Can someone steal your face and use it to run up your bills? They may be able to if it's stored as information in a biometric database.
As banks, Web stores, and corporations ponder how to identify users with these new biometric technologies, a California legislator is hoping to head off the misuse of people's digital identities.
California state Assemblyman Kevin Murray (D-Culver City) introduced a bill this week to prevent the theft and misuse of such information, which is used to identify a person by his or her finger, voice, retinal, or facial prints.
"The technology is starting to threaten privacy, " said Murray. "We need to get ahead and put limits on the use of such identifiers." The bill was submitted to the State Assembly in Sacramento this week.
Labeled the "Consumer Biometric Privacy Protection Act of 1998," the bill prohibits trafficking in biometric databases, mandates increased security for storing such data, and prevents businesses from recording data for biometric identification without the owner's consent. The bill also increases the severity of identity theft, from a misdemeanor to a felony.
"The biometric issues is not necessarily a pure identity theft issue," said the assemblyman. "We want to make sure that the information is difficult to distribute. How would you like your fingerprints to be old over the Internet?" If passed, the bill will take effect on July 1, 1999.
The bill was sponsored by the Center for Law in the Public Interest and California Bankers Association. "When I heard that fingerprinting was becoming more prevalent, I thought, 'Oh my God! We are going to have the same mistakes that we have with social security number identities today," said Ed Howard, executive director of the Center for Law in the Public Interest. Most credit applications today ask applicants for their social security number as a method of identification, despite the fact that the nine-digit ID is fairly easy to obtain. For that reason, companies evaluating electronic commerce intend to use biometrics, smart cards, or digital IDs to validate the user's identity.
"[Biometric] identifiers [have the potential] to provide an efficient, unintrusive, and accurate means of identifying consumers in a variety of commercial and government applications," said the text of the bill.
Unfortunately, if the identifying data is sold or stolen, whoever has the data could pose as the original owner. If a store has data that seemingly personally identifies a buyer, the business is less likely to believe the victim in a case of identity theft. "Imagine how much harder it will be to correct your credit report, when the store believes it has your fingerprints," said CLPI's Howard. Luckily, the use of biometric data and, thus, its theft, is still rare.
A case of crying wolf? "That's just the point," Howard said. "When you are talking about the security of data, you have to aim ahead of the technological curve. It's like shooting skeet." According to Howard, this is a win-win situation for all parties concerned. Businesses get more accurate information, and consumers will not have the trauma of having their identity stolen.
Randall Fowler, chairman of Identix, which makes fingerprinting technology, said Murray's bill would help develop security standards for the young biometrics industry. "In my opinion this kind of legislation is essential and very good news," Fowler said. "I don't believe e-commerce or home banking can exist unless people feel secure [at both ends]." He said Murray's bill would allow tighter security standards than currently exist and prevent the unwanted selling of information.
Others are not so sure. Some makers of biometrics software fear such laws could restrain -- instead of enhance -- security efforts by prohibiting companies and government agencies from sharing information about potential lawbreakers with each other. "Our concerns are that the benefits of safety and security could potentially be constrained by overzealous legislation," said Dave Maddox, sales manager for Visionics, though he would not comment on Murray's bill specifically.
Visionics makes biometrics software called FaceIt that captures pictures of people for security purposes. Companies often use face data to search databases containing personal information to find matches. Maddox said FaceIt has been used by several agencies and companies to prevent voter and benefit fraud as well as shoplifting. Assemblyman Murray has frequently advocated the protection of consumer privacy -- most recently, with a bill signed into law last October that makes identity theft a crime and requires credit agencies to remove potentially inaccurate information immediately.
