Protect people, not data
I spent some of this week talking to parents about the phenomenon of fingerprinting kids in schools for the Guardian. (Surely fingerpainting was more fun.) One of the real frustrations among the people I spoke to was the lack of (helpful) response from the Information Commissioner's Office.
The systems that are being deployed in many school libraries in the UK (with doubtless other countries to follow if they succeed here) are made by Micro Librarian Systems. The fingerprinting side of it is really an add-on; without fingerprint readers, the kids use barcodes. One of the system's selling points seems to be that it doesn't need adult supervision, unlike library cards.
You can see why fingerprints sound appealing as a way to unlock the system: quick, easy, efficient, nothing to lose and/or replace. Slight problem, maybe, that kids' fingers are often dirty, sticky, or damaged, but at least they can't lose them.
What took me aback a bit was discovering that MLS has on its Web site – and quotes to schools – letters from the Information Commissioner's Office and from the Department of Education saying they saw nothing wrong with the system.
It's not my purpose here to rehash whether fingerprinting kids to let them take out library books is appropriate; the parents who were against it had plenty to say in my Guardian piece. But the whole incident has made me think about the role of the Information Commissioner's Office. Whenever I've spoken to anyone there it's seemed clear that ICO's job (PDF) is to explain the law and ensure that organizations obey it. They don't go around looking for things to investigate; they respond to complaints from the public. In this case, they say, they haven't had many. They do advise, as the letter MLS received says, that schools consult parents before instituting fingperprinting "as it may be a sensitive issue".
Indeed, it might. It's a measure of how much both technology and the willingness to be monitored are infiltrating everyone's consciousness that there has been so little public outcry over this. The manufacturers are, of course, very reassuring: the system doesn't store whole fingerprints but an encrypted, very large number mathematically derived from the scanned finger. The image cannot be reconstructed from the number.
But that doesn't actually help because if what unlocks the system is the number it is actually more easily forged than a fingerprint image would be. Now, no one's suggesting that some crook is going to break into a school and steal the computer that holds the kids' fingerprints just so he can take out all the library books. If you were told that your government records were protected by a very large number in encrypted form would you feel reassured that it wasn't an image? I'm not sure you should, because first of all, even encryption that can't be cracked today probably can be tomorrow. Second of all, there are plenty of people out there with good reasons to try to deconstruct how these systems work. And third of all, a number is, well…sometimes it's just a number. In the case of MLS, it's a number generated by a system created by Digital Persona, who supply enterprise biometric solutions to all sorts of other clients. How many of them will accept the same numbers because they use the same algorithms?
In this case, it seems to me that it's not sufficient to say whether the precautions taken to protect the data are adequate. It seems to me the real question is whether the proposed system is proportionate to the problem it's being installed to solve. Is the desire to provide a quick and easy method for kids to check out their own library books sufficient justification for fingerprinting children? This is a question the ICO is not in business to answer.
It's always seemed to me that no amount of data protection really solves anything: data always seems to go where it's not supposed to, whether that's because someone leaves a laptop in a cab or a CD in the back of an airplane seat, or because the database's owner has become infected with what writer Ellen Ullman has called "the fever of the system". The MLS literature states that fingerprints are removed from the system when the child leaves school. But how would a parent check this? And how often do people really throw out data they have. You never know, you might need it someday.
It seems to be an inalienable truth of human nature: if you have two databases you want to link them together; if you have one database you want to keep adding to it and using it for more and more stuff. In the end it's like Mark Twain's old adage, that "Three people can keep a secret if two of them are dead." Databases are not designed to keep secrets; they are designed to help people find things out. If you really want to protect privacy, the only certain option is not to create the database.
In the meantime, it would be nice if the ICO's job description and title went further to ask, "Is this an appropriate use of technology? Is it possible there will be consequences down the line that make this a bad idea?" Now that the government has its way to build the national identity register, these are questions we should all be asking.
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. She has an intermittent blog. Readers are welcome to post there, at the official net.wars blog, or to send email, but please turn off HTML.