Reading this article about PayPal+Lenovo’s nascent scheme to eliminate online passwords via, among other things, fingerprint identification, I was reminded of my old rant against quotidian biometric data capture. I wrote this silly (yet wicked smaht) post over 5 years ago and my position on the issue remains the same. Of course I’m interested in protecting property (financial, intellectual) and I’m more likely than not to forget my online passwords. But is our best and/or only recourse to give up our bodies? Surrender our skins to registration, classification, and verification? Unlike my 5-years-younger self, I now have the benefit of Foucaldian study behind me. And this physical intrusion just doesn’t, for lack of a better term, feel right… HOWEVER. For fans of irony, check out my postscript that follows this blast from the past.
(originally published online, 10/04/07)
Check my yard for bombshelters– you won’t find a one. I bank online, date online, and fly worldwide. All of this is to say, I’m hardly an alarmist. I let all sorts of personal data/”personal data” (wink wink nudge nudge) mingle with real and virtual strangers. It’s the post-9/11 twenty-first century, and I feel fine.
But I could feel finer.
And that is both the cause AND the effect of my registration with a new gym.
I was finally fed up, literally, with my excess paunch. So after work on Monday, I marched myself straight down to the gym I associated with the 1980’s. Obsessed with brushed steel, black leather, and conspicuous consumption, this is the gym where jagbag consultants self-possessedly sweat.
You read me right. They’re jagbags.
Approximately one year ago, this gym sent me scurrying to the kinder, gentler halls of the YMCA. The only thing is, the YMCA also has a kinder, gentler personal training program. And when you’re hoping to annihilate a lifetime of habits and accumulation, “kinder, gentler” just ain’t gonna cut it. If I were a small-town girl with big dreams, and my weight was a go-nowhere high school sweetheart, I would tell myself (in an unnecessary Southern accent) “Honey, ya gotta ditch that nice, aimless fella and hitch yourself to the cutthroat, ruthless guy high-tailing it outta town. And God forgive you.”
So I sold my soul to XSport Fitness.
Perhaps it’s only fitting that, in so doing, I also surrendered my identity.
Guess the method to cash in your personal training sessions. Is it:
A) Sign your name in a book
B) Swipe your membership card
C) Display photo ID
D) Answer a security question
E) Fingerprint scan
If you guessed A, B, C, or D, congratulations, you’re sane.
But if you answered E, then you’re correct.
A very matter-of-fact employee informed me of this horrifying system. I stared back at him blankly, waiting for him to say “Just kidding!”, trying to figure out an alternate meaning for the string of syllables that he just uttered… to no avail. Slowly my face registered horror and confusion. His remained blank.
The next day, I unwittingly surrendered my prints. My trainer asked me to tap my finger on a digital disc. No explanation, nothing, just tap your finger four times. I complied. Heck, the previous day I had held a digital device that measured my body-mass index, so I figured this disc was going to calculate my bone density or guess my cup size or something.
Not so. Its job was to steal my identity.
Dismayed, I brought my concerns to the gym manager.
Where and how is this data stored? I asked. What happens if hackers get a hold of this information? You’re a gym, not a high-security data haven. People worry hardcore about their credit cards, but they can always cancel their account and get a new string of numbers. This is not the case with fingerprints. I have been and will continue to be stuck with my fingers for life. If somebody lifts my prints, then I’m permanently screwed.
The gym manager went on the defensive. These are actual sound bytes:
“All the gyms are doing it!”
“It’s the only way.”
The only way?
Let’s say my lawn had a weed problem. Would the only way to address it be dousing it with Agent Orange?
No. There’s some middle ground between the status quo and “the nuclear option.”
So then he recommended that I call corporate. And when he gave me the number, he admitted that I wasn’t the first person to question the fingerprinting. Maybe they’ll repeal the system, he speculated.
Well, he didn’t say “repeal.” But that’s what he meant.
After the evil digital disc had captured my fingerprint, after I had completed my series of squats and lunges, I hit the showers. The report on the television in the locker room (pause to process “the television in the locker room”… and moving on) showed an adolescent girl named Alyssa whose Facebook profile had been stolen. In the Valley Girl tones of too many female adolescents, she bemoaned the obscene speech that had been posted in her name and bleated that her username and password had been changed, locking her out of her own account.
If the commercials of old men talking like bimbos with bustiers hadn’t done it, then perhaps this saga of a socially un-networked preteen will drive the message home: Identity theft is rampant! Even Web gurus are getting played. And my gym thinks it can keep fingerprints safe?!
I started to do some research on this topic and discovered that the use of sensitive biometric data for completely frivolous ends is on the rise. They’re introducing biometric measurement tools in school cafeterias, Walt Disney World lines, and airport security counters.
I listened to a podcast of NPR’s Talk of the Nation, originally broadcast on August 8, 2007, entitled “High-Tech Spy Tools Aren’t Just for James Bond.”
Host Neal Conant interviewed Walter Hamilton, director of the International Biometric Industry Association. In a nutshell, Walter loves employing biometrics. He thinks it’s great, safe, efficient, delicious. Eliza Du, assistant professor in the Department of Electrical and Computer Engineering at Indiana University, also loves biometrics. She’s trying to manufacture the recognition technology that astounded/freaked the s*#$ out of us in Minority Report.
Then Neal and Walter took some phone calls.
Mark from San Francisco, a member of the Air Force Reserve, extolled the merits of the “Clear System,” or registered traveler program that provides a fast-lane security option for frequent fliers who have undergone background checks and submitted biometric samples (fingerprint and iris recognition).
For Mark, this amazing technology represents a “20-30 minute savings on a typical morning.” He opined, “It’s kinda a risk-benefit ratio. I think the convenience here, for me at any rate, far outweighs whatever concerns I might have that information will be misused…”
Sure, of course. 20-30 minutes… the integrity of your persona… potato, potahto.
Then Jim from California called in. He just got back from the Blackhead Defcon Conference in Las Vegas (don’t know what that is, but they use the term “Defcon” in War Games, so I’m impressed) where he had seen a demonstration of a new technology. It’s familiarly referred to as the “passport Smartchip” and basically, it’s a microchip loaded with biometric data that each person could put in his/her passport. At this demonstration, the data on the chip was cloned and, thus, compromised.
Here is an interchange between Jim and Walter:
JIM: Digital data can be copied readily. Once that digital blob is compromised, anybody can use it in the appropriate application by sending it into the system that wants that response from the reader… Biometric data, while it’s very sexy, is also very dangerous, so I have great concerns about it. And, having watched the source being cloned, and having biometric data on the passport, I think it’s a real danger.
WALTER: Biometric data, like any personally identifiable information, needs to be adequately protected in terms of how you design a system. It should be encrypted when it’s stored, wherever it’s stored. It should be sent over secure communication channels whenever it’s transferred—
JIM: It’s not, that’s the problem!
WALTER: When it’s not, that could be a problem.
JIM: The bottom line is the encryption method that is being used is inadequate for the purposes for which it’s intended and the systems in general are not really designed to take into account the sensitivity of this data. So it’s a matter of convenience rather than a matter of security. It’s a matter of system design, it’s a problem of implementation and understanding of consequence, and I don’t think we have a clear understanding of that yet…
So there you have it. Mark’s a tool, Walter’s a flunky, and Jim’s a prophet of truth.
Ironically, my fingerprint-greedy gym is the reason my print is currently impaired. Not that that’s gonna save me, the whorls are still readable, they just ain’t pretty. And THAT I blame on the gym.
I had risen at an ungodly hour to kickoff my new, early morning workout routine. Bleary eyed, I made my way to the kitchen, shoved a few soy bacon strips into the toaster oven, and shuffled back to my bedroom. Either squeezing into my Spandex took more time than I had anticipated, or I had torqued up the toaster setting too high. In any event, that bacon burned, baby. That bacon burned.
And I wasn’t about to watch my bean curd-based breakfast go up in smoke. I thrust my hand into the inferno and pulled out the charred remains. The fingertips of my right index and middle fingers paid the price. To this day, i.e., one and a half days later, they sport horizontal slash marks as if they’d been sliced by a Gillette Venus Razor For Ladies.
Now, I wouldn’t have been toasting that bacon, incinerating that bacon, or swiping that bacon if it weren’t for the gym. And frankly, I’m not sure how that bodes for my new stab at fitness.
On the bright side, if all of this working out doesn’t, well, work out, at least my identity will be gone. So that slightly pudgy girl won’t really be me.
POST-SCRIPT: I moved to Los Angeles in 2008. My gym in Glendale, CA, instituted fingerprint check-in almost immediately after I joined in 2009. And guess what? I’ve been giving them the finger — literally, the index — ever since. So much for living your values…