A student scans their fingerprint in a school lunch line for payment.
You may have heard that the State of Florida recently voted to ban the collection of biometric data from school students. The legislation was a direct response to several Florida school districts capturing student biometric data and using it for various purposes including purchasing lunch in school cafeterias and tracking students on school buses. Ongoing concerns over the protection of student biometric data as well as who has access to it sparked discussion on the use of the technology in schools and prompted legislators to stop it.
One major concern is the storage of biometric information and how secure the system of encryption and verification is. Most, if not all systems work under the principle that it’s not student biometrics that are actually stored, but it is instead a numerical sequence used for verification. The worry is that criminals will find a way to steal a student’s biometric template, reverse engineer it, and then use it to access the current system or another one that relies on the same biometric credential. A legitimate concern since biometrics are quite different from and ID card or token which when lost or comprised, can be replaced. Biometrics on the other hand, are said to be an “irrevocable” attribute since they are based on human physiological characteristics and can’t be “replaced.”
In response to the FL State Legislator’s decision to ban biometrics in schools, Janice Kephart from the Security Identity and Biometrics Association (SIBA) made the following statement:
“I’m concerned this precedent could spill over to other states due to mostly a lack of education on what these systems do or don’t do,” Janice Kephart, the founder of the Secure Identity & Biometrics Association (SIBA) and an outspoken advocate for the use of new authentication technologies said in a recent interview with BiometricUpdate.com. “It’s really concerning.”
After a thorough review of the legislation, Ms. Kephart went on to say that the logic used as the body of the bill was based on “misunderstood science” and essentially penalizes the entire State for the actions of 2 districts who failed to properly notify parents and secure their permission for students to “opt-in” to having their biometric credentials captured. If you read statements from FL lawmakers on the issue, it’s clear that the genesis of their actions seem to be tied more into constituent fear of “Big Brother” and privacy/civil liberty violations then arguments based on fact about how the technology actually works. The use of palm vein biometrics in Pinellas County school lunch lines for example is a clear illustration of how the technology can be misunderstood.
If one were to extrapolate the argument that student biometric data from a palm vein reader could easily be stolen and used by a criminal, the argument seems flawed when you look at the facts about the science. Fujitsu, the company who manufacturers the palm vein device has clearly stated that they use multiple layers of encryption to secure biometric information and don’t even capture an image of the palm vein but instead convert it into a template with a private encryption key. Furthermore, Fujitsu relies on the unique hemoglobin through the bloodstream as a “liveness detection” security measure which again makes the technology virtually impossible to spoof and use another person’s credentials to access a system. Ultimately, is it possible to “steal” someone’s biometric credentials and reverse engineer them to create an image whether it’s fingerprint, palm vein, iris, or another biometric modality. The answer is that anything is possible in this day and age, but the chances of it actually happening are extremely remote. One read at some of the logic behind the FL State legislation and you would think that it’s a piece of cake to recreate a student’s biometric credentials.
Unfortunately, the biometrics industry often falls victim to misperceptions about how the technology actually works and these can be magnified by people who are intent on stopping the inevitable advancement of this technology as a more modern identification platform. As most know, in life perception tends to be 9/10 of reality and this has never been more evident than in biometrics. People who do not completely understand the technology but perceive government as rapidly encroaching on our personal lives and the slow disappearance of personal privacy in our digital world jump on biometrics as just another tool to control our lives. In reality, biometrics is used all over the world and has drastically improved security, saved a countless amount of money, resources, and time for business and governments, and continues to be used in new and creative ways to establish accountability and protect individual privacy.
It’s crystal clear that the biometrics industry has a lot of work left to do when it comes to public education on how the technology works. We hope that biometric vendors take this call to action seriously and embark or continue their push to educate and inform so more rational decisions can be made about the use of this technology in the general public. We need to be taking steps forward in biometrics, not steps back.
After all: Truth is universal. Perception of truth is not.
In what ways do you feel the biometrics industry can better educate the public about the technology?