Biometric Security and the Question of Privacy

As private colleges and universities look to the future of security and access control on campus, more concerns about student and staff privacy emerge. Currently most campuses rely on physical access control such as keys and card readers.

Card-swipe access is used for everything from residence hall access, to library checkout, to dining hall meal plans. But these cards can be vulnerable to theft and duplication. Some colleges and universities have therefore started looking to implement biometric security. But what does biometric security mean for safety and privacy on campus?

What Is Biometric Security?

Biometrics are measurements of physiological identifiers, such as fingerprints, facial geometry, handprints/hand geometry, or iris/retina geometry. Biometrics security, then, is the use of these  biometric identifiers to perform security authentication. In a biometric security system, a user’s biometric data is stored in a secure database connected to secure scanners. In order for the user to gain access to the secure system, they must verify their identity using the biometric identifier, which is then compared to those stored in the database to authenticate the user. Essentially, any place you currently use a swipe card could be replaced with a face, iris, hand, or fingerprint scanner.

We’re already pretty familiar with this kind of biometric security. Many of us are used to using our fingerprints or even our faces to sign into our phones and computers. Some of us may even use biometric security when flying, as the Transportation Security Administration (TSA) uses biometric security for their Clear service.

Biometric security has many advantages. Biometrics are highly secure, for one. Because biometrics rely on a user’s physical characteristics, they are difficult to hack or “spoof” (i.e., fake). Keys, passwords, personal identification numbers (PINs), and ID cards, on the other hand, can all be stolen, duplicated, spoofed, or lost, causing security risks and expense. Biometrics are difficult to fake or bypass and so are more secure than other systems. Biometric security is also efficient and convenient, as users always have their “keys” on them and most scanning devices work quickly. Many biometric scanners are also completely contactless, meaning they are safer and more hygienic than swipe cards and keypads in a pandemic. Biometrics are also highly scalable as they can grow with a campus and can be used safely for both physical and digital security.

Concerns with Biometrics on Campus

Although biometric security is a powerful and effective tool, it is not without its drawbacks. The most pressing concern is the issue of privacy. Biometric security depends on the collection of the most personal of data: our very bodies. Whether it is our face, our eye, or our fingerprint, biometric security requires surrendering a piece of ourselves that cannot be changed. Unlike passwords that can be replaced, biometric data cannot be changed unless we alter our very bodies.

While typical security and privacy concerns come from outside actors breaking into a physical or digital space, the concern with biometric security is how this personal data can be used by those who collect it. In January of this year, the activist groups Fight for the Future and Students for Sensible Drug Policy issued a joint statement calling for the ban of the use of facial recognition on college campuses. “Facial recognition technology isn’t safe. It’s biased, and more likely to misidentify students of color. The data collected is vulnerable to hackers, and in the wrong hands could be used to target and harm students. And it’s invasive, enabling anyone with access to the system to watch students’ movements, analyze facial expressions, monitor who they talk to, what they do outside of class, and every move they make,” Evan Greer, Deputy Director of Fight for the Future, declares in the statement.

Such rhetoric might seem overblown, but the recent months of protests in support of the Black Lives Matter movement in the wake of the murder of George Floyd has demonstrated the truth of these statements. Police departments across the country have used facial recognition technology to track down protestors days or weeks later to arrest or harass them. As a result, major tech companies like IBM, Microsoft, and Amazon announced plans to end their facial recognition programs or at least stop selling such programs to law enforcement. There is a clear privacy risk in collecting biometric data and an even greater risk that such data could be abused.

Other concerns with many current biometric systems, especially facial recognition, are that they are not as accurate as they claim; moreover, they reenact racial and gender biases. According to research by Joy Buolamwini, a graduate researcher at the Massachusetts Institute of Technology’s (MIT) Media Lab, facial recognition software has a problem properly detecting dark-skinned faces. Her research found that the software, including Amazon’s, had much higher error rates in classifying dark-skinned subjects, especially women of color. This research is in keeping with other studies of current artificial intelligence (AI) and detection technology that demonstrate time and again the replication in programming of the implicit biases of the developers. These race-oriented flaws can mean that incorporating facial recognition biometric security can be unreliable, at best, in properly identifying students; at worst, the operational flaws can be life-threatening.

These concerns with biometric security mean that it should not be implemented lightly. Colleges and universities interested in adopting biometric security should work with developers and suppliers to ensure that the technology meets the needs of the institution. Institutions must also work with faculty, staff, and student stakeholders to implement policies that help address concerns of privacy and bias. Such policies should address how biometric data will be used, who has access and control over that data, and how long the data is kept. Especially given Family Educational Rights and Privacy Act (FERPA) considerations, universities must be very careful how personal identifying biometric data is collected, stored, and used.

Other Alternatives

While your institution may not be ready to make the switch to biometrics, there are some other steps colleges and universities can make now to upgrade security. Most institutions rely on magnetic strip ID swipe cards which can be vulnerable to duplication and are easy to lose/steal. Additionally, magnetic strip cards require someone to swipe them and so cannot be contactless. Smart cards are a step above magnetic strip cards that have to be swiped. Unlike magnetic strip cards that can be easily duplicated, smart cards are hard to duplicate and are more reliable. These cards have an embedded integrated circuit capable of writing and reading data. The card can be programmed to be used for identification and secure access, as well as any other applications for which magnetic strip cards are currently used, those such as dining, vending, and laundry. Smart cards are also more secure.

Another alternative is to rely on the one thing you can be certain students will always have on them: their cell phones. Mobile access security employs a user’s smartphone as the credential device to authenticate access. The smartphone uses Near-Field Communication (NFC) technology, which can be used to as the “card” for access. NFC is how smartphones can be used to pay at cash registers in many stores and restaurants through services like Google Pay and Apple Pay. Like smart cards and biometrics, mobile access can be completely contactless. Mobile access can be used in the access control of physical and digital spaces (i.e., unlocking campus buildings and rooms as well as authenticating users on school computers) and used for payment, attendance, dining, etc. A smartphone with NFC can essentially be used in any way that a magnetic strip card can be used. Mobile access can be more secure in some ways because it is more difficult to copy than magnetic strips and less likely to be lost. Phones, however, can be stolen and are prone to breaking. Another concern with switching to mobile access is that it is difficult to mandate students and staff have a smartphone with NFC (although most phones have it these days).

There are many options in upgrading access control security to make your campus safer and healthier. By moving to contactless options like biometrics, smart cards, or mobile access, your institution can have increased flexibility to adapt in times of crisis. As these systems are upgraded, however, one must always consider how these advances may impact privacy and safety, as well as security.

About the Author
Phineas Dowling is a PhD candidate in literature at Auburn University where he teaches literature and composition. His dissertation is on Scottish identity and British literature of the long eighteenth century. In addition to his scholarship, Phineas has a strong interest in pedagogy and university administration.