The Problem with Biometrics

Biometrics is a really cool technology: You're your own authentication device. Your voiceprints, thumbprints, or retinal scan uniquely identify you for access to controlled areas. The readers are even smart enough to check finger and retina readings for your pulse. (There are also iris scans, handwriting, signature geometry, typing patterns, hand geometry, and others.)

Security experts get the warm-fuzzies from "what you are" (e.g., biometrics) being used for access authentication along with "what you know" (password) and "what you have" (cardkeys). See my security article, http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking_p.html

So, biometrics is a good thing, it would seem. But there are some small problems, and there is also one huge honking problem.

The small problems are generally a small incidence of false negatives (when the system won't allow legit access). The system can be adjusted to err either on the side of that or false positives. Not a big problem.

The huge honking problem comes from the way electronic records of your biometrics must (necessarily) be handled: You do an electronic thumbprint for Mr. Security Guy, who (let's say) works for Sonitrol. Mr. Guy stores data on aspects of your thumbprint in a data file. Later, the door-lock device measures your thumbprint, and lets you in if it matches the thumbprint on file. Later, management can see exactly who has entered and who hasn't (ignoring people who had doors held open for them), at what times.

That's the theory, anyway. But let's suppose Mr. Guy has a hobby: He collects thumbprint data files and misuses them in creative ways.

Next Friday night, there's a burglary from our labs, and the thumbprint records say you entered there at 4 AM. You know you were home asleep. But let's say you have an honest face, and avoid getting fired.

Sunday night, Tyan down the street has a similar burglary. Their outer door was crowbarred open, but their biometrics records -- maintained by Sonitrol, oddly enough -- seem to indicate a visit by you, at 10 PM. Fremont police think you've started a second, nighttime career. In fact, there are high-tech burglaries all over Warm Springs that evening: Police figure you're not too bright, and tried your thumbprint at each location before resorting to your crowbar. Maybe your honest face gets you off; maybe not.

Next month, possibly after posting bail, you notice a new newsgroup: alt.crackers.biometrics. In it, you notice that HAXORD00D has posted what seems to be MIME BASE64-encoded biometric data from what is said to be your thumbprint. In short, your "thumbprint" (or rather, the electronic record of it) has been stolen. You can't get it back.

Wait, you think, you can always revoke authentication keys, right? I mean, if you lose your cardkey, you 'fess up to Rob Walker, he disables recognition of your lost card, and he gives you a new one. If your RSA or PGP private key gets stolen, you can revoke it electronically.

But this is your _thumb_. You can revoke that biometric "signature" exactly twice, but it's painful, and your chopstick-handling will never be the same. (Amputation, I mean.)

If and when your biometric impression gets stolen -- which might happen elsewhere, and merely _affect_ you here -- you're totally out of luck. And you won't necessarily even know it's happened -- except by observing yourself getting fired and/or arrested when Mr. Guy and co. need a suspect.

So, management only _thinks_ biometrics is a good idea and absolutely records who's entered where and when. Because it does not do that, but management _thinks_ it does, it is a positive menace to the interests of the people being identified (as above).

Unfortunately, management is tending these days not to realise the above until long after it's spent money on biometrics -- even though cardkeys would be better and are cheaper.
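
The difference between revoking a cardkey and "revoking" a thumb, worked through as a small model. This is an added illustration, not part of the original essay: the 64-bit thumb values are constructed, matching is simplified to Hamming distance under a threshold, and the Door class and every name in it are hypothetical.

```python
# Constructed 64-bit feature vectors standing in for two different thumbs.
YOUR_THUMB = 0x00FF00FF00FF00FF
STRANGER_THUMB = 0x0F0F0F0F0F0F0F0F

def scan(thumb, noisy_bits):
    """One sensor reading: the true features with a few bits flipped by noise."""
    for bit in noisy_bits:
        thumb ^= 1 << bit
    return thumb

def distance(a, b):
    """Hamming distance between two readings."""
    return bin(a ^ b).count("1")

class Door:
    """Hypothetical door controller holding templates and card ids on file."""
    def __init__(self, threshold):
        self.threshold = threshold   # max distance still counted as a match
        self.templates = {}          # user -> enrolled template
        self.cards = {}              # user -> the one card id currently valid
        self.log = []                # what management later reads

    def thumb(self, presented):
        for user, template in self.templates.items():
            if distance(presented, template) <= self.threshold:
                self.log.append(user)    # records a match, not a person
                return user
        return None

    def card(self, card_id):
        for user, valid in self.cards.items():
            if card_id == valid:
                self.log.append(user)
                return user
        return None

def run():
    door = Door(threshold=8)
    door.templates["you"] = on_file = scan(YOUR_THUMB, [3, 17])   # enrolment
    door.cards["you"] = "card-0001"
    live = scan(YOUR_THUMB, [5, 17, 40, 41, 42])                  # you, next morning
    out = {"live": door.thumb(live),
           "stranger": door.thumb(scan(STRANGER_THUMB, [])),
           "copied_file": door.thumb(on_file)}                    # data file, no thumb
    door.threshold = 2                                            # stricter setting
    out["live_strict"] = door.thumb(live)                         # false negative
    door.threshold = 8
    # "Revocation": the card gets a new id; the thumb can only be scanned again.
    door.cards["you"] = "card-0002"
    door.templates["you"] = scan(YOUR_THUMB, [9, 50])
    out["old_card"] = door.card("card-0001")
    out["copied_file_after"] = door.thumb(on_file)
    out["log"] = list(door.log)
    return out
```

All three log entries read "you", although only the first came from a thumb; the old card stops working after reissue, while the copied data file still matches the fresh enrolment.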