About All This Biometric Hoo-Ha

For the record, I don’t think the new “fingerprinting and photographing” initiative is a good idea. Setting aside the privacy concerns — after all, foreign visitors have a much lower expectation of privacy than do citizens (or residents) — I think there’s a serious potential for negative impact on the American tourism industry. Not to mention the backlash from American visitors to countries like Brazil, where they’ve decided to implement a retaliatory fingerprinting system, and one that will doubtless cause substantially longer delays than its American counterpart.

Then again, I don’t for a moment believe the cited “fifteen seconds” the U.S. analysis will supposedly take. But that’s another issue.

But despite all this, there’s another downside that’s too often being swept under the rug. Adam and I were having a conversation with another coworker last night — a true conservative in the objectivist vein, but still an okay guy (well, more or less, anyway). Let’s call him “Rich,” since, well, that’s his name. Rich brought up the Bruce Schneier axiom that a true evaluation of a security system should not be how well it works, but how well it fails.

And all systems fail. Murphy’s Law.

What are the consequences of biometric system failure? Well, the physical risks are easy to imagine. Need a thumbprint to access an ATM? Meet one determined thief and it’s bye-bye, thumb (there are, of course, other ways to fake a thumbprint, but they don’t create quite so visceral an image). If you want to get even more gruesome, you can imagine similar consequences for iris or retinal scans; thankfully, at the level of street crime, that’s probably solely the province of science fiction. Ever wonder why you don’t see couriers handcuffed to briefcases so much anymore? If someone’s really determined to get that case...

But we don’t even need to go to such morbid lengths to make the point. Someone steals a computer password, and beyond the initial loss, you can implement a new password. Lose a credit card? The bank can issue a new one. A thief gets hold of your biometric data, and there’s no way for you to change it (again, except in Hollywood). You think recovering from identity theft is tough now, wait until your very person — fingerprints, retinal scans, DNA — is encoded and available for thieves.

See, every once in a while, those conservatives do bring up a damn good point.