Biometrics is being touted as the cure-all for identity theft, credit card fraud, network hacking, terrorism, invasion of privacy, exploitation of your personal information and all the other horrible 21st-century things that can happen when someone else convinces a computer that he or she is you.
The problem is one of authentication. Even passwords as complex and random as a Gord Downie lyric aren't enough to protect you any more.
Biometrics is the science and technology of establishing identity by measuring physiological characteristics.
This is typically done by analyzing fingerprints, retinas, voices, faces or hand measurements - as unique as your DNA or a snowflake - and then making a comparison with a previous analysis. If the current scan and the previous scan match up, then you're proven to be whoever the database record or smart card says you are.
This type of authentication is considered to have more integrity than photo ID and username/password systems because even sophisticated fake IDs, clever social engineering and lazy security habits can't compromise it. Or at least that's the theory behind the dramatic surge in biometric security systems planned and deployed over the last year.
A worldwide overhaul of the passport system is underway, as per the International Civil Aviation Organization's new machine-readable travel documents standard. Each document will now include a tiny computer chip containing the holder's photo and basic personal information. The belief is that a three-part verification process (visual inspection of the individual, review of the physical passport and a scan of the chip) will increase border security and also allow for more efficient cross-referencing of visitors' faces with images in a globally distributed database of terrorists and other criminals.
Beginning mid-2005, Canada will start issuing passports with this technology (www.ppt.gc.ca/faq/index_e.asp#700 ).
While consideration of a national ID card has been taken off the table for the time being after last year's public outcry about a Big Brother nation, Canada may start issuing biometric identification soon to all new immigrants, visitors and refugee claimants.
According to Citizenship and Immigration Canada's Biometrics: CIC Business Requirements report obtained by Canadian Press under the Access To Information Act in early September, our government is considering several options for using this technology to track newcomers.
"Biometric technologies potentially add an additional layer of security to a program, supporting the anti-terrorism agenda," it says.
Security, however, is not just a federal concern. The Toronto police services is getting set to deploy a $4-million Motorola Omnitrak integrated identification network that uses fingerprints and palm prints for user authentication.
Biometrics is also slowly creeping into everyday consumer life.
At the Statue of Liberty, which reopened to the public this summer after having been closed since 9/11, all the old lockers were replaced with biometric ones from Smarte Carte (www.smartecarte.com/lockers). Those who want to rent, close and reopen them must have their fingerprints scanned.
The Nine Zero, one of Boston's fancier hotels, recently installed an iris-scanning door entry system in its $3,000-a-night Cloud Nine suite. Guests scan their right eye when they check in and again when entering their room. As well, only authorized staff are allowed to enter the suite. Staff must use iris scans to unlock the staff entrance and log into the hotel at the beginning of each shift.
In both cases, the actual fingerprints and iris scans themselves aren't stored in a database or sent to authorities. Instead, the scans are reduced by complex mathematical algorithms to encrypted digital keys that are then stored and against which later scans are compared. This means that someone gaining access to these keys with malicious intent would need to crack the encryption and reverse-engineer the algorithm in order to get a copy of a scan.
Of course, cracking the technology isn't the only work-around for this. If someone were to associate another's identity with his own biometrics, he or she could easily impersonate that person without arousing suspicion. As well, depending on the sophistication of the scanning equipment, a fingerprint detector might be fooled by a piece of sticky tape with an authentic fingerprint on it, or an iris scanner by a photo of someone else's iris.
And then there are the famous movie tricks like using synthesized prosthetics or severed limbs (or heads) to bypass security.
There's no question that biometric identification is here to stay, but there's been surprisingly little discussion in Canada about what role the Personal Information Protection And Electronic Documents Act (PIPEDA) will play.
Who are you going to let store your identification, in what format, for what purpose and for how long? And can you be sure that you're getting proper disclosure about this when you submit to your first scan? These are all important questions to ask as your anonymity, signature and passwords become irrelevant.