Florida Ruling Highlights Continued Urgency to Educate Public on Biometric Technology

biometric identification management technology helps school lunch lines move faster

A student scans their fingerprint in a school lunch line for payment.

You may have heard that the State of Florida recently voted to ban the collection of biometric data from school students. The legislation was a direct response to several Florida school districts capturing student biometric data and using it for various purposes including purchasing lunch in school cafeterias and tracking students on school buses. Ongoing concerns over the protection of student biometric data as well as who has access to it sparked discussion on the use of the technology in schools and prompted legislators to stop it.

One major concern is the storage of biometric information and how secure the system of encryption and verification is. Most, if not all systems work under the principle that it’s not student biometrics that are actually stored, but it is instead a numerical sequence used for verification. The worry is that criminals will find a way to steal a student’s biometric template, reverse engineer it, and then use it to access the current system or another one that relies on the same biometric credential. A legitimate concern since biometrics are quite different from and ID card or token which when lost or comprised, can be replaced. Biometrics on the other hand, are said to be an “irrevocable” attribute since they are based on human physiological characteristics and can’t be “replaced.”

In response to the FL State Legislator’s decision to ban biometrics in schools, Janice Kephart from the Security Identity and Biometrics Association (SIBA) made the following statement:

“I’m concerned this precedent could spill over to other states due to mostly a lack of education on what these systems do or don’t do,” Janice Kephart, the founder of the Secure Identity & Biometrics Association (SIBA) and an outspoken advocate for the use of new authentication technologies said in a recent interview with BiometricUpdate.com. “It’s really concerning.”

After a thorough review of the legislation, Ms. Kephart went on to say that the logic used as the body of the bill was based on “misunderstood science” and essentially penalizes the entire State for the actions of 2 districts who failed to properly notify parents and secure their permission for students to “opt-in” to having their biometric credentials captured. If you read statements from FL lawmakers on the issue, it’s clear that the genesis of their actions seem to be tied more into constituent fear of “Big Brother” and privacy/civil liberty violations then arguments based on fact about how the technology actually works. The use of palm vein biometrics in Pinellas County school lunch lines for example is a clear illustration of how the technology can be misunderstood.

If one were to extrapolate the argument that student biometric data from a palm vein reader could easily be stolen and used by a criminal, the argument seems flawed when you look at the facts about the science. Fujitsu, the company who manufacturers the palm vein device has clearly stated that they use multiple layers of encryption to secure biometric information and don’t even capture an image of the palm vein but instead convert it into a template with a private encryption key. Furthermore, Fujitsu relies on the unique hemoglobin through the bloodstream as a “liveness detection” security measure which again makes the technology virtually impossible to spoof and use another person’s credentials to access a system. Ultimately, is it possible to “steal” someone’s biometric credentials and reverse engineer them to create an image whether it’s fingerprint, palm vein, iris, or another biometric modality. The answer is that anything is possible in this day and age, but the chances of it actually happening are extremely remote. One read at some of the logic behind the FL State legislation and you would think that it’s a piece of cake to recreate a student’s biometric credentials.

Unfortunately, the biometrics industry often falls victim to misperceptions about how the technology actually works and these can be magnified by people who are intent on stopping the inevitable advancement of this technology as a more modern identification platform. As most know, in life perception tends to be 9/10 of reality and this has never been more evident than in biometrics. People who do not completely understand the technology but perceive government as rapidly encroaching on our personal lives and the slow disappearance of personal privacy in our digital world jump on biometrics as just another tool to control our lives. In reality, biometrics is used all over the world and has drastically improved security, saved a countless amount of money, resources, and time for business and governments, and continues to be used in new and creative ways to establish accountability and protect individual privacy.

It’s crystal clear that the biometrics industry has a lot of work left to do when it comes to public education on how the technology works. We hope that biometric vendors take this call to action seriously and embark or continue their push to educate and inform so more rational decisions can be made about the use of this technology in the general public. We need to be taking steps forward in biometrics, not steps back.

After all: Truth is universal. Perception of truth is not.

In what ways do you feel the biometrics industry can better educate the public about the technology?

 

Privacy: Will Mobile Apps with Biometric IDs Help Advance Biometrics Acceptance?

will biometric mobile authentication take a step forward?

Will the use of biometrics for mobile device authentication help advance acceptance of the technology?

The following guest post is by Nicole Williams, professional blogger.

Biometrics seemed like such a futuristic term just a few years ago, but now it’s here and according to CNET, it’s predicted to be a ‘common’ form of security by 2015. However, many companies are concerned about whether biometrics will offer a viable security solution and consumers are worried about whether biometrics will violate their privacy by using their stored data. Many of these concerns are caused by a lack of understanding surrounding biometric security systems.

Many people are unaware that fingerprint scanners and voice recognition apps are forms of biometric security. Millions of mobile device users download these apps as a first line of defense to secure their text messages, phonebook contacts and images. Since there are many ways for data thieves to get past patterns, passwords or number codes, they can only secure a device to a certain degree. This is bad news for businesses that subscribe to the BYOD trend. In these businesses, employees are encouraged to work from their own devices both on and off-premise. These devices hold valuable data about clients and the business itself, so unauthorized access could spell danger.

This year’s widely publicized data attack on the retail giant Target, has raised some concerns about how data is stored and accessed. Security experts believe that biometrics could have provided an iron wall of protection around this data, preventing the attack from occurring in the first place. However, with so many businesses lacking information about biometric security, this unfortunate incident was followed by many others. Biometrics work by providing an added level of security that only the user can get past. Since many people are already using biometric apps to secure mobile devices, it is predicted to become the most popular form of device and data security for both businesses and private use.

How Biometrics Work

Every person has a distinct pattern on their fingertips, in their eyes and in their DNA. Biometric scanners take images of these patterns and compare them to future images. This is very similar to the blink method that astronomers use to track changes in the night sky. Astronomers take pictures of the night sky then they take pictures of the same section of the sky again. They use a computer program to compare the images and the slightest change is noted immediately. With biometrics, the patterns must match for access or access is denied immediately. There are pros and cons to using biometrics (i.e. cost vs ROI and ease of use vs benefit), but the pros greatly outweigh the cons.

All in all, biometrics are becoming a more acceptable way of securing data thanks to the introduction of biometrics on mobile devices. The average user can see how biometrics work and the benefits of using them in a non-threatening situation. This increases the likelihood of them accepting biometrics for other uses such as ATM access, business or home premise access and security alarm access.

The key here is to continue to educate the user on the benefits of biometrics and to find easy to use solutions that require a relatively short learning curve. As more mobile app and computer manufacturers use biometrics as a first point of access to data, consumers and businesses will grow more comfortable with using them as well.

Nicole Williams is a guest blogger for M2SYS Technology as she writes about the relationship between biometrics for mobile ID and increasing public acceptance of biometricsAbout the author: Nicole Williams is a keen technology enthusiast and enjoys blogging about topics like technology and productivity. She is a professional blogger who currently writes for Micro Com Systems.

 

 

 

Additional References:

http://www.banktech.com/payments-cards/biometrics-and-mobile-payments-security/240162549

http://researcher.ibm.com/researcher/files/us-kapil/ACSAC12.pdf

5 Patient Identification and Data Matching Issues the New HIMSS “Innovator in Residence” Must Address

accurate patient identification and data matching are important issues for the healthcare industry

The new HHS “Innovator in Residence faces some tough issues on patient identification and data matching.

On the heels of the recent announcement by HIMSS and the Department of Health and Human Services to hire an “Innovator in Residence” and make progress on the establishment of a nationwide patient data matching strategy, we thought it would be pertinent to outline some of the issues this person will face that require careful consideration. If the end goal is to establish a more consistent, industry standard approach that redefines patient identification and data matching accuracy, this new leader faces some tough challenges on the road ahead. Matching the right patient to the right data requires almost heroic efforts across an extremely disparate healthcare network and is the cornerstone of any viable health information exchange (HIE). Here are our top 5 issues that the new HIMSS/HHS “Innovator in Residence” must address:

1. Cost – Any new patient identification and data matching initiative will likely involve assessing the potential financial impact to healthcare facilities since any solution will most likely involve incorporating accurate matching algorithms into certified EHRs plus making changes to fields that capture soon to be standardized patient identifying attributes. With the recent changes that the HITECH Act and Meaningful Use requirements brought to the industry and the amount of dollars already shelled out for health IT, investment weary healthcare providers may balk at any solution that requires additional funds allocated to EHR resources to completely replace a system.

The Office of the National Coordinator for Health Information Technology (ONC) recently released results from a study on developing an open source algorithm “to test the accuracy of their patient matching algorithms or be utilized by vendors that do not currently have patient matching capabilities built into their systems.” Their results indicated:

“During the environmental scan, many indicated that replacing their current systems would be cost prohibitive. As such, it is not suggested that a standardized patient matching algorithm be developed or required. In a more limited way, however, there is value in developing an open source algorithm or updating and supporting an existing open source algorithm that EHR vendors may choose to utilize in their products.”

2. Patient buy-in and accountability – As noble as the healthcare industry’s efforts to establish more accurate patient identification and data matching standards, the entire initiative is moot unless the new Innovator in Residence forges best practices and policies to encourage patients to keep their demographic information up-to-date and accurate. The new Innovator in Residence would be wise to capitalize on the patient engagement momentum spurred by Meaningful Use Stage 2 and extend the patient engagement initiative to include patient accountability for demographic information accuracy. Without patient buy-in and involvement, the industry can’t reasonably expect any worthwhile patient identification and data matching initiative to lift it’s wheels of the ground.

3. Technology – Incorporating non-traditional data attributes to improve patient matching is a great example of a “wish list” item by industry advocates pushing for stricter patient identification and data matching but currently, most EHR systems do not support the collection of this information in a standardized field format. Any legitimate effort to standardize patient identifiers and substantially increase data matching will most likely require new technologies or modifications of existing ones to meet these goals. On the surface, requests to add demographic fields to existing EHR interfaces or incorporate standardized deterministic or probabilistic algorithms may seem like small changes that don’t require a lot of effort, but in reality even the simplest of changes require health IT vendors to make significant investments in upgrading or completely replacing existing technology.

4. Rekindling the national patient identifier debate – Did you know that it’s been 14 years since Congress placed a moratorium on funding research and implementation of a national patient identifier (NPI)? 14 years. Sure to be rekindled as a debate topic that closely coincides with the industry’s push to standardize patient demographic data, the idea of establishing a NPI needs to be addressed now and the new Innovator in Residence should be standing behind the healthcare industry podium leading the discussion. Sure, there are lingering questions on the privacy and security implications of creating a NPI, issues surrounding who will manage and have access to any databases created, but ultimately the topic deserves to be put back on the table and expectations are that the Innovator in Residence will spearhead the efforts. Many people believe that an NPI is no different than the plethora of other personal identifiers we deal with in our everyday lives – social security numbers, employee IDs, and driver’s licenses numbers just to name a few. Why should the NPI be treated any differently? We surmise that the new Innovator in Residence will have to address a NPI sooner rather than later.

5. The validity of health information exchanges (HIEs) - Although there are myriad reasons to develop HIEs, the bottom line is that their existence is meant to facilitate the fluid exchange of health information between disparate systems in order to improve individual and population health. What often seems to often be left out in the conversation about HIEs is the introduction of a foolproof patient identification technology that can uniquely tie together a patient with their electronic health record in a standardized data format to help ensure high levels of data integrity. After all, what good is developing an integrated HIE without a back end patient identification system that prevents the creation of duplicate medical records and overlays?

The new HIMSS/HHS Innovator in Residence faces some tough challenges to help tie together and incorporate a nationwide patient identification and data matching initiatives. What points would you add to our list that are critical for this new position to address?

January #biometricchat Summary – Privacy and Biometrics with Special Guest Shaun Dakin

January's biometric tweet chat will discuss privacy and biometrics.

January #biometricchat discussed privacy and biometrics.

On Thursday January the 10th we hosted the first #biometricchat tweet chat of 2013. The topic was biometrics and privacy and our guest was Shaun Dakin, a privacy expert and the man responsible for establishing the National Political Do Not Call Registry as well as writing several op-ed pieces including this one for the Washngton Post calling for a Privacy Bill of Rights for voters. Shaun was gracious enough to lend his time for our chat to discuss his thoughts on the current issues that privacy advocates are concerned about and his opinions on biometric technology’s affect on privacy.

For a copy of the Storify chat transcript please click here.

Here is a list of the questions that we asked Shaun during the chat:

  1. Can you bring us up to speed on what privacy advocates currently feel is the most pressing privacy issue of our time? What technology has the most disastrous impact on privacy?
  2. Is privacy primarily a cultural, contractual, or technological issue?
  3. What is the more appropriate, effective, and desirable approach – educating the public on privacy or lobbying the government to pass laws protecting it?
  4. Ireland recommends using a “Privacy by Design” (http://www.arthurcox.com/whats-new/publications/preserving-privacy-in-the-age-of-biometrics-nov2012.html) system which encourages proactively embedding privacy design into biometric technology. Should this type of approach be used in the U.S.?
  5. Does a “Privacy Impact Assessment” (see http://www.planetbiometrics.com/article-details/i/1412/) carry any weight with advocates as a necessary tool in constructing a privacy friendly biometrics identification solution?
  6. On the scale of existing threats to privacy, where does biometrics fit in and what steps can the biometrics industry take to promote and encourage privacy friendly solutions?
  7. Biometrics is often viewed as a “privacy protector” in that it can prevent identity fraud, which is becoming an epidemic of global proportions. Do you agree or disagree with this statement?

Shaun felt that the biggest privacy story of 2012 was the increasing power of the government to search electronic communications directly stemming from the David Petraeus CIA scandal case. He went on to say that privacy seems to be a generational phenomenon, and younger generations very willing to give up their privacy in exchange for something else. he expected to see privacy norms stretched way beyond where we are and government surveillance slowly is becoming the privacy hot topic of our times.

Shaun went on to say that he believes there should be some sort of baseline privacy legislation in the U.S. “with teeth.” He also reminded us that in the last session of Congress there were over 21 pieces of privacy legislation introduced but none of them passed. Shaun agreed that the “Privacy by Design” concept which proactively encourages embedding privacy designs into biometric systems is a good idea on paper, but tough to implement in reality. He pointed out that most developers don’t think about privacy as a necessary step for design, instead they justifiably place their focus on revenue and number of users.

We rounded out the chat discussion by getting Shaun’s thoughts on where biometrics stood on the scale of existing threats to privacy and he said that currently biometrics is still not top of mind with the public but with the recent announcement by Disney that they would be using RFID bracelets stored with personal information in their parks, perhaps public conscience may change plus this may be an opportune time for Disney as a major brand to affect some change in the industry.

Please join us in thanking Shaun for his time on the chat  on privacy and biometrics and for everyone who participated! Look for the announcement of February’s #biometricchat topic sometime in the next couple of weeks.

Please drop us a note at marketing@m2sys.com if you have an idea for a topic. Thank you!

 

Privacy and Biometrics — Where are we in 2013? January’s #biometricchat Explores the Issues

January's biometric tweet chat will discuss privacy and biometrics.

January #biometricchat to discuss privacy and biometrics.

When: January 10, 2013 11:00 am EST, 8:00 am PST, 16:00 pm BST, 17:00 pm (CEST), 23:00 pm (SGT), 0:00 (JST)

Where: tweetchat.com (hashtag #biometricchat)

What: Tweet chat on iris biometrics technology with Shaun Dakin (@ShaunDakin, @PrivacyCamp), Data Privacy Advocate and Founder of #privchat

Topics: What technologies have negative impacts on privacy, how the privacy industry works for change, privacy and biometrics, effectiveness of “privacy by design” and “privacy impact assessments,” biometrics as a “privacy protector,” and more

It almost seems impossible to engage in conversation about biometric technology without broaching the subject of the technology’s impact on individual privacy rights. With good reason, many people have concerns about personal data that is collected on them with or without their knowledge and how that data is used and stored. Biometrics often acts as a lightning rod for modern discussions on where technology and privacy collide, and what rights (or perceived lack thereof) we have as individuals to control who knows exactly what about us.

There are many who believe that preventing the use of biometric technology in any capacity is the only way to guarantee that individual privacy and civil liberty rights are maintained. Others believe that in the bigger picture, biometrics is a key technology to prevent terrorist attacks, promote global security, create efficiency, and increase convenience. Where do you stand on the issues?

Some may recall that we discussed privacy and biometrics at the inaugural #biometricchat in October of 2011. For more information on that chat, please click here. Join us on January 10th from 11 a.m. to 12 p.m. EDT as we discuss the issues and explore the impact of biometric technology on privacy.

Just in case you are interested in participating but are new to Tweet chats, please read this post which outlines the instructions and procedures. We hope that you will join us for the discussion, and please help us to spread the word among your colleagues and friends.

Do you have any questions about privacy and biometrics that you would like to ask Shaun? Just drop us an email at marketing@m2sys.com and we will try and include them in the chat.

Thanks, and hope to see you next Thursday, January the 10th at 11 a.m. EDT for the #biometricchat tweet chat!