Monday, February 01, 2016

Consider carefully when consenting to children's biometrics in schools

'Turning fingers into keys'
Credit: kaprik/
There is a great article written by Brian Patton, University of Oxford, entitled "The trouble with taking biometric technology into schools", that appeared in The Conversation earlier this month, which every parent and student should read before considering using their biometrics in schools.

Other than copy most of the article into this post I would urge a read of the article which succinctly discusses security, effectiveness, implications of a data breach and consent.  

Schools and biometric companies supplying schools are keen to reassure parents and students that it is not a (pictorial) fingerprint that is being stored but simply a number string -  a number string completely unique and specific to your child's 'bio' body 'metric' measure.

Patton makes the valid point that:

"For other biometric data it's important to remember that what is being matched within the computer is not, say, one fingerprint against another. It is a set of data drawn from the features of the scanned body part – a numerical abstraction. Steal this key and you have effectively stolen that part of the person."

He also goes on to say that,

"...a  data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives.
And therein lies another issue: with the potential for life-long consequences, are pupils, some below the age of 16, competent to opt in to such a scheme? And what of those who opt out? It's one thing to ask adults to weigh up the balance between convenience and risk, but there are two likely issues that would make this harder in schools. There is an inbalance of power between those wanting to implement the technology and those subject to it.  This raises serious concerns about informed consent – perhaps one of the reasons why in 2012 using biometrics was banned in English state schoolswithout parents' consent."

It is unclear if there have been any data breaches of biometric databases in schools as the UK Information Commissioner's Office (responsible for the UK Data Protection Act), in response to a Freedom of Information request regarding compromised biometric databases specifically in education, are "unable to conduct an electronic search of our system using the term ‘biometric" and so could not supply information on if there has been any data breaches of children's biometric data in schools.

There are potentially long term, unknown consequences to this biometric technology used on the youngest generation in society - we are experimenting with it on our children in schools for daily activities that can be easily undertaken, quite adequately, without the use of biometrics.

I guess an individual will only know when their biometric data has been compromised when in the future they hit a problem regarding their biometrics.  How will they know when it was compromised, by whom and where their very personal digital identity has gone? 

In the words of Brian Drury, IT Security Consultant:

"Once a child has touched a [biometric] scanner they will be at the mercy of the matching algorithm for the rest of their lives."