In this three-part series, I've tried to address the serious data privacy and security tradeoffs that biometrics require when used to replace passwords wholesale -- not least of these being the federal government's interest in "moving beyond passwords" to make searches and surveillance easier. (See parts 1 and 2.) To make this possible, the Obama Administration has been working with the private sector to introduce a federal Internet ID and increase biometric adoption through the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Cozy biometric partnerships between big business and big government are naturally suspect because of the latter's penchant for surreptitiously collecting massive swaths of data on US citizens and its voracious desire for as much biometric data as possible on as many people as possible. For starters, of course, there are Edward Snowden's revelations of the NSA's massive domestic spying campaigns on US citizens and companies, including the NSA's collection of biometric data from picture files stored on the Web and sent via email, MMS, videoconference, and other technologies at a rate of millions of images daily.
Other examples include the following:
- Advanced law enforcement biometric technology, available to the FBI and police departments, collects biometric data from security cameras, government records, and a variety of other unspecified sources to continuously enable rapid personal identification by face, scars, tattoos, birthmarks, and fingerprints.
- The TSA's controversial full-body scanners can store and rapidly transmit images of the people they scan -- a capability the TSA specifically requested in its own procurement specification documentation for said scanners.
- According to recently leaked US Customs and Border Protection (CBP) documents, CBP is deploying extensive biometric measures to identify and track all international travelers by obtaining and storing their biometric and travel data via facial recognition, iris scanning, and fingerprint reading.
- Schools, too, are getting into the biometric storage and tracking act. The school board in Encinitas, Calif., recently voted to develop and deploy facial recognition technology on students' mandatory, school-assigned iPads. In 2013, outrage erupted in Polk County, Fla., when schools there began scanning bus-riding students' irises and storing the data without parental notification or permission. (Since then, the State of Florida has entirely banned school collection and use of student biometric data.)
In regard to these considerations, Apple is way ahead of Microsoft on customer information security. Although Apple's biometrics are far from unbreakable (you may recall this, this, and this from parts 1 and 2 of this series), the company's latest mobile encryption and data protection, when implemented properly, is very strong -- not to mention backdoor-proof.
This feature has been a bad shrimp in the federal government's net ever since Apple introduced it. So desperate are federal agencies to backdoor Apple's encryption (and, indeed, all encryption not their own) that they have gone on record equating it to pedophilia and child murder.
The NSTIC website's FAQ demonstrates just how little the federal government cares for individual liberties where Big Brother is concerned. As an answer to the question "How will implementation of NSTIC enhance privacy and support civil liberties?" the FAQ goes on for paragraphs about keeping the private sector in line privacy-wise, but has only this to say on the topic of civil liberties -- an afterthought at the very end:
"[T]he Identity ecosystem allows you to continue to use the Internet anonymously, which supports civil liberties like free speech and freedom of association."
Read that again. It is a bland statement about the Internet, in general, "support[ing] civil liberties" -- without saying anything about NSTIC, federal Internet IDs, or the government.
Yes, the Internet supports liberty and freedom ... when government is not tracking an individual citizen's every move. If the government really supported anonymous Internet use and data privacy, its agencies probably wouldn't have it out for Tor users -- people federal law enforcement agencies have likened to terrorists.
Even the NSTIC page, however, recommends multifactor sign-on, making the case that a single multi-use password with an accompanying credential is more secure than different passwords on different sites. The position is debatable, but there is no question that multifactor authentication offers superior information security -- and that passwords remain an integral authentication component.