Risky business: non-revocable biometric data

Psst. Your biometric data is showing.

Millions of Americans have no control over their biometric data, which floats around in cyberspace and multiple databases. Although most people wouldn't dream of carrying around a credit card that couldn't be canceled if it were stolen, they're giving out biometric data that cannot be revoked if it's compromised.

Biometrics uses measurement and analysis of biological characteristics, such as fingerprints, retina or voice scans, or facial features, to identify individuals.

The biometrics in widespread use are non-revocable and can be "spoofed." Victims of identity theft cannot obtain a "new" set, so creating additional biometrics for an individual merely creates more opportunities for spoofing.

And there is a false-accept rate of one in 10,000 with the fingerprints used by most government systems, since they only measure some of the data on a fingertip. For instance, in a databank of 100,000 users, a random thief could impersonate 10 people at a given bank, using fingerprint biometric data.

Businesses don't accept credit cards without expiration dates, nor do consumers use credit cards or passwords that cannot be canceled or changed. Similarly, individuals should not give out their biometric data if it cannot be revoked or if it's been compromised, said C. Maxine Most, a principal at Acuity Market Intelligence.

"It's important to have revocability, so individuals have control over their biometrics if they are compromised," she said. "The real role of biometrics is to act like a key to a lock -- that can be shut down if the information is stolen."

Copyright 2008 Dolan Media Newswires
Provided by ProQuest Information and Learning Company. All rights Reserved.