Amid reports of massive breach of social security numbers along with identity theft, US lawmakers, encouraged by India’s Aadhaar, explored the possibility of biometrics as an option, but privacy issues prevented experts from arriving at a consensus.
In the US, a Social Security Number (SSN) is a nine-digit number issued to American citizens, permanent residents and temporary working residents.
“Congress must not replace the SSN with a national biometric identifier. This would be a very bad idea,” Samuel Lester, Consumer Privacy Counsel, Electronic Privacy Information Center told lawmakers during a Congressional hearing on future of social security numbers.
This approach, he said, would pose serious privacy and security risks.
“These risks would only be compounded if the US were to move towards a national biometric identifier,” Lester said.
Paul Rosenzweig, senior fellow, R Street Institute tended to disagree.
“It really is a difference between a centralised database in a distributed database. Biometrics as a localised identifier is actually something that the President (Barack) Obama’s White House supported as a substitute for passwords because they are a more readily usable by most citizens than the password system,” Rosenzweig said responding to questions on biometrics from Congressman John Larson.
According to Steve Grobman, Senior Vice President and Chief Technology Officer, McAfee, said India opted for the biometric system because they needed to ensure that an individual only registered a single time for benefits.
“So, by using biometrics, it prevented an individual from registering in one town and then walking down the road to another town and registering again. In that case, bio-metrics was a practical technology in order to solve that specific problem,” he said.
The US does not has that problem at India’s scale, he said.
“Therefore, we should look for other less privacy intrusive mechanisms as a first step. Things such as smart cards can be a much more rapid practical option that could be distributed without requiring every citizen to have biometric,” Grobman said.
But if a key requirement is that an individual’s identity is not transferable, or that an individual can’t have multiple IDs, then biometrics may be worth considering, he said.
“India has moved to a national biometric identity programme, allowing 1.3 billion citizens to prove their identities through fingerprints, facial recognition and eye iris scans. The country faced an even more difficult problem than compromised SSNs because there was no single starting database of citizens.
“Because benefits came with being a citizen, there were concerns that an individual might attempt to register in one town under one name and then register in another town under another name. The Indian government addressed this issue by creating a biometrics database to register its population,” Grobman said.
“If your biometrics were already in the database, the government would know that you were a duplicate person. It also provided a mechanism that let you walk into any government office and reprove that you were you,” he said.
Lester said when Congress passed the Privacy Act in 1974, they were explicitly responding to and rejecting calls for a national identification system.
There are national identification systems that rely on biometrics and other countries that raise really grave civil liberties and privacy concerns, Lester said while responding to a question during the hearing.
“For example, in India their new biometric system Aadhaar was recently breached, compromising the biometric data on its 1.2 billion citizens,” he said, adding that any problems with a biometric system are demonstrated by the recent breach of the US Office of Personnel management.
Paul Rosenzweig said that the idea of a Smart card is a good interim solution.
“But the smart card, a security system is not itself a terribly robust. We’ve all experienced a credit card fraud as well,” he cautioned.