By Paul Saffo
Sunday, April 3, 2005; Page B01
If you're worried about privacy and identity theft, imagine this:
The scene: Somewhere in Washington. The date: April 3, 2020.
You sit steaming while the officer hops off his electric cycle and
walks up to the car window. "You realize that you ran that red light
again, don't you, Mr. Witherspoon?" It's no surprise that he knows
your name; the intersection camera scanned your license plate and your
guilty face, and matched both in the DMV database. The cop had the
full scoop before you rolled to a stop.
"I know, I know, but the sun was in my eyes," you plead as you fumble
for your driver's license.
"Oh, don't bother with that," the officer replies, waving off the license
while squinting at his hand-held scanner. Of course. Even though the old
state licensing system had been revamped back in 2014 into a "secure"
national program, the new licenses had been so compromised that the street
price of a phony card in Tijuana had plummeted to five euros. In
frustration, law enforcement was turning to pure biometrics.
"Could you lick this please?" the officer asks, passing you a nanofiber=20
blotter. You comply and then slide the blotter into the palm-sized gizmo he=
is holding, which reads your DNA and runs a match against a national=20
genomic database maintained by a consortium of drug companies and credit=20
agencies. It also checks half a dozen metabolic fractions looking for=20
everything from drugs and alcohol to lack of sleep.
The officer looks at the screen, and frowns, "Okay, I'll let you off with a=
warning, but you really need more sleep. I also see that your retinal=20
implants are past warranty, and your car tells me that you are six months=20
overdue on its navigation firmware upgrade. You really need to take care of=
both or next time it's a ticket."
This creepy scenario is all too plausible. The technologies described are=20
already being developed for industrial and medical applications, and the=20
steadily dropping cost and size of such systems will make them affordable=20
and practical police tools well before 2020. The resulting intrusiveness=20
would make today's system of search warrants and wiretaps quaint=
Some people find this future alluring and believe that it holds out the=20
promise of using sophisticated ID techniques to catch everyone from=20
careless drivers to bomb-toting terrorists in a biometric dragnet. We have=
already seen places such as Truro, Mass., Baton Rouge, La. and Miami ask=20
hundreds or thousands of citizens to submit to DNA mass-testing to catch=20
killers. Biometric devices sensing for SARS symptoms are omnipresent in=20
Asian airports. And the first prototypes of systems that test in real time=
for SARS, HIV and bird flu have been deployed abroad.
The ubiquitous collection and use of biometric information may be=20
inevitable, but the notion that it can deliver reliable, theft-proof=20
evidence of identity is pure science fiction. Consider that oldest of=20
biometric identifiers -- fingerprints. Long the exclusive domain of=20
government databases and FBI agents who dust for prints at crime scenes,=20
fingerprints are now being used by electronic print readers on everything=20
from ATMs to laptops. Sticking your finger on a sensor beats having to=20
remember a password or toting an easily lost smart card.
But be careful what you touch, because you are leaving your identity
behind every time you take a drink. A Japanese cryptographer has
demonstrated how, with a bit of gummi bear gelatin, some cyanoacrylic
glue, a digital camera and a bit of digital fiddling, he can easily
capture a print off a glass and confect an artificial finger that
foils fingerprint readers with an 80 percent success rate. Frightening
as this is, at least the stunt is far less grisly than the tale,
perhaps aprocryphal, of some South African crooks who snipped the
finger off an elderly retiree, rushed her still-warm digit down to a
government ATM, stuck it on the print reader and collected the
victim's pension payment. (Scanners there now gauge a finger's
Today's biometric advances are the stuff of tomorrow's hackers and
clever crooks, and anything that can be detected eventually will be
counterfeited. Iris scanners are gaining in popularity in the
corporate world, exploiting the fact that human iris patterns are
apparently as unique as fingerprints. And unlike prints, iris images
aren't left behind every time someone gets a latte at Starbucks. But
hide something valuable enough behind a door protected by an iris
scanner, and I guarantee that someone will figure out how to capture
an iris image and transfer it to a contact lens good enough to fool
the readers. And capturing your iris may not even require sticking a
digital camera in your face -- after all, verification requires that
the representation of your iris exist as a cloud of binary bits of
data somewhere in cyberspace, open to being hacked, copied, stolen and
downloaded. The more complex the system, the greater the likelihood
that there are flaws that crooks can exploit.
DNA is the gold standard of biometrics, but even DNA starts to look
like fool's gold under close inspection. With a bit of discipline, one
can keep a card safe or a PIN secret, but if your DNA becomes your
identity, you are sharing your secret with the world every time you
sneeze or touch something. The novelist Scott Turow has already
written about a hapless sap framed for a murder by an angry spouse who
spreads his DNA at the scene of a killing.
The potential for DNA identity theft is enough to make us all wear a
gauze mask and keep our hands in our pockets. DNA can of course be
easily copied -- after all, its architecture is designed for
duplication -- but that is the least of its problems. Unlike a credit
card number, DNA can't be retired and swapped for a new sequence if it
falls into the hands of crooks or snoops. Once your DNA identity is
stolen, you live with the consequences forever.
This hasn't stopped innovators from using DNA as an indicator of
authenticity. The artist Thomas Kinkade signs his most valuable
paintings with an ink containing a bit of his DNA. (He calls it a
"forgery-proof DNA Matrix signature.") We don't know how much of Tom
is really in his paintings, but perhaps it's enough for forgers to
duplicate the ink, as well as the distinctive brush strokes.
The biggest problem with DNA is that it says so much more about us
than an arbitrary serial number does. Give up your Social Security
number and a stranger can inspect your credit rating. But surrender
your DNA and a snoop can discover your innermost genetic secrets --
your ancestry, genetic defects and predispositions to certain
diseases. Of course we will have strong genetic privacy laws, but
those laws will allow consumers to "voluntarily" surrender their
information in the course of applying for work or pleading for health
care. A genetic marketplace not unlike today's consumer information
business will emerge, swarming with health insurers attempting to
prune out risky individuals, drug companies seeking customers and
employers managing potential worker injury liability.
Faced with this prospect, any sensible privacy maven would conclude
that DNA is too dangerous to collect, much less use for a task as
unimportant as turning on a laptop or working a cash machine. But
society will not be able to resist its use. The pharmaceutical
industry will need our DNA to concoct customized wonder drugs that
will fix everything from high cholesterol to halitosis. And crime
fighters will make giving DNA information part of our civic duty and
national security. Once they start collecting, the temptation to use
it for other purposes will be too great.
Moreover, snoops won't even need a bit of actual DNA to invade our
privacy because it will be so much easier to access its digital
representation on any number of databanks off in cyberspace. Our
Mr. Witherspoon will get junk mail about obscure medical conditions
that he's never heard of because some direct marketing firm "bot" will
inspect his digital DNA and discover that he has a latent disease or
condition that his doctor didn't notice at his annual checkup.
It is tempting to conclude that Americans will rise up in revolt, but
experience suggests otherwise. Americans profess a concern for privacy, but
they happily reveal their deepest financial and personal secrets for a free
magazine subscription or cheesy electronic trinket. So they probably will
eagerly surrender their biometric identities as well, trading fingerprint
IDs for frequent shopper privileges at the local supermarket and genetic
data to find out how to have the cholesterol count of a teenager.
Biometric identity systems are inevitable, but they are no silver
bullet when it comes to identity protection. The solution to identity
protection lies in the hard work of implementing system-wide and
nationwide technical and policy changes. Without those changes, the
deployment of biometric sensors will merely increase the opportunities
for snoops and thieves -- and escalate the cost to ordinary citizens.
It's time to fix the problems in our current systems and try to anticipate
the unique challenges that will accompany the expanded use of biometrics.
It's the only way to keep tomorrow's crooks from stealing your fingers and
face and, with them, your entire identity.
Paul Saffo is a director of the Institute for the Future, a forecasting
organization based in Silicon Valley.
Copyright 2005 The Washington Post Company
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . Hundreds of new articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, The Washington Post Company.
For more information go to: