The hidden risks of biometric credentials

Over on the Hawktalk blog, Chris Pounder has a characteristically incisive analysis of some of the privacy problems which arise out of the deployment of biometric passports. If you don’t follow Hawktalk already, I’d recommend it. In the meantime, here’s a copy of the comment I’ve added on Chris’ post, setting out some of the further implications.

In many of the early discussions about the NIS/NIR[1] it was just noted, as an “inconvenient side-effect” of biometric enrolment, that individuals who legitimately need an assumed ID (intelligence officers, undercover police officers, endangered witnesses, victims of domestic abuse) would need to be specially handled by the NIR. The implication was that the NIR would (need to) be designed so as to allow an alias to be registered against a given biometric record.

However, the Dubai episode reveals that this initial analysis is flawed and does not fully reflect the risk involved.

It is one thing for the NIR to be able to respond as if a valid alias were a real ID – unfortunately, that’s not the only valid use-case… as Dubai clearly illustrates. In practice, suppose my passport says that I am Oscar Wilde, and my biometric is registered against the name “Oscar Wilde” in the NIR; I may well have travelled to the States several times, for instance, and their immigration systems will have registered my fingerprints and facial biometric against the name “Oscar Wilde”.

But imagine I then have to adopt a (legitimate) alias:

  • my NIR entry is changed to associate my biometric with the name “William Gladstone”;
  • I’m issued with a new, valid passport in the name of William Gladstone.

How the hell am I going to explain that to a US immigration official, whose database (totally beyond the control of the NIR) clearly shows that my biometrics belong to “Oscar Wilde”, not “William Gladstone”?

To put it more simply: once a foreign government has linked your biometric with one name, the fact that the NIR links it with a different name is likely to do you more harm than good.

This will clearly be both inconvenient and possibly dangerous for intelligence officers, but it also raises serious safety, privacy and practical concerns for, say, victims of domestic abuse or jury-tampering, who may be obliged to disclose that fact (quite unnecessarily) just in order to cross a frontier. If they are doing so in order to begin a new life away from the source of the abuse, that is not a happy start to the process…

Just to put the icing on the cake, of course, a likely perverse consequence of this is that suspicious foreign governments will start to assume the worst of anyone explaining that their ID/biometric don’t match because they’re a fleeing victim of domestic abuse – simply because that’s the easiest way for travelling spooks to game the system.

[1] See, for instance, this blog post and comments, from Nov 2006.