Understanding anonymity and the need for biometrics

Mark A. Shiffrin and Avi Silberschatz, 03.19.2008

Every time we leave our homes, we enter a world dominated by strangers and anonymity. Although facial or voice recognition may help us authenticate a few of those we encounter, what about the many people we don't know? In particular, how do we authenticate ourselves to each other when we need to know who we are dealing with?

Confusing privacy with anonymity has delayed implementation of robust, virtually tamper-proof biometric authentication to replace paper-based forms of ID that neither assure privacy nor reliably prove identity. The debate over Real ID and sensitivity to creation of any form of national ID reveal a fear that anything that identifies us to others will intrude on privacy. This has led to a preoccupation with forms of ID rather than the fundamental question of how we can reliably identify ourselves to each other. This is a crucial issue: We live in a society where we are often unknown to the people we encounter, including people who need to know exactly who they are dealing with.

While anonymity implies privacy, it does not confer it. We delude ourselves into thinking we have privacy if the person next to us doesn't know our name. If we use cash and avoid technological conveniences such as credit cards and windshield-mounted RFID devices to pay highway tolls, we may think we are going about life anonymously. We are allowing ourselves to believe that our public acts, how we communicate to others by word or deed in public space, are now somehow private.

In the tight-knit communities in which people used to live, people presumed that neighbors always knew whenever someone ventured outside of his or her front door, because everyone knew each other and could see public conduct. In the global virtual neighborhood, we now live among strangers. We may have anonymity as we encounter people who are not familiar with us, but it is only an illusion that public acts are now private.

Outside our homes, we have always lived in a public space where our open acts are no longer private. Anonymity has not changed that, but has provided an illusion of privacy and security. A credit card, rather than a shopkeeper, might record our purchases. Or, the RFID chip in our EZ pass might recognize that we cross a bridge at a given moment, instead of a toll taker. But these are records of public acts in which we openly engage in a public space with no reasonable expectation of confidentiality.

In public space, we engage in open acts where we have no expectation of privacy, as well as private acts that cannot take place within our homes and therefore require authenticating identity to carve a sphere of privacy. Such private acts might involve receiving medical treatment or conducting financial transactions. Individuals have a strong interest in maintaining control of treatment records that we rightly consider confidential, and knowing that finances cannot be misappropriated or snooped without consent.

The false privacy of anonymity allows others to steal what remains private to us in public space. Personal identity is unique and should remain in our control. Our lives outside our homes include not only open acts, but also those private transactions that have to take place in space we cannot control.

The lack of reliable authentication becomes a threat to control of our own identity and confidential information, because it enables others to take advantage of living among strangers to assume a false identity undetected. Strangers can falsely assume our identities when they steal identifying information like social security or credit card numbers. They can also threaten our personal, economic and national security when they garb themselves in legitimacy by forging ID or misusing someone else's ID with or without that person's collusion.

Biometric authentication has a role in maintaining and defending our control of our own identity and personal data. This emerging technology makes it virtually impossible to assume someone else's unique identity. It is a way of providing the same kind of security in the virtual neighborhood that we once had in rooted neighborhoods, where the uniqueness of individual identity was assured by neighbors authenticating each other through facial recognition.

We have to expect that people will see us when we are in public and that our open public acts will be just that. But we have to worry that, in an anonymous world without authenticated identity, privacy will be violated when others can assume our identifying characteristics and take control of transactions and interactions outside the home that are indeed personal and unique to us. This is a threat to the sphere of privacy we take with us outside our homes, including not only our interest in maintaining control of our names and reputations, but also of transactions and records that are highly confidential to us. Authenticated identity can address this threat, as well as the threat posed to society by strangers exploiting the vulnerability of anonymity to assume false identity.

Mark A. Shiffrin, a lawyer, is a former Connecticut state consumer protection commissioner.

Avi Silberschatz is Sidney J. Weinberg Professor and Chair of Computer Science at Yale.

Note: Anonymous comments on The Industry Standard are disabled. To leave a comment and participate in the Standard's prediction market, please register first.


Comments

It is said, a combination of what you have (a smart card), what you know (a PIN) and what you are (biometric - fingerprint, iris, palm vein, etc.) with adequate security gives unique identity to every person and every transaction, thereby making it tamper-proof.

The transactions can be stored in a central server and cannot be accessed by any unauthorized person if proper security measures are built-in. The individual can have a complete record of transactions in his/her smart card and is foolproof as it is done using biometric and PIN.

This can give the necessary anonymity and yet full security against repudiation.


The authors describe biometric authentication as an "emerging technology" and repeat the all-too-common presumption that it "makes it virtually impossible to assume someone else's unique identity".
The word “unique” is bandied about far too casually in biometric discussions. Typical biometric products have False Detect Rates and False Reject Rates of 1 or 2 percent. How can these technologies relate to "unique" characteristics on the one hand (or be “virtually impossible” to spoof), and yet suffer one-in-a-hundred errors on the other?
Fundamentally, neither the voice nor the face is unique to an individual. Nor indeed are fingerprints. See Simon Cole: "Although conventional wisdom since the nineteenth century has accepted the doctrine that no two fingerprints are alike, no one has really proven the proposition's validity." Ref: The Myth of Fingerprints: A forensic science stands trial, Simon Cole, Lingua Franca 10(8) pp 54-62, 2000; http://fp.bio.utk.edu/evo-eco/resources-this_semester/Cole-fingerprints.....
Even if a given bodily trait is close to unique, we need to remember that all biometric systems involve measurement and information processing stages all of which are imprecise and fallible. The impact of measurement is clearest in the case of iris scanning. The proponents of iris recognition like to claim that the probability of two individuals' irises being the same is one in ten to the power of seventy eight. The denominator is truly a fantastic number -- much bigger than the number of atoms in the universe. But in practice, false match rates with iris technology can be 0.001%. Sounds pretty good but it is literally ten million million million million million million million million million million million million times worse than implied by the vendor's claim.
So before we entertain policy recommendations that would seek to protect privacy on the basis of the supposed perfection of biometrics, we should take great care to understand their limitations. The privacy intrusions that are bound to arise when innocent people are flagged by a supposedly perfect technology as being suspect will be enormous. Biometrics are indeed an "emerging technology". It should strike us all as very strange and worrying that national scale security projects with huge societal impacts are being touted on the basis of immature solutions that even on cursory examination fall so far short of expectations.


The authors spend a lot of time trying (poorly IMO) to disentangle privacy and anonymity. And then somehow this is supposed to support the need for biometrics? Perhaps I'm missing the point, but I think everyone will grant the need for robust authentication of identity. If their point is to support biometrics, their time would be better used addressing the shortcomings of that approach. Stephen Wilson's comment points out one major problem--that as a practical matter biometrics does not yet work well. However there is a greater problem with biometrics--once your biometric identity *has* been compromised, there is no way to change it. If my password (what I know) is learned or my PKI token (what I have) lost, those can be revoked and replaced. If someone finds a way to forge my biometric identity for a given biometric authentication implementation, what can I do about that? What I am is a dangerous means of authentication.

