Advances in Identity Technology and Privacy
Does Anyone Really Care About Privacy?
When any new technology is developed and put into use, there is a delay between implementation of the technology and implementation of policies and best practices of how the new technology should be used. That’s normal. But biometric identification technology really isn’t new any more. As a staunch privacy advocates, we’ve been waiting for the general public to start paying attention to what data various companies and government agencies are collecting and what they are doing with that data and to start clamoring for restrictions on who has the data and how it is used.
And it keeps not happening.
Repeatedly, it just doesn't seem to happen.
We’ve been working in this industry for a long time now, and generally any concerns about privacy are always on behalf of someone else. "Well, I don't have any problem with it, but I think other people might." or "I don't have anything to hide." It’s common knowledge that anything posted to the internet cannot be deleted but that doesn’t slow people down very much.
Government versus Commercial Use
Some people are very concerned about what Google or Facebook are doing with their data, but don't pay any attention to what the various government organizations (at every level) are doing. Both Google and Facebook publish detailed information about their data collection and privacy policies. Maybe they could be clearer, but they do exist.
In 2014, the Texas DPS started collecting 10 fingerprints from people trying to get a Texas drivers license. Why? Because they wanted to. For the children! To make things safer. And they didn't even think about it - they just started doing it. The fact that it was the first time they were collecting fingerprints of Texans who were not suspected of a crime didn't seem important. The program was only made public six months after it started and the agency fought hard to keep it after privacy groups objected.
When required to stop by Texas lawmakers, DPS complied and went back to collecting a single print (to verify your identity in the case you lost your drivers license and need to replace it). But they collected full ten-prints for about a year without any authorization.
In July of 2017 the Vermont Attorney General's Office determined that a facial recognition program used by the state's DMV does not comply with Vermont law and must be suspended. I was amazed - both because lawmakers were paying attention and that the Governor of Vermont asked them to stop. It just doesn't happen very often.
We are very happy to see various states starting to address biometric and privacy. Texas, Illinois and Washington have some sort of biometric privacy law. California just passed one that will go into effect in 2020. This article addresses them in more detail. Still, there are problems. For example, the Washington law's definition of biometric identifiers doesn't include physical or digital photographs, videos or audio recordings. So it basically just includes fingerprints? How handy.
But there is a creepy aspect to all this. The novel “Big Brother” wasn’t intended to be a “how to” guide. Technology tends to get faster, smaller and cheaper. Soon the kind of mass surveillance usually reserved for science fiction novels will be possible. When your fingerprints are collected, even when you are just waving your hand over a sensor, you know about it. This can't be done without your cooperation. But sensor technology is advancing and we are now able to collect face and iris images from a distance, and while people are moving. That means it's possible to collect biometric data from non-cooperative people. Not "uncooperative" - because if you are covering your face or looking down, such collection would be difficult. But non-cooperative in that you didn't know a camera was there and had no idea you were being photographed or identified.
With every new technology come questions of responsible and ethical use. In my opinion, the key issues are transparency and accountability. We think the use of biometric identification technologies should always be disclosed. You need to know what data is being collected, by who and for how long. And government agencies and commercial organizations need to be accountable if they are collecting or storing information improperly. That would be a good starting point.