Biometrics gathers steam, but DOD may tag personal data as off-limits
Privacy concerns over the use of biometrics technology to secure data may lead the Defense Department to change how that information is labeled and handled — by tagging biometrics data as personal information protected under the Freedom of Information Act.
Biometrics includes such technologies as voice recognition, digital fingerprints, iris scans and facial recognition programs. Most technologies require an initial scan of a person's fingerprint, iris or face and will then construct a digital template that is stored and replaces a person's password. The technology is increasingly being considered, especially by the Pentagon, for protecting physical facilities and information networks.
In fact, DOD is testing new Common Access Cards — so-called smart cards — that perform double duty as an employee identification card and as a digital card for providing admission to secure facilities, such as the Pentagon itself, and to computer networks. These cards are expected eventually to include digital fingerprints.
Some DOD officials are pushing for advanced weapon systems, such as the futuristic Joint Strike Fighter, to include biometrics technology so that if an aircraft is shot down, enemy forces would be less likely to gain access and use the plane against U.S. forces.
Biometrics technology is attractive for a number of reasons, according to various officials within DOD and other federal agencies. Those reasons include:
n The cost of biometrics is decreasing rapidly, with some programs being offered for free with the purchase of a new computer.
n Biometrics reduces the number of passwords that employees are expected to remember. Currently, people sometimes write down passwords, a common security no-no. Biometric information will make it much harder for would- be intruders to forge or otherwise work around passwords.
But as DOD and other agencies charge into unexplored territory in using the relatively new technology, they are finding that some employees worry that the digital templates might be used to invade their privacy.
"We are in terrain we've never been before," said Phil Loranger, director of the Pentagon's Biometrics Management Office, at a recent conference on biometric technologies. "If it's personal, why don't we treat it like medical records or financial information, and why don't we have the kind of protection we have on that [personal] information applied to [biometric] templates?... Now you're talking about the Freedom of Information Act [FOIA]. It looks like we may be able to put templates under Section 6 of that act."
Loranger's office did not respond to a request for more information on how his DOD group operates, so details of the plan remain unclear. But Section 6 of FOIA essentially prohibits government agencies from making public or sharing with other agencies any personal information that could be considered an invasion of an employee's privacy.
And biometrics could take privacy violations to unprecedented levels.
"For me, the real concern with biometrics arises in that it provides irrefutable evidence of who you are," said Ann Cavoukian, commissioner of information and privacy for the province of Ontario, Canada. "When you start collecting that, over time your ability to track people and to gather information about them grows exponentially. It can serve as the ultimate identifier."
Having the ultimate identifier available in a government database hints at George Orwell's Big Brother in the novel "1984." But it could also prove a dead end for identity thieves, providing irrefutable evidence to authorities that the person who stole the digital fingerprint or iris scan does not match up with the victim, according to Cavoukian.
Loranger said tagging biometrics data as personal information subject to FOIA would require "substantial encryption for a template at rest and a template on the move." That "makes me feel personally better about going off in this direction, because I am concerned about the vulnerabilities of some of this technology," he added.
But heavy encryption might not prove good enough, according to Cavoukian, who has recommended several steps in Canada to ensure that biometric technology is "the ultimate privacy- enhancing technology," rather than the ultimate threat to privacy.
Those measures include requiring the biometric information to be encrypted, ensuring the encrypted template is not used as an instrument of social control or surveillance, ensuring an identifiable fingerprint cannot be reconstructed from a template in a database and ensuring strict controls are in place as to who may access the biometric information.
Loranger says he is aware of how suspicious citizens can be about the government gathering personal information. "I don't want to be the guy accused of putting the mark of the beast on folks. We remain cautious about that," Loranger said.
The Biometrics Management Office
Mission: To ensure the availability of biometrics technologies within the Defense Department. Vision: To serve as the focal point for a full spectrum of biometrics systems and technologies to provide military users an edge in all operational environments via the most reliable and available security access systems. Lead agency: U.S. Army as of Dec. 27, 2000.
NEXT STORY: Powell prioritizes State IT