Centre for Internet & Society

The note below is a perspective piece on biometrics. On March 11th I traveled down to the Philippines, and had a chance to experience the possible convenience of biometric based identification.

A Sequence of Events 

On the evening of March 11th I found myself on a plane destined to the Philippines for a week long joint privacy and ICT development conference in Bohol. After a 14 hour journey I landed in Manila, and was welcomed by the hot tropical weather, so familiar to the Philippines. Hungry I quickly dropped my checked bag at the hotel, and taking my backpack, set out immediately to explore Filipino food culture. Over a dinner of rice and grilled chicken, the standard local cuisine every tourists nightmare came true for me. I was robbed. While eating a group of men made a commotion around me and snatched my bag. Much to my distress the thief was able to get away with not only money and my camera, but my entire wallet consisting of my passport, Indian visa, Canadian visa, health card, FRO paper, and debit cards. In a nutshell – the wallet had every document essential and of value to my life. Little does the thief know, but his one snatching act has made me reconsider many aspects of my life, including my position on biometric forms of identification.

For the past several months I have been researching biometric forms of identification in response to the UID scheme that is being proposed in India. My stance on biometrics in my research has always been neutral – trying to draw out both the pro’s and the con’s of using biometrics. Personally though, I had always swayed away from the idea of my biometric being the strongest form of identification. The possibility that my daily motions could be easily tracked through the constant use of my finger print for transactions never settled well with me. Potential convergence of databases, unreliable technology, the possibility of stolen fingerprints, no choice to use other forms of identification have all been concerns that swayed me to the less optimistic side of the debate. But after jumping over hurdle after hurdle that came along with trying to replace the lost paper documents, and sweating at night thinking of all the possible ways the thief could exploit my papers, I am more privy to the idea of biometrics as a strong form of identification. 

The process of recovering my documents started off with a police report and the cancelling of my cards. The second task was not as easy as I had hoped, as I had not brought photocopies of my cards. Thus, it took me three hours to actually cancel my cards. Throughout the whole process I kept thinking that if my account was only accessible through my fingerprint – I would not have to worry about closing the accounts. Or if I could have identified, verified, and cancelled my account with the use of a cell phone equipped with a fingerprint reader, I would not have had the stress of rushing around trying to find adequate information to cancel my bank account.

The next step in the process started early Monday morning when I set out to the American Embassy. Luckily the hotel had taken a copy of my American passport (I did not have a photocopy of this either). With the copy of the passport, police report, and my social security number – the American embassy was able to pull up my information, and issue me an emergency passport that would be valid for three months. If I had not had a copy of my passport – the process of getting an emergency passport I can only imagine would have been even more challenging. As I sat for hours in the embassy my mind wandered to the thief and the known market for American passports.  I could not help but think about how much more secure my passport would be if verification was based on my fingerprints accompanied by a passport, rather than just my passport and a picture.  Speaking with the embassy officer confirmed my thoughts. He talked about how fake American passports are becoming harder and harder to use now that the biometric has been introduced. In this situation the biometric would be a form of convenience and security – a way of lowering the risks of my stolen passport from being misused and my identity from being taken advantage of. 

On Tuesday morning I took on the challenge of the Indian embassy. I officially came to India  8 months ago on an employment visa. When I explained my situation to the embassy I hit my first road block of the day. By rule, all matters relating to employment visa’s must be handled by and at the place of issuance. Country databases do not talk between eachother – thus the Indian embassy in the Philippines could not contact the Indian embassy in the States or in India to verify my information.  Therefore, for my employment visa to be replaced I would need to return to New York and speak with the embassy there. This was not an option. Speaking again with the officer, he finally suggested a tourist visa. Typically tourist visa’s are not issued on 3 months passports (my emergency passport was only three months), but the officer made an exception and agreed to issue a tourist visa. When I went to pay for my tourist visa I hit my second road block of the day. I was lucky and had kept one credit card in another bag, but as it turns out, the Indian embassy only accepted cash. The day was almost over and I needed to pay for my application for it to be processed. The officer had already made an additional exception, and had agreed to process my visa in three days (when my return flight to India was scheduled) rather than the typical six working days. Trying to think on my feet I sped to the nearest mall and tried to take money out of an ATM. No luck. I tried to get cash back on a grocery store purchase. No luck. I tried to western union myself money from my VISA. No luck. Finally I was able to get through to a friend of my boss who could loan me the cash, but not until the next morning. So, I rushed back to the embassy and begged with the officer to process my visa in two days rather than one. Thankfully he agreed.  Riding the local metro back to my hotel I thought again about how convenient it would have been to have my credit accessible through my fingerprint, and not have to rely on a card.

Biometric is a convenience: 

This experience, and the many hurdles that I needed to jump in order to replace my lost papers made me realize that one side of the biometric debate that is often glazed over with talk of security and privacy, is that of convenience. It would have been incredibly convenient if on my initial visit to the American Embassy they had been able to pull up my entire file, re-issue me my lost passport and visas, and accepted payment through credit accessed through my fingerprint and a pin. Though I am still aware of the risks associated with biometrics as a form of identity, this experience has shown me the positive side and convenience of having a biometric identification rather than paper forms of identification.

Perhaps there is a privacy happy medium:

This experience has shown me that the use of  biometric technology has many benefits. I do not think it is too far a leap to say that biometrics can be convenient and privacy enhancing. For instance, based off of research done by the Canadian Government on biometrics, there are many pivotal areas of biometrics which determine whether they are used in a way that enhances privacy or used in a way which invades privacy such as:

  • Distinguish between authentication and identification:

Identification involves a comparison of one biometric against all collected biometrics in one central database.  Authentication involves a comparison of a live biometric against a stored template. Thus , the central database should not be accessed for both authentication and identification processes . Placing a biometric on a smart card puts the control of access for authentication in the hands of the data subject [1].

  • Encryption

A biometric should be encrypted whenever it is used. A biometric should be encrypted to this degree that it is not possible to reconstruct the biometric data. After an encrypted version of the biometric is made, the original biometric should be deleted [2].

  • No unique identification

A fingerprint scan should not, and cannot be used alone to identify an individual [3].

  • Access control

Strict control on access regarding third parties should be enforced. To bolster this point, a warrant or court order should be required for access by external agencies.

  • Transactional information stored separately

Transactional information about a person should be stored separately from personal identifiers such as name or date of birth [4].

  • Procedural safeguards given legality

All procedural and technical safeguards that are established should be placed in a legislation to give them the force of the law.

Biometrics in India

Though there is no way to make a biometric perfectly safe, these standards, if enforced, I believe work to ensure that a biometric is as secure as possible. In India biometrics has become a controversial topic as the country is currently considering/has begun to implement the UID – an identity scheme based off of biometrics. Concerns with the project include the centralized storage of biometric information, the possibility of tracking individuals through the use of their biometric, and  the unreliability of the technology. For example in an article found in Money Life, test results from the UID project showed the possibility of up to 15,000 false positives for every Indian resident [5]. Biometrics have been used in India even before the  UID scheme. In 2009 schools proposed to use biometrics as a way of marking attendance for both the students and the teachers in order to decrease the dropout rate and insure that teachers are present in school [6] . Also in 2009 fishermen in the coastal village of Awas were issued the biometric based multi-purpose National Identity Card [7]. The MNIC scheme was later dropped. Clearly India is in a position  where she must think about the convenience of biometrics weighed against the privacy risks, and determine how biometric use in India should be secured in order to find a balance between the two. 

Bibliography

  1. Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10
  2.  Cavoukian, Dr. Ann. Privacy and Biometrics. Information and Privacy Commissioner Ontario, Canada. Pg. 4
  3. Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.10
  4. Office of the Privacy Commissioner of Canada. Data At Your Fingertips: Biometrics and the Challenges to Privacy. Pg.9
  5. http://www.moneylife.in/article/how-uidai-goofed-up-pilot-test-results-to-press-forward-with-uid-    scheme/14863.html
  6. http://articles.timesofindia.indiatimes.com/2009-02-25/mumba
  7. http://28038452_1_smart-cards-biometric-coastal-villages

 

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.