Body language

Body language

Biometric technologies such as voice recognition systems and fingerprint scanners may have their advantages, but there are still issues of privacy and confidentiality to be resolved.

Austar's chief information officer, Dean Walters, doesn't like fiddling around for his keys, poking around at the stereo while driving, or entering multiple passwords to complete online transactions. Whenever and wherever possible, he lets his body do the talking - literally.

"It's not really about security, it's about simplicity. I've got a fingerprint scanner on my front door, my car has a voice recognition system, and I use the fingerprint scanner on my laptop rather than typing in my password all the time, because it's just easier that way," Walters says.

Applying the same logic to business, he's used a natural voice recognition system to streamline Austar's phone-based movie-ordering systems, shaving $11 million off operating costs while improving the customer experience.

Oh, and he's also added an extra level of biometric voice recognition security as an opt-in.

"Instead of having to go through three levels of menus, customers call in, quote their ordering code and tell us what they want to do," Walters says. "They have the option to set up voice printing, so that they are the only ones who can access their account, but only 14 per cent of our customer have implemented the extra security measure."

And Walters isn't the only CIO who has figured out that biometric technology provides for more than just elaborate door locks.

In Adelaide, South Australian Department of Health CIO ¿David Johnston has spent the past two years laying the foundations for an identity management system culminating in the unveiling of keyboards that feature fingerprint scanners.

He's not doing it because the hospital's computer network requires a state of the art sign-on system, or because there were any serious security concerns. It's simply easier and quicker for clinicians to flick their finger across a scanner than it is for them to log into multiple software packages and databases.

"What we get with the fingerprint scanners is the opportunity to automate workflow via a non-repudiatable authentication system, we get session transportability, an audit trail, secure systems access and improved process efficiencies," he says.

With several trials successfully completed, Johnston has moved to a gradual execution of the hardware, and although fingerprint scanners will add about $25-$30 annually to PC rental costs, he is confident the amount will be covered through improvements to operational efficiency.

"Our hospitals run up to 600 different applications at any given time, and a doctor could use up to 10 applications, all with different user names and passwords in a single consultation," Johnston says. "When you look at the different applications in health, everything comes down to identity. The non-repudiated ID management we're now implementing provides a legal signature, so we will have the opportunity to implement a substantial improvement to overall workflow."

It's the economy, stupid!

According to James Turner, industry analyst with Intelligent Business Research Services (IBRS), such operational efficiencies will be exactly what drive biometric technologies piecemeal into the private sector.

"With the key exception of voice recognition technologies, the private sector has been dragging its heels in the adoption of biometrics," Turner says.

While biometrics vendors have been focusing much of their marketing on the ways in which biometric technology enhances security, the business community has been left wondering how to justify a substantial initial cost with an incremental improvement in protection.

Andrew Walls, research director focusing on security for Gartner, says although biometrics vendors have been attempting to focus on efficiency gains, the nature of the technology has clouded the message.

"A biometric system that can stand up and say it's accurate enough to reliably identify an individual has to refer back to security. It needs to deal with false positives and false negatives, and reach an intersection of accuracy and usability which is acceptable to the customer," Walls says. "But when it comes to providing the customer with a reason to move from a password system to a handprint system there has to be an economic motivation, rather than an argument simply based on enhanced security."

The growth of biometric technologies has been further hampered by general concerns regarding privacy and safety. Even in sectors such as banking, where identity authentication is paramount, there is a good deal of reticence regarding the adoption of biometric identifiers.

"As with all security applications, Westpac has had a watching brief on biometrics for a number of years but recognises its limitations in mass market applications," says David Backley, chief information security officer at Westpac Banking Corp. "Westpac has no immediate or near-term plans to introduce these technologies."

According to Turner, the private sector is still largely in the pilot phase of its dealings with biometrics, seeking technologies that will improve productivity, increase security and be largely invisible to the customer.

"How are people going to feel walking up to the counter, and being asked to look into a light to verify their identity?" Turner says. "With the possible exception of voice recognition technology, most biometric applications at this stage are expensive to roll out and are not trusted by customers."

As such, the strongest push into the biometrics sphere is coming from a few large-scale government projects.

Leading the government pack is the Department of Foreign Affairs and Trade's (DFAT) introduction of ePassports, which, when combined with Customs' SmartGate service, will speed up migration queues by enabling Australians to check themselves through airport security.

At the same time, the Department of Immigration's nascent biometric identity verification is being implemented in immigration detention centres throughout Australia, while Queensland Transport is on track to offer smartcard licences by November 2008.

It could be argued that the private sector needs to be attentive to the concerns of its customers, while government departments can simply mandate for the use of a new technology. At least until an election rolls around.

Who are you?

Nowhere is this more the case than in immigration detention centres and refugee camps, where the Department of Immigration's identity management strategy has led to the collection of biometric data to be used as a basis for ongoing identity authentication.

"We are collecting biometric information for those case loads where we might have lots of dealings with people in the future, and on people who have, for whatever reason, found themselves detained," explains ¿Janette Haughton, assistant secretary identity branch, Department of Immigration. "The other place where it will become very important is in the airport where people have been turned around and denied entry into Australia, as they will often try to regain entry to the country under another name."

According to Haughton, trials have also been applied to refugee camps overseas, where the biometric ensures that the same person who was initially granted refugee status is the same one who eventually enters Australia.

"In the refugee area, through no fault of their own, people often don't have many identity documents, so it's important for us to have a way to verify that we are dealing with the same person," Haughton says.

As for the rest of the country, the federal government is halfway through its $186 million ePassports project, designed to reduce identity fraud and make the processing of incoming passengers faster and more efficient. According to DFAT, 2.1 million Australians now carry a biometric algorithm, based on their facial features, in a microchip sealed into their passport.

Despite some delays in the operation of the associated SmartGate designed to read the ePassports at international airports, the project is largely progressing to plan, and seems to have achieved a high level of acceptance.

Interestingly, however, the introduction of ePassports has not paved the way for more extensive use of biometrics in federal or state government departments.

Sticking to the script

At a federal level, attempts to launch a national government services Access Card, containing biometric data, has been put on hold pending the upcoming election, amid criticism that the project is costly and ill-conceived.

The federal government's Access Card project inspired a strong public backlash largely due to conflicting statements from the government as to the card's purpose and a failure to communicate this clearly to relevant lobby groups. Queensland's smartcard licence project, on the other hand, has been gradually implemented over the past two years amid a high level of public consultation.

Queensland Transport CIO Paul Summergreene has been unwavering in his insistence that biometric smartcard licences are being adopted in order to reduce the instance of fraud, and will not carry other data or provide access to other personal information. "We've been keen to ensure that the project doesn't get diverted onto other issues, and we've worked exceptionally closely with all the privacy and lobby groups and no real issue has been raised," Summergreene says.

Here lies an important lesson for anyone contemplating the use of biometric technology for identity authentication - if you are going to capture and store someone's biometrics - you better convince them that you are going to take damn good care of it.

Protecting privacy

At the Biometrics Institute Australia Conference held in June in Sydney, ¿Cameron Murphy, secretary for the Australian Council for Civil Liberties, delivered a stinging rebuke of the biometrics sector for failing to comply even with its own privacy standards.

"Often the creators of this technology and the companies who want to use it are more than happy to explain the benefits," Murphy says. "But they don't explain the risks, they don't tell you what happens if someone steals your biometric identifier and uses it to impersonate you. They tell you how secure the system is from an outside attack, but not how they will deal with someone inside the company breaching security."

Fundamentally, Murphy's argument is based on the fact there is no national privacy legislation that takes into account advances in biometrics. He argues that before the technology is widely adopted the government needs to set up mechanisms by which users can control the use of their biometric information.

"I think there are essentially the same basic privacy concerns involved in the use of biometric technology as there are in any other type of system. The only difference is that when a biometric identifier is stolen it provides a much greater capacity for damage to occur," Murphy says. "There is the same capacity for people to hack into a computer system that holds biometric information as there is for them to hack into any other system. And while you can change your phone number or your name, you can't change your fingerprint."

Former privacy commissioner Malcolm Crompton still advises companies as to what they can and can't do when it comes to data collection, and these days he's heading up a data consultancy called Information Integrity Solutions.

His assessment is disturbingly simple.

"A good implementation of biometrics technology is about using the right technology the right way," Crompton says. "And about having the mechanisms in place to handle failure when it happens."

And while much of the focus, when it comes to using biometrics technology, is on protecting the biometric algorithms, there is also a substantial need to create appropriate procedures for system failure.

Unfortunately, this is where the whole argument in favour of biometrics becomes a little circular. After conducting extensive research into the human capacity to recognise faces, ¿Richard Kemp, at the school of psychology at the University of NSW, believes the greatest points of failure of biometric systems may well lie in the human element.

"If a biometric facial recognition system says that the person in the photo doesn't correspond with the person holding the ID, most systems will switch back to humans for verification," Kemp says. "And humans are, in general, very bad at recognising people we don't know, let alone people from different racial backgrounds."

So despite the promised convenience, biometric technologies still have a long way to go to prove themselves to a sceptical audience, as even their most ardent supporters have some doubts.

"I don't think we're going to see biometric scanners pop up everywhere, because public acceptance is extremely important," Austar's Walters says. "I'm happy enough to use my fingerprint on my own door, but I don't know about having my fingerprint stored all over the place. I'm not very comfortable with that idea."

MIS Australia

© Fairfax Business Media

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags biometrics

Show Comments