The Washington PostDemocracy Dies in Darkness

The biometrics revolution is already here — and you may not be ready for it.

Apple introducted the iPad Air 2 on Thursday in Cupertino, Calif.  (AP Photo/Marcio Jose Sanchez)

The future is here, and it's biometric identification: You will soon be able to unlock the most recent iPad model with your fingerprint; banks are reportedly capturing voice imprints to catch telephone fraud; and the FBI's facial recognition database is at "full operational capacity" (although it still pales in comparison to Facebook's database).

But while these technologies are already influencing consumers' lives, it's not clear that everyone understands the long-term implications of widespread biometric use, experts say.

Biometric identifiers are any personal feature that is unique to an individual, including fingerprints, iris scans, DNA, facial features, voice and many other markers. In some cases, these identifiers are already making it into consumer technology. Some brands of laptops have had fingerprint scanners for years -- and the new iPad Air 2 will come equipped with the same Touch ID fingerprint reader already offered on the iPhone.

The Apple system stores information from its scans locally -- meaning it's not uploaded to some master database. But the ubiquity of iOS devices may make consumers more comfortable than ever with using biometrics as a means of self-identification. And biometrics are being used by companies and governments in ways that many people may not even be aware of yet.

Earlier this week, the Associated Press reported that two major financial institutions are using voice imprints from customer support calls as part of their fraud protection efforts. Facebook maintains what many experts call the largest facial recognition database in existence to tag individuals in photos, while some of its researchers have been developing an even more advanced system. And the FBI announced last month that its Next Generation Identification, or NGI, system had reached "full operational capacity." The system is supposed to incorporate iris scan, fingerprint and facial recognition databases. According to the Electronic Frontier Foundation, NGI will have 52 million photos in its facial recognition database by 2015 -- most, but not all, of criminals.

But as biometrics become more and more common, experts worry that consumers aren't fully aware of the potential pitfalls of using a personal feature for verification purposes.

"Our keys for authentication things used to be things that we had," says Alvaro Bedoya, the executive director of Georgetown Law's Center on Privacy and Technology. "Then they were things we knew, like passwords. And now they're things that we are."

Biometric markers area also immutable, unlike other forms of digital verification techniques. "You can change your password, but you can't change your face or your fingerprints without going through an awful lot of trouble," Bedoya explains.

To make matters worse, Bedoya says, most biometrics are also inherently public. "The only people who know my passwords are people who I tell them to and in some cases the services I am accessing," he says. "But I leave my fingerprints on everything I touch, and my face shows up on every camera I pass and my Facebook profile."

"Biometrics are not secrets," agrees American Civil Liberties Union analyst Jay Stanley. "Ideally, they're unique to each individual, but that's not the same thing as being a secret."

In a recent C-SPAN interview Jeremy Grant, director of the National Strategy for Trusted Identities in Cyberspace, acknowledges that even as biometrics are gaining popularity, they may not be the best solution for all tasks because of these concerns. "The devil is in the details of how you deploy it," he says.

There are two general ways biometrics are used, Bedoya says: for verification or identification. But the equipment to do either is the same. "A company one day can use your face print or your voice print to ID fraud, but the next day use it to identify a person unknown to them," he explains.

Says Stanley: "One-to-one verification is less intrusive than one-to-many. But once you compile a biometrics database, it's hard to put limits on how that's used."

Bedoya contends that current laws have not kept pace with technological developments in this area. "Facebook can create the world's largest privately held facial recognition database, legally, because our law has yet to catch up with biometrics," he says. "The law doesn't recognize a right to privacy over anything you reveal to the public, and in this case that includes just showing your face."

Just walking around outside and participating in society could leave some biometric markers open to collection, Bedoya says, raising significant privacy concerns as the technology to track these markers from afar advances.

It's this last part that worries Stanley the most. "In some ways, the biggest privacy concern is that biometrics become used as unique identifiers for pervasive surveillance, so the things that are of the most concern are the ones that can be captured from a distance," he says.

Bedoya and Stanley both doubt that consumers are aware of just how far some of this technology has advanced -- or what it might mean down the road.  "People think of biometrics as this thing out of 'Minority Report,'" says Bedoya. "But the fact is that if you have a driver's license, a passport and a Facebook account, you are likely enrolled in at least three different facial recognition databases."