Every new year, IBM puts forth their “5-in-5”: a set of predictions about the state of technology half a decade into the future. This year, the prediction that’s attracting the most controversy is that by 2017, you can ditch those 50+ passwords and PINs you need to remember, and biometric identification will step up to take their place. Here’s the 1-minute video:
Many of the comments on YouTube, on IBM’s blog, and other blogs around the web are highly critical of the idea that you could log into an ATM, or your social networks, using iris scans or voice ID. The plausibility of the technology itself isn’t particularly controversial, so I won’t talk about that here. Instead, I’ll address three of the most common fears I’ve seen about the implementation of such a system. These concerns are understandable, given the lack of detail in the video above, but I think they’re generally unfounded.
Myth #1. My biometric ID could be stolen. Okay, this one is technically true, but it doesn’t matter. The concern here is that if a password is stolen, you can always change it, but this is clearly not an option with, say, your iris patterns. This is irrelevant because credible biometric systems don’t just ask for the data from your iris (or fingerprints, etc.); they require your eye itself (or fingers or body) to actually be present. A would-be thief could take high-res photos of your eyes, record your voice and steal your fingerprints, but unless they have cloning technology readily available, they still couldn’t hack your bank account.
Myth #2. My biometric data is private! I’m not sharing it with Google or my bank. I’m a firm believer that protecting your DNA is among the most important privacy issues of the new century. DNA can reveal many things about your mental and physical health, family history, and more. But no one has suggested using DNA as an identification method, and biometric data does not contain any such information. It is no more private than the color of your eyes.
Myth #3. My biometric data will change and I’ll be locked out. There’s a kernel of truth to this; people do go blind, gain weight, suffer from skin conditions and so on. But this is a practical rather than a theoretical problem. Perhaps ID systems could check multiple conditions, and allow you access as long as you meet 3 out of 5. Or perhaps it’d be possible to regularly calibrate your metrics so they stay accurate regardless of changes in your body. It’s not enough of a reason to give up on the idea completely.
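The "3 out of 5" idea can be made concrete. The sketch below is an added example, not code from IBM or from this post: it accepts a user when at least k modalities match, treats an unreadable modality as a failed check, and computes what the relaxed policy costs in false accepts. The modality names, thresholds and error rates are constructed, and the checks are assumed to be statistically independent.

```python
# Added example: names, scores and error rates below are constructed.
THRESHOLDS = {"fingerprint": 0.80, "iris": 0.85, "voice": 0.70,
              "face": 0.75, "palm": 0.80}   # hypothetical modalities

def decide(scores, thresholds=THRESHOLDS, k=3):
    """Accept when at least k modalities reach their threshold.
    A missing or None score (sensor failure, injury) counts as a fail."""
    passed = sorted(m for m, t in thresholds.items()
                    if scores.get(m) is not None and scores[m] >= t)
    return len(passed) >= k, passed

def prob_at_least_k(pass_probs, k):
    """P(at least k checks pass), assuming the checks are independent."""
    dist = [1.0]                      # dist[j] = P(exactly j passes so far)
    for p in pass_probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)
            nxt[j + 1] += q * p
        dist = nxt
    return sum(dist[k:])

def policy_rates(far, frr, k):
    """(false-accept, false-reject) probability of a k-of-n policy, given
    per-modality false-accept and false-reject rates."""
    false_accept = prob_at_least_k(far, k)
    false_reject = 1.0 - prob_at_least_k([1 - r for r in frr], k)
    return false_accept, false_reject

if __name__ == "__main__":
    # Constructed case: iris unreadable, voice degraded by a cold.
    print(decide({"fingerprint": 0.91, "iris": None, "voice": 0.55,
                  "face": 0.82, "palm": 0.88}))
    far, frr = [0.01] * 5, [0.05] * 5     # constructed per-modality rates
    for k in (3, 5):
        print(k, policy_rates(far, frr, k))
```

With these constructed rates, relaxing 5-of-5 to 3-of-5 cuts false rejections from about 23% to about 0.12%, while the false-accept probability rises from 1e-10 to about 1e-5.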
Conclusion: One last caveat before I open it up for comments. Biometric identification can also be used for surveillance purposes, as suggested by one astute reader here. That does invoke a variety of very serious privacy concerns. I’m not advocating for that at all – I just want easy, secure access to things I use every day.
Do you agree with my reasoning? Still have concerns? Is this development worth the risks? Let us know in the comments.
Hmmm, very interesting. I think it’ll be worth the risks to enjoy the convenience of not memorizing 10 passwords, especially since our strategies now have risks too.
I’m not entirely convinced by your reasoning on Myth #1. What about all the cool toys spies have in the movies? …A rubber mold of my fingerprint…A contact lens that looks exactly like my eye. Just because the technology will require a physical presence doesn’t mean that someone can’t fake it to look/sound like me, right?
Good point. I agree that it’s probably possible for someone to steal your fingerprints and mold them onto their own fingers; scan your iris and create specialized contacts; and record your voice in hi-fidelity. But unless you’re a VIP, or perhaps an unwitting pawn in a vast global conspiracy, I find it hard to imagine anyone going to that much expense and trouble just to hack my 3-figure bank account. Or, maybe I’m underestimating the thieves of the future…
I think you make some valid points, although I question Myth #1 and have concerns about Myth #2. If my understanding of current technology is correct for biometric scanning and intended plans for it, it seems that retinal scanning is not going to be the way of things, and instead that fingerprints are going to be the way of most of it. This seems the easiest thing to replicate, as I do not think that even the most farfetched of television shows or movies are far off in the ease of recreating a fingerprint for a biometric reader.
I think the privacy issue, both in terms of DNA, but also in terms of biometric data in general, is a pressing one. For instance, if we switch entirely to biometric systems, think of how easy it will be to track someone’s movements – that seems like the type of thing that privacy acts just won’t be able to prevent, and the fourth amendment will begin to go bye-bye. Good article Scott, enjoyed reading it, and it definitely provoked some critical thinking.
Good points, as well. As to the first, you may be right that a purely fingerprint-based system would be untenable. Perhaps credible systems would require multiple IDs: fingerprint and iris, for example. More expensive, but exponentially harder to compromise.
Your concerns about privacy are hard to refute, though. I would just add that I’ll be concerned about biometric tracking and surveillance in any case, even if biometric passwords never come to pass.
Thanks for your input, and for your kind words!
I believe on an episode of Mythbusters they actually did fool a fingerprint lock just by stealing someone’s fingerprint. They were able to create multiple methods that worked in a single afternoon!
And I echo the same concerns about biometric privacy!