Why biometrics might just bite back
Immediately following the events of September 11, 2001 there was a great deal of interest in biometric technologies to help track or identify terrorists.
The biometric industry raced to tout the virtues of its technology to help with identification or recognition purposes, and the government was eager to embrace this technology as crucial in the global war on terrorism. (GWOT, in wonkspeak.)
This was a sudden and huge change in the scope of, and hopes for, biometric use.
Previously, biometrics had been used in a narrower role, as an authentication or verification technology. With identification, it is vastly more difficult to obtain acceptable false acceptance rate (FAR) and false rejection rate (FRR) values.
Even with a more narrow use of biometrics for authentication, obtaining acceptable FAR and FRR values has been an industry challenge.
However, this excitement about the expanded use of biometrics for identification purposes was soon tempered by the public's memory of Super Bowl XXXV and the disastrous use of facial recognition technology in Tampa, Florida in January of 2001.
Use of biometrics was further embarrassed in January 2002 when it was revealed that even fingerprints could be faked.
Now, however, the hype is returning. Two factors are driving this. First is Homeland Security Presidential Directive (HSPD)-12: "Policy for a Common Identification Standard for Federal Employees and Contractors."
Although HSPD-12 does not explicitly mandate use of biometrics, it does direct the Secretary of Commerce to promulgate "a Federal standard for secure and reliable forms of identification." This has been completed by the National Institutes of Standards and Technologies (NIST) Federal Information Processing Standard (FIPS) 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors."
The second driving factor is the global introduction of biometric passports, ostensibly demanded by the International Civil Aviation Organization (ICAO), but driven by the U.S. Enhanced Border Security and Visa Entry Reform Act of 2002. The lack of viable biometric standards to date has hindered widespread adoption of the technology, limiting deployments to point implementations.
But if standards adoption is successful, large-scale federated authentication will be possible, which will carry huge privacy risks.
With the American public keenly aware of the number and scope of privacy breaches within the United States over the past few months, federated authentication through biometrics will hardly put people's minds at ease when it comes to identity theft. After all, what is a biometric other than a very long password – one that cannot be reset.