Wednesday, February 7, 2007

Why Biometrics Scare Me

Greetings, fellow nerds.

I am a lover of technology. I love my Mac. I love the Internet. I love my doubly-shock-absorbing bicycle. I even once had a dream in code. Yet today I'm going to tame my technotropic tendencies to warn you against the threat of widespread biometric identification.

There are few technologies more viscerally appealing to tech nerds than biometrics: imagine a world where machines recognize you for the rich, influential 1337 h4xx0or you are just by scanning your body. Nothing short of tech porn.

In some limited circumstances, biometrics might be appropriate. For instance, if a security guard monitors the process of you putting your finger/retina/receding hairline on a scanner as an extra security layer, that's fine. However, biometrics, when substituting for keys, credit cards or passwords, have three serious flaws:
  1. Biometrics give thieves an incentive to chop off parts of your body.
  2. You give out your biometric data all the time, whether you intend to or not.
  3. If you get your biometric identity stolen, you're screwed forever (unless you believe in reincarnation).

Don't Give People an Incentive to Cut You Up

Issue #1 means that not only would I personally refuse to use biometrics, but also that I have an incentive to make nobody use biometrics for identification. I don't want to have my hand chopped off by thieves only for them to discover I didn't have a fingerprint-enabled bank account like most normal people.

Do you think it's far-fetched for criminals to chop off parts of the body for their biometric payload? It's already happened. Even though biometric identification is rare, we're starting to see the criminal reaction to it. I'd rather give up my cards and keys, thank-you-very-much. I'm horrified to see that the ICICI bank in India is also planning on opening widespread fingerprint-based ATMs for rural farmers who might find carrying cards to be too much trouble. I suppose a fingerprint-and-PIN solution might somewhat discourage finger-theft, but your average robber might take fingers just in case, the same way a North American mugger wouldn't leave their marks' bank cards behind.

Don't Leave Credit Card Copies Everywhere

Issue #2 is pretty straightforward: getting someone's fingerprint is usually not very hard. Moreover, fooling a scanner with a print lifted from a glass is surprisingly straightforward. Even though expert techniques haven't yet been developed for getting a scanner to accept a print lifted off a glass (at least I'm not familiar with these cloak-and-dagger techniques), some first-try methods have a success rate of 80%. Some scanners can even be fooled by fogging them up by blowing on them to reveal the print of the last person to use them. Unless you'd be OK with leaving copies of your credit card on every smooth surface you touch, you shouldn't use your fingerprints as card substitutes either.

Getting Replacement Fingers and Eyes is Hard

Issue #3 illustrates the importance of disposable layers of security. I've had my credit card info stolen, and it was no big deal. VISA* called me one night to confirm some unusual charges which had gone through my account. When I said I hadn't made these charges, they sent me a replacement card and an affidavit to sign two days later (I guess it's in their best interest to keep me buying), and my old VISA card was sloughed off painlessly. I didn't pay a dime. (My story is not uncommon; identity theft happens to about 9 million Americans a year.)

The point is that fingerprints and retinal patterns are not things you want to have to slough off, ever. I like it that getting a new credit card didn't involve surgery. It's a feature (not a bug) that you can dispose of a credit card if its information gets compromised. Let's not take a step backwards in functionality for the sake of some flashy tech porn.

Conclusions: Now is the Time to Rant

Even though biometrics aren't widespread, the time to rant against their replacing credit cards is now. It's easier to nip a bad technology in the bud than it is to defeat it once it gets serious backing. How are we going to execute the said nip? By talking. That's all. I hope the scenarios I've laid out are sufficiently grisly to spread through pool halls and cocktail parties; if they spread widely enough we will have done our job.

Take care; go do something amazing with your fingers while you still have them.

*I swear they didn't pay me to write this; I think it's important to get the word out if you feel like a company has done you right.
