Biometric scanners raise privacy concernshttp://www.stltoday.com/lifestyles/health-med-fit/medical/article_8267bf6f-7c54-5ec4-83f9-246773e27509.html
By Demian Bulwa • San Francisco Chronicle | Posted: Monday, August 23, 2010 12:15 am
OAKLAND, Calif. • When the 24 Hour Fitness chain recently installed finger scanners as a way of verifying members' identity, it was a public première of sorts for a powerful and fast-expanding technology — and a test of whether consumers will embrace it.
The scanners, which came to the chain's 60 Bay Area gyms this month, are a form of biometrics, in which people are recognized through a unique physical quality. Although 24 Hour Fitness checks fingers, biometric devices can verify people's identity based on the contours of hands, eyes and faces, a voice, even a scent or a style of walking.
The technology has become far more accurate and affordable in recent years, allowing it to move beyond longtime police and military uses and to be hailed as a potential solution to the menace of identity theft.
Corporate America has taken notice, as have privacy advocates, who say consumers ought to tread cautiously into a largely unregulated field.
Many companies now have employees punch in with biometrics. At schools, the devices restrict access or allow students to pay for subsidized lunches. The gym at California State University Chico uses hand scanners, while Walt Disney World scans the fingers of pass-holders. In some countries, finger scanners are built into ATMs.
"It's just part of our cyber-existence these days," said Dan Miller, a senior analyst at Opus Research in San Francisco, which has focused on voice verification. "The neat thing about biometrics is that you are the thing that identifies you."
The novelty of the technology, though, prompted an array of reactions at 24 Hour Fitness. Outside a downtown Oakland gym one morning, many customers said they had signed up without reservation for the new "Cardless Check-in" system, seeing only speed and convenience.
"Why not? It's cool," said Michael Nguyen, 38, an engineer from San Jose. "It's not a big deal."
But others — some of whom refused to participate in the program, which is voluntary — felt as if they had stumbled into a science fiction plot. They worried that the gym was going to do something sinister with their scan, while admitting they couldn't think of exactly what that would be.
"The only time I ever saw that before was in the movie 'Total Recall,'" said Isaac Thomas, 36, a Caltrans worker from Vallejo. He said he had submitted to scanning but added, "Now I'm wondering what they're going to do with my fingerprint."
"I did not do it," said Jenica Babbitt, 35, a social worker from Oakland. "I don't know why I didn't do it. It just seems weird."
Another woman said she was concerned about the scanners but for a different reason: She often sneaks into 24 Hour Fitness under a friend's membership. She declined to give her name.
Company officials, concerned about the public perception of the scanners, tested them for months at some locations while soliciting feedback from members. They say the reaction was overwhelmingly positive, with just 3 percent of people declining to be scanned during the pilot program.
The officials say they have no ulterior motive. They say the scanners simply allow visitors to show up without a club card and an ID, while preventing nonmembers from sneaking in. The company also saves on paper, plastic and postage, having issued 1.9 million cards last year.
Members using the machines must first enroll, submitting to an initial scan. Then, during visits, they punch in a 10-digit code before placing the pad of one of their index fingers over a small window. Using the code, the system compares the finger to the one that was previously enrolled. False matches, or rejections, are rare, the company says.
The system doesn't actually store fingerprints of the type that could be compared with prints from a crime scene, officials say. The machines, made by MorphoTrak of Alexandria, Va., map out unique points within the ridges of a finger, then convert that information into a binary code— ones and zeroes — that is encrypted.
If someone were able to crack the encryption, said Gary Jones, MorphoTrak's senior manager for biometric security products, "it would still be impossible to reverse-engineer the information into a person's fingerprint image."
Two privacy experts who have followed biometric technology said that, in isolation, the health club's program may be perfectly safe. But they said consumers should be certain that biometric scans taken at places such as 24 Hour Fitness are stored securely and not used for any other purpose.
It is conceivable, they said, that a law enforcement agency could figure out a way to compare fingerprints with a database such as the one kept by 24 Hour Fitness. It's also possible, they said, that finger scans could be stolen as credit card numbers are.
Jared Kaprove, an attorney who focuses on domestic surveillance at the Electronic Privacy Information Center in Washington, said, "It's easy to get a credit card reissued, but you can't get your fingerprints reissued."