This editorial was originally published on Nov 10, 2008. It is being re-run as Steve is at SQL Bits.
I've written about biometrics in the past and even polled you about your concerns with this data vs. credit card data. Surprisingly, most people felt that credit card data was more of an issue.
There is a report on CNet that some people are concerned about the security of this data, which makes sense given the way that much of our data has been treated over the last few years. I haven't seen any reports of biometric data being copied, but I'm sure that's a matter of time. It seems to be some type of corollary to Murphy's Law, call it the Jones Observation: If we can store data, someone can copy it.
Biometric data sounds really, really cool, and I know there are all sorts of ways that it can be secured, that we can scan multiple parts of your body in case you lose a finger, get a sore throat, have a few too many adult beverages the night before, etc. However, the fundamental problem isn't false positives, and it's not false negatives.
It's the fundamental inability of any organization of any size to be sure that the data they stored is still the data that's there. This is going to be one place that it will pay to somehow replace the digital representation of your finger with a criminal's, giving him the access to whatever you're protecting. And when he can't remember the password or PIN, the "second factor" in authentication, I'm sure that someone will be happy to verify his fingerprints and then reset the password for him.
It sounds like a good idea to biometrically verify people's identity, and it looks cool in the movies when those computers remember who you are. But in practice it doesn't work well, probably never will, and it will be an area where mistakes, serious mistakes, can be hard to correct because people will have so much faith that those 1s and 0s really do represent you.
ID cards and pass codes are fallible; I completely agree with that. But we KNOW they're fallible and so we accept some issues and we don't necessarily trust them, at least not in very secure places. However, I think we're just naturally going to believe more in biometrics, something I'm not sure is a good idea. I know that if I have to start using these, I'm going to want some escrow of my digital representations, just in case there are problems.
Steve Jones