Biometrics: Privacy's Foe Or Privacy's Friend? - Proceedings of the IEEE

Eli De Souza | Download | HTML Embed
  • May 30, 1998
  • Views: 19
  • Page(s): 13
  • Size: 143.06 kB
  • Report

Share

Transcript

1 Biometrics: Privacys Foe or Privacys Friend? JOHN D. WOODWARD From the INS to ATMs, both the public and private sectors policy advocacy communities so that they can meaningfully are making extensive use of biometrics for human recognition. As participate in the public debate related to biometrics.1 this technology becomes more economically viable and technically Similarly, an understanding of the law and policy con- perfected, and thus more commonplace, the field of biometrics will spark legal and policy concerns. cerns related to biometrics is necessary for the engineers Critics inevitably compare biometrics to Big Brother and the loss and scientists who are responsible for this new technologi- of individual privacy. The probiometric lobby generally stresses cal reality. History teaches us that new technologies, created the greater security and improved service that the technology by engineers and scientists, spark new law and cause old provides. Is biometrics privacys friend or privacys foe? This legal doctrines to be rethought, rekindled, and reapplied by paper explores the various arguments for and against biometrics and contends that while biometrics may pose legitimate privacy the makers of the nations law and policy. concerns, these issues can be adequately addressed. In the final For example, new technology has caused a creative analysis, biometrics emerges as privacys friend. reshaping of existing legal doctrine when the judiciary KeywordsBiometrics, biometrics law, constitutional law, iden- has embraced a technology more quickly than has the tification, information privacy, privacy, regulation of biometrics, legislature, the executive branch, or even the actual market- security, verification. place for the technology. Consider a well-known example from the legal casebooks. In 1928, there was no law I. INTRODUCTION requiring coast-wise carriers to equip their tugboats with radio receiver sets. Moreover, no such established custom On May 18, 1997, in his commencement address at existed in the maritime industry, despite the fact that such Morgan State University, President Clinton stated: sets could be used by tugs at sea to receive storm-weather The right to privacy is one of our most cherished warnings. In T. J. Hooper, a landmark legal case, Federal freedoms. As society has grown more complex and Circuit Judge L. Hand (18721961), one of the greatest people have become more interconnected in every American jurists of this century, deemed tugboats without way, we have had to work even harder to respect radio receiver sets unseaworthy because a whole calling privacy, the dignity, the autonomy of each individual. may have unduly lagged in the adoption of new and . . . We must develop new protections for privacy in available devices [5]. No longer would strict adherence the face of new technological reality. [1] to local custom and industry practice be a valid defense While it is doubtful that President Clinton had biometrics against negligence. in mind during that Sunday speech, biometrics is one such Todays new technological reality of biometrics should new technological reality. From the Immigration and force us to explore from the law and policy perspectives Naturalization Service (INS) to automated teller machines what is required to safeguard the public interest and to (ATMs), both the public and private sectors are making ensure optimal results for society. Engineers and scien- extensive use of biometrics for human recognition purposes tists should not be excluded from this law and policy to provide better security, increased efficiency, and im- examination. Indeed, the law and policy concerns raised proved service [2][4]. As the technology becomes more by biometrics are far too important to be left solely to economically viable and technically perfected, biometrics politicians and lawyers. could refocus the way that Americans look at the brave In examining these law and policy concerns, this paper new world of personal information. focuses on privacy. After briefly discussing biometric tech- Understanding biometrics thus is essential for elected nologies and biometric applications in Sections II and III, officials and policymakers charged with determining how this paper attempts in Section IV to define privacy in the this new technology will be used. An understanding of context of biometrics and to examine which specific privacy biometrics is also important for the legal, business, and concerns are implicated by biometrics. This paper then Manuscript received May 26, 1997; revised June 26, 1997. The author is at 1029 North Stuart Street, #205, Arlington, VA 22201 1 A related article by the author, Biometric Scanning, Law & Policy: USA. Identifying the ConcernsDrafting the Biometrics Blueprint, appears in Publisher Item Identifier S 0018-9219(97)06877-1. University of Pittsburgh Law Review, Fall 1997. 00189219/97$10.00 1997 IEEE 1480 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

2 Fig. 1. Biometric man. analyzes the various arguments often made that biometrics Biometrics uses physical characteristics, defined as the poses a threat to privacy. This paper concludes that, to things we are, and personal traits, defined as the things we the contrary, biometrics is privacys friend because it can do, including the following. be used to help protect information integrity. Section V examines the biometric future and contends that biometric 1) Physical characteristics: balkanization, or the use of multiple biometric technolo- chemical composition of body odor; gies deployed for multiple applications, provides greater facial features and thermal emissions; privacy protection than does biometric centralization, or features of the eyeretina and iris; the use of one dominant biometric technology for multiple fingerprints; applications. hand geometry; skin pores; II. WHAT IS BIOMETRICS? wrist/hand veins. A. Definition of Biometrics and Biometric Scanning 2) Personal traits: While the word biometrics sounds very new and high handwritten signature; tech, it stands for a very old and simple concepthuman keystrokes or typing; recognition (Fig. 1). In technical terms, biometrics is the voiceprint [2][4], [6], [7]. automated technique of measuring a physical characteristic or personal trait of an individual and comparing that char- Of these, only three of the physical characteristics and acteristic or trait to a database for purposes of recognizing personal traits currently used for biometrics are consid- that individual [6]. ered truly unique: the retina, the iris, and fingerprints [8]. WOODWARD: BIOMETRICS 1481

3 As such, these three physical characteristics provide the 1) High Government Use: greatest precision for biometrics. a) Law enforcement and prison management: Since Biometric scanning is the process whereby biometric March 1990, the Cook County (IL) Sheriffs Department measurements are collected and integrated into a computer has been using retinal scanning to process prisoners [4]. system. Biometric scanning is used for two major purposes: Retinal scanning is used to identify and keep track of identification and verification. Identification is defined as inmates. Upwards of 300 prisoners are scanned daily, and the ability to identify a person from among all those the Sheriffs Departments database includes more than enrolled, i.e., all those whose biometric measurements 300 000 retinal patterns [11]. have been collected in the database. It seeks to answer b) Military and national security community: While the question, Do I know who you are? and involves a many of these applications remain classified, it is no one-compared-to-many match (or what is referred to as a secret that one of the principal executive-branch orga- cold search). Verification involves the authentication of nizations spearheading biometrics research is the highly a persons claimed identity from his previously enrolled secretive NSA [3]. Primary uses of biometrics for the pattern. It seeks to answer the question, Are you who you national-security community include facilities protection claim to be? and involves a one-to-one match. and personnel access [6]. B. Advantages of a Biometric Scanning System 2) Lesser Government Use: Biometric scanning can be used for almost any situation a) Border control and immigration checks: Confronted calling for a quick, correct answer to the question, Who are with a two-fold increase in passenger volume in interna- you? The unique advantage of biometric scanning is that it tional air travel during the past decade, along with the bases recognition on an intrinsic aspect of a human being. urgent need to keep terrorists, criminals, and illegal aliens Recognition systems that are based on something other than out of the United States, the INS has been experimenting an intrinsic aspect of a human being are not always secure. since 1993 with an automated inspection system using For example, keys, badges, tokens, and access cards (or biometric technologies at select ports of entry. The INSs things that you physically possess) can be lost, duplicated, goal is to remove the law-abiding, frequent traveler from stolen, or forgotten at home. Passwords, secret codes, and the inspection lines and allow the low-risk person to be personal identification numbers (PINs) (or things that you inspected and cleared by verifying his identity with a must know) can easily be forgotten, compromised, shared, biometrics-based system. This method allows the INS to or observed. focus its efforts on potential terrorists and criminals, thus Biometrics, on the other hand, is not susceptible to ensuring that INS resources are better utilized. these particular problems. According to Dr. J. Campbell, The INS has four biometrics projects under way at Jr., a National Security Agency (NSA) researcher and several ports of entry: INSPASS (Airport), the soon-to-be- chairman of the Biometric Consortium, no one technology deployed INSPASS (Land), PORTPASS (Dedicated Com- has emerged as the perfect biometric, suitable for any muter Lane), and PORTPASS (Automated Permit Port). application [9]. While there is no perfect biometric, the INSPASS (Airport) features hand geometry, while PORT- characteristics of a good biometric scanning system are PASS (Automated Permit Port) uses voice verification for speed, accuracy, user friendliness, and low cost. the driver; PORTPASS (Dedicated Commuter Lane) is not yet automated [12]. The INS also uses voice verification for III. HOW ARE BIOMETRICS USED? frequent travelers entering the United States from Canada at a remote border-crossing point in Montana [3]. A. Biometric Applications b) Entitlement programs and licensing: The Los Ange- Biometric applications are broad based, expanding, and les County Department of Public Social Services reported international. As one industry expert recently stated, The that finger imaging of welfare recipients in a pilot program influence of biometric technology has spread to all conti- alone reduced fraud by more than $14 million and resulted nents on the globe [10]. In concrete terms, this influence in the termination of more than 3000 previously approved translates into about $1 billion worth of computer systems entitlement cases over a three-year period [13], [14]. More that include biometric devices expected to be installed than a dozen states are using biometrics to help administer worldwide during 1997 [2]. various entitlement programs. While biometric devices are deployed in many computer In 1995, the Federal Highway Administration awarded systems, the overall size of the biometrics industry remains a $400 000 contract to San Jose State University to study relatively small, though it is rapidly growing. For example, and develop standards for biometric identifiers for use with in 1992, revenue from biometric devices was estimated at commercial truck drivers licenses [3]. Congress mandated $8.3 million, with 1998 units sold. By 1999, revenue is this biometric application because of public safety concerns projected at $50 million, with 50 000 units sold [6]. that commercial truck drivers were obtaining concurrent While a detailed discussion of biometric applications is commercial licenses from various individual states in an beyond the scope of this paper, three major categories attempt to evade the regulatory scheme [15], [16]. Congress highlight how biometric scanning is beginning to touch feared that unscrupulous drivers would use the multiple our lives: high government use, lesser government use, and concurrent licenses in their possession to conceal the true private-sector use. extent of the traffic violations and point totals they had 1482 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

4 received by recording their violations over many individ- IV. WHAT IS PRIVACY IN THE CONTEXT OF BIOMETRICS? ual states databases as opposed to any one centralized place [18]. A. Working Definition c) National identity card and voter registration: National identity card proposals are usually met with concern and The issue of privacy is central to biometrics. Critics consternation in the United States. The Government of complain that biometrics poses a substantial risk to privacy the Philippines, however, has decided to embark on an rights. Evaluating this argument requires, first, an under- ambitious national identity card project, with plans to enroll standing of what privacy rights entail. The word privacy up to 63 million people. Likewise, the South African (like the word biometrics) is nowhere to be found in the Home Affairs National Identification System will involve text of the U.S. Constitution. Perhaps the absence of any an identity card combined with a biometric identifier [10]. explicit textual reference to privacy or right of privacy, With respect to voter registration, Jamaica is experiment- combined with the words apparent flexibility of meaning, ing with an elector registration system to register eligible makes it all the more difficult to define what privacy is and voters incorporating an identification card with fingerprint to explain what the right of privacy should be. minutiae data. Most important from the standpoint of biometrics, pri- vacy includes an aspect of autonomycontrol we have 3) Private-Sector Use: over information about ourselves [17], [c]ontrol over who a) Financial services industry: In 1995, Oki Electric can sense us [18] . . . control over the intimacies of personal Industry Limited, Japans leading vendor of ATMs, teamed identity [19], or, as a federal appeals court has phrased it, up with two U.S. companies, IriScan and Sensar, to inte- control over knowledge about oneself. But it is not simply grate iris-recognition technology into its ATMs in Japan. control over the quantity of information abroad; there are Citibank is also evaluating iris recognition for use in the modulations in the quality of knowledge as well [20]. United States [3], [4]. The ATM card holder will first be While the Supreme Court has never explicitly recog- enrolled at his local bank branch. Instead of thinking up nized a constitutional right to privacy (and has never dealt a password, the customer will look into a scanner, which with biometrics), Americas highest court has grappled will video his iris pattern, instantly convert it to a 256-byte with issues of information privacy. In Whalen v. Roe, an digitized code, and store this code on the magnetic strip of influential case decided in 1977, the court decided the his ATM card. The next time the customer needs fast cash, constitutional issue of whether the State of New York could he simply inserts his card into the machine. A video camera record, in a centralized database, the names and addresses installed in the ATM rereads his iris pattern from about of all individuals who obtained certain drugs, pursuant to three feet away and matches it with the code on his card a doctors prescription [21]. Rejecting the privacy claim, to grant him access to his account. In October 1996, Oki the court ruled that a government database containing unveiled IrisIdent, its iris-recognition-based ATM system, massive amounts of sensitive medical information passed in Tokyo, where the system will be tested by a number of constitutional muster because of the security safeguards in Japanese banks. place. The courts opinion concluded with a cautionary note Alternatively, finger images are also being used to control that still echoes loudly today: ATM access. In Indiana, for example, the Purdue Employ- We are not unaware of the threat to privacy implicit ees Federal Credit Union has been enrolling finger images in the accumulation of vast amounts of personal of customers since February 1997 to give them access to information in computerized data banks or other kiosks, or virtual branches, that it will install at several massive government files. [21] Purdue University campus sites later this year. In the context of biometrics, this control over information b) Personnel management: Presently, Woolworths su- about ourselves, or information privacy, lies at the very permarkets in Australia operate the worlds largest time heart of the privacy concerns raised by this new technology. and attendance system featuring biometrics. Finger-imaging Individuals have an interest in determining how, when, technology is used to monitor time and attendance for about why, and to whom information about themselves, in the 100 000 employees [10]. Coca-Cola uses hand-scanning form of a biometric identifier, would be disclosed. technology for time and attendance [2]. c) Access control: Walt Disney World in Orlando, FL, now uses finger geometry to verify customers who pur- B. What Privacy Concerns Are Implicated? chase yearly passes [2]. Previously, annual-pass holders 1) The Individual Gives Up a Biometric Identifier: To de- were photographed to prevent any illegal or inadvertent termine the specific privacy concerns implicated by bio- pass transfer; the new finger-scanning system has received metrics, we must first focus on what exactly is disclosed positive feedback [4]. when biometric scanning is used. Regardless of whether The computer log-on of the not-so-distant future will be an individual voluntarily provides a biometric identifier done using a biometric identifier, according to biometrics or is forced to surrender it as part of a state action or experts. Under this scenario, a small optical scanner or government-required scheme, he is giving up information video camera would be added to the computer worksta- about himself. When biometrics like finger imaging, iris tion. The computer user would then log-on by using, for recognition, or retinal scanning are used, he discloses truly example, finger imaging or iris recognition. unique information about his identity. When the other WOODWARD: BIOMETRICS 1483

5 biometrics are used, he discloses accurate information about point of privacy protections aimed at this technology. At who he is. present, private actors possessing biometric identification 2) Invasive Aspects of the Information: Beyond this fun- information generally follow a nondisclosure policythey damental disclosure, there also might be invasive impli- do not disclose the information to third partiesas part of cations related to privacy concerns that stem from the a strategy of building public acceptance for the technology. biometric identification information disclosed. These in- Such nondisclosure policies, however, are voluntary. vasive implications for privacy are essentially two-fold: Critics contend that biometric identifierslike other per- 1) the invasive effects of a secondary market, defined as sonal information, such as names and addresses for mailing disclosure of the biometric identification information to listsmight eventually be considered to be in the public third parties, and 2) invasive information that might be domain [24]. The fear is that the individual will lose additionally obtained as part of the biometric identifier. ultimate control over all aspects of his biometric identifier. a) Invasive secondary market effects: Once a biometric b) Invasive information is obtained: In addition to the identifier is captured from an individual in the primary identification information associated with the biometric, market, and even if it is captured only once, the bio- invasive information threatening privacy could conceivably metric identifier could easily be replicated, copied, and include three other types of concerns. First, biometric otherwise shared among countless public- and private- identifiers could be used extensively for law-enforcement sector databases. This sharing in a secondary market could purposes. Fingerprints have long been used by law conceivably take place without the individuals knowledge enforcement, and finger imagesor what in effect is the or consent. Indeed, biometric identifiers could be bought next generation of fingerprintsare presently being used by and sold in a secondary market in much the way that names various law-enforcement agencies as part of their databases. and addresses on mailing lists presently are bought and sold For example, the Federal Bureau of Investigation (FBI) has by data merchants. embarked on a bold finger-imaging project for its Integrated Particularly with respect to the private sphere, where the Automated Fingerprint Identification System (IAFIS). conduct of private actors traditionally has been given a IAFIS would replace the present paper-and-ink-based degree of freedom of action from government interference, system with electronic finger images. there presently are few legal limits on the use of biometric Second, it is possible (and, the point needs to be stressed, information held by private actors. This observation is not only possible) that some biometrics might capture more meant to suggest that the federal or state governments than just mere identification information. Information about would not be able to regulate the use of biometric in- a persons health and medical history might also be inci- formation held by private actors. Rather, it emphasizes dentally obtained. Recent scientific research suggests that what the present regulatory baseline is with respect to the fingerprints and finger imaging might disclose medical regulation of biometric information: until affirmative action information about a person [25], [26]. For example, Dr. has been taken by a government, the use of biometrics H. Chen, in his work on dermatoglyphics, or the study is left to the market. In other similar contexts where an of the patterns of the ridges of the skin on parts of individual has surrendered personal information to private the hands and feet, notes that [c]ertain chromosomal actors, the Supreme Court has not found a constitutionally disorders are known to be associated with characteristic based privacy right. For example, in Smith v. Maryland, the dermatoglyphic abnormalities, specifically citing Down defendant claimed that information in the form of telephone syndrome, Turners syndrome, and Klinefelters syndrome numbers he dialed from his home telephone (what is known as chromosomal disorders that cause unusual fingerprint as a pen register) could not be turned over to the police patterns in a person [25]. Certain nonchromosomal dis- absent a search warrant [22]. Rejecting this argument, the orders, such as chronic intestinal pseudoobstruction (CIP, court noted that it consistently has held that a person described below), leukemia, breast cancer, and Rubella has no legitimate expectation of privacy in information he syndrome, have also been implicated by certain unusual voluntarily turns over to third parties [22]. fingerprint patterns [25]. In United States v. Miller, a case involving a bootleggers For example, Dr. M. M. Schuster, director of the Division private financial records, which were turned over to U.S. of Digestive Diseases at Johns Hopkins Bayview Medical Treasury agents pursuant to a grand jury subpoena, the Center, has discovered a mysterious relationship between bootleggers attempt to have the evidence excluded was an uncommon fingerprint pattern, known as a digital arch, unsuccessful [23]. The court found that Miller had no and CIP, which affects 50 000 people nationwide. Based on expectation of privacy in the records, reasoning that [t]he the results of a seven-year study, Dr. Schuster found that depositor takes the risk, in revealing his affairs to another, 54% of CIP patients have this rare digital-arch fingerprint that the information will be conveyed by that person to pattern. Schusters discovery suggests a genetic basis to the the Government [23]. The records therefore could not be disease in that the more digital arches in the fingerprint, the considered confidential communications because they had stronger the correlation to CIP [27]. been voluntarily conveyed to the bank in the ordinary From examining the retina or iris, an expert can determine course of business [23]. that a patient may be suffering from common afflictions like Biometrics is still too new for the Congress or the diabetes, arteriosclerosis, and hypertension; furthermore, various state legislatures to have acted from the stand- unique diseases of the iris and the retina can also be 1484 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

6 detected by a medical professional [28], [29]. While both or locate information about a person. Names and numerical the iris and retina contain medical information, it is by identifiers such as social security numbers (SSNs), account no means obvious that biometric scanning of the iris or numbers, and military service numbers have long been used retina automatically implicates privacy concerns related to to access files with personal information. Moreover, the the disclosure of medical information. A necessary area impressive search capabilities of computer systemswith of further technical inquiry is whether the computerized their ability to search, for example, the full text of stored byte code taken of the iris or retina actually contains documentsmake identifiers far less important for locating this medical information or if the information captured is information about an individual. sufficient to be used for any type of diagnostic purpose. Critics of biometrics also overlook the fact that there While much research remains to be done, the availability usually is a good reason why recognition in the form of such information, with its possible links to medical of identification or verification is needed. The benefits of information, raises important questions about the privacy establishing a persons identity outweigh the costs of losing aspects of the information disclosed. anonymity. For example, given the massive problem of missing children, there is growing support for the idea of C. Biometrics as Privacys Foe: Criticisms day care providers using biometrics to make certain that 1) The Loss of Anonymity and Autonomy: A basic criti- children are released at the end of the day to a parent or cism of biometrics from the standpoint of privacy is that guardian whose identity has been verified. we, as individuals, lose our anonymity whenever biometric Similarly, to consider a pocketbook example, the scanning systems are deployed. Controlling information worlds financial community has long been concerned about ourselves includes our ability to keep other parties about growing problems of ATM fraud and unauthorized from knowing who we are. While we all know that at some account access, estimated to cost $400 million a year [32], level, a determined partywhether the state or a private [33]. Credit card fraud is estimated at $2 billion per year. actorcan learn our identity (and much more about us), The financial services industry believes that a significant biometric scanning makes it plain that our identity is now percentage of these losses could be eliminated by biometric fully established within seconds. As Prof. Clarke explains, scanning [2]. The need to identify oneself may be intrinsically distasteful Critics give too much credit to biometrics alleged ability to some people . . . they may regard it as demeaning, to erode anonymity without giving enough attention to the or implicit recognition that the organization [sic] with markets ability to protect privacy in response. It is not whom they are dealing exercises power over them [30]. obvious that more anonymity will be lost when biometric Privacy advocate R. Ellis Smith agrees, noting that [i]n measures are used. Public- and private-sector organizations most cases, biometric technology is impersonal [2]. At already have the ability to gather substantial amounts of in- the same time, if the technology meets with widespread formation about individuals by tracking, for example, credit success, individuals may find that they are required to card use, consumer spending, and demographic factors. provide a biometric identifier in unexpected, unwelcome, Drawing a parallel to the financial services industry, or unforeseen future circumstances. Moreover, one cannot despite the existence of many comprehensive payment make up a biometric as easily as one can an address and systemslike credit cards, which combine ease of ser- phone number. In this sense, perhaps, the loss of anonymity vice with extensive record keepingmany Americans still leads to an inevitable loss of individual autonomy. prefer to use cash for transactionsa form of payment To the extent that there is less individual anonymity today that leaves virtually no record. An individual who wants than in decades or centuries past, biometrics is not to blame. anonymity might have to go to greater lengths to get it in Rather, far larger economic, political, and technological the biometric world, but the ability of the marketplace to forces are at work. Americas transformation from an accommodate a persons desire for anonymity should not agrarian to an industrial to a postindustrial service economy, be so readily discounted. Moreover, as explained below, combined with the massive growth of government since the the ability of biometrics to serve as privacy-enhancing New Deal of the 1930s, has put a greater premium on the technologies should not be discounted. need for information about individuals and organizations. 2) The Biometrics-Based Big Brother Scenario: Aside At the same time, technical advances have made it much from the alliterative qualities the phrase possesses, critics easier and more convenient to keep extensive information of biometrics seem inevitably to link the technology to on individuals. Summarizing this trend, one scholar has Big Brother [2][4], [24]. Its critics argue that biometrics, noted that in combination with impressive advancements in computer in the present service economy, information has and related technologies, would enable the state to monitor become an increasingly valuable commodity The the actions and behavior of its citizenry. In this vein, computer has exacerbated this problem through its concern has been expressed that biometric identifiers will capacity to disclose a large amount of personal in- be used routinely against citizens by law-enforcement agen- formation to a large number of unrelated individuals cies. As M. Rotenberg of the Electronic Privacy Information in a very short amount of time. [31] Center has succinctly explained, Take someones finger- While a biometric identifier is a very accurate identifier, print and you have the ability to determine if you have a it is not the first nor is it the only identifier used to match match for forensic purposes [34]. WOODWARD: BIOMETRICS 1485

7 For example, in the traffic stop of the future, the police Japanese living in the United States. To compile the list, officer will pull over the vehicle, walk to the drivers staffers used 1930 and 1940 census data. Working without side window, and ask for the drivers license. This license the benefit of computers, staffers compiled the list in one will have a magnetic strip containing the byte code of the week [36]. By the spring of 1942, the U.S. government drivers finger image, which will be required by the states forced persons of Japanese descent, including U.S. citizens, department of motor vehicles. The officer will then take to leave their homes on the West Coast and report to a portable optical scanner from his pocket and ask the relocation centers [37]. vehicles driver to biometrically scan in. The officer will a) Function creep: The biometrics-based Big Brother be able to identify the driver, as the data is transmitted scenario would not happen instantly. Rather, when first for immediate matching to the central database, where deployed, biometrics would be used for very limited, clearly any outstanding arrest warrants, traffic citations, delinquent specified, sensible purposesto combat fraud, improve air- taxes, tardy child-support payments, and the like could be port security, protect children, etc. But as Justice Brandeis entered. The concern is that a mere traffic stop would warned in his famous Olmstead dissent: tell the police officer a great deal about the motorist in Experience should teach us to be most on our guard mere seconds; the fear is that armed with this informational to protect liberty when the Governments purposes power, there would be abuses by law enforcement. are beneficent. Men born to freedom are naturally This use of biometrics is superior to the present system alert to repel invasion of their liberty by evil-minded of checking a drivers license because it makes it much rulers. The greatest dangers to liberty lurk in insidi- more difficult in practical terms for a person to obtain a ous encroachment by men of zeal, well-meaning but drivers license using a false identity. Not only would law without understanding. [38] enforcement know in a very short time the criminal status What would inevitably happen over time, according to of any driver they have stopped but whenever a drivers civil libertarians, is a phenomenon known as function license would be presented for other secondary identifica- creep: identification systems incorporating biometric scan- tion purposes, the claimed identity could be confirmed by ning would gradually spread to additional purposes not the use of a biometric scan-in at the point of service. For announced or not even intended when the identification example, background checks for firearms purchases could systems originally were implemented. be done easily in this manner. While the threat of criminal The classic example of function creep is the use of penalties for using false identification might deter some the SSN in the United States. Originated in 1936, the individuals, the use of biometrics as described above sets SSNs sole purpose was to facilitate record keeping for the hurdle all the higher for criminals seeking to obtain a determining the amount of Social Security taxes to credit drivers license by using an alias. to each contributors account [39]. In fact, the original This Big Brother concern, however, goes beyond normal Social Security cards containing the SSN bore the legend, police work. Every time an individual uses his biometric Not for Identification [30]. By 1961, the Internal Revenue identifier to conduct a transaction, a record would be made Service (IRS) began using the SSN for tax identification in a database, which the government, using computer tech- purposes [30], [39]. By 1997, [e]verything from credit to nology, could then match and use against the citizeneven employment to insurance to many states drivers licenses in ways that are not authorized or that meet with our requires a Social Security Number [40]. From its origins disapproval. To borrow the reasoning of a 1973 report on as Not for Identification, the SSN has become virtual national identity card proposals, the biometric identifier, mandatory identification. in ways far more effective than a numerical identifier, Moreover, given the consequences of function creep, could serve as the skeleton for a national dossier system to the size, power, and scope of government will expand maintain information on every citizen from cradle to grave as all citizens have their biometric identifiers thrown into [35]. Prof. Clarke perhaps has offered the best worst-case massive government databases by the men [and women] 1984-like scenario: of zeal, well-meaning but without understanding about Any high-integrity identifier [such as biometric scan- whom Justice Brandeis warned. In effect, a Russian proverb ning] represents a threat to civil liberties, because aptly identifies the danger of biometrics for freedom-loving it represents the basis for a ubiquitous identifica- Americans: If you are a mushroom, into the basket you tion scheme, and such a scheme provides enormous must go. power over the populace. All human behavior would b) By using biometrics, government reduces the individ- become transparent to the State, and the scope for uals reasonable expectation of privacy: Just as function nonconformism and dissent would be muted to the creep implies that biometrics will gradually (and inno- point envisaged by the anti-utopian novelists. [30] cently) grow to be used by zealous, well-meaning bureau- There is at least one example from U.S. history where crats in numerous creative ways in multiple fora, function supposedly confidential records were used in ways likely creep will also enable the government to use the new never intended. In November 1941, almost two weeks technology of biometrics to reduce further over time the before the Japanese attack on Pearl Harbor, President F. citizenrys reasonable expectations of its privacy. D. Roosevelt ordered that a comprehensive list be made of Analogies can be drawn from previous cases where the the names and addresses of all foreign- and American-born government has used cutting-edge technology to intrude in 1486 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

8 an area where the private actor had manifested a subjective terms to over $40 billion a year in potential savings [14] expectation of privacy. For example, the Environmental if the fraud is prevented. Protection Agency (EPA), in an effort to investigate in- Biometrics can be used to help stop this fraud. B. dustrial pollution, used the finest precision aerial camera Rasor, a senior U.S. Secret Service official, commented that available mounted in an airplane flying in lawful airspace [b]iometrics would put a sudden and complete stop to as to take photographs of Dow Chemical Companys 2000- much as 80% of all fraud activity [14]. In Connecticut, acre Midland, MI, facilities [41]. Fearing that industrial which has embarked on a robust biometric identification competitors might try to steal its trade secrets, Dow took program for welfare recipients known as the Digital Imag- elaborate precautions at its facility to ensure privacy. De- ing System, the states Department of Social Services spite these precautions, the Supreme Court, in a 5-4 vote conservatively estimates that in the first year of operation (Dow Chemical Co. v. United States), found that Dow [1996], savings in the range of $5 512 994 to $9 406 396 had no reasonable, legitimate, and objective expectation of have been achieved [42]. privacy in the area photographed [42]. The dissent noted In these tight budgetary times when welfare programs that by basing its decision on the method of surveillance are being curtailed and resources are overextended, anyone used by the government, as opposed to the companys who is illegally receiving an entitlement payment is, at reasonable expectation of privacy, the court ensured that the bottom line, depriving an honest, needy person of privacy rights would be seriously at risk as technological his entitlement because there is simply less money to go advances become generally disseminated and available to around. society [42]. To the extent that critics have concerns about function Biometrics is the kind of technological advance that the creep, two points need to be made. First, as explained Dow dissenters warned about. Citizens no longer would above, the critical and key function-creep issue is con- have a reasonable expectation of privacy any time they trolling information systems, not controlling a nine-digit use a biometric identifier because the governments use number or an -byte numerical template used as a biometric of biometrics and computer matching would be merely identifier. Second, issues specifically related to biometrics utilizing commercially available technologies. can be best addressed within our present legal and policy While biometrics is an important technological achieve- framework. We do not need a new Law of Biometrics ment, its use should be kept in a law and policy perspective: paradigm; the old bottles will hold the new wine of bio- Big Brother concerns implicate far more than biometrics. metrics quite well. In this regard, legislative proposals, The underlying issue is not controlling biometrics but rather particularly at the federal level, should be considered and the challenge of how law and policy should control contem- studied, particularly if the threat of function creep is real. porary information systems. Computers and the matching These proposals could include: they perform permit various fragments of information about an indi- 1) a Code of Fair Information Practices (CFIP) specif- vidual to be combined and compiled to form a ically adapted to the use of biometrics. A CFIP much more complete profile. These profiles can be could emphasize that organizations holding biomet- collected, maintained, and disclosed to organizations ric identification information have responsibilities to with which the individual has no direct contact or protect such data and that individuals who provide to which the individual would prefer to prevent such biometric identification information have certain disclosure. [31] rights, including the right to prevent their biometric Biometrics should be viewed as an appendage to this identification information from being traded in a enormous challenge. secondary market; Critics also overlook the many legitimate reasons why the 2) an outright legal prohibition on any kind of transac- government needs to use biometric applications. Biometric tions in the secondary biometrics market. applications related to national security and prison man- agement are easy to grasp; all of us want solid guarantees 3) Cultural, Religious, and Philosophical Objections: that only the correct military personnel can access nuclear a) Cultural objectionsStigma and dignity: S. Davies missile silos and that ax murderers cannot slip out of prison of Privacy International notes that it is no accident that by masquerading as someone else. These same concerns biometric systems are being tried out most aggressively related to the use of false identity apply across the board; with welfare recipients; he contends that they are in for example, the government has a legitimate purpose in no position to resist the state-mandated intrusion [43]. preventing fraud in the programs it administers. Interestingly, in the General Accounting Office (GAO) Fraud is a significant issue in public-sector programs. A report on the use of biometrics to deter fraud in the persistent problem of state welfare entitlement programs nationwide Electronic Benefits Transfer program, the U.S. is fraud perpetrated by double dippersindividuals who Department of Treasury expressed concern over how finger illegally register more than once for benefits by using an imaging would impact on the dignity of the recipients alias or other false information about themselves. Many and called for more testing and study [13]. experts believe that fraud in entitlement programs like While stigma and dignity arguments tied to the less for- welfare can be as high as 10%, which translates in dollar tunate elements of society have a strong emotional appeal, WOODWARD: BIOMETRICS 1487

9 the available empirical data suggest that the majority of not use biometrics. When biometrics is used in the public entitlement recipients actually support the use of biometrics. sector, the use will be for legitimate purposes and will be For example, a recent survey of 2378 food stamp and overseen by democratic institutions. Aid to Families with Dependent Children recipients in San 4) Actual Physical Harm, Physical Invasiveness: To this Antonio, TX, who will be participating in a biometrics pilot authors knowledge, there are no documented cases of program, found that 90% think finger imaging is a good biometrics causing physical harm to a user. Anecdotally, idea and 88% think finger imaging will help make people some users of biometrics have complained that hand ge- more honest when applying for benefits [44]. Survey data ometry systems dry their hands, while military aviators in Connecticut suggest similar results [45]. participating in an experimental program voiced concern b) Religious objections: Several religious groups criti- that retinal scanning would damage their 20/20 vision with cize biometrics on the grounds that individuals are forced extended use over time. to sacrifice a part of themselves to a godless monolith in In terms of the physical invasiveness associated with the form of the state. For example, observing that the biometrics, retinal scanning requires close contact with the Bible says the time is going to come when you cannot biometric apparatus in the sense that the retina pattern is buy or sell except when a mark is placed on your head or captured from about three inches away from the eye. Finger forehead, fundamentalist Christian P. Robertson expresses imaging requires physical touching of the scanner, as does doubts about biometrics and notes how the technology is hand geometry. Iris recognition stands out as perhaps the proceeding according to Scripture [46]. And at least one most hygienic of the biometrics in that no part of the religious group has complained that the hand geometry users body has to touch anything to operate the system. devices used by California were making the mark of the Any liability resulting from actual physical harm caused beast on enrollees hands [14]. by biometric systems would be addressed by the individual Similar objections have also been made in the context of states tort liability regimes. Eventually, the judiciary will the governments mandated provision of SSNs. In Bowen have the opportunity to decide the admissibility of biometric v. Ray, a leading Supreme Court case dealing with this identification as scientific evidence using prevailing legal issue, a Native American objected to the provision of standards [49]. an SSN for his minor daughters application for welfare assistance as a violation of the familys religious beliefs. C. Biometrics as Privacys Friend: Support for Biometrics The court refused to sustain this challenge [47]. 1) Biometrics Protects Privacy by Safeguarding Identity As Bowen v. Ray demonstrates, the courts are experienced and Integrity: While critics of biometrics contend that in dealing with objections involving the states mandatory this new technology is privacys foe, the opposite, in provision of identifiers. The judiciary has an adequate fact, is true. Biometrics is a friend of privacy whether framework to deal with biometrics-related religious con- used in the private or public sectors. Biometrics proves cerns if they should arise in this context. itself as privacys friend when it is deployed as a security c) Philosophical objectionsBiometrics-based branding: safeguard to prevent fraud. Biometrics merits criticism on the grounds that a biometric To consider a specific example drawn from the finan- identifier is nothing more than biometrics-based branding cial services industry but applicable to almost any fraud- or high-tech tattooing. There is an understandably odious prevention scenario, criminals eagerly exploit weaknesses stigma associated with the forced branding and tattooing within the present access systems, which tend to be based of human beings, particularly since branding was used as on passwords and PINs, by clandestinely obtaining these a recognition system to denote property rights in human codes. They then surreptitiously access a legitimate cus- slaves in the eighteenth and nineteenth centuries and tattoo- tomers account. The honest client effectively loses control ing was used by the Nazis to identify concentration camp over his personal account information. His financial in- victims in this century. More than just the physical pain of tegrity is compromised and his finances are gone because a the brand or tattoo accounts for societys revulsion. Analo- criminal has gained unauthorized access to the information. gizing from these experiences, biometric identifiers are In effect, he has suffered an invasion of his privacy related merely a physically painless equivalent of a brand or tattoo to his financial integrity. With biometrics-based systems, that the state will impose on its citizens. While biometrics fraud, while never completely defeated, becomes more may lack the performance of a microchip monitor that difficult for the criminal element to perpetuate. Biometrics could be implanted in humans [48], the biometric identifier means less consumer fraud, which means greater protection will similarly serve the interests of the state. Biometrics of consumers financial integrity. is another example of the states using technology to Numerous examples exist of impostors masquerading reduce individuality. under a false identity to convince state actors that they are Comparisons of biometrics to brands and tattoos again someone other than who they really are. For example, James appeal to the emotions. Essentially, these arguments are the E. Young (Young 1) suffered financial losses as well as loss ultimate form of the Big Brother concerns outlined above. to his reputation when a person with the same first and last Slave owners and Nazis forced branding and tattooing on name (Young 2) was able to get Young 1s undergraduate victims who had absolutely no choice. In the private-sector transcript from his state university. This transcript contained realm, citizens are making voluntary choices to use or extensive personal information, including Young 1s SSN. 1488 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

10 Young 2 then used this information to establish charge acknowledge why knowing an individuals identity is nec- accounts, with which he purchased items billable to Young essary. As Section V explains, the use of biometrics might 1 [50]. In such a case, biometric applications would almost provide for even further individual privacy protections certainly help protect a citizens informational integrity by through a phenomenon known as biometric balkanization. making it more difficult for the criminal to obtain the infor- mation; Young 2s biometric would not match Young 1s. V. BIOMETRIC CENTRALIZATION VERSUS BIOMETRIC 2) Biometrics Used to Limit Access to Information: BALKANIZATION: WHICH PROTECTS PRIVACY BETTER? Biometrics becomes a staunch friend of privacy when It is important to address whether a specific biomet- the technology is used for access-control purposes, thereby ric technology will come to dominate biometric scanning restricting unauthorized personnel from gaining access to systems. In other words, will the biometric future fea- sensitive personal information. For example, biometrics ture biometric centralization, whereby one biometric would can be effectively used to limit access to a patients dominate multiple applications, or will we see biometric medical information stored on a computer database. balkanization, where multiple biometrics are used for mul- Instead of relying on easily compromised passwords and tiple applications? At present, finger imaging has an early PINs, a biometric identifier would be scanned in at lead in terms of industry presence and received an important the computer workstation to determine database access. seal of governmental approval when it was endorsed by the The same biometric systems can be used for almost GAO [13]. The popularity of finger imaging is explained any information database (including databases containing primarily by its accuracy, the fingerprints long acceptance biometric identifiers) to restrict or compartmentalize by the public, and the extensive competition in the finger- information based on the need to know principle. imaging market that is leading to rapidly decreasing user Biometrics also protects information privacy to the extent costs, among other factors. that it can be used, through the use of a biometric log- For example, with regard to public acceptance of finger on explained above, to keep a precise record of who imaging, a recent survey of 1000 adults revealed that 75% accesses what personal information within a computer of those polled would be comfortable having a finger image network. For example, individual tax records would be of themselves made available to the government or the much better protected if an IRS official had to use his private sector for identification purposes. This high accep- biometric identifier to access them, knowing that an audit tance is arguably underscored by the fact that over half of trail was kept detailing who accessed which records. Far those surveyed said that they had been fingerprinted at some less snooping by curious bureaucrats would result. point in their lives. Only 20% thought that fingerprinting 3) Biometrics as Privacy-Enhancing Technology: Beyond stigmatizes a person as a criminal [54]. Despite this early protecting privacy, biometrics can be seen as enhancing lead, however, it is not clear that finger imaging will emerge privacy. There are several newly developed biometric tech- as the biometric of choice. nologies that use the individuals physical characteristic to It is tempting to predict that finger imaging will dom- construct a digital code for the individual without storing inate or that another biometrics will come to monopo- the actual physical characteristics in a database [51][53]. lize the market because of its perceived advantages. This For example, using finger-image-based technology, a per- view, however, overlooks one of the great strengths of the sons fingerprint is used during enrollment to create a present biometrics market: it offers many robust technolo- PIN for the individual. This encoded PIN can only be gies, which allows maximum choice for users. A more decoded by a match with the appropriate finger pattern. likely outcome is that biometric balkanization will result: During verification, a computer search is done to ensure multiple biometrics will be deployed not only by various that the same PIN has not previously been entered into public- and private-sector actors but by the same actor the system, thereby eliminating the fraud risk. At the same depending on the specific mission. time, only the PIN, and not the actual fingerprint, is stored Arguably, biometric balkanization, like its Eastern Eu- in the database [53]. In this regard, the maker claims to ropean namesake, can take on a sinister spin. Individuals have created the first anonymous verification system using will be forced to give up various identifying pieces fingerprint patterns and light waves to protect privacy [53]. of themselves to countless governmental and corporate The applications of this type of anonymous verification bureaucracies. In an Orwellian twist, the retina, the iris, system are extensive. Most notably, such a biometrics- the fingerprints, the voice, the signature, the hand, the vein, based system would seem to provide a ready commercial the tongue, and presumably even body odor will all be encryption capability. Moreover, rather than technological extracted by the state and stored in databases. advances eroding privacy expectationsas we saw, for Yet, biometric balkanization offers at least two key ad- example, with the EPAs use of a special aerial camera vantages for the protection of privacy. First, it offers over Dowbiometrics, as used to create an anonymous maximum flexibility to the private or public actor that will encryption system, would provide for privacy enhancement. use the technology. The actor can tailor a specific biometric Many of the criticisms of biometrics discussed above are program to meets its own unique mission within its resource either off the markin that they really should be aimed constraints. Depending on the situation and the degree of at contemporary information systems, which are the result accuracy in identification required, the optimal biometric of economic, political and technological changeor fail to for that use can be selected. For example, the best biometric WOODWARD: BIOMETRICS 1489

11 Table 1 Selected Listing of Biometrics Applications Used by U.S. and State Government Agencies U.S. Department of Justice U.S. Immigration and Naturalization Service Border Patrol evaluating facial imaging, voice verification, hand geometry, and finger imaging technologies. The INSPASS system uses hand geometry for automation of frequent flyers at a number of U.S. airports. The IDENT system uses finger technology to secure the southwest border of the United States. Drug Enforcement Administration Hand geometry for access control. Federal Bureau of Investigation Finger imaging for IAFIS. IAFIS would replace the present paper-and-ink-based system with electronic finger images. National Crime Information Center 2000 will use various biometric technologies. National Institute of Justice Evaluating finger imaging and voice verification for smart gun technology. A smart gun incorporates, for example, biometric technology into the operating system of a firearm to restrict the firing of the weapon to authorized users. California Department of Justice, SINS (Statewide Finger imaging to secure access to sensitive information about narcotics. Integrated Narcotics System) U.S. Department of Commerce Hand geometry to secure access to the departments Office of Computer Services. U.S. Department of DefenseVarious Components Voice verification, hand geometry, and finger imaging for access control. Much of the departments biometric work is classified; numerous technologies are being evaluated. U.S. Department of Energy Hand geometry in conjunction with smart cards for access control. Finger imaging for access control. Much of the departments biometric work is classified; numerous technologies are being evaluated. Department of Motor Vehicles at the state level Various states, including California, Colorado, Florida, New Jersey, and Texas, are considering finger imaging for drivers licenses. Entitlement programs A number of states, such as California, Connecticut, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Texas, are using finger imaging to prevent welfare fraud. Hand geometry, retinal scanning, and signature dynamics are being evaluated by other states. Federal Aviation Administration Evaluating various biometric technologies for airport security applications. Federal Bureau of Prisons Various biometric technologies, including hand geometry and finger imaging, are securing access and verifying identity of prisoners, staff, and visitors across the United States. Other prisons Retinal scanning, iris recognition, finger imaging and hand geometry for securing access and verifying identity of prisoners, staff, and visitors across the United States. U.S. Department of State Evaluating various biometric technologies to aid in visa and passport processing. U.S. Department of Treasury Internal Revenue Service Evaluating signature dynamics for the electronic signing-off of income tax returns. U.S. Secret Service Evaluating hand geometry. Bureau of Printing and Engraving Evaluating various biometric technologies to aid in currency control. Sources used include: Biometric Digest, Biometric Technology Today, Security Technology & Design, The Washington Post, and Wired. Reprinted from John D. Woodward, Biometric Scanning, Law and Policy: Identifying the ConcernsDrafting the Biometrics Blueprint, University of Pittsburgh Law Review, Fall 1997. used to verify access to a government entitlements program Government agencies basically want dependable, workable might differ from the best biometric used by a university to biometrics to achieve their primary purposeverifying ferret out undergraduate examination fraud, which in turn or identifying an individual. The individual essentially might differ from the best biometric needed in a prison wants the same thing, plus protection of private infor- environment, where hostile users will go to extreme lengths mation. If different technologies are used for different to foil identification efforts. Similarly, voice verification situations, citizens will not face the necessity of reporting might be ideal for determining account access over the to the governments biometric central for enrollment. telephone, while signature dynamics might be better suited By allowing the agencies maximum choice of biometrics for monitoring tax returns. technologies, the individual gains greater protection for Second, biometric balkanization might actually mean a private information. synergy of the actors interest and the individuals concerns. Biometric balkanization could also lead to the safe- Consider, for example, the public-sector use of biometrics. guard of biometric compartmentalization, which would be 1490 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

12 Table 2 A Selected Listing of Biometrics Applications Presently Used by the Private Sector Sources: Biometric Digest, Biometric Technology Today, Security Technology & Design, The Washington Post, and Wired. achieved through the use of different biometric identifiers. the American approach to privacy matters has tended to For example, an iris pattern used for ATM access would be be ad hoc and piecemeal; for example, federal law forbids of little use to the Connecticut Department of Social Ser- the disclosure of video records by a private actor, but the vices, which uses finger imaging, just as a hand geometry state can sell motor vehicle information from drivers to data pattern captured at Disney World would be of little value merchants. While the question of whether America needs a to Orlando police investigating a crime scene unless hand comprehensive approach to privacy concerns is beyond the geometry systems played a role in crime-scene access. scope of this paper, the legal and policy challenges posed From the privacy-enhancement perspective, biometric by biometrics are not so novel and extraordinary that they balkanization is the equivalent of being issued multiple cannot be dealt with under existing processes. identification numbers or PINs or passwords, with the Before succumbing to the criticisms of biometrics as important difference that biometrics-based systems provide privacys foe, the countercase needs to be made: biometrics better security and greater convenience. is privacys friend. Critics of biometrics are too quick to kill On balance, however, the greater threat likely will arise the biometric identifier when it is really the information not from the use of advanced monitoring technology but society and the technical underpinning of computer match- rather from sloppiness in database management. The po- ing that should be the focus of their concern. To the extent tential for a breach in database security increases greatly that biometrics raises important legal and policy issues, the as shortcuts are taken, budgets are slashed, trained per- existing institutional framework can address these concerns. sonnel are few, and leaders do not draft and implement Biometrics protects information integrity in both the a biometrics blueprint or plan to safeguard biometric iden- private- and public-sector context. By restricting access to tification information for which they are responsible. For personal information, biometrics provides effective privacy these reasons, the Supreme Courts warning in Whalen v. protection. Biometric balkanization further safeguards pri- Roe (discussed above) rings true for biometrics. vacy by allowing maximum choice for the organization VI. CONCLUSION using biometrics, which also makes biometric compartmen- talization viable. Biometrics is a new technology that is being deployed in We are eyeball to eyeball with a new technological reality a variety of creative public- and private-sector applications. that promises greater security and efficiency for both its As biometrics gains in popularity and grows in uses, public- and private-sector users. Now is not the time to the law, or at least a modern-day equivalent of Judge blink. Hand, will likely take notice. As this paper has suggested, while biometrics is a new technology, it does not require APPENDIX I a striking new legal vision to regulate it. Rather, the See Table 1. situation is more akin to new wine in old bottles in that existing legal doctrines can deal with the challenges that APPENDIX II biometrics present. The situation is compounded in that See Table 2. WOODWARD: BIOMETRICS 1491

13 ACKNOWLEDGMENT [29] Interview with F. P. Nasrallah and A. S. DiDio, Washington, D.C., Apr. 4, 1996. The author wishes to acknowledge the assistance of I. S. [30] R. Clarke, Human identification in information systems: Man- Nathenson, editor-in-chief of University of Pittsburgh Law agement challenges and public policy issues, Info. Technol. Review, and Dr. W. Shen, guest editor of this special issue. People, Dec. 1994. [31] P. Mell, Seeking shade in a land of perpetual sunlight: Privacy He wishes to thank Dr. A. S. DiDio, M.D., Adjunct Prof. as property in the electronic wilderness, Berkeley Technol. Law I. K. Fong, Prof. S. Goldberg, Adjunct Prof. J. Massey, J., vol. 11, p. 1, 1997. [32] J. Hall, For new ATM, the eyes have it, Trenton Times, Sept. Prof. J. R. OSullivan, and S. Cassin Woodward for their 19, 1995. helpful comments on earlier versions of this paper. He also [33] M. Barthel, Banks eyeball sci-fi style identification for thanks Dr. J. Campbell, Jr. and L. Alyea, chair and vice ATMs, American Banker, Sept. 22, 1995. [34] FutureBanking, American Banker, Oct. 21, 1996. chair of the Biometric Consortium, respectively, D. Harper [35] U.S. Dept. Health, Education and Welfare, Records, Computers of the National Computer Security Association, B. Miller, and the Rights of Citizens: Report of the Secretarys Advisory chairman of CardTech/SecurTech, and W. Rogers, editor of Committee on Automated Personal Data Systems. Cambridge, MA: MIT Press, 1973, pp. 114122. Biometric Digest, for inviting him to speak at conferences [36] J. Toland, Infamy: Pearl Harbor and Its Aftermath. New York: hosted by their organizations; he benefited greatly from the Anchor, 1992, p. 32. [37] Korematsu v. United States, 323 U.S. 214 (1944). participants many insightful comments. [38] Olmstead v. United States, 277 U.S. 439, 479 (1927). [39] Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993). [40] J. J. Miller and S. Moore, A national ID system: Big Brothers REFERENCES solution to illegal immigration, Policy Anal., Sept. 7, 1995. [1] W. J. Clinton, commencement address at Morgan State Univer- [41] Dow Chemical Co. v. United States, 476 U.S. 227 (1985) sity, Baltimore, MD, May 18, 1997. [citations omitted]. See also United States v. Knotts, 460 U.S. [2] R. Chandrasekaran, Brave new whorl: ID systems using the 276 (1983). human body are here, but privacy issues persist, Washington [42] D. Mintie, Report from Connecticut, Biometrics in Human Post, Mar. 30, 1997. Services User Group Newsletter, Mar. 1997. [3] A. Davis, The body as password, Wired, July 1997. [43] Foolproof identification methods create privacy worries, Na- [4] F. James, Body scans could make ID process truly personal, tional Public Radio broadcast, segment no. 2360, Oct. 8, 1996. Chicago Tribune, June 4, 1997. [44] C. Edwards, Reports from the states: The lone star imaging [5] T. J. Hooper, 60 F.2d 737 (2d Cir.) cert. denied, 287 U.S. 662 system, Biometrics in Human Services User Group Newsletter, (1932) (Hand, J.). May 1997. [6] B. Miller, Everything you need to know about automated [45] D. Mintie, The Connecticut DSS biometric project and EBT biometric identification, Security Technol. Design, Apr. 1997. card: Implementation issues, in Proc. CTST96 Government [7] B. Carter, Biometric technologies, what they are and how they Conf., Arlington, VA, 1996. work, in Proc. CTST97, Orlando, FL, 1997. [46] Biometrics: Chipping away your rights? The 700 Club Fact [8] D. R. Richards, Rules of thumb for biometric systems, Sheet, VA, Oct. 9, 1995. Security Manage., Oct. 1, 1995. [47] Bowen v. Ray, 476 U.S. 693 (1986). [9] K. McManus, At banks of future, an eye for an ID, The [48] R. E. Smith, The true terror is in the card, The New York Washington Post, May 6, 1996. Times Magazine, Sept. 8, 1996. [10] G. Roethenbaugh, Biometrics: A global perspective, in Proc. [49] Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993). BiometriCon97 Conf., Arlington, VA, 1997. [50] State ex rel. Beacon Journal Publishing Co. v. Akron, 70 Ohio [11] J. Ritter, Eye scans help sheriff keep suspects in sight, Sr. 3d 605 (1994). Chicago Sun-Times, June 22, 1995. [51] Test center comparison, Infoworld, June 16, 1997. [12] R. J. Hays, INSPASS: INS Passenger Accelerated Service Sys- [52] Privacy and data security targets of Mytecs commercialization tem. (Jan. 4, 1996.) Available: http://www.vitro.bloomington. strategy, PR Newswire, June 20, 1997. in.us:8080/ bc/REPORTS/INSPASS.html. [53] A. Cavoukian, Go beyond securityBuild in privacy: [13] General Accounting Office, Electronic benefits transfer: Use One does not equal the other. (May 1996.) Available: of biometrics to deter fraud in the nationwide EBT program, http://www.microstar-usa.com/tech support/faq/privacy.html. Sept. 1995. [54] People patterns: Fingerprints? No problem, The Wall Street [14] D. Milbank, Measuring and cataloguing body parts may help Journal, Jan. 31, 1997. weed out welfare cheats, The Wall Street Journal, Dec. 4, 1995. [15] The Truck and Bus Safety and Regulatory Reform Act of 1988, codified at 49 U.S.C.A. Section 31309(d)(2). [16] J. Wayman, presented at the Biometric Consortium 9, Arlington, VA, Apr. 8, 1997. [17] C. Fried, An Anatomy of Values. Cambridge, MA: Harvard John D. Woodward received the B.S. degree in Univ. Press, 1970, p. 140. economics from the Wharton School, University [18] R. B. Parker, A definition of privacy, Rutgers University Law of Pennsylvania, Philadelphia, in 1981 and the Review, vol. 27, p. 275, 1974. M.S. degree in economics from the London [19] T. Gerety, Redefining privacy, Harvard Civil Rights-Civil School of Economics, University of London, Liberties Law Review, vol. 12, p. 233, 1977. U.K., in 1983, where he was a Thouron Scholar. [20] United States v. Westinghouse Elec. Corp., 638 F. 2d 570 (3rd He currently is a candidate for the J.D. degree Cir. 1980). from Georgetown University Law Center, Wash- [21] Whalen v. Roe, 429 U.S. 589 (1977). [22] Smith v. Maryland, 442 U.S. 735 (1979) [citations omitted]. ington, D.C. [23] United States v. Miller, 425 U.S. 435 (1976) [citations omitted]. From 1985 to 1997, he served as an Opera- [24] S. G. Davies, Touching big brother: How biometric technology tions Officer in the Directorate of Operations of will fuse flesh and machine, Info. Technol. People, 1994. the Central Intelligence Agency, including assignments in East Asia and [25] H. Chen, Medical Genetics Handbook. St. Louis, MO: W. H. Africa. He writes and lectures regularly on the law and policy concerns of Green, p. 221226. biometrics. His articles dealing with biometrics have appeared in Amer- [26] M. Skoler, Finger and palm prints: A window on your health, ican Banker, Biometric Technology Today, BiometriCon97 Proceedings, Glamour, pp. 248250, Apr. 1984. CardTech/SecurTech96 (Government) and 97 Proceedings, Legal Times [27] Gastroenterology: Fingerprinting GI disease, Johns Hopkins (Washington, D.C.), and University of Pittsburgh Law Review. He also Physician Update, p. 5, Apr. 1996. has published articles on other topics in Asia Manager, Far Eastern [28] B. Bates, A Guide to Physical Examination and History Taking, Economic Review, and Money Laundering Law Report, among others. He 5th ed. Philadelphia, PA: Lippincott, 1991, pp. 181215. was Executive Editor of Law & Policy in International Business. 1492 PROCEEDINGS OF THE IEEE, VOL. 85, NO. 9, SEPTEMBER 1997

Load More