NOVEMBER 7, 2002
PRIVACY MATTERS
By Jane Black

Toward a Biometrics Bill of Rights

Though this security technology is exploding, no laws exist to protect the privacy of individuals. Here's what Congress should do

According to a Nov. 5 draft of Westin's latest survey for the National Consortium of Justice & Information Statistics, 82% of Americans think it's likely that every adult will have at least one biometric ID on file before decade's end. And while 56% of Americans feel that the correct identification of people outweighs concerns about providing key information, 9 in 10 think it's important to design safeguards against potential misuses of biometric IDs.

So what's happening on the policy front? Sadly, nothing. No new laws are on the books to regulate the storing and selling of biometric information. This, despite the rollout of biometric systems across the country by law enforcement and businesses. Already, more than 40 airports are using electronic fingerprint-scanning technology from Minnetonka (Minn.)-based Identix (IDNX) to do background checks on airport workers and to create badges that, when read by an electronic device, allow access to restricted areas.

"HARMLESS AT THE START."

Since last spring, Texas shoppers at several Kroger (KR) supermarkets can pay for their purchases simply by pressing their finger on a biometric scanner. In June, Thriftway shoppers in some stores in Seattle also gained this ability (see BW Online, 7/2/02, "A Growing Body of Biometric Tech").

That has privacy advocates worried. "Most of these applications seem harmless at the start, but then there are new applications. Soon you have full-force Big Brother watching over you," says Chris Hoofnagle, legal counsel of the Electronic Privacy Information Center, a Washington (D.C.) privacy-advocacy group.

Big Brother can be avoided by heeding Americans' call to put sensible rules in place. Memo to the new Republican Congress: It's time to pass a biometrics bill that gives each American the right to control the creation and use of fingerprints, handprints, and eye scans.
After all, biometric data is more personal than Social Security numbers or the most sensitive financial data because it represents a digitized version of your physical identity.

A federal bill should focus on scope, access, storage, and segregation of data, or as I like to call it, SASS. Here's my version of a Biometric Bill of Rights.

Scope: Biometric IDs should be used only in ways known to and approved by the individual. For example, if your employer wants your handprint to authorize building entrance and exit, it should be used only for that explicit purpose -- not to match up to your time card. Any expansion would require full disclosure of new uses -- and provide an opt-out clause for any that you disagree with.

Access: Who has access to your data is as important as how it's used. Biometric codes should not be shared with other organizations -- marketers, insurance companies, even law enforcement unless there's probable cause for suspicion. This must be explicit. After the September 11 terrorist attacks on the World Trade Center and the Pentagon, a number of companies called the FBI to offer data they thought might be useful in tracking down the culprits. There were no court orders, no subpoenas. While their efforts were, no doubt, well-intentioned, handing over customer information violates just about every corporate privacy policy on the books. Explicit controls on usage and export of data should also be built into biometric databases.

Storage: Biometric information shouldn't be stored any longer than necessary. So if you quit the gym, get a new job, or switch health plans, any biometric data these outfits had about you should be destroyed or discarded. The same goes for any company that files for Chapter 11.
Just as now-defunct online vendor eToys was prohibited from selling its 3 million customers' personal data in 2001, any company that goes out of business should be prohibited from selling biometric data without explicit consent of the people whose data are on record. Individuals should also have the right to "unenroll" from a database at any time.

Segregation: Biometric data should always be stored separately from personally identifiable information such as your name and address, or medical and financial data. That way, if the wrong people gain access to the database, they have your fingerprint, but they don't know it belongs to you. According to Westin's study, more than 80% of those surveyed said it was very or somewhat important that organizations separate biometric identifiers and prohibit companies from tracking people based on biometric information.

Will Congress pluck up enough courage to pass such an important bill? As a general rule, Republicans favor high-tech security and privacy rights. But they also advocate a hands-off approach to privacy regulation. "The twin engines of consumer acceptance and rejection will tell us what's right, not the Republicans," Wayne Cruz, director of technology studies at the Cato Institute, told an audience at a Nov. 5 biometrics conference in New York. "As these technologies come into wider use, the market will decide what's appropriate."

Perhaps. But by the time these technologies are in "wider use," it will be too late to retrofit regulations. Alan Westin's new survey shows that the market -- the American people -- has already spoken. The new Congress should listen.

Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column.
Edited by Douglas Harbrecht