by Peter Swire
Homeland Security Secretary Michael Chertoff has badly stumbled in discussing the Bush administration’s push to create stricter identity systems. Chertoff was recently in Canada discussing, among other topics, the so-called “Server in the Sky” program to share fingerprint databases among the U.S., Canada, the U.K., and Australia.
In a recent briefing with Canadian press (which has yet to be picked up in the U.S.), Chertoff made the startling statement that fingerprints are “not particularly private”:
QUESTION: Some are raising that the privacy aspects of this thing, you know, sharing of that kind of data, very personal data, among four countries is quite a scary thing.
SECRETARY CHERTOFF: Well, first of all, a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world, they’re like footprints. They’re not particularly private.
Many of us should rightfully be surprised that our fingerprints aren’t considered “personal data” by the head of DHS. Even more importantly, DHS itself disagrees. In its definition of “personally identifiable information” — the information that triggers a Privacy Impact Assessment when used by government — the Department specifically lists: “biometric identifiers (e.g., fingerprints).”
Chertoff’s comments have drawn sharp criticism from Jennifer Stoddart, the Canadian official in charge of privacy issues. “Fingerprints constitute extremely personal information for which there is clearly a high expectation of privacy,” Stoddart said.
There are compelling reasons to treat fingerprints as “extremely personal information.” The strongest reason is that fingerprints, if not used carefully, will become the biggest source of identity theft. Fingerprints shared in databases all over the world won’t stay secret for long, and identity thieves will take advantage.
A quick web search on “fake fingerprints” turns up cheap and easy methods for do-it-at-home fake fingerprints. As discussed by noted security expert Bruce Schneier, one technique is available for under $10. It was tried “against eleven commercially available fingerprint biometric systems, and was able to reliably fool all of them.” Secretary Chertof either doesn’t know about these clear results or chooses to ignore them. He said in Canada: “It’s very difficult to fake a fingerprint.”
Chertoff’s argument about leaving fingerprints lying around on “glasses and silverware” is also beside the point. Today, we leave our Social Security numbers lying around with every employer and numerous others. Yet the fact that SSNs (or fingerprints) are widely known exposes us to risk.
There have been numerous questions raised about how this Administration is treating our personal information. Secretary Chertoff’s comments show a new reason to worry — they don’t think it’s “personal” at all.