Tuesday, September 13, 2011

Despite increasing adoption, biometric misconceptions still rife


A recent feature on AM, ABC Radio's flagship current affairs program, regarding a Melbourne Local Council’s plans to track employees' work hours with biometric technology garnered some interesting debate surrounding data privacy and security.

AM revealed that the City of Monash in Melbourne's south-east is considering vein scanning technology to capture time and attendance information for up to 100 library staff, including casuals.

The technology will capture the vein patterns in a person's fingers and store them as a template for future scans.

But while biometric technology like iris, fingerprint and vein scanning was once reserved for Hollywood and the stuff of sci-fi movies, isn’t it becoming more commonplace now?

Public sector agencies and corporate organisations around the country, such as Woolworths, are already using biometric technology to check and verify the identities of their staff and record work hours. Even patrons at popular theme parks and venues, such as the Coogee Bay Hotel, are now required to present their fingers! (Read More: "You want a drink? Give us your fingerprints")

So what’s the problem?

Judging by the feedback from the AM talk back show and the subsequent comments voiced by readers on ABC News, the vast majority are worried about privacy issues.

"They're concerned about where this information is going to be stored, what will happen with the information when they leave council, who owns the information, what's the legal ramifications," said Igor Grattan, Australian Services Union assistant branch secretary.

Indeed, this is an all too common reaction that we, as Biometric Time and Attendance providers, come across when speaking to prospective clients and unions alike.

As Phil Scarfo, Senior VP of Sales and Marketing at Lumidigm Inc. explains, “Though most biometrics systems rely solely on templates, or mathematical representations of the physical characteristic, the general public is not aware of this fact. It is the misperception that people are storing fingerprint images in databases that creates concerns related to privacy.” (Read More: What’s behind the biometric template?)

As such, our presales process involves educating users and management that the multi-spectral biometric technology we utilise doesn't actually collect and store fingerprints.

Instead, when an employee enrols via our biometric clocking terminal, the system saves a mathematical representation of the fingerprint and reproduces this as a template. The template is then checked against those stored by the reader for a possible match. If one is found, the employee’s registration is accepted; otherwise it is rejected.

Contrary to popular belief, this biometric template cannot be reconstructed back to the original fingerprint image.

If you would like to read more about common biometric misconceptions, check out "Dispelling the Myths About Biometrics: Misguided beliefs about biometrics should be investigated for proper understanding of the technology".

Isn’t it time you considered biometrics?

Biometrics can significantly improve the ROI associated with implementing an automated Time and Attendance solution. By utilising this technology, organisations can:
  • Enhance site security – as no one without the proper identity is admitted, misplaced cards and staff borrowing “swipes” to gain access to controlled areas are no longer an issue
  • Reduce time and attendance fraud – cut out ‘buddy clocking’ practices, where one employee clocks on for another
  • Eliminate costs associated with physical ID card production and proximity fobs
  • Facilitate accurate reporting – in the unfortunate event of an emergency, supervisors have an up-to-the-minute view of exactly who is onsite and where they are located
Visit our website today for more information on our Biometric Time and Attendance systems.

Or feel free to join in the conversation on our Facebook page and Twitter.

2 comments:

Steve_lockstep said...

Sorry but this post misrepresents or fails to appreciate the real privacy issues.

It is NOT true that "it is the misperception that people are storing fingerprint images in databases that creates concerns related to privacy". In fact the technical nature of the template is relatively unimportant because contrary to your flat assertion, any biometric template CAN in principle be reversed; see for example "From Template to Image: Reconstructing Fingerprints from Minutiae Points” Ross & Jain at http://biometrics.cse.msu.edu/Publications/SecureBiometrics/RossShahJain_FpImageFromMinutiae_PAMI07.pdf.

No, the real privacy issues are many and varied and include:

- No contingency plan *anywhere* for recovering from biometric identity theft. No commercial biometric is able to be cancelled and re-issued in the event of compromise. After biometric identity theft, users are ostracised.

- Violation of the Collection Principle through overkill. Biometrics are a heavy handed solution to problems like Time & Attendance and school tuck shop security. As the Victorian Privacy Commissioner said on the ABC AM program, it is not clear that collecting biometrics is a proportionate approach.

- Security of the template database. This is the gravest practical issue and is rarely covered adequately. Vendors often refer vaguely to “encryption” without going into details, nor showing any evidence that the encryption has been independently tested and certified. Neither do they discuss the importance of database administration.

- Inadequate understanding and discussion of Detection Error Tradeoff. Vendors are rarely even honest about False Accept and False Reject Rates, much less do they cater for the consequences. When inevitably a legitimate user suffers a False Reject, they will endure some special case additional checks. This experience, if not managed properly, can impugn the integrity of the unfortunate, and lead to even more extraneous PI collection.

- Inadequate treatment of Fail To Enrol rates. Some proportion of users cannot be enrolled in any given biometric, and these minorities need also to be handled carefully, with proportionate collection of whatever data is needed to identify them.

Finally, anyone promoting biometrics in Australia must plan for changes recommended by the Law Reform Commission that biometric data be classified as Sensitive Personal Information. This would mean that free and express consent must be given before collecting any biometric data.
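The Detection Error Tradeoff raised in the comment above, as an added illustration that is not part of the original post or comment: a Python sketch that sweeps the accept threshold of a score-based matcher and reports the False Accept and False Reject Rates at each setting. The similarity scores, the thresholds and the two-scans-per-day figure are constructed assumptions, not data from any product.

```python
# Constructed similarity scores in [0, 1]; not measurements from any real device.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.58, 0.90]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.30, 0.55, 0.18, 0.70, 0.27]  # different people
THRESHOLDS = [0.5, 0.6, 0.65, 0.7, 0.8, 0.9]  # hypothetical matcher settings


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a matcher that accepts any score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def det_curve(thresholds=THRESHOLDS):
    """One (threshold, FAR, FRR) row per setting: the tradeoff a buyer should ask for."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_point(thresholds=THRESHOLDS):
    """Row where FAR and FRR are closest; a single figure that hides both tails."""
    return min(det_curve(thresholds), key=lambda row: abs(row[1] - row[2]))


def expected_false_rejects(frr, staff, scans_per_day):
    """Legitimate scans per day that would fall into the manual exception process."""
    return frr * staff * scans_per_day


if __name__ == "__main__":
    for t, far, frr in det_curve():
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    t, far, frr = equal_error_point()
    print(f"closest to equal error: threshold={t} FAR={far:.0%} FRR={frr:.0%}")
    # 100 staff as in the article; two scans per day (clock on, clock off) is assumed.
    print("false rejects/day:", expected_false_rejects(frr, staff=100, scans_per_day=2))
```

Raising the threshold lowers False Accepts only by raising False Rejects, so a quoted rate means little without the threshold it was measured at and a plan for the staff who land in the exception path.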

Mitrefinch APAC said...

Steve, thank you for taking the time to read our post and for your constructive feedback. Your link to "From Template to Image: Reconstructing Fingerprints from Minutiae Points” Ross & Jain at http://biometrics.cse.msu.edu/Publications/SecureBiometrics/RossShahJain_FpImageFromMinutiae_PAMI07.pdf does make for interesting reading.

From a Time and Attendance perspective, we have found that the majority of organisations in the market for a new Time Tracking application are indeed opting for a biometric solution – and it’s not just large multinationals but even small one-site operations. This is primarily due to issues they have experienced with “Buddy Punching” and time theft, which can amount to thousands of lost dollars every year, as well as the commercial availability of an array of biometric products – we’ve even had enquiries from organisations who have bought such devices on eBay! (And this doesn’t show signs of abating, with the global biometric market expected to grow at a compound annual growth rate of 23% through 2013.)

Yes, it may be argued that rather than opting for a biometric solution these organisations could look at addressing the culture that exists within their business, whereby employees think it’s OK to clock in or out for each other. However, for many, biometrics represents a more convenient and efficient option. But then again, it could be argued that by implementing a biometric solution employees may feel alienated and threatened by the prospect of a Big Brother style operation – resulting in demotivation and a subsequent drop in productivity.

With all our prospective clients we advise them to research the different time and attendance data capture options available to them, converse with other users in similar industries, and speak to their employee representatives – to ensure they implement a solution that best suits the needs of their particular organisation and staff.

Once again, thank you for your insight and feedback, and we look forward to following your views and perspectives via Twitter (http://www.twitter.com/steve_lockstep).
