Biometrics: Beyond hype and hysteria

Daon CEO Oliver Tattan says the biometrics sector must shoulder blame for doing a poor job explaining itself to privacy advocates while elsewhere claiming to promise more than it can.

Although the September 11 terrorist attacks focused the spotlight on technologies that recognize irises, facial features, fingerprints and voice, the heightened focus on security is not translating into boom sales of biometrics products.

In fact, biometrics suppliers are still struggling to find ways to sell their technology to more enterprise-level customers. Even worse, they are viewed in some quarters as facilitators of a "Big Brother" police state.

There are elements of hype and hysteria at play, so it's useful to step back for a moment and take a look at what's really going on.

Biometric point solutions are only going to be as effective as the infrastructure that supports them, and the absence of adequate infrastructure continues to prevent the biometrics industry from living up to its much-hyped potential.

Over the past ten years, there's been a significant evolution in biometrics technology: front-end applications and the supporting hardware have matured, failure rates are very low, and back-end integration with existing PKI and encryption systems has improved.

But in their current incarnation, biometric point solutions only authenticate a user locally, referring to a very specific set of guidelines that fail to take issues of scale into account.

The real future of the technology lies in creating a flexible "biometric trust infrastructure" that allows enterprises and the public sector to handle security needs that get identified beyond the first implementation. Ultimately, such an infrastructure would allow people to move from location to location around the world while maintaining their security clearance as defined by their professional and personal identities.

For example, the Transportation Security Administration recently announced an initiative creating a framework for a single ID card that allows transportation workers to maintain their identities (and corresponding level of security clearance) across multiple locations. However, without a common infrastructure platform to support the enrollment, identity management and verification processes, the TSA's admirable vision will go largely unfulfilled.

Similarly, the United States government recently approved the Enhanced Border Security and Visa Reform Act, mandating biometric visas by October 2003 for the more than 250 million foreigners who enter the country each year. The cost implications for the biometrics industry are tremendous, but take a moment to think about the technological, political and logistical issues that need to be considered for this to work.

The government would need to establish a common set of enrollment requirements. But that's bound to raise substantial database challenges as hundreds of countries from around the world would need to share information in a timely manner. The concept is brilliant, but the implementation is a bear.

Privacy versus security
Over the past few months, organizations like the American Civil Liberties Union have come out against biometrics technologies--specifically facial recognition applications--contending they present an invasion of personal privacy. To some degree, the biometrics industry shoulders some of the blame for the criticism because it positioned the technology as being composed of a set of surveillance applications.

The truth about biometrics is far different. Biometric authentication technologies--and an integrated biometric trust infrastructure--will allow users to maintain their identities across multiple locations, thereby increasing personal privacy while simultaneously establishing a higher level of physical and digital security. It can also help relieve security "pain points" at airports, international borders and internal enterprise systems.

To be sure, biometric authentication provides an audit trail that allows administrators to see who is accessing what systems or crossing what borders. But more importantly, the technology is designed so that ethical users can efficiently assert their identities and obtain immediate access to needed resources or the locations they wish to visit without compromising personal privacy.

But if the biometrics industry is going to deliver on the promise of the technology and serve the needs of the public and private sectors--not to mention ease the fears of privacy advocates--it must take two additional steps:

• Admit the limitations of point solutions and begin to develop a common biometric trust infrastructure. Point solutions can work, but only in very specific cases, and in singular locations. Solutions that work across multiple locations, and are flexible enough to handle new security concerns, depend upon the prior development of a common biometric trust infrastructure.

• Reposition biometrics as a technology that enables, not a surveillance technology. The industry must do a better job of educating the public and private sectors about the privacy aspects of biometric technology. That means soliciting feedback from user focus groups to better understand and address privacy concerns. Most importantly, the industry must emphasize the enabling aspect of biometrics, as opposed to the specter of "Big Brother."

This is not an idle wish list. Balancing the protection of the nation's citizenry and borders with the Constitutional right to privacy and the construction of a better infrastructure are key to the future of biometrics. In their absence, the biometrics industry will continue to fail to live up to expectations.