Unwrapping the Biometric Present

Continued from page 2

There is a distinction, though between the uses of biometrics to verify identity from those that are designed for primary identification.

It's a good idea to add fingerprints and digitally-signed photographs to passports and visa applications. Nobodys interest is served by having weak identification schemes on our passports: such systems actually increase the chances that passports will be stolen, altered, and fraudulently used. Indeed, the 9/11 Commissions report details a factory that Al Qaeda had created in Afghanistan for doing just that with captured passports.

At the same time, it's a bad idea to start using biometrics to pick individuals out of a crowd --- that is, to use them for primary identification -- since it's notoriously inaccurate and far more subject to abuse.

There also needs to be clear rules about what uses of this information is appropriate and what uses are not. For example, bars in Boston are prohibited from serving alcohol to people under the age of 21, so its entirely appropriate to demand to see a drivers license or identification card before letting in a potential patron. On the other hand, its inappropriate for the bar to swipe the patrons drivers license through a card reader and capture the patrons name -- as some bars around the country have started doing. This can happen when technology is deployed by the government without regulations that governs the technologys use.

But there are bigger dangers in our deployment of biometrics -- dangers that arise from the very nature of identification technology and the theories that underpin it.

The accuracy and reliability of biometrics is frequently viewed in terms of the biometric recording itself, rather than the entire process. Fingerprints and iris scans may be exceedingly accurate and hard-to-fake, but entries in the databank themselves may nevertheless be vulnerable. If the system really does provide foolproof identification, then it will be that much more rewarding to the bad guys to get fake entries inserted. And it will be that much harder for a person, falsely identified as a terrorist, to prove that they arent one.

Such mistakes are likely to be compounded if biometric information is shared with other countries.

Another problem is this notion that the government can identify all of the terrorists --- or at least a subset of them. Although some of the 9/11 terrorists were on watch lists, many others were not.  There are people who are not terrorists today but who may turn to terrorism tomorrow.

This is the fundamental problem with watch lists, whether they are biometric or not: the people that you really need to worry about are not the known terrorists, but the unknowns.