thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Monday, September 11, 2006

Biometrics and "what you have" vs. "what you are"

Kim Kameron at Identityblog picked up on Jerry Fishenden's post on the problems of biometrics (by the way: Jerry will speak at our privacy workshop in Athens, see below). He again brings up the story from Malaysia, where some brutal car thieves cut off the index finger of a Mercedes owner in order to circumvent the biometric engine lock. First of all, the thieves could have had it much easier, also without having to carry around a rotting finger. With a bit more high-tech, in the future they could maybe just read the fingerprint out of the car owner's passport.

But more important, this case shows the problems with identity and how hard it is to proof to a machine who you are. It is often based on the classic trinity of authentication, which either can be done by something you have (a key, a USB dongle, a chipcard), something you know (a password, a PIN, your mother's maiden name), or something you are (your fingerprint, your retina). There are of course other possible authentication factors, but these are the most common.

This story makes clear that "what you have" is much clearer than "what you are". I would prefer saying "I have ten fingers" instead of "I am ten fingers". "What I am" relates more directly to my personality / identity than "what I have" or "what I know". It is a story, a flowing amorphous thing, changing from context to context and over time. Of course, you can break it down to some extent to single pieces of data (address, date of birth, employer, email, favourite mp3s, ...) - but this is all not good for authentication purposes, as most of it is not really secret. "What I know" can be secret, and as Jerry Fishenden points out in his post, could be linked to "what I have" in order to have multi-factor authentication. But it again is not the same as "what I am".

Biometrics therefore is more about what I have than what I am. The only difference is that it can't be stolen as easily as a car key or a passport. Fingers can be cut off, but faces? Ok, Hollywood was always ahead of us.

Last open question: Can "what you have" also be said about the way you walk? Probably not. But is that really what you are?


Anonymous Anonymous said...

This very well relates to the view on to the world, as it is "implemented" in the old irish language.
Only a few things are, because we defined them to be that way. For example, a table is a table, because we defined a word table for that thing.

Most things have properties laid upon them. For example a name of a person, is laid upon him or her. It can be changed.

Also of this leads to the underlying question, which was asked in the Lord of the Rings by the hobbits to Tom Bombadil and which he answered:

Don't you know my name yet? That's the only answer. Tell me, who are you, alone, yourself and nameless? But you are young and I am old. Eldest, that's what I am." ("Fellowship" 182)

The nature of identity is that it is inside onself. You need trust of others to proove this to them. And trust is a mutual agreement, which can be changed. And that's the root cause of all trouble, when you try to match this trust agreement to a larger community, where not all peers know themselves directly.


12/9/06 10:43


Post a Comment

<< Home