I often feel like much of what I do goes on in a world of hypotheticals, not just the assessment of risks, but even the assets, systems and processes I’m assessing risks and making recommendations about. It can start to feel pretty abstract.
Out in the real world, however, things get a little more physical. For example, at my local grocery and drug stores, they have the “pay-by-touch” system where you can just use your thumbprint to biometrically authenticate yourself and pay for your groceries. It’s been deployed for at least a year and I have yet to see anyone use it. I have also examined the reader on more than one occasion and noticed a layer of dust across the scanning area–people aren’t even interested in playing with it.
Quite the opposite, in fact. Last week, I was waiting in line behind two women, one of whom was a “local” and the other an out-of-town guest, based on their conversation. They reached the counter and the visitor noticed the pay-by-touch machine, which led to a conversation that went roughly like:
“What’s that?”
“That’s the fingerprint pay thing.”
“You pay with your fingerprint?”
“Well, I don’t, but you can.”
“Not me. That’s creepy, big-brother-ish.”
“You won’t see me using it.”
Now I had always assumed that, other than among security professionals, the reason biometrics haven’t taken off was an unwillingness to accept the risk of catching whatever disease the user before you had, or of having your key stolen by way of a sharp knife.
But if the resistance is actually based on a distrust of the information state and corporate or governmental privacy abuse, then it’s going to take a lot more than Sony’s technology solution to the biometric “key theft” problem.
The company’s biometric system uses an infrared camera to record the unique pattern of capillaries just beneath the skin, which can only be seen when blood is pumping through them. When this blood flow is cut off - when the finger is cleaved from the body, for example - the pattern disappears and the finger can no longer be used for identification. Thumbs up to Sony for this one.
All hype aside, the commercial release of finger scanners based on Sony’s patent will not be the inflection point of increased biometric adoption.
This is a people and process/policy problem, not a technology problem. Getting buy-in will only happen if people believe that their personal information is being handled responsibly, something that (at least here in the United States) the government and corporations demonstrate every day they have less-than-no interest in doing–they’re all-too-often trying to either weaken or develop workarounds to what anemic privacy rights we have.
Personally, I would argue that people are behaving sensibly in this case. They look at the supposed benefits of pay-by-fingerprint, which are quite clear and finite, primarily that it is “secure*” and convenient. This also ignores the reality that the inconvenience of grocery shopping is the shopping and standing in line, not paying for your stuff once you finally get to the front of the checkout line.
I think that most people (rightly) compare that to the potential risks, which are perceived to include Big Brother-ish snooping, disease, and getting your finger chopped off, and decide that the risks outweigh the benefit.
* I strongly suspect that if you examined the security of the system, it would be quite weak. Additionally, depending on how the transaction agreement is structured, the consumer might be exposed to liability for fraudulent transactions that they are currently protected from by law with a credit card transaction.
Personally, I would be very hesitant to create a new, unevaluated avenue for risk of financial loss for what is at-best a minimal convenience gain.
Here in Europe, I don’t think there are any rolled-out payment verification systems that use biometrics, so it’s nice to hear about a real-world system. It’s also good to hear about user reaction (even if it is negative). Personally I remain doubtful about the utility of biometric systems, for one reason - the irrevocability of biometric “certificates”.
What happens if someone manages to get their fingerprints registered in your name? How do you prove that you are you? What happens if a system is rolled out and compromised? Does everybody have to get busy on their fingers with a bottle of acid??
The base technology required - the fingerprint readers - is available in a reliable form. But the information management required in collecting everyone’s biometric data, storing it securely, and maintaining a reliable system is potentially well dodgy. The continuing debate on UK biometric ID cards is fuelled partly by the appalling track record of IT infrastructure implementations by UK government departments (or their contractors).
Also, the shift in liability that you suspect could happen almost definitely will - as has been demonstrated by the liability shift in the UK after the implementation of Chip & PIN (EMV) payment cards. The Banks have already passed liability for fraudulent magstripe transactions onto retailers. There are also some reports that cardholders who are the victims of fraud on their cards are now being treated as guilty with the onus being on them to prove their innocence - the assumption being that their PIN code can only be compromised if *they* have been negligent with it. And how can you prove a lack of negligence?
BimT Says: