
D3.2: A study on PKI and biometrics



Broader Social, Political and Economic Implications

Usually, new technologies enter the market in competition with established technologies – the better solution is expected to win. The market for biometrics, and in at least some countries that for electronic signatures as well, is subject to regulatory approaches. By order of governments, large and complex systems, e.g. the European passport using biometrics, are going to be introduced in a very short time. This chapter discusses the imbalances resulting from the introduction of such systems from a broader socio-economic perspective, targeting the current political arguments used to introduce them.

There is absolutely no telling where such implementations of wide-scale systems, such as ID documents using biometrics, in a very short time will lead us. Potential technological failures along with a legislative havoc create a complex system that cannot be conventionally controlled (if at all). Chances are that society will eventually react as freedom of information, privacy, online free speech and security of communications are likely to face further restrictions. Reactions might occur in the most subtle ways and some might come from within the system that supports these changes. Some ‘solutions’ will simply not be accepted, others will be too costly to implement, and so on.  

Despite such concerns, governments around the globe are heavily influenced by a broader discourse on fighting terrorism. Had it not been for such a discourse, it is highly unlikely that such forceful changes would have been put forward over such a short period of time with little or no consideration for interoperability and security issues. Various examples demonstrate such changes. France has expanded police powers to search private property without a warrant, Germany has loosened its restrictions on monitoring e-mails, phone tapping and bank records, whereas Australia introduced a terrorist law to intercept e-mail [DAV02]. Too much information is collected, government becomes too powerful, and still, effectiveness in fighting terrorism is not improving. In his statement to the US Senate, the Assistant Director of the FBI explained in 2000 why they were using the Carnivore Diagnostic Tool to intercept communications, and he brought up examples from terrorism, including Al Qa’ida, well before 9/11. The system was obviously one more intelligence failure, while for a period of two years the FBI and Internet Service Providers (ISPs) co-operated closely in intercepting communications through the Carnivore technology.

Such failures have an underlying reason: complexity. Complexity means that at any given point there are so many sub-systems within a broader domain that it is impossible to monitor all the interactions that take place at the same time. The interconnectedness of several sub-systems is such that the interactions explode in number. This brings systemic complexity and emergent properties to the front stage of attention for emergent problems.

Complexity at a global scale, however, is something that does not seem to trouble governments, and therein lies an additional problem. Initiatives at the international level have fostered the belief that they will enjoy a neat hierarchical diffusion in national contexts. This is merely a fallacy that will manifest itself in forms ranging from differences in legislation and national contexts to interoperability issues between different vendors, security-related problems and political agendas. Complex systems simply do not work like that; they overlap, interact and co-evolve [ANG05]. The ideal of a neat hierarchical diffusion is how governments perceive the implementation of their decisions. Reality is far removed from this ideal representation, and our concern lies with those emergent and unplanned consequences that may have a myriad of adverse results. Furthermore, the broader the scale on which a technology is implemented, the more difficult it becomes to plan the system’s uses thoroughly. Of course, political agendas, adverse results, opportunism by different stakeholders and resistance to change will also find their way into this new governmental venture concerning biometrics. Tension between the United States and the European Union is already becoming evident concerning the implementation of biometrics. With the US deciding that all passports after October 2005 should include a biometric chip, the EU wants the deadline extended to August 2006 in order to ponder the important security and interoperability issues. If not, there are two distinct options. The first option would rush the EU towards an implementation of biometrics without addressing crucial issues, and the second option would miss the deadline, thus rendering millions of EU citizens no longer eligible for the American visa waiver programme. The EU would then most likely place similar restrictions, and transatlantic travellers are likely to face the music of biometric hurdles (ibid).

Different stakeholders will also put forth their own interpretation and interests concerning biometrics. Some designers and engineers may be thinking about security, privacy and non-linkability to an extent that the technological artefacts they build (i.e. biometric devices) would incorporate these elements. At the same time, governments are thinking about profiling, traceability, accountability, preserving and expanding their control. One compromises the other. 

In addition to the aforementioned elements there are national and international cultural considerations that have to be made. Reactions to such technologies will vary and some will consider biometrics invasive.


Biometrics as a Solution to What?

Sometimes we easily forget that some practices have become institutionalised and institutionalisation itself is a forceful process that can be very constricting. New practices can become infused with values that go beyond the technical requirements of the task at hand. As a technological innovation spreads, a threshold is reached beyond which the adoption of a certain technology provides legitimacy rather than improved performance. What constitutes an improvement is also something that needs further consideration [MID03].

Biometrics provides an example. The technology has been around for quite a few years but its widespread and large-scale adoption only came about after an initiative from the US Department of Homeland Security, set up after the September 11 terrorist attacks. Not surprisingly, the move started from suggesting that using biometrics in aircraft cockpits would verify that the person about to fly the craft was the bona fide pilot. Legitimacy was sought through the adoption of biometrics in order to recover from – what now appears to be – a series of intelligence failures. This comes as no surprise at all. Individuals, groups, organisations or even countries will often adopt technologies to justify their cause of pursuing further efficiency and effectiveness. Whether such adoption does enhance the perceived efficiency of a target domain is unclear. What is clear though is that biometric technologies are seen as a solution to the problem of security, whereas in fact they address the problem of identity.

Claiming to solve the problem of identity has nothing to do with enhancing security, and there has to be a clear separation of the two. Even though biometrics are introduced for application to the middle ground of security and identity issues, there is no evidence that this separation is taking place. All the hijackers of the 9/11 attacks had valid passports and were not on lists of potential terrorists. The terrorists of the future will no doubt have valid biometrics; the only actual change will be in the mode of establishing identity. But terrorists who are willing to die could not care less about that; most will never reach the point where their identity will be checked against a stored template and, in any case, they would be happy to go through the process (especially if it is to become faster and more ‘reliable’). Another danger is also clear. Belief in the technology per se might lead to less scrutiny. Trivial as this may seem to some, the projected association between security and identity is at the very core of arousing privacy concerns and arousing suspicions about the creation of a global surveillance infrastructure; indeed it already exists, but is constantly becoming ever more pervasive.

Another problem is the association between information and intelligence. It was well put by a US security consultancy founder: 


 “Since 9-11 there have been extraordinary pushes to collect information on US and foreign citizens… But the problem is not that we do not have enough information, it is that we do not have enough intelligence. All you end up getting are more pictures and prints


This move is seen as part of a wider trend within the US to gather huge amounts of information in an effort to gather intelligence. Again, one issue does not necessarily correspond with the other and it can have other unforeseen consequences as well (like for instance making the US a less attractive destination for tourists). Biometrics in this case serves as the means to digitise information concerning identity but how that information might affect intelligence or give rise to unintended consequences remains uncertain. Perhaps not surprisingly, in an era that is characterised as the ‘information-age’, solutions are being sought within the technological sphere. But sometimes, the cure can indeed be worse than the disease.  

Collecting massive amounts of information however has an underlying logic despite our inability to analyse effectively all of it; that of creating a ‘Panopticon’ that acts as a state of continuous ‘visibility’. This is associated with the idea of surveillance that is powerful even if it’s not actually present or not that powerful at all. In the case, however, of digitised information that is stored in centralised databases, there is a real risk, that of creating an infrastructure that will give rise to a further range of phenomena starting from identity theft to who knows what. We should always have in mind that surveillance works both ways with some interesting reactions from both sides.

Following the short analysis of this sub-section, it is worth pondering the question of whether biometrics is really the solution it is famed to be. Emerging problems are hardly taken into consideration – by definition, they cannot be – but the question is what potential costs we might suffer and whether we should proceed to wide-scale implementations of such technology. Apart from all security-related issues, identity theft and the like, all their implementation might achieve is merely to intensify illegal entry to a country by alternative means.

Additionally, quite often technology solves the wrong problem and what is measured or computerised is irrelevant. The only reason that this occurs is because we have the means to do it, and only ritual makes it important. There is nothing inherently divine or efficient in technology and the power of the ritual should thus not be underestimated. The same stands for biometrics. We now have the means to adopt them but a widespread implementation may be the source of a myriad of emergent problems and unforeseen consequences. Once biometrics vendors have become institutionalised and the market has increased, so has the forceful diffusion of the plasmatic ideal that biometrics can help enhance security. This has constantly been projected by such vendors, something that has had its share of impact on how biometrics are viewed. Good timing in an era where security is considered crucial has of course helped a lot.

The problem though is that every technology implementation optimises a system to a niche and when that niche becomes obsolete or fails, so does the system that is supported by it. Technology is not the solution to confront social, political or economic turmoil; sometimes it is quite the other way round, with technology creating the problems (like the recent example between the US and the EU in biometrics). But as governments face uncertainty they produce a knee-jerk response. They adopt technology in order to impose tidiness on their world but surprisingly fail to understand that uncertainty does not conform to a neat computational logic [ANG00]. This comes as no surprise. Humanity has always been arrogant and obsessed with control; control of our lives, the environment, the society, the economy and eventually everything. Technology (in one form or another) has always been part of that control. There is however one thing that most technological systems have in common: occasional failure. Sometimes that failure is acceptable, at other times it goes unnoticed, and at others it can be disastrous.


A Social, Political and Economic Outlook

Even though there might be considerable improvements in the technology itself, there are clear concerns in the social, political and economic spheres. Privacy issues are considerably alarming and associated with potential breaches in security.

From a social perspective, resistance to change to an unfamiliar technology could manifest itself in various ways and inconvenience designers, users, and other stakeholders or systems. The more resistance to change there is to such implementations - for whatever reasons (i.e. privacy) - the more likely attacks on new systems become and the more prone they will be to compromises or security breaches. Systems of such complexity and infrastructural interconnectedness must be deployed with great caution. From this perspective it is vital that additional research is carried out with the aim of examining the acceptability of such technologies at respective national levels and documenting clear contextual factors that are associated with cultural and broader social aspects that might be crucial for the acceptability of such systems; a fundamental element indeed for their success. Such contextual factors for the acceptability of these technologies will also be vital for the coordination of national stakeholders who will be responsible for their national implementation and for attending to several aspects of their deployment like training, public information, etc. It must not be assumed that a one-size-fits-all approach can be followed in the scenario of biometric implementation. Certainly, technological implementation will target such an approach for interoperability reasons but the societal fabric does not conform to the same rules (and still affects all other domains, including technology). Technological approaches are formulated by scientists and engineers but technologies of this type will be used by a population with different demographics, ideas, education and acceptance of the technology itself.

Technology must not be deployed for the sake of it. The US with the Social Security Number (SSN) provides a classical example of how a centralised database has given rise to identity theft reaching $48 billion in economic losses over a 5-year period. Re-purposing of data will also be very hard to control once a technological platform of such scope is in place, something that will systemically have a societal impact of unforeseen consequences.


Information currently provided to the public is not balanced and lacks considerable warnings concerning privacy issues or fails to document how privacy concerns will be handled.  


From a political perspective it is worth noting that several countries might be facing constraints on travelling due to another country’s requirements. Such political tensions have only recently become evident where the deployment of biometric-enhanced passports has been delayed in Europe and the US has had to tweak its own passport requirements in order to avoid such a tension (for the visa waiver countries). In an era of increased mobility, political tensions of such a nature must be considered internationally as they have their own impact on business, economy, travel and a myriad of other activities.

From an economic perspective there has to be a very clear differentiation between the price of implementation and the cost of such technologies. Most governments (like the one in the UK) talk only about the cost of the technological infrastructure, marketing, training and a few other aspects. Whereas the cost might conform to approximate calculations, the price might accrue dramatically. In such a scenario the economy must be portrayed as a system that interacts with both the social and the political domain. This renders the differentiation between price and cost vital. More research is therefore required to establish the interaction of such systems pertaining to the implementation of biometric technologies and to consider the potential implications of their deployment to other fabrics of the socio-political sphere which in their own turn will affect the economy. Especially in countries where the implementation of biometrics in ID-documents is an opportunity for e-government services or for cooperation between public and private sector, there needs to be more research on how such an implementation will reframe the economic and commercial national and international relations.



fidis-wp3-del3.2.study_on_PKI_and_biometrics_03.sxw
Denis Royer