Fingerprints for Free — Your Privacy and Biometrics

The news this week has included several articles (AFP feed linked here) noting that the German Interior Minister Wolfgang Schaeuble’s fingerprints were published, along with a “how to” article on creating a fake set of fingerprints. The Chaos Computer Club (CCC) allegedly collected the fingerprints from a water glass. The CCC published the fingerprints to point out the failings of biometrics in authentication.

The point the CCC are making here is that while biometrics have a reputation for “high security,” that reputation is based on uniqueness (of a fingerprint for example). But, if you can copy the fingerprint the way you photocopy a memo, then that claim of uniqueness is invalid. More simply put, the argument is that “only you could have left that fingerprint” while the fact is that anyone with a copier could have left your fingerprint.

I have another aspect of this story that I’d like to explore, and it revolves around both biometrics and privacy. My question is: “When is it ‘okay’ to collect biometric data?” I use the word ‘okay’ because there are legal, moral and public good aspects to this question, and they should all be discussed.

The fact is, humans shed, much like a white Persian cat on a black dress. As we go through our daily routines we leave a sloppy trail of fingerprints, DNA and hair behind us. It is completely unavoidable. “So, who owns those personal artifacts, and who can make use of them?” The answer is very unclear. Police, for many years, have used these artifacts as “forensic evidence” in investigations, and that precedent is well established (correct or not). It’s also well established that location plays a role. Artifacts you leave in public (like trash) are no longer ‘yours’ and have no expectation of continued ownership. “Does this apply to a fingerprint on a water glass?” It seems it does. The same artifact in a private place, like your home, would have a different expectation of ownership. You’d own that fingerprint on the water glass on your dining table.

Even though “ownership” of a fingerprint may have moved (say from the individual to the police or CCC), USE of that print may be subject to other rules. Photography provides the best examples here. You may take pictures of people in public places. But, you may not be able to make commercial use of those photos without the permission of the subject, UNLESS the subject is a public figure who has lost their expectation of privacy. (Thus we have created the infamous paparazzi of Hollywood.)

‘Privacy’ and ‘ownership’ of information about your identity are tightly wound together. You can’t address the one, without addressing the other. When must you consent to data collection, and when may it be taken or collected without your consent? Again, the rules we have in this area are limited and inconsistent.

A hundred years ago, leaving a trail of biometric data behind you was a non-issue. Everyone did it, but it wasn’t an issue, because no one could do anything with the data. Life (and technology) have changed. Now that same biometric detritus can be used for many purposes — some good and some bad (DNA analysis, cloning, legitimate authentication and fraud, among others).

Perhaps it’s time to discuss some regulations on collection and use of biometric material and data. To whom did you give your fingerprints, today?
