Employee's Right to Privacy

The employee's right to privacy and the employer's need to protect its corporate interests have always been in conflict. Early on, employees were treated like property. Once in the employ of a company, the corporation controlled many aspects of the employee's life. It wanted to know with whom the employee associated, to what organizations the employee belonged, the employee's religious affiliation, and other aspects of the employee's personal life that could affect the company. The advent of trade unions and similar groups did much to remove these intrusions into the employee's everyday life. Today, the employee faces a number of privacy issues that never existed before or were of little interest to the employer.

Protection of Personal Data Collected by the Employer

Not long ago, an employee's personal file contained relatively little information. The most confidential piece of information contained in the file was the employee's social security number. The government required this number so that taxation could be applied to the employee's salary. In today's data-rich world, most employees would be surprised to see what information their employer has about them. This information could include:

  • Credit history

  • Medical coverage

  • Insurance and beneficiaries

  • Criminal history

  • Photo of employee

  • Ink fingerprint card

  • Phone numbers called from employer's phone system

  • List of bookmarked Web sites

  • Voicemails

  • List of Web sites surfed

  • Daily arrival and departure times from place of business

  • Electronically stored biometric data

The simple fact that this data has been collected can be very unsettling to an employee. The employee would rightly be concerned about who is viewing this data and what it is being used for. As discussed in the section describing the employer's requirement for privacy, biometrics can be implemented to help enhance the privacy of the employer. When biometric systems are in place, the employer can also use them to help protect the employee's privacy. However, the same biometric that helps protect the privacy of both the employer and the employee could also be used to invade the employee's privacy. What follows is a discussion of the impact of biometrics on the privacy of the employee.

Biometrics as an enabler of employee privacy

Employees do have a concern over who can view the personal information collected about them. Biometrics can help in this area. If the information about an employee is stored electronically, we can use biometrics to protect access to this information. This way, only other employees who have a requirement to access this information could do so. It would also deter the employees who have access to this information from sharing it with others. If the employees with access to this sensitive information know that they can be positively identified as accessing other employees' confidential information, they may be less likely to provide this information to a third party or gossip about what they know.

Physical access biometrics can be used to prevent unauthorized employees from gaining entry to securely stored paper records. If a biometric authentication is required to access paper documents, it will deter unauthorized access and help manage required access. It should also give the employee some sense that the company is doing what it can to safeguard personal data.

Biometrics used to invade employee privacy

An employee needs to be made aware of what personal information is being collected and what it is being used for. Most employers have the legal right to monitor what an employee does in conducting business on behalf of the employer. The employer has the right to monitor how corporate resources are used. The employer may listen to employee phone calls and voicemails. The employer may do this to determine with whom the employee is communicating. The employer may hear personal information being communicated at the time. This information could then be stored or recorded for future use.

The employer may use digital surveillance cameras to watch for unauthorized access. These cameras can record digitally and their output can be stored indefinitely. A group of anonymous employees meeting in a hallway and talking may not be of any interest to an employer. However, if one of the employees in the group turns out to be supplying information to a competitor, the employer may want to know to whom they were speaking.

Many companies now require an employee to submit to a background check. These background checks are mainly carried out using fingerprints. The employer collects the prospective employee's fingerprint images digitally and sends them off for a background check. The number of industries doing this type of checking has increased since September 11, 2001.

Without even realizing it, an employee may give the employer a sample of his/her biometric traits. Voicemail or recorded conversations can be used with voice-based biometrics. Digital surveillance cameras can provide both face and gait biometric information. Lastly, the collection of a fingerprint can be used for fingerprint biometric verification. There are really two issues here that are of concern for the employee. First, the biometric data collected for use with voice, face, and gait biometrics could be obtained without the employee's consent or knowledge. Second, how is the employer going to use the biometric data collected?

Collecting employee biometric data can be done either covertly or overtly. In an overt collection of biometric data, the employee knowingly submits to the collection of data. In a covert system, the employee does not know that his/her biometric data is being collected. In the cases of voice, face, and gait data collection, the employee may not be aware that the employer was collecting this data. The employer could argue that the surveillance cameras are visible and well-known, and that the employee should not have an expectation of privacy while at his/her place of employment. With the collection of fingerprint biometric data, the employee knows that it is being collected. The employee needs to be present and actively submit his/her finger for fingerprinting. In this case, the employee knows that the biometric data is being collected for a background check.

The second, more invasive problem is, what other uses does the employer have for this data? An employee can never know for sure, but the company's privacy statement can give some indication of how the data will be used. In general, the privacy statement should make mention of disclosure policies for third parties. Some policies say that for business or legal reasons, private information may be shared. The policy will often go on to state that any third party will abide by the same privacy statement as the company releasing the data. It may also say that the company releasing the data is liable for the third party's misuse of the data. This can be reassuring, but who monitors whether or not the third party breached its agreement? It is generally the responsibility of the company that shared the data originally. It would be in the company's best interest not to find any breaches, as it would be liable for them. Thus, you have self-regulation that does not really work.

What is an employee to do? The best an employee can do is to be diligent in how his/her personal information is used and provide only the absolute, bare minimum. Be aware that your personal data is a valuable commodity. Any interaction you have with an entity that is not tracked is a lost opportunity for data gathering. The lost opportunity can be seen as possibly lost revenue if sold, or lost intelligence on the employee.

The real onus of providing a positive biometric privacy environment falls on the company. It is the company that wants to use biometrics to enhance its authentication. If a company wants to use biometrics, it must create a privacy policy that respects the employee as an individual, yet at the same time affords the company a strong factor of authentication.

Creating a Positive Biometric Policy

The largest obstacle to overcome in a successful biometric implementation is user acceptance. A user may reject biometrics for any number of reasons, including fear, ignorance, stigma, religious beliefs, and the loss of privacy. A pro-privacy policy statement can address the user's concerns. The policy statement should address the following areas:

  • Biometric enrollment

  • Template storage and transmission

  • Verification

  • Terms of use and audit statement

Let's expand on each in more detail.

Biometric enrollment

A privacy policy must clearly state which biometrics are being enrolled and how the data will be captured. A pro-privacy policy will allow biometric enrollment only through overt means. This means that both passive and active biometrics will be taken only with the user's full knowledge and consent. Passive biometric measures like face, voice, gait, and to a lesser extent, eye-based biometrics can be taken from the user without his/her knowledge or consent. A camera in the lobby could record a person's face and/or gait. A camera in an elevator by the floor selection panel could read retina and iris biometrics. A microphone in a hallway or elevator, or the user's phone handset, could be used to record a voice biometric. In all these cases, the user would never know that his/her biometric had been enrolled. It is paramount that if these types of biometrics are used, the user is clearly told when they are being enrolled so that he/she can consent to the enrollment.

Active biometrics like finger, hand, and vein biometrics require the user to actively submit to enrollment. These types of biometrics would be seen as more privacy-friendly. At the same time, the user still needs to be made aware that he/she is being biometrically enrolled in order to allow him/her to consent to the enrollment.

The enrollment portion of a pro-privacy policy statement should also clearly outline that what is about to take place is a moment of trust. The enrollment agent or someone else of authority must positively identify the user being enrolled. The greatest risk of fraud in a biometric system comes at enrollment time. The user must be prepared to produce appropriate documentation and/or have other trusted parties in the company vouch for his/her identity. It should be made clear that this is being done for both the protection of the employee and the employer. From the employee's perspective, positive identification means that he/she will be the only one claiming to be him/her when the biometric system is used. This way, if a biometric audit log is used to verify who did a particular action, the employee knows he/she will not be falsely identified.

When biometric enrollment takes place, the company needs to disclose the following regarding the enrollment:

  • Is it compatible and comparable with law enforcement databases? There are a number of reasons why an employer and employee may or may not want a template that is compatible with existing law enforcement databases. From an employer's standpoint, having a compatible template gives the employer the chance to find out if an employee has a criminal background. It can also allow for a third party's verification of the employee's identity. This verification for positive identification can prevent previously terminated employees from re-applying. It can also stop individuals from using pseudonyms or other means of identity fraud. From an employee's standpoint, being positively identified will prevent others from trying to be enrolled as him/her. This form of identity theft would be detrimental to an employee in that the employee could be associated with activities he/she did not commit.

  • The need for re-enrollment: Over time, biometric measurements can change. If the biometric system being used does not in some way account for these changes, the number of false rejections for an employee will increase. This increase in false rejections will cause frustration on the part of the employee and diminish the expected results of the system for the employer. Biometric re-enrollment needs to be explained to the employee. The employee needs to understand that his/her live biometric will eventually deviate too far from the stored template to be usable. At this point, the employee will be asked to re-enroll. From the employee's perspective, re-enrollment continues to offer him/her the ease of use initially obtained from the system. It gives the employer up-to-date templates to use for comparison. This will also lower the number of calls to the help desk about false rejections.

  • Is the biometric image stored or is a template created? The end result of a biometric enrollment is the capture of biometric data. The form in which biometric data is stored is important to both the employee and the employer. This biometric data can be stored in its raw form, or turned into a template. The raw form of the data is the biometric measurement before it is processed. This could be an image of a finger, face, iris, or other trait. It could be a raw .wav file for voice. This is the data that would be fed into a templating algorithm.

    The current state of biometric technology does not require raw data. All biometric systems work from templates. Keeping raw data is useful only for applications like face verification. The raw image could be stored along with the template. When the user authenticates, a guard viewing the stored raw image could make a secondary verification. This obviously benefits the employer and does not really invade the employee's privacy. Unless the employee is walking around with a mask on, the face is one biometric that is always visible. The storing of a fingerprint image is normally of more concern. Many believe that the raw image could be used to spoof an authentication system or make a fake finger. As we will see in a later chapter, the creation of fake fingers is possible. Therefore, it is preferable to have the raw biometric data discarded and a template created.

    A template created from raw biometric data should contain enough data for verification, but not enough data to recreate the raw biometric. Templates are normally created using a one-way hash algorithm. The algorithm takes the raw data, extracts the information it needs, and then processes it. Once the raw data is processed, there is no way to go back. The use of hash functions is covered in greater depth in a subsequent chapter. When a biometric comparison needs to be made, the newly acquired image is put through the same one-way hash function as the original biometric enrollment. This way, it is this template that gets used for comparison.

Template storage and transmission

When an employee is biometrically enrolled, the resulting template needs to be stored somewhere. Templates can be stored in relational databases, in smart cards, as files on a user's computer, or in a corporate lightweight directory access protocol (LDAP) directory. The employee's and employer's privacy concerns differ depending on where the template is stored. For discussion purposes, let's group template storage into two kinds of location: LDAP directories and relational databases are network-based and thus count as online storage; local files and smart cards can be considered offline storage.

Privacy concerns with templates being online are:

  • Online storage is controlled by the employer

  • How templates are retrieved for comparison

Each point needs to be examined from both the employee's and employer's perspective.

  • Online storage is controlled by the employer: because the employer manages online storage, it is a privacy concern for the employee. The employee's biometric data is no longer under his/her control. The employee no longer has the ability to allow or deny access to this data. In addition, the employer has the template available at any time. This way, the employer is the final arbiter of who has access to the data, and with whom it is shared.

  • From an employer's standpoint, the responsibility of controlling biometric data is very important. This repository needs to be under control in order to assure the employer of the validity of the data. If this data is compromised and is used outside the company or for other nefarious purposes, the company could be held liable. On the other hand, having the data under the employer's control allows greater flexibility in its use. Depending on the nature of the agreement between the employer and employee, the biometric data could be used in conjunction with other data to put together a complete employee picture. This could include things like time and attendance, travel patterns in the buildings, time of lunch breaks, and other sundry information. This information could be used to better manage the employee, or could be sold to third parties.

  • How templates are retrieved for comparison: For a biometric authentication to take place, a biometric sample needs to be taken. The new raw biometric data is put through a one-way hash function and a comparison template is created. The comparison template is then compared against the reference template stored online. The retrieval of this template can pose privacy concerns for the employee and employer. Ironically, both parties have the same privacy concerns, but for different reasons. Employers are always concerned about templates being compromised for fraud and unauthorized access. Employees are concerned about identity theft.

For both parties, the security of online template storage is important. Online storage in either a relational database or an LDAP directory has similar properties that cause concern. Both have the following characteristics:

  • Access control lists (ACLs) are required

  • Network-based resource accessible companywide

  • Accessible through TCP/IP or other networking protocols

  • High on the "hit list" for hacking

ACLs are security mechanisms that are applied to records in a relational database or attributes in an LDAP directory. The ACLs control who can read, write, delete, or make changes to the records themselves. These ACLs can be set for individual users or groups, or they can be inherited from higher up in the access tree. ACLs have the potential for privacy invasion if they are not set and managed properly. One of the biggest failings with ACLs is the over-assignment of rights. This over-assignment normally occurs when there are problems accessing certain data. Instead of analyzing why the data cannot be accessed, the administrator keeps granting higher levels of rights until access is achieved. In doing so, the administrator may inadvertently grant access to information that should not be made available to everyone. This can leave the template accessible and might lead to its compromise. The proper way to handle this is to assign the ACLs with the minimum amount of privilege. If the templates need only read and write access for the users, then the users do not need delete rights or rights over the ACLs themselves. Also, the ACLs for templates should be set through group ACLs. This way, if a server or a new administrator needs access to the templates, it can be added to the group. And, if an administrator no longer needs access, he/she can be removed from the group, rather than being managed as an individual.

When templates are stored on a network-based resource, they are network-accessible. This way, it would be possible for almost any machine in the firm to reach their storage location. Networks can be partitioned and routing can be disabled to different subnets, but if you need to have free seating, then you cannot limit where a user can access these templates. A better solution would be to place a trusted proxy between the requesters and the templates. This trusted proxy would be the only means of accessing the templates. It would be better still if the actual matching of the templates took place on a trusted server. This way, the server could also act as the proxy and return a template only to itself. Using this approach, the templates would never leave the trusted server, and on the server acting as the proxy, the templates would have the appropriate ACLs for access. The only flaw in this solution is that the database or LDAP directory being used for template storage could also be used for other applications. These other applications may require that end-users directly access the database or directory. So, even if the templates have the proper ACLs on them, unauthorized access attempts can still be made. For example, there are well-known attacks that can be carried out on databases and directories for unauthorized access. The fact that these do exist demands that the security group of a company make every effort to keep the network secure and the data repositories patched with the latest fixes from their vendors. This way, the risk may be mitigated or reduced.

The economies of scale that corporations have reaped from implementing TCP/IP have also proved to be a security risk. TCP/IP is the networking protocol that allows everything to be connected and share the network infrastructure. TCP/IP is what allows corporations to connect to the Internet, send and receive email, browse the Web, and offer applications and data for use by partners and customers. This TCP/IP network is also the one that lets the attackers and hackers right in the company's front door. As discussed in Chapter 2, TCP/IP provides the mechanisms for these attacks to occur. This, combined with the templates being stored by network-based resources, provides the opportunity for compromise. Again, protecting the templates from being compromised is part of the network security group's responsibility. If access to the templates is compromised either from the inside or the outside, the templates can be posted and moved around the world in fractions of a second. The sheer computing power available on the Internet could then be put to work for compromising the templates. The simple fact that the templates have left the control of the employer is in and of itself cause for concern. The connections between the template repository and the verification location can also be cause for concern. There are TCP/IP hacker attacks that can be used to receive the packets destined for the proper recipient. These attacks allow hackers to access the packets or interact with the application listening on the server. Proper operating system choices, applying all the operating system and application patches, and good security models in the biometric software can help alleviate these risks.

The network-based resources in which the templates are stored are high on a hacker's target list. Databases and directories contain information that others would probably want. As such, they are frequent victims of hacker attacks. Since they are such highly valued targets, large numbers of hackers try out the latest exploits to compromise these systems. As such, the probability that the servers where the templates reside will have well-known attacks is high. It is imperative that the servers that hold the database or LDAP directory be secured both physically and digitally. These servers should be on the inside of the firewall, and not host any applications or services that would require external connectivity. These simple security practices will reduce the risk of external attack, but they may still be vulnerable to an internal attacker. Most security intrusions are either perpetrated by an insider or with the assistance of insiders. As such, the greatest weakness once again is the human condition.

While biometrics provide a means to mitigate some of the human risk, they cannot mitigate all of the associated risk. Good human resource (HR) and IT policies can also address the insider threat. HR policies can stipulate that unauthorized access to corporate resources, or the disclosure of company information, is a punishable offense. IT policies can force administrators to follow best practices and mandate the rotation of personnel to prevent fraud from being perpetrated for extended periods of time. Personnel rotation is very common in the banking industry. The idea behind it is that employees in all positions either rotate out of their positions or have mandatory holiday time. This time away is meant to prevent the ongoing cover-up of illegal activities. An employee cannot cover up his/her actions if he/she is not present. This works well, assuming that the employer has a way to check on illegal activities, or suspects something.
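As an added example (not code from this book), here is a toy Python model of the pro-privacy storage design described above: group-based, least-privilege ACLs on the template store, a trusted matching server that is the only path to the templates and returns only a decision, raw samples discarded at enrollment, and an audit log of every request. The feature extraction and the match threshold are illustrative placeholders rather than a real biometric algorithm, and all principal names and sample values are constructed.

```python
"""Toy model of a pro-privacy template store (constructed example, not a real
biometric system): templates never leave the trusted matching server, rights are
granted to groups with least privilege, raw samples are discarded, and every
request is written to an audit log."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def extract_template(raw_sample: List[float]) -> Tuple[int, ...]:
    """Illustrative one-way feature extraction: keep one quantised bit per
    measurement, so the original values cannot be rebuilt from the template."""
    return tuple(1 if v >= 0.5 else 0 for v in raw_sample)


@dataclass
class TemplateStore:
    """Online repository with group-based ACLs: rights belong to groups, and
    principals are added to or removed from groups rather than named directly."""
    templates: Dict[str, Tuple[int, ...]] = field(default_factory=dict)
    group_rights: Dict[str, Set[str]] = field(default_factory=dict)
    membership: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, group: str, *rights: str) -> None:
        self.group_rights.setdefault(group, set()).update(rights)

    def add_member(self, principal: str, group: str) -> None:
        self.membership.setdefault(principal, set()).add(group)

    def remove_member(self, principal: str, group: str) -> None:
        self.membership.get(principal, set()).discard(group)

    def rights_of(self, principal: str) -> Set[str]:
        groups = self.membership.get(principal, set())
        return set().union(*(self.group_rights.get(g, set()) for g in groups))

    def _check(self, principal: str, right: str) -> None:
        if right not in self.rights_of(principal):
            raise PermissionError(f"{principal} lacks '{right}' on templates")

    def put(self, principal: str, user_id: str, template: Tuple[int, ...]) -> None:
        self._check(principal, "write")
        self.templates[user_id] = template

    def get(self, principal: str, user_id: str) -> Tuple[int, ...]:
        self._check(principal, "read")
        return self.templates[user_id]

    def delete(self, principal: str, user_id: str) -> None:
        self._check(principal, "delete")
        del self.templates[user_id]


class MatchingServer:
    """Trusted proxy: the only principal that talks to the store. Callers send a
    probe and get back a decision; the reference template is never returned."""
    THRESHOLD = 2  # differing bits still accepted (toy value)

    def __init__(self, store: TemplateStore, identity: str = "matching-server"):
        self.store, self.identity, self.audit = store, identity, []

    def enroll(self, user_id: str, raw_sample: List[float], agent: str) -> None:
        self.store.put(self.identity, user_id, extract_template(raw_sample))
        raw_sample.clear()  # the raw biometric is not retained after templating
        self.audit.append(("enroll", user_id, agent))

    def verify(self, user_id: str, raw_probe: List[float], purpose: str) -> bool:
        probe = extract_template(raw_probe)
        try:
            reference = self.store.get(self.identity, user_id)
        except PermissionError:
            self.audit.append(("verify", user_id, purpose, "store-denied"))
            raise
        # Hamming distance: real matchers use a tolerance, not exact equality
        accepted = sum(x != y for x, y in zip(probe, reference)) <= self.THRESHOLD
        self.audit.append(("verify", user_id, purpose, accepted))
        return accepted


def attempt(action: Callable[[], object]) -> str:
    """Run an access attempt and report whether the ACLs allowed it."""
    try:
        action()
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Enrollment, genuine/impostor verification, direct read, delete, revocation."""
    store = TemplateStore()
    store.grant("template-services", "read", "write")  # least privilege: no delete
    store.add_member("matching-server", "template-services")
    server = MatchingServer(store)
    enrol_sample = [0.9, 0.1, 0.8, 0.7, 0.2, 0.95, 0.05, 0.6]  # constructed values
    server.enroll("alice", enrol_sample, agent="hr-enrolment-agent")
    genuine = [0.85, 0.2, 0.7, 0.6, 0.3, 0.9, 0.1, 0.45]  # noisy re-capture, 1 bit off
    impostor = [0.1, 0.9, 0.2, 0.2, 0.8, 0.1, 0.9, 0.3]
    results = {"raw_discarded": enrol_sample == []}
    results["genuine"] = server.verify("alice", genuine, "physical access")
    results["impostor"] = server.verify("alice", impostor, "physical access")
    results["direct_read"] = attempt(lambda: store.get("workstation-17", "alice"))
    results["server_delete"] = attempt(lambda: store.delete("matching-server", "alice"))
    store.remove_member("matching-server", "template-services")  # revoke via the group
    results["after_revoke"] = attempt(lambda: server.verify("alice", genuine, "audit"))
    return results, server.audit
```

Note that revocation is a single group-membership change, and that the denied attempts still leave an audit entry, which is what the audit statement in the policy relies on.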

Verification

Once an employee is enrolled, the reference template is used for verification. The privacy concerns of verification are as follows:

  • Reason for verification

  • Where the verification match takes place

Let's examine these verification concerns in more detail.

Reason for verification

Like any factor of authentication, a request for verification should not be taken lightly. When an employee verifies, he/she is confirming his/her identity with a high level of certainty. This creates a point of recognition. The employee is no longer an anonymous entity. The employee now has an identity, and associations can be made. If the verification is done in the course of doing company business, then it is a justifiable verification. If the verification is frivolous or intended to create non-business-related associations, a breach of privacy has taken place. Examples of justifiable verification are:

  • Physical or logical access to a company building, resource, or computer network

  • The binding of a physical person to a digital persona

  • Proof of identity before conducting private transactions

  • Proof of identity for employment reasons

Examples of unjustified verification are:

  • Verification for access to non-critical resources or facilities

    - Washrooms

    - Fitness centers

    - Cafeteria

  • Passive biometric verification

    - Security wanting to know the name of an anonymous face for personal reasons

    - Wanting to know the names of people smoking outside the building

    - Associating a name to a person carrying shopping parcels from a particular store

  • Access to non-corporate Web sites

What are the reasons behind justifiable and unjustifiable verifications?

Justifiable verifications

  • Physical or logical access to a company building, resource, or computer network: As an employer, I want to make sure that access to my buildings and resources occurs only for authorized employees. To accomplish this, I require every employee to verify his/her identity before entering or accessing a building or resource. This is justifiable since it takes place while the employee is discharging his/her duties. The employee has no justifiable grounds to deny verification. It is part of the employee's employment to use these resources or access these facilities. As such, the employee must be expected to provide all reasonable accommodations to me as the employer.

  • The binding of a physical person to a digital persona: As seen in Chapter 2, one of the reasons for biometric deployment is to provide a physical binding between your digital identity and your physical one. A digital certificate in and of itself is worthless unless tightly bound to an individual. Once this binding has occurred, it is only fair to assume that use of and access to the digital certificate would require verification. The employer will want to know for certain that the employee was the one who electronically signed a transaction. This way, the employee must provide the verification to fulfill the security vision of the company, and also to ensure that the recipient of the transaction/email received it.

  • Proof of identity before conducting private business: In the course of being employed, there are a number of times when an employee needs to identify who he/she is. These authentication requests could be for access to HR, for medical reasons, or for employee benefits. Ensuring the confidentiality of employee data is the responsibility of the employer. Requiring an employee to authenticate him/herself to get access to data is justifiable.

  • Proof of identity for employment reasons: As outlined earlier, an employer wants to verify that an employee or potential employee is who he/she says. To achieve this level of certainty, the employer will request of the employee a verification of identity. This could be in the form of a background check to verify criminal history. The verification could be used to prevent discharged employees or previously rejected candidates from seeking employment. It could also be used to prevent fraud, such as the same person receiving salary and/or benefits multiple times under different names. In this case, the employee or candidate has willingly offered services for employment. As such, the employee or candidate must be willing to accommodate this justifiable request for verification.

Unjustifiable verifications

  • Verification for access to non-critical resources or facilities: While the needs of employee verification for physical and logical access to corporate resources are justifiable, not all resources or facilities should require verification. If access to all corporate resources or facilities mandated verification, the perceived value of that verification would be diminished. For example, if an employee needed to verify for access to trade secrets or corporate financial information, that same verification should not be required to use the washrooms. This diminishes the importance of verification for trade secrets and corporate financial details. These justifiable verifications lose their effectiveness and come to be viewed as just another bureaucratic activity.

    In the same vein, verification for access to resources like washrooms, health facilities, and cafeterias seems intrusive. A concerned employee could view the employer's interest in positively identifying the individual as nefarious. This perception of nefarious activity could lead the employee to believe that the employer is using a moment of recognition as an opportunity to correlate data about anonymous users. This correlated data could then be sold, or used internally, without the user's consent. For example, being able to put an identity to a face that uses the health facilities every day may identify a prime candidate for targeted mass mailings from fitness companies. Also, the knowledge that this particular individual uses the health facilities, makes six figures, and has a wife and three children adds increased value to this information for sale to marketing groups. At the same time, an employee who regularly eats at the cafeteria and orders from the grill line, and is never seen going to the health facilities, could be "red-flagged" for additional health screening for insurance re-qualification. As you can see, the above examples of verification are not justifiable when viewed in the context of discharging one's corporate responsibilities.

  • Use of a passive biometric: One of the biggest privacy fears for an employee is not knowing when he/she is being watched. One of the factors that mitigates this concern is the general anonymity an employee has while moving about. If the employer uses passive biometric systems, however, this anonymity is decreased or lost. The employer can establish a moment of recognition whenever he/she needs to. These additional moments of recognition could occur for non-business reasons. An example could be a security guard wanting to know the name of an employee so he/she could ask the employee for a date, or worse. Another example is a company that has less life insurance coverage available to employees who smoke. Thus, it would be in the company's best interest to be able to identify employees who smoke. In today's work environment, smoking is an activity that does not occur in company buildings; smokers are forced to go outside to designated smoking areas. This provides prime locations for passive verification to take place. The employer can control where these smoking areas are set up and the lighting and access ways to these areas. These factors provide an ideal environment in which to create a moment of recognition. Now that the employer knows who smokes, he/she can use it for internal reasons; the employer could also use it to provide direct marketing information.

    The marketing data that a company holds on an employee is quite often seen as an untapped revenue stream. In tough economic times, normally scrupulous companies sometimes do the wrong thing. For example, the value of knowing which employees are married, have children, and earn a particular amount of money is pretty lucrative in and of itself. Now, if the employer can correlate this static information with new dynamic data, the value of the marketing data can soar. For example, a corporate location near a major shopping center can provide the company with such information. Many employees may run errands or shop during their breaks. The employees may bring procured items back to their place of employment. When an employee shops somewhere, the store often gives a bag to carry purchases in. The bags are usually emblazoned with the logo of the store. A moment of recognition at that point ties the store's logo to a named employee and correlates all the data together. This is clearly an unjustifiable use of verification. Not knowing and controlling when these unauthorized verifications take place can only diminish the amount of privacy and anonymity an employee has.

  • Access to non-corporate Web sites: With the Internet now as commonplace in business as the telephone, companies have established policies to ensure proper use. A proper use statement generally comments on the type of content that is allowable for viewing, what the Internet connection can be used for, and what applications cannot run across the company's link. To better secure and speed up Internet access, a company may implement proxy servers. To "control" access to the Internet, authentication is required to the proxy server. This moment of recognition can be used to correlate the sites visited after verification with a particular user. Again, this illustrates how the static data that an employer has about an employee can increase in value with correlation. If a user seems to be spending a lot of time looking at car sites and the latest car reviews, he/she is probably a pretty good candidate for a car loan or purchase. If the moment of recognition happened only when the user wanted to access corporate sites and resources, this would be justifiable. But using moments of recognition to further increase the value of the data stored on an employee is unjustifiable.

Where verification takes place

The act of verification is purely computational. Wherever there is sufficient computing power, a verification could take place. Historically, biometric verifications take place on:

  • Servers

  • Workstations

  • Smart cards

Let's examine each in more detail.

Servers

Server matching seems to offer the ideal solution. The match takes place away from the client and on a machine that is in a secure facility. This server is, to a large degree, considered trusted. It has not been physically or logically compromised. When the reference template is used for verification, it is never exposed to the PC in any way. The software on the client machine making the request is expecting back a simple yes or no answer from the server. Assuming the communications between server and client are secured, the server solution is ideal. The reference template is never exposed and the authentication can be automatically audited.

One of the drawbacks of using servers is the problem of how employers can support offline users. The obvious answer is that they cannot with server-based authentication alone. This leaves two other choices: use the user's workstation/laptop or use a portable token like a smart card.

Workstations

Using workstations for authentication provides location convenience. In general, the user will always have access to one and will normally carry a laptop if traveling. The use of a workstation creates additional concerns, however. These additional concerns are the inherently untrustworthy nature of workstations and how templates get to the workstation for verification.

Workstations in general are not to be trusted. Employees can load almost any software they like on them, and they modify security settings on their workstations because the security administrator granted them full access so as not to have any access-denied issues.

Workstations and laptops are lost or stolen at an alarming rate, so storing templates on any local machine is a concern if a laptop is compromised. Most biometric solution providers have a mechanism to get templates to a workstation. Once there, they are stored encrypted until needed for verification. As a result, the templates can be attacked continuously if a laptop is stolen or compromised. A better solution is to age the templates and then delete them. An aged template is one whose continued access has been blocked by some means. An aged/blocked template can be reactivated when the workstation next talks to a server online. Aged templates are securely deleted from workstations after a predetermined number of days. This way, a thief or attacker has a limited timeframe in which to access the templates.
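The age/block/delete policy just described, written out as an added example (not code from the book or from any biometric vendor). The cache, the day-number clock, and the block-after/delete-after thresholds are assumptions; the template bytes are treated as already encrypted by the vendor software, and expired entries are zeroed before they are dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class CachedTemplate:
    user_id: str
    ciphertext: bytearray   # reference template, already encrypted by the vendor software
    last_refreshed: int     # day number of the last online reactivation (or initial delivery)
    blocked: bool = False   # "aged": still on disk but unusable for verification

class TemplateCache:
    # Hypothetical workstation-side template store applying the age/block/delete policy.
    def __init__(self, block_after_days: int, delete_after_days: int) -> None:
        if delete_after_days <= block_after_days:
            raise ValueError("templates must be blocked before they are deleted")
        self.block_after = block_after_days
        self.delete_after = delete_after_days
        self._store: Dict[str, CachedTemplate] = {}

    def receive(self, user_id: str, ciphertext: bytes, today: int) -> None:
        # The server has pushed a template to this workstation.
        self._store[user_id] = CachedTemplate(user_id, bytearray(ciphertext), today)

    def reactivate(self, user_id: str, today: int) -> bool:
        # The workstation is online and the server confirms the user is still valid.
        entry = self._store.get(user_id)
        if entry is None:
            return False          # expired templates are gone; the server must resend
        entry.last_refreshed, entry.blocked = today, False
        return True

    def sweep(self, today: int) -> None:
        # Run at least daily: block aged templates, securely delete expired ones.
        for user_id in list(self._store):
            entry = self._store[user_id]
            age = today - entry.last_refreshed
            if age >= self.delete_after:
                for i in range(len(entry.ciphertext)):   # zero the bytes before dropping them
                    entry.ciphertext[i] = 0
                del self._store[user_id]
            elif age >= self.block_after:
                entry.blocked = True

    def template_for_verification(self, user_id: str, today: int) -> Optional[bytes]:
        # The local matcher only ever receives an unblocked, unexpired template.
        self.sweep(today)
        entry = self._store.get(user_id)
        if entry is None or entry.blocked:
            return None
        return bytes(entry.ciphertext)
```

With a block-after of 7 days and a delete-after of 30, a stolen laptop yields a usable template for at most a week and any template at all for at most a month after its last server contact.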

Smart cards

Smart cards have been used historically for stored value purchasing and lately for more logical access requirements. Smart cards are great. They come with their own processor and memory. The speed and size of the smart card chip dictate the type of processing of which the card is capable. With biometric verification, a match using a smart card can occur on the card if the biometric vendor supports a match on the card. A variation of this is to create a comparison template on a PC, then send the new comparison template to the smart card. The smart card does the comparison and then returns a yes or no. If the return is yes, then the user is verified.

Smart cards also contain reference templates. The biggest benefit of the smart card is the secure storage of the templates. For someone to hack a card, he/she would need access to it, and would have to have a very detailed understanding of the card's structure and operating system. With a smart card system, the employee gets offline access to applications and the employer gets secure storage of the templates.

Terms of use and audit statements

The terms of use and audit statements in a positive biometric policy should define the following:

  • What can the biometric data be used for?

  • Will it be used in correlation with other data?

  • Length of storage of the biometric data

  • Audit trails for access to the biometric data

  • Audit trails created from verification

  • How the employer is audited against terms of use

  • Will biometric data be shared with third parties?

  • What options do employees have who cannot or will not use biometrics?

Let's expand on the above points.

What can the biometric data be used for?

Once an employer has possession of biometric data, it should be clear from the terms of use of the positive biometric policy when and how it will be used. It should clearly state when biometric verifications will be required and how the results of the verifications will be used. It needs to state the requirements the employer will put on the employee for re-enrollment and any other possible uses.

Will it be used in correlation with other data?

This part of the statement will give the employee some idea of what other uses the employer has for the data. If the employer is going to correlate verifications against other data, the employer needs to clearly outline what this new combined data will be used for. If it is to be used for third-party disclosures, the employee, by default, should be able to opt out of this. Any exposure of correlated data to a third party for uses other than the core business of the employer should be clearly defined. No employee should have as a condition of employment the sharing of his/her data with third parties other than for core business reasons. The employee should also have the right to view all data that has been correlated against moments of recognition.

Length of storage of the biometric data

The employee has the right to know how long the employer intends to keep the employee's biometric data. The length of time should be reasonable to ensure the employer sufficient protection, and at the same time, the employee should have confidence that the data will be properly disposed of. A positive biometric policy should outline the number of days, weeks, months, or years the data will be kept in case the employee leaves, is dismissed, retires, or dies. The policy should also state how the data will be destroyed, and if any data correlations will also be destroyed.

Audit trails for access to the biometric data

The employee has a right to expect that only authorized business access will take place with biometric data. To ensure this, audit trails must be kept. An audit trail should show enrollments, deletions, modifications, time last accessed, and time last accessed by user ID. This way, the employer is forced to examine the logs for its own protection. If there is evidence of illegal activity, the employer could be held liable for any damages an employee incurs.

Audit trails created from verification

When a user is challenged for a moment of recognition, there must be an audit trail of this event. The audit trail needs to show the location of the request, the date and time, the application that requested the authentication, the challenged username, the FAR (false accept rate) in effect, and whether the request succeeded or failed. These audit trails need to be administered by someone outside the security and biometrics group. That way, there can be no question as to the validity of the audit file entries.
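An added example (not code from the book or from any vendor) of an audit trail carrying exactly the fields listed above, with the review functions an administrator outside the biometrics group would run: listing every moment of recognition for one employee, flagging verifications requested by applications the terms of use do not name, and counting failures. The pipe-delimited line format, the application names, and the sample log lines are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class VerificationEvent:
    timestamp: str      # date and time of the challenge
    location: str       # where the request came from
    application: str    # application that requested the authentication
    username: str       # challenged username
    far: float          # false accept rate the match was decided at
    success: bool

def parse_line(line: str) -> VerificationEvent:
    # Constructed format: time|location|application|user|FAR|OK or FAIL
    ts, loc, app, user, far, result = line.strip().split("|")
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unknown result {result!r}")
    return VerificationEvent(ts, loc, app, user, float(far), result == "OK")

class VerificationAuditLog:
    def __init__(self, approved_applications: Set[str]) -> None:
        self.approved = approved_applications   # applications named in the terms of use
        self._events: List[VerificationEvent] = []

    def load(self, lines) -> None:
        self._events.extend(parse_line(l) for l in lines if l.strip())

    def events_for_user(self, username: str) -> List[VerificationEvent]:
        # Supports the employee's right to see when he/she was challenged.
        return [e for e in self._events if e.username == username]

    def unapproved_requests(self) -> List[VerificationEvent]:
        # Moments of recognition requested outside the stated terms of use.
        return [e for e in self._events if e.application not in self.approved]

    def failure_counts(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self._events:
            if not e.success:
                counts[e.username] = counts.get(e.username, 0) + 1
        return counts

SAMPLE_LOG = """\
2003-05-12T08:01:13|BLDG-A-LOBBY|door-control|jsmith|0.0001|OK
2003-05-12T08:03:40|BLDG-A-LOBBY|door-control|akhan|0.0001|FAIL
2003-05-12T08:03:58|BLDG-A-LOBBY|door-control|akhan|0.0001|OK
2003-05-12T12:15:02|BLDG-A-CAFETERIA|cafeteria-pos|jsmith|0.001|OK
2003-05-12T14:20:11|BLDG-A-FLOOR3|web-proxy|akhan|0.0001|FAIL
""".splitlines()
```

Loading the sample with door-control and web-proxy as the approved applications flags the cafeteria verification, the kind of use the text calls intrusive.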

How the employer is audited against terms of use

There is no use having a positive biometric policy if it cannot be enforced. Before the policy can be enforced, it must be seen and validated. The policy must clearly state the organization that will be responsible for the audit, the arbitrator who will be available to settle disputes, how frequently audits will happen, and how the auditor's report will be sent out.

Will biometric data be shared with third parties?

The sharing of biometric data with an unknown third party is never good. The employee loses control over his/her data and the employer may become liable for additional injuries suffered by the employee. The sharing of data must be optional, and as such, the default decision for sharing employee data must be no. To have biometric data shared requires the user to proactively opt in. Some sharing of data with law enforcement organizations may be necessary. It can be a condition of employment that all employees have background checks performed. This is a reasonable example of when data can be shared with a third party.

What options do employees have who cannot or will not use biometrics?

As much as biometrics have been hyped as the "silver bullet" to secure information technology, there will be portions of the population that will not want to, or cannot, use them. For any given biometric, approximately 3 to 6% of the user population is unable to use the biometric for one reason or another. This small group still needs strong authentication solutions offered to it. The secondary factor of authentication needs to have as much as possible the same high level of assurance as biometrics. This fallback authentication plan is what the hackers will go after. It is a lot easier to hack something that does not have biometrics as the primary means of authentication. Biometric authentication does not suffer from the same types of brute-force attacks as passwords. Fallback mechanisms should try to provide the same level of user convenience that would be enjoyed by biometrics, if possible.

Biometrics for Network Security
Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
Year: 2003
Pages: 123
Authors: Paul Reid