Privacy expectations around biometrics

Stephen Wilson's Babysteps

Ideas to demystify identity, privacy, authentication and safety online.

Here's one of the most bizarre lines I've ever seen in biometrics and national security:

Fingerprints 'not particularly private,' security czar says
Edmonton
Sun, Thu 10 April 2008
http://www.edmontonsun.com/News/Canada/2008/04/10/5244996-sun.html

The U.S. homeland security czar says Canadians shouldn't fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person's fingerprints are like footprints."They're not particularly private," Chertoff said yesterday during a visit to Ottawa."Your fingerprint's hardly personal data, because you leave it on glasses and silverware and articles all over the world."

Actually there is a technical legal principle here that invalidates Chertoff's interpretations.  In most privacy law, if information is personally identifiable, then it is treated as "private", insofar as there are legislated limitations on what anyone can do with that information, how they may collect it, store it and share it.  In general, if you collect personally identifiable information, in any way about any individual, then you owe certain duties of disclosure to that individual. That's what privacy is all about.  It's not about security per se, and it isn't nullified just because fingerprints are readily available for collection.  It's about a duty of care.  

From a common sense perspective, even if people do leave fingerprints lying around, they surely have a presumption of privacy? If you try to have a quiet conversation in a park then you expect some privacy, even if your voice might be picked up by a sensitive microphone at a distance.

Then consider the legal status of something that is lost. In some jurisdictions, it is not simply a case of "finders keepers"; there is an offence called "theft by finding". If I accidentally drop a thousand bucks and someone picks it up, then it is still my money. So ... if I drop my personal diary and it's found by a stranger, I think I still have a right to privacy. And I should think that expectations for privacy of fingerprints left on glassware might similarly be entirely reasonable.

I also leave DNA all over the place. How soon before national security people say that's "public" too? Remember the legal technicality: any personally identifiable information, collected by any manner, comes under privacy law.  Certainly there are national securityprovisions that trump privacy, but they're not automatic, and they do not allow personally identifiable data like fingerprint files to be shared willy-nill, on the basis that fingperints are "not particularly private".  

Even granting that fingerprints are left lying around in public, if someone else goes to the trouble of picking them up,  scanning them, digitising them, linking them to my identity, and running checks to track my whereabouts then they commit a host of privacy invasions relating to the Collection and Secondary Use principles.

Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an argument that they're really not much good for security!

Cheers,

Stephen. 

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards. Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.

XML.org Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | XML.org | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | OSLC | WS-I