By Valerie Dittrich
Three months after the Ryerson Students’ Union (RSU) rolled out biometric fingerprint scanners for employees to sign in and out of work, privacy experts warn of risks associated with the use of this technology in the workplace.
“[Your fingerprint is] the most sensitive personal information about you because it will identify you like no one else,” said Ann Cavoukian, former Information and Privacy Commissioner (IPC) of Ontario and the current leader of the Privacy by Design Centre of Excellence at Ryerson University. “I don’t know if they’re encrypting the data, but this can become a magnet, a treasure trove for hackers and the bad guys.”
“I didn’t understand the need that compelled the RSU to go in that direction,” said Cavoukian.
Not only are there privacy risks associated with the use of biometrics but, according to experts, the legalities around its application in the workforce are vague.
According to the Office of the Privacy Commissioner of Canada website, the rules in the Privacy Act only apply to people who work within federal institutions when it comes to biometrics. The legislation does not contain information on how all O
When implementing fingerprint scanners at work, Toronto-based privacy consultant Lauren Reid stressed the importance of employees knowing what the company will be doing with the data.
“It requires transparency, meaning that the students are informed of what you’re collecting, why you’re collecting it, what you’re going to do with it and that they’re given meaningful choices,” said Reid.
“When something like that is mandatory, it calls into question whether the choice [of students to participate] is meaningful.”
Reid also added that just asking someone for their consent to use their fingerprint isn’t enough. The workplace needs to prove that biometrics is the best option, whether it is to prevent fraud, identity theft or just for convenience, she said.
According to Reid, privacy impact assessments help a company assess the pros and cons of implementing something that gathers employee information, like biometrics. The company must justify why it is doing this and explore alternatives.
Privacy impact assessments are a necessary step a workplace must take before implementing biometrics, she said.
Fingerprints can’t be replaced like passwords; in the instance that the data is compromised, someone can’t just get a new fingerprint.
Shane Turnidge, a fingerprint expert and the owner of SSTForensics, said a system such as the one the RSU has in place doesn’t provide enough information for someone to effectively ‘hack’ one’s fingerprint. In fact, the system could get the fingerprint wrong sometimes.
Turnidge said the system looks for features that are consistent and don’t change in fingerprints, such as its ridges and shape. These create something called a minutia map — a “constellation” of features in the fingerprint that are associated
He said the system the RSU has doesn’t have the software or hardware to take an exact print, just enough to know who that person is and let them into work.
“It’s not entirely accurate. It’s accurate enough,” he said.
Turnidge doesn’t think anyone should be afraid of their information from the system getting out.
“I wouldn’t necessarily be concerned about the fingerprint data because it really only benefits that particular system. People think that you can take the fingerprint from that particular device and put it into something else and I’m just not convinced that you can do that,” he added.
Still, Turnidge doesn’t see why the RSU would turn to biometrics in the first place. “Unless you don’t trust your employees, I can’t imagine why you’d ever put them in.”