Sense and Nonsense About Biometrics
Apple’s Touch ID fingerprint scanner seems to have fueled an important but ill-informed and ultimately nonsensical debate about biometrics and privacy. The latest example is this muddled editorial in the Sept. 22 New York Times.
The Times editorial, and a great deal of other discussion of the issue, errs in confusing two completely different uses of biometric data: authentication and identification.
The iPhone uses fingerprints for authentication. It scans your finger an checks if it matches previously recorded data (read this for a deep dive into how the process works and why it is secure.) You can record up to five prints. If you want one of them to be your cat’s paw, fine. You can give your cat access access to your iPhone. The phone does not care who the print actually belongs to, just that it matches.
This is what authentication is about. You attempt to access a system claiming to be Mr. X. The system confirms that this is the same person (or cat) who previously claimed to be Mr. X. It offers no warranty whatever that the person claiming to be Mr. X is Mr. X or, indeed, that Mr. X exists.
Authentication is relatively easy. It is still non-deterministic and, like any other statistical process, subject to both false positives (accepting a print it should reject) and false negatives (rejecting a print it should accept.) But a properly designed system with a good sensor, like Apple’s, can keep the rates of both types of error very small. And as long as the biometric data is stored locally and securely, as Apple maintains is the case with Touch ID, there is no real privacy issue. In fact, biometric authentication can increase privacy by reducing identify theft.
Identification is what happens when the police find a fingerprint at a crime scene. The FBI lab must compare this unknown print to millions of known prints in its database in search of a match. The likelihood of both false positives and false negatives is much higher than in the authentication case and the quality of any match–the probability that it is not a false positive–may be low. (Good defense lawyers know how to challenge expert witnesses on the quality of fingerprint matches.)
Fingerprint matching is at least backed by decades of experience and a fair amount of science. Other forms of biometric identification, such as face recognition in crowds, is far more problematical. As Adam Harvey pointed out in an Ignite talk at the Privacy, Identity, Innovation conference in Seattle last week, the current state of technology makes it all but impossible to capture useful biometric data without the cooperation of the target. You have to touch something, hold still for iris scanning, or at least look squarely into a camera with you face unobscured. At best, the data we collect from tens of thousands of surveillance cameras is good only for after-the-fact identification of suspects.
But the technology for on-the-fly biometric data capture is only going to get better. This, not Apple’s fingerprint scanner, is what poses the real threat to privacy and where the debate ought to focus.