World View | In the Land of Cheese, Tulips and Biometrics

There is a quiet revolution taking place in the Netherlands. It is an innovation that is revolutionary in terms of the impact it will have on society, commerce and civil liberties. Yet, this revolution is taking place with scarcely any detectable public discussion of the issue. The revolution I am speaking of is the use of biometrics to authenticate the identities of people in daily situations.

Last month I wrote about a large Dutch grocery store chain, Albert Heijn, implementing finger scans as a method of paying for groceries at the checkout stand. The method is a much faster method of payment since a scan of a finger takes much less time that the prototypical customer fumbling around in their purse or wallet seeking either a bank card or the correct amount of cash.

The program also has the benefit of reducing fraud — especially bank card theft. A thief can steal a card and use it without notice, but he would be highly conspicuous were he to attempt to pay at the checkout stand with a severed finger. If the trial goes well in the pilot program, Albert Heijn has plans to expand the program to other stores and perhaps eventually roll it out on a national basis.

In May of this year, Schiphol international airport in Amsterdam announced a trial with iris scans and fingerprints for identification on flights between the Netherlands and the US. Like fingerprints, the iris is unique for every individual and can thus be used to uniquely authenticate identities. Passengers wishing to use the system must first have a scan made of the iris of their eye and fingers which is then stored in a database. At the border control, biometric scanners are then used to authenticate arriving passengers at immigration control.

The publicly stated purpose of the program is to enable Dutch and American passengers to avoid queues and process through immigration control more quickly. The true purpose, of course, is to tighten security — specifically checking the identities of persons entering the country and interdicting potential terrorists or criminals. Biometric scans are a more trustworthy manner of authenticating persons than comparing a passport photograph to the person standing in front of the counter at immigration control. The fact that passengers using the program might be processed in a more speedy fashion is merely an incidental benefit.

What is interesting is that both programs, grocery checkout and immigration control, are using improved customer service and response times as the means for selling what is essentially an improved security service. In the former case, it is being used to reduce fraud on the part of customers attempting to pay for groceries with stolen bank cards; in the latter case to better detect, screen and deter terrorists and criminals.

The transformation taking place in the Netherlands is similar to what occurred in the States during the fifties and sixties with the use of credit cards. Then, credit cards were billed as a more convenient way of paying for relatively small purchases like gasoline, department store purchases and dining out. At the time credit cards were introduced, scarcely anyone was concerned about the protection of peoples personal details. The focus was on convenience and increasing buying opportunities and identity theft was a relatively uncommon phenomenon.

It was only decades later, when credit cards became deeply ingrained in everyday American life, that concerns have began to emerge about protecting personal information. The recent arrest of Mr. Albert Gonzalez (no relation to the former U.S. Attorney General) for stealing credit card information by utilizing an advanced technological attack called war driving underscores the point. Mr. Gonzalez drove by and scanned corporations looking for unprotected wireless networks. Once a vulnerability was found, he installed sniffer programs on the network designed to ferret out personal information—especially credit card information. This type of advanced technological theft could not possibly have been imagined in the United States at the time credit cards were being introduced.

Fortunately, the Netherlands might be able to avoid similar type problems with its use of biometrics. Like most European countries, the Netherlands has strong privacy protections — protections which were put in place to guard against abuses that occurred during totalitarian regimes of the recent past. A persons biometric, be it their fingerprint or iris scan, would certainly qualify as personal information and would be subject to the provisions of the European Unions Data Protection Act.

Granted, the consumer protections established in the Data Protection Act cannot, of themselves, protect against potential technological attacks which may occur in the future, but what it can and does do is lay the groundwork for a regulatory regime that will insist that due care be taken by organisations possessing citizens biometric data.

Just as Federal Reserve bank regulators today insist that the banks they regulate possess adequate means of protecting Internet banking, so too, must the various Information Commissioners in the EU states ensure that organisations possessing citizens biometric information have adequate security measures in place. If this path is followed, then perhaps the next generation of commercial transactions will have learned the lessons of the previous generation. If not, we may face what Yogi Berra once observed, “It’s like deja vu all over again.” ##

Paul Raines is a CISO based in Europe.