Many of us should rightfully be surprised that our fingerprints
aren’t considered “personal data” by the
head of DHS. Even more importantly, DHS itself disagrees.
In its definition of “personally identifiable information”
— the information that triggers a Privacy Impact Assessment
when used by government — the Department specifically
lists: “biometric identifiers (e.g., fingerprints).”
Chertoff’s comments have drawn sharp criticism from
Jennifer Stoddart, the Canadian official in charge of privacy
issues. “Fingerprints constitute extremely personal
information for which there is clearly a high expectation
of privacy,” Stoddart said.
There are compelling reasons to treat fingerprints as “extremely
personal information.” The strongest reason is that
fingerprints, if not used carefully, will become the biggest
source of identity theft. Fingerprints shared in databases
all over the world won’t stay secret for long, and identity
thieves will take advantage.
A quick web search on “fake fingerprints” turns
up cheap and easy methods for do-it-at-home fake fingerprints.
As discussed by noted security expert Bruce Schneier, one
technique is available for under $10. It was tried “against
eleven commercially available fingerprint biometric systems,
and was able to reliably fool all of them.” Secretary
Chertoff either doesn’t know about these clear results
or chooses to ignore them. He said in Canada: “It’s
very difficult to fake a fingerprint.”
Chertoff’s argument about leaving fingerprints lying
around on “glasses and silverware” is also beside
the point. Today, we leave our Social Security numbers lying
around with every employer and numerous others. Yet the fact
that SSNs (or fingerprints) are widely known exposes us to
risk.
There have been numerous questions raised about how this
Administration is treating our personal information. Secretary
Chertoff’s comments show a new reason to worry —
they don’t think it’s “personal” at
all.
– Peter Swire