything different.
After all, before there were cities, most people lived in little village clans where everybody knew who you were and what you were up to, and we survived that. But there is a disproportion of power and ability between one individual whose identity is increasingly ascertainable, and the giant international corporations who can ascertain it and act on that knowledge. Let’s hope we don’t get so used to the degradation of privacy that by the time we start missing it, there’s nothing left.
Karl D. Stephan is a professor of electrical engineering at Texas State University in San Marcos, Texas. This article has been republished, with permission, from his blog, Engineering Ethics.