Here's one of the most bizarre lines I've ever seen in biometrics and national security. It provides a good spur to revisit what privacy is really all about.
Fingerprints 'not particularly private,' security czar says
Edmonton Sun, Thu 10 April 2008
The U.S. homeland security czar says Canadians shouldn't fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person's fingerprints are like footprints."They're not particularly private," Chertoff said yesterday during a visit to Ottawa."Your fingerprint's hardly personal data, because you leave it on glasses and silverware and articles all over the world."
Actually there is a technical legal principle here that Chertoff is ignoring (or maybe trying to subvert). In most privacy law, if information is personally identifiable, then it is treated as "private", insofar as there are legislated limitations on what anyone can do with that information, how they may collect it, store it and share it. In general, if you collect personally identifiable information -- in any way about any individual -- then you owe certain duties of disclosure to that individual. That's what privacy is all about! It's not about security per se, and it isn't nullified just because fingerprints are readily available for collection. It's about a duty of care.
From a common sense perspective, even if people do leave fingerprints lying around, they surely have a presumption of privacy? If you try to have a quiet conversation in a park then you expect some privacy, even if your voice might be picked up by a sensitive microphone at a distance.
I also leave DNA all over the place. How soon before national security people say that's "public" too? Remember the legal principle: any personally identifiable information, collected by any means, comes under privacy law. Certainly there are national security provisions that trump privacy, but they're not automatic, and they do not change the legal status of any personally identifiable data like fingerprints, on the basis that fingerprints are easily collected and "not particularly private".
Even granting that fingerprints are left lying around in public, if someone else goes to the trouble of picking them up, scanning them, digitising them, linking them to my identity, and running checks to track my whereabouts then they commit a host of privacy invasions relating to the Collection and Secondary Use principles.
Finally and rather ironically, the reasons given for saying fingerprints are not private amount to an argument that they're really not much good for security!
Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity
management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.