First it was passwords, then two factor authentication that promised to be the ultimate form of data protection. Then came fingerprint scanners as the new and improved security mechanism. And now comes word that iris scans will become the standard form of protecting smartphones from prying eyes. Or spying eyes.
Like the latest version of new and improved laundry soap, each iteration of newfangled security technology has come with the promise of better security. For our data, our finances and our future.
We have been promised that the reward for offering up pieces of ourselves will include greater data security and better data protection. But while the production and implementation costs of biometric systems have been dropping and reliability has improved, the promise has not yet been fulfilled. As we see almost daily, many of the most well-funded, technically competent public and private organizations are vulnerable. Even governments and the NSA haven’t been able to avoid being hacked.
Why? Perhaps it’s because the imperfect systems are created by imperfect people.
Indeed, iris, facial, and fingerprint recognition are among the biometric security systems that have already been proven to be imperfect — sometimes using remarkably low technology such as Gummy Bear candies. Even something as variable as our own unique handwriting can be recreated by computers, eliminating the security of our penmanship.
And because more information in a database — and more sensitive information, such as biometrics — increases the likelihood that the data will have greater marketability, biometrics repositories are very attractive targets indeed.
We also have to consider that in many countries, discrimination based on disability is illegal. Employers have a duty to accommodate and cannot refuse to hire someone based on their disability. In other words, if an employee loses their eyes and the company implements iris scanning for security, it can’t simply dismiss the employee. The company has a duty to accommodate and could be compelled to provide a way for the person to use the security system without having to provide an iris scan. That means high-tech biometric security systems must have an override — a built-in backdoor that could be used to defeat the entire system and make an entire enterprise vulnerable.
From a privacy perspective, biometrics make it easier to safeguard information than having to type in pesky passwords, and they can make it more difficult for someone else to use your device. But they also make it almost impossible to refute allegations of impropriety. So while it’s relatively easy to argue that account activity was carried out by someone else if your password has been compromised, it’s much more difficult to substantiate a claim that your biometrics aren’t your own. Worse yet, passwords can be changed, but biometrics cannot.
Biometric challenges already follow us to the grave. It is now possible to create fake fingerprints and to recreate the fingerprints of a dead person to be able to unlock their phone, but it will be much more difficult to recreate an iris scan. That will ensure ongoing protection of the information within a device; but it will also frustrate any attempt by family or police who might want to gain access to a dead person’s smartphone, whether to retrieve family photos or for investigative purposes.
So what recourse will we have if — or, more likely, when — biometric databases or iris scans are compromised? As Tom Cruise’s character forewarned us in Steven Spielberg’s 2002 science fiction thriller Minority Report, changing eyes won’t be very easy.
The easier route will be to balance the value of biometrics against the significant risk that relying on them poses to privacy, data compromise, identity theft and, like Tom Cruise’s character, false arrest and conviction.
So while biometrics offer great promise, the risk just might be greater than the reward.