When security gets personal

Monday, May 1, 2006

I've just returned from my first ISC West. Even with quite the buildup beforehand, the show still significantly impressed me. By my estimate, the roughly 20,000 people who were on the show floor at any one time would represent the fifth largest city in the entire state of Maine, but it never got overwhelming. The show was orderly, educational, friendly and not nearly as populated with irrelevant scantily clad women as I was warned it might be (okay, yes, we had a female booth attendant, but somebody had to pass out papers).
Above all, like many an integrator, I was there to get my hands on the stuff, the new technology and the old standbys that aren't yet old to me. The sexiest stuff, I'll admit, was the biometrics. At Synercard, manager of engineering services Mike McGrath (no, not the Irish-brogued Mike McGrath from Central One) scanned my finger, issued me a card, then used it a minute later to buy me a chocolate bar. At LG, vice president of marketing David Johnston had me look into a mirror and make a light turn from red to green, then scanned my irises. Two minutes later, the machine addressed me by name. At FaceKey, president Yevgeny Levitov had me look into a garden-variety camera and was able to enroll me in his access control system and compare my face against a database of collected faces in about five minutes.
Each time, I got the same feeling in the pit of my stomach, like I was having my hair cut for the first time by a new barber. It's an intensely personal experience, but everyone's pretending like it's the most normal thing in the world. But as much as we'd like to pretend it is, it's not normal. It's personal.
In order for security to work, we're each going to have to give up a little piece of ourselves. When it comes down to it, our fingerprints, our irises, our faces are us, in ways that our signatures, or names, or driver's licenses just aren't. If that makes me, someone who's chosen security as a profession, a little uncomfortable, it's bound to make members of the general public downright queasy.
If biometrics are to be the identification of the future (and Tom Ridge thinks they will be), the security industry has to make as much effort in policy creation as technology development to alleviate the public's uneasiness. When we're capturing this data, how is it stored? Who has access to it? When is it necessary for such data to be collected and employed?
LG, Synercard, FaceKey and others nearly all allow for a system that can be programmed to only ask for biometric verification when threat levels are raised. That's a prudent bit of engineering. Sometimes a four-digit PIN is plenty. Let's not forget that.