This is a repurposed post on enrollment in a biometric system that was originally published on the M2SYS Blog, August 05, 2011.
Despite the many benefits of biometric technology for identification and authentication, some people raise concerns about privacy and security issues. Many people believe that when placed in the wrong hands, a person’s biometric data in a biometric system can be misused, resulting in severe consequences. Some advocates also believe that collecting individual biometric credentials (even when used by the private sector for uses such as employee authentication) is a violation of individual privacy. This post takes an explanatory approach to this issue in an attempt to clarify why privacy violations should not be a concern when it comes to biometric technology.
Biometrics is a Growing Identification Technology
Understanding biometric technology must be preceded by an explanation of how it works. First, it should be noted that biometric technology deployments for identification and authentication are on the rise globally. Regardless of whether you believe the technology violates individual privacy, more businesses and governments around the world are starting to use biometrics for individual identification.
Increasingly, businesses are catching on to the unique benefits and security that biometric technology offers to positively identify an individual by their physiological characteristics. The rapid growth of biometric technology seemed to begin shortly after we shifted to a society aggressively focused on safety and security in the wake of the rise in global terrorism, identity theft, and fraud in all aspects of life from banking to employee time and attendance.
As the price points of biometric technology dropped and the technology became more refined, deployments began to shift from government to the private sector as companies took notice that biometrics had strong potential to help them with problems such as employee time theft, inventory shrink, identity theft, compliance, and fraud. Widespread adoption by the private sector fueled the growth of biometric systems designed to positively identify individuals to prevent these problems, and with this growth came increased scrutiny (specifically of how individual biometric data was stored and what it may be used for other than identification) by privacy advocates and proponents of civil liberty protections. Their collective view is that a biometric system violates individual privacy without a 100% guarantee that templates are safely stored and cannot be stolen, and that governments are using the data to track citizens and subsequently disseminating the information collected to external entities.
These arguments have merit, but perhaps a closer look at how the technology works would help uncover some answers to these concerns and clear up some misconceptions about biometric technology.
The Privacy Issue – How Does Biometric Technology Actually Work?
Most people believe that when an individual places their finger on a fingerprint reader to register their identity in a biometric system, an image of their fingerprint is stored somewhere on a server or a computer. In actuality this is typically not the case. Instead, the biometric matching software extracts and stores something that is known as an identity template. This is a mathematical representation of data points that a biometric algorithm extracts from the scanned fingerprint.
The biometric identity template is simply a binary data file, a series of zeros and ones. The algorithm then uses the template to positively identify an individual during subsequent fingerprint scans. No image is ever stored or transmitted across a network.
In addition, the algorithm is “one way” which means that it is nearly impossible to recreate the original biometric image from the template. In other words, it is nearly impossible to reverse engineer the data that is sent to positively identify an individual and successfully “steal” their biometric identity.
Understanding these processes is central to realizing how the danger of identity theft or a security breach is significantly lessened, if not completely eliminated, through the use of a proprietary algorithm with data encryption and no stored image. Biometric templates are also not linked to anything in a closed system that can positively identify an individual outside of that system.
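The enrollment and matching flow described above, as an added example that is not from the original post and is not any vendor's algorithm: minutiae points are serialized into a binary template, and a later scan is compared against that template rather than against an image. The `TPL1` layout, the tolerances, the threshold and the sample minutiae are all constructed for illustration, and the scans are assumed to be already aligned.

```python
import math
import struct

# Constructed sample data: (x, y, ridge angle in degrees, kind) per minutia.
# kind: 1 = ridge ending, 2 = bifurcation. A real extractor derives these from a scan.
ENROLL_SCAN = [(52, 110, 30, 1), (87, 64, 145, 2), (120, 150, 270, 1),
               (160, 95, 200, 2), (75, 180, 95, 1)]
SAME_FINGER = [(54, 108, 33, 1), (86, 66, 141, 2), (118, 152, 274, 1),
               (161, 93, 197, 2)]
OTHER_FINGER = [(30, 40, 300, 2), (140, 60, 10, 1), (95, 120, 180, 1),
                (170, 170, 60, 2)]

HEADER = struct.Struct("<4sH")   # hypothetical layout: magic + minutia count
RECORD = struct.Struct("<HHHB")  # x, y, angle, kind

def make_template(minutiae):
    """Enrollment: serialize minutiae into a binary template (no pixels kept)."""
    body = b"".join(RECORD.pack(*m) for m in minutiae)
    return HEADER.pack(b"TPL1", len(minutiae)) + body

def parse_template(blob):
    """Decode a template, rejecting truncated or padded blobs."""
    magic, count = HEADER.unpack_from(blob, 0)
    if magic != b"TPL1" or len(blob) != HEADER.size + count * RECORD.size:
        raise ValueError("malformed template")
    return [RECORD.unpack_from(blob, HEADER.size + i * RECORD.size)
            for i in range(count)]

def match_score(enrolled_blob, probe_blob, dist_tol=6.0, angle_tol=10):
    """Fraction of minutiae that pair up within the position/angle tolerances."""
    enrolled, probe = parse_template(enrolled_blob), parse_template(probe_blob)
    if not enrolled or not probe:
        return 0.0
    unused, paired = list(enrolled), 0
    for px, py, pa, pk in probe:
        for cand in unused:
            ex, ey, ea, ek = cand
            diff = abs(pa - ea) % 360
            diff = min(diff, 360 - diff)  # angles wrap around at 360 degrees
            if pk == ek and math.hypot(px - ex, py - ey) <= dist_tol and diff <= angle_tol:
                unused.remove(cand)       # each enrolled minutia pairs at most once
                paired += 1
                break
    return paired / max(len(enrolled), len(probe))

def is_match(enrolled_blob, probe_blob, threshold=0.6):
    return match_score(enrolled_blob, probe_blob) >= threshold
```

The stored record here is 41 bytes of coordinates, angles and types, which is the data a template store has to protect.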
However, privacy advocates strongly feel that the idea of assembling a comprehensive citizen knowledge base, and thus exercising covert control of society in general, is a violation of individual privacy, and this proves to be a valid point.
Can an Employee Claim that using a Biometric System is a Violation of Their Privacy?
If you adopt biometric technology for time and attendance, access control or another deployment within a business, do employees have a right to refuse participation on the grounds that it violates their privacy and/or individual civil liberties? It brings up an interesting question. Without irrefutable proof that a biometric database can’t be hacked into and the templates reverse engineered into images, if an employee did decide to decline participation, would they be able to prove their claim that the technology did in fact violate their civil liberties?
There have not been any known cases here in the U.S. of an employee taking their employer to court for their refusal to enroll in a biometric identification system that resulted in wrongful termination or a violation of their equal opportunity rights. In fact, most employees would agree to the advantages of using biometric technology for workforce management. However, shouldn’t biometric information be treated as any other personally identifiable data that an employer keeps on file like social security numbers, pictures, or bank information if you request a direct deposit? Information that, if stolen, could be used to recreate your identity?
Most companies already have policies in place that govern the safe protection of this data, and biometrics should arguably be included and not treated any differently. It should be treated the same way as the data you have already given up, which is stored simply because you are an employee of the company.
Most employers also monitor their employees’ activities while they are at work, which could include video, email and telephone monitoring. An employee is then asked to sign that they received and read the employee manual that explicitly states their acknowledgement that they will be monitored throughout their employment tenure. Remember that this is not a request for permission to be monitored; it is an agreement that the employer will be doing it.
It is important to note that if you have a Twitter or Facebook account, make purchases on the Internet, use credit cards at brick-and-mortar establishments, subscribe to publications on the Internet, have any form of insurance or bank account, etc., you no longer have any privacy. If you use one or more credit cards, the credit card company knows where you eat, what you eat, what kind of car you drive, where you live, what insurance you have, where you spend your vacations, what you read, how much you spend on shoes and more.
If you use most social media platforms, you have publicly given up every bit of privacy you ever had. Although these are personal preferences, it makes the argument hard to justify that enrollment in a biometric system is any more egregious than most of the other daily online and offline activities that we participate in.