Biometrics Acceptance, Privacy, and Law
Part of the Biometrics For Dummies Cheat Sheet
Biometric technology is far from universally accepted. A number of social and legal considerations give every organization some pause before it jumps headlong into implementing a biometric system.
People are most comfortable with biometric collection systems that are the least intrusive. Retinal scanners and electronic noses are a bit too intrusive; iris imaging and touch-free hand-vein scanners are more comfortable.
Commonly, the information stored by biometric systems cannot be used to re-create an image, but re-creating a fingerprint (or other biometric) from stolen data is a common fear.
Touch-based biometric sensors (such as fingerprint, palm print, and hand geometry) can be disease vectors unless sanitary precautions are taken. Oddly, they are no less sanitary than doorknobs, but doorknobs are better accepted.
Stolen biometric data can typically be used only if the attacker can inject that data directly into the information flow of an authentication transaction via the network or wires from the sensor.
Some kinds of biometric data (such as fingerprints, facial images, and gait characteristics) are exposed to attackers' attempts to collect them from such sources as drinking glasses, camera phones, and video cameras.
Some kinds of biometrics, such as those obtained from the retina, iris, and hand veins, can potentially reveal medical data to the organization (in particular, health changes when the system detects changes in these readings).
In the United States, few laws actually offer direct protection for the privacy of biometric information — and companies that collect such information are typically not under any obligation to disclose the loss of it (usually a result of hacking or theft).
In the European Union, privacy laws protect the collection and subsequent use of personal information, including biometric information.