Who Owns Your Fingerprint?

On a recent trip to the SeaWorld park I was asked to be fingerprinted at the entrance. As a matter of principle I have refused (they checked my ID instead), but a quick look around revealed a steady stream of patrons putting their fingers in a scanner. Not even frowning at this latest addition to our surveillance society. "It helps public perception to have biometrics deployed on a widespread basis," said a former chairman of the Biometrics Consortium. "The more people use biometrics, the more people are comfortable with it." Apparently the consortium have achieved their goal: people begin to get comfortable with fingerprinting, face recognition software, and other biometric devices.

SeaWorld and other theme parks (mostly Disney's) ostensibly introduced the fingerprinting as a way of preventing people from selling their multi-day passes. Which I guess makes a good business sense. However, two very important issues need to be raised.

First: How are these corporations going to use the data they collect? Right now they claim it is exclusively to match the pass with the person, but how long will it take before the government realizes the value of such database? Especially since many former Disney's employees are now working for US intelligence and security organizations (e.g., Eric Haseltine, Bran Ferren). Soon enough there will be a request from DHS, FBI, or some other three-letter agency to make this database available. First they will claim it will help them catch terrorists. Then it will be child molesters, drug dealers; then other criminals. Next the turn will come for deadbeat parents, anarchists, anti-globalists, Muslims, militia members, and those punks with pants hanging below waists. The agencies will ask, the corporations will deliver (remember the retroactive immunity for AT&T?), and the general population will acquiesce. Not a murmur will be raised, not a word of protest, since, as I wrote in "Life Above All" the members of our society are scared to death. Scared that a big bad terrorist will come and kill them in the night. And to protect themselves they will gladly give up the remaining shreds of their liberty and privacy.

The second issue perhaps is not so profound, but more practical, and certainly as important. Namely: How are the companies going to protect the biometric data they collect from theft and misuse. The list of companies (and government organizations) losing sensitive personal data is quite impressive (just do Google search for companies losing customer data...) The resulting identity thefts are more and more common, and more and more costly (Federal Trade Commission estimates there is about 9 million identity thefts every year, with financial costs of about several thousands dollars per incident). Now imagine what may happen if not only your social security number or bank account number is stolen, but also your fingerprint. For as little as $20 one can create a "gummy finger" from the electronic fingerprint data, which will be accepted by most fingerprint scanners. What is even more scary is that the imprint of such "gummy finger" may also be accepted by forensic labs... Imagine the day law enforcement officers break your door because of a gun with your fingerprint on it. Just because SeaWorld or Disney created the biometric database and did not protect it properly.

These companies will disclaim all the responsibility, saying, as other companies has done before in similar cases, that it is not their fault. Even though they collected and preserved the data and they did not protect it.

Here is my proposal. Let them pay the liabilities for everything that results from the data being stolen. After all, they benefit from the data they collect, while passing the cost and risks to the consumer. That need to change. Unfortunately, our weird laws assert that the fingerprint data belongs to whoever collected it, not to the actual owner of that fingerprint. (It is the same situation with any other personal and biometric data: whoever collected it is the owner, not the actual person about whom the data is). It's time to change that, and to demand laws that would make the companies that collect personal data responsible for its misuse -- whether by their own employees, by government, or by other thieves.

We need to demand more responsibility from the companies that collect personal, and especially biometric, data. And the only way to achieve that is to make them liable for the loses they facilitated.