The ability to maintain a healthy balance between personal privacy and stringent enterprise security standards has been a sensitive and long-lasting struggle among security vendors and privacy advocate groups.
Now, biometrics, a technology used for measuring and analyzing human body characteristics such as fingerprints, irises and voice patterns, is gaining serious attention from all sides to address this age-old debate and provide a safe harbor for enterprise users worldwide.
Biometric authentication is the first step in the establishment of an audit trail, which is an essential factor in securing user identity. An audit trail creates an electronic log of activity from beginning to end, tracking authentication and the full enrollment process, and can also be used to track unauthorized attempts to gain access to restricted areas.
While providing secure access, audit trails also enhance privacy by protecting the identity of users. Protection is executed by enrolling users into a biometric infrastructure, which assures that their identity cannot be falsely duplicated. Unlike passwords, which can easily be shared, guessed or stolen, biometric identifiers never change and empower the individual with complete control of his or her own data. There is no way to reverse-engineer a biometric to find out who the user is, and it cannot be used to link records together - in fact, the technology by definition prevents it.
A clear audit trail can be used to track someone trying to obtain data without permission. This additional security layer allows the user to create documentation to see who has tried to look into records that they should not have access to. For example, if someone from a national security, immigration or tax department looks at a user's file, an ineradicable audit trail is left behind to identify the individuals. This feature reinforces the fact that audit trails enhance privacy rather than deter it. Privacy is about keeping users' data with them at all times. We can enhance privacy by protecting data in a better way, either by keeping it with the user or by creating a record of who looked at it.
While the issue of biometrics and privacy is often about people stealing others' biometric identity, the reality is that this technology can protect data and the actual identity of the user.
Biometric encryption replaces normal key characters with a user's personal identifier, thereby making standard character encryption obsolete. There can only be one perfect match for a user's personal identifier, and without this biometric key, the information is inaccessible. In other words, the only way the user's identity can be pulled out of the database and asserted to an application is by the user actually being there and putting his or her finger on a device.
Although the concept of privacy remains difficult to define, it is fair to say that many of the commonly perceived views regarding the sanctity of the right to privacy are at odds with the reality of the technological society in which we live, where the disclosure of personal information, for example bank numbers, addresses, age, etc., is commonplace in modern daily life. Bulletproof audit trails give users the ability to protect and secure their privacy while running parallel with the ubiquitous nature of the internet and almost all forms of commerce.
While the debate revolving around all the many interpretations of privacy can linger forever, adoption of biometric security standards is an issue that needs to be taken seriously. More and more companies, throughout a wide range of industries - including the financial services, travel/transportation, public sector and pharmaceutical markets - have made biometric integration a top priority. Enterprises are beginning to understand that privacy and security go hand in hand and that biometrics enhance privacy by protecting the identity of users, making it virtually impossible to cheat the system.
Government bodies worldwide are also starting to be cognizant of privacy by establishing sector-specific regulations and legislation to enable, support and ensure the effective rollout of biometric identity solutions. Although more and more are beginning to work together on consolidating their citizens' data for homeland security, the biometric enrollment process assures users that privacy will not come at the expense of security and vice versa. In fact, privacy can be safeguarded in that kind of environment by protecting one's consolidated file biometrically.
The most significant U.S. legislation to date supporting biometrics is the Enhanced Border Security and Visa Reform Act, which was signed and approved by George W. Bush on May 14, 2002. The law requires that all travel and entry documents, including visas, be machine-readable, tamper-resistant and include a standard biometric identifier. In addition, it requires that federal law enforcement and intelligence agencies share this data with the Immigration and Naturalization Service and the State Department. Although this is a significant step forward for biometrics adoption, the U.S. Government will need to be cognizant of the privacy concerns of non-nationals and other jurisdictions, each with their own regulations. Insensitivity to this matter could result in certain other countries being reluctant to participate.
It's no secret that today's world presents issues for the scope and protection of individual rights that could not have been imagined even 30 years ago. Biometrics strengthens the relationship between security and privacy and allows global organizations to run smoothly in today's high-tech era without network intrusion or interference. Embracing the use of biometrics in all areas will allow users to strengthen their grip on their identity while making it nearly impossible for outsiders to infringe on their privacy rights.
Oliver Tattan is CEO for Daon Limited (www.daon.com).
Daon Limited are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 to May 1, 2003. www.infosec.co.uk