By Jane Black
For 40 years, Alan Westin has been at the forefront of the debate about a person's right to privacy. He has conducted 15 national public-opinion surveys on the subject and written privacy policies for IBM (IBM), American Express (AXP), AT&T (T) and other blue-chip companies. Today, Westin is most concerned about biometrics -- the use of digital fingerprints, iris and retinal scans, hand geometry, or facial characteristics to identify individuals or verify that they are who they say they are.
According to a Nov. 5 draft of Westin's latest survey for the National Consortium of Justice & Information Statistics, 82% of Americans think it's likely that every adult will have at least one biometric ID on file before decade's end. And while 56% of Americans feel that the correct identification of people outweighs concerns about providing key information, 9 in 10 think it's important to design safeguards against potential misuses of biometric IDs.
So what's happening on the policy front? Sadly, nothing. No new laws are on the books to regulate the storing and selling of biometric information. This, despite the rollout of biometric systems across the country by law enforcement and businesses. Already, more than 40 airports are using electronic fingerprint-scanning technology from Minnetonka (Minn.)-based Identix (IDNX) to do background checks on airport workers and to create badges that, when read by an electronic device, allow access to restricted areas.
"HARMLESS AT THE START." Since last spring, Texas shoppers at several Kroger (KR) supermarkets can pay for their purchases simply by pressing their finger on a biometric scanner. In June, Thriftway shoppers in some stores in Seattle also gained this ability (see BW Online, 7/2/02, "A Growing Body of Biometric Tech").
That has privacy advocates worried. "Most of these applications seem harmless at the start, but then there are new applications. Soon you have full-force Big Brother watching over you," says Chris Hoofnagle, legal counsel of the Electronic Privacy Information Center, a Washington (D.C.) privacy-advocacy group.
Big Brother can be avoided by heeding Americans' call to put sensible rules in place. Memo to the new Republican Congress: It's time to pass a biometrics bill that gives each American the right to control the creation and use of fingerprints, handprints, and eye scans. After all, biometric data is more personal than Social Security numbers or the most sensitive financial data because it represents a digitized version of your physical identity.
A federal bill should focus on scope, access, storage, and segregation of data, or as I like to call it, SASS. Here's my version of a Biometric Bill of Rights.
Scope: Biometric IDs should be used only in ways known to and approved by the individual. For example, if your employer wants your handprint to authorize building entrance and exit, it should be used only for that explicit purpose -- not to match up to your time card. Any expansion would require full disclosure of new uses -- and provide an opt-out clause for any that you disagree with.
Access: Who has access to your data is as important as how it's used. Biometric codes should not be shared with other organizations -- marketers, insurance companies, even law enforcement unless there's probable cause for suspicion. This must be explicit. After the September 11 terrorist attacks on the World Trade Center and the Pentagon, a number of companies called the FBI to offer data they thought might be useful in tracking down the culprits. There were no court orders, no subpoenas.
Storage: Biometric information shouldn't be stored any longer than necessary. So if you quit the gym, get a new job, or switch health plans, any biometric data these outfits had about you should be destroyed or discarded. The same goes for any company that files for Chapter 11. Just as now-defunct online vendor eToys was prohibited from selling its 3 million customers' personal data in 2001, any company that goes out of business should be prohibited from selling biometric data without explicit consent of the people whose data are on record. Individuals should also have the right to "unenroll" from a database at any time.
Segregation: Biometric data should always be stored separately from personally identifiable information such as your name and address, or medical and financial data. That way, if the wrong people gain access to the database, they have your fingerprint, but they don't know it belongs to you. According to Westin's study, more than 80% of those surveyed said it was very or somewhat important that organizations separate biometric identifiers and prohibit companies from tracking people based on biometric information.
Will Congress pluck up enough courage to pass such an important bill? As a general rule, Republicans favor high-tech security and privacy rights. But they also advocate a hands-off approach to privacy regulation. "The twin engines of consumer acceptance and rejection will tell us what's right, not the Republicans," Wayne Cruz, director of technology studies at the Cato Institute, told an audience at a Nov. 5 biometrics conference in New York. "As these technologies come into wider use, the market will decide what's appropriate."
Perhaps. But by the time these technologies are in "wider use," it will be too late to retrofit regulations. Alan Westin's new survey shows that the market -- the American people -- has already spoken. The new Congress should listen.
Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column.