Mandatory thumbprinting for the LSAT: an appropriate use of biometrics?
posted by: Philippa Lawson // 11:41 PM // February 21, 2006 // ID TRAIL MIX
Some recent complaints to three privacy commissioners in Canada have put the spotlight on the Law School Admissions Council (LSAC), the US-based non-profit corporation that administers the Law School Admissions Test (LSAT) throughout North America. The complaints focus on LSAC’s requirement that all test-takers provide a thumbprint. The Alberta, B.C., and federal privacy commissioners have launched a joint investigation into the LSAT complaints.
LSAC requires all test-takers to provide a thumbprint, along with name, date of birth, SIN, gender, race/ethnicity, and signature. It has been requiring thumbprints for 31 years. The purpose of the thumbprint, according to LSAC, is to deter imposter test-takers. Thumbprints are not imaged or digitalized, and are not accessible by computer. LSAC claims to maintain a high level of security of the document on which the thumbprint is recorded. It shreds the documents five years after collection.
LSAT isn't the only test administrator to require biometric identification of test-takers: the GMAT and MCAT, used for business and medical school admissions, collect thumbprints as well as digital photographs.
So what's wrong with this practice?
Mandatory collection of biometric identifiers is anathema to many people for a number of reasons. Some people object to the collection of their biometric data because of its association with tyrannical governments or criminal law enforcement. Some object simply because they find it intrusive. Some object to it on religious grounds.
More reasoned objections focus on the risks that collection and storage of biometric data pose to individual privacy. Once digitally stored, biometric data - like any other data - is easily copied, transmitted, altered and searched. But unlike other personal data such as names, addresses and identification numbers, biometric data does not change. And unlike credit cards, passports, and driver's licences, biometric data cannot be invalidated and substituted once compromised.
Another set of objections focuses on reliance on technology for the granting or denying of rights and privileges. While there are obvious advantages to such reliance (e.g., avoidance of human bias and corruption), there are also legitimate concerns about accountability and due process in the event of system failures. And studies have shown that biometric identification systems are by no means fool-proof. When used for authentication purposes, their reliability depends in part on the way in which they are administered.
Given the legitimate privacy concerns associated with fingerprinting, it is not surprising that complaints have been lodged. What is surprising is that LSAC has required thumbprints for 31 years, yet the issue has only recently come to the fore. Indeed, many of us who took the LSAT during this period (the author included) have no recollection of providing a thumbprint, although we must have done so!
No doubt the explanation for the recent complaints has to do with the relatively recent promulgation of privacy laws in Canada, and growing public awareness of citizen rights under these laws.
The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which came into force in 2001, is based on a set of widely accepted fair information principles. One of these principles is that organizations should not collect more personal information than necessary for the purposes that they have identified. Another is that those purposes must be reasonable.
In the LSAT case, the stated purpose of collecting thumbprints (to deter fraud) is clearly reasonable. But is the collection of thumbprints necessary to achieve this purpose? Do other, less intrusive but equally effective methods of deterring fraud exist? And is the fraud-deterrent value of thumbprinting proportional to its privacy invasiveness? The privacy commissioners now investigating this matter will have to answer these questions.
LSAC defends the practice as minimally privacy invasive, especially since the thumbprints are not digitized. Moreover, LSAC states that it typically objects to providing thumbprints in response to subpoenas for test-taker records, and destroys the thumbprint records after five years. Hence, concerns about subsequent uses of biometric data stored on computers may be inapplicable to this particular practice. But what’s to stop LSAC from digitizing the thumbprints in the future?
In any case, LSAC must still explain why other, less intrusive identification methods (such as the presentation of photo ID) are inadequate for the purpose of deterring fraud. Perhaps it is necessary to collect and store individual identifiers for some time after the test is administered, in order to be able to authenticate identities after the fact, in response to allegations of fraud. If so, are non-digitized thumbprints the least intrusive method?
Concerns about mandatory thumbprinting by LSAC and other test administrators have been heightened by the existence of the USA Patriot Act, which allows FBI access to private sector databases of customer information for counter-terrorism purposes, without any reasonable or probable cause to suspect wrongdoing by the individuals whose information is being disclosed. Because LSAC is US-based, it is potentially subject to Patriot Act orders. Although LSAC may not digitize the thumbprints it collects, there is no guarantee that the FBI would not do so, were it to demand test-taker records. Moreover, Patriot Act requests come with gag orders, so that individuals whose information has been gathered by the FBI and possibly added to terrorist watch lists or no-fly lists won’t know it.
In light of the growing vulnerability of personal data to potential abuse, it is important that governments and corporations alike limit their collection of personal data – especially biometric and digitized data – to that which is necessary for the purpose in question. The LSAT complaints have highlighted an issue that will no doubt arise with greater frequency in the future. If we want to maintain the level of privacy that currently underlies our free and democratic societies, we all have to be vigilant against the overuse of biometrics and be prepared to exercise our rights to keep it in check.
The fact that the Patriot Act can cause recording of the data with gag orders rather than informed consent suggests that law is insufficient to protect the data.
Thus a technological means is probably required. I often like to say that "The trouble with law is that it's advancing so quickly [and new laws like the Patriot Act are continually evolving], that technology is having a hard time keeping up with the law."
One technological solution would be to have the student retain the only existing copy of their own biometric information in a tamper-proof envelope or the like, where they could use it to prove absence of fraud if necessary, but where it would not be accessible to others.
It seems that the current system fails to balance the needs of security with those of privacy. Moreover, I believe that safety and security themselves are states of balance, and even if we don't care about privacy (where safety and security are concerned) it is still true that too much security can be dangerous.
In particular, I think that security and safety can grow into such grandiose proportions as to become securityranny and safetyranny, unless they are limited somehow. It seems that legal limitations are breaking down, and therefore we might need to create some kind of technological (rather than legal) framework to limit safety and security somewhere below the dangerously high levels that they are approaching.
Posted by: Steve Mann at February 21, 2006 03:57 PM