In September, throughout the United States, school started as usual. But in some school systems, the lunch line had changed. In a Maryland district, for example, instead of paying for lunch with bills and change, students now must scan their palms in order to pay for their French fries and chocolate milk.
Not everyone is happy with the new system. Indeed, some parents have had their children “opt out,” but many parents were not aware of the transition to biometrics until they heard about it on the news or from their kids. Now, parents and civil liberties groups alike are up in arms, focusing on the privacy issues surrounding a public school’s having a databank of kids’ unique biometric data.
In this column, I will examine this new trend, and discuss its privacy implications. I will also discuss the policies that school districts and local or state governments might enforce in order to protect children’s privacy and help parents make informed choices.
Biometrics in Schools: An Emerging Business Model
Biometric technologies are those that automatically measure physiological or behavioral characteristics of a person. Such technologies include fingerprint identification, retina scanning, face recognition and hand (palm) geometry. It is this last type of technology—palm scanners—that is making its way into school lunchrooms across America.
According to news reports, Carroll County is one of the first localities in Maryland to use the Palm Secure system at lunchtime. There, children from kindergarten to 12th grade place their hands above an infrared scanner, which reads and identifies unique palm and vein patterns. The scanner converts the images into an encrypted numeric algorithm. The algorithm is then stored in a database to be used later to identify students and to match their purchases with their unique identifier.
The Palm Secure system is also being used in other schools nationwide, including in Louisiana and Mississippi. The Pinellas County, Florida school system was the first to implement the scanner last year. And in South Carolina, Strom Thurmond High School also deployed biometric identification software. With a majority of students at the school receiving reduced-price or free lunches, the school’s staff sought a student identification system that would work with their current cafeteria and library software.
Biometric identification is being deployed on school buses as well. Palm Beach County school officials currently are considering a proposal that would have the more than 60,000 students who ride a school bus each day there giving their fingerprints on an electronic keypad to board a yellow bus. California’s second-largest elementary school district announced last month that it will begin using biometric fingerprint scanners for its school buses.
One vendor of biometric technology, BlinkSpot, recently announced the national availability of the company’s first-to-market biometric solution for identifying, monitoring, and reporting students as they board and exit school buses. BlinkSpot’s iris-scanning technology recognizes each child through a scan of his or her iris and sends real-time reports to the school, along with an email to each parent verifying the time and the location of their child.
Moreover, this trend isn’t confined to America; in 2010, dozens of Scottish schools introduced biometric systems, such as fingerprinting, to identify pupils as young as four.
As many as 68 schools are now using technology to manage meals, control library books, and even allow access to toilets. Almost two-thirds are primary schools, where fingerprinting and palm recognition can be used to identify young children.
The Privacy Implications of Biometrics: Should Parents Be Concerned?
The key question here is this: Do we really want this sort of intrusive information taken from young children? School districts argue that it’s efficient to get kids through lunch lines as quickly as possible, given their busy school days, which are packed with classes, sports, and other activities. In addition, school administrators and parents alike are concerned about children’s safety as they travel to and from school, and with biometrics, students can be identified and logged in or out of classrooms, buses, playgrounds, and restrooms.
The Carroll County example caused parental alarm due to the lack of prior notice and an opt-out. And no wonder: Parents surely were alarmed and offended at the thought of their children being asked to submit to the scanning and retention of their unique physical markers.
Some of the Reasons Why We Should Be Watchful of Schools’ Use of Biometrics
The reason for parents’ and civil liberties groups’ alarm relates to the ability of government entities (including schools) to link children, or other individuals, to unique markers. In many people’s minds, the taking of fingerprints is linked to criminality. And more broadly, there is fear that surrendering unique data to the government will mean that that data could be used for illegitimate purposes in the future—such as compiling databases that could later be used in unanticipated ways.
Parents and privacy advocates are also worried about the implications of starting to use biometric identification with children at very young ages. They contend that using the technology so early in a child’s life makes the practice seem commonplace. As a result, they argue, students may become desensitized to issues such as whether it is right, fair, or overly intrusive for them to be asked to provide their biometric data in other settings later in life.
Critics thus argue that—acclimated to such practices very early on—children may not question other uses or requests for their data later in their lives. Critics also point out that linking palm scans to grade-school lunches creates a false impression that biometric data and its uses are pedestrian, mundane, and innocuous. Yet once the data is collected, it can be used for multiple purposes, which might not be mundane at all. And of course, the data, once collected, needs to be kept securely—lest third parties seek to appropriate it to use it for nefarious or harmful purposes.
Moreover, there is the larger issue of mission creep: A school that started using biometrics solely for lunch lines may keep a databank for multiple purposes—from tracking students as they travel to and from school, to figuring out which children are associating with one another in clubs and activities. And once the data exists, it can be subpoenaed by law enforcement. These ideas may seem outlandish now, but the more biometrics is used, the more commonplace they may seem. Thus, the implications of biometrics should be considered now, when we can see proposed biometric systems with fresh eyes.
The Religious Objections to Biometrics in the Schools
Interestingly, some parents object to the use of biometric markers not just on privacy grounds, but also on religious grounds.
For instance, when Moss Bluff Elementary School in Lake Charles, Louisiana, wanted to use biometrics to speed up its lunch line, the school district sent out a letter to parents announcing the proposal. However, the district received numerous complaints from Evangelical Christian parents who believe that all forms of biometric ID constitute what the Christian Bible calls “the mark of the Beast.”
Although Scotland deployed biometric systems, as noted above, the EU as a whole may also resist the trend, understanding that unique biological markers may be considered special type of data and therefore, programs would require explicit consent to the use of such data collection by parents of schoolchildren. Privacy in Europe is considered more of a fundamental right than it is in the United States. Thus, in Europe, concerns about efficiency would not override privacy concerns as quickly as might be the case here in the U.S.
Can Biometrics Be Implemented Correctly? Why Parents Want an “Opt In” and Not an “Opt Out”
The Carroll County, Maryland School District believes that its biometrics minimized privacy issues, since the school does not keep an image of the student on file; it only keeps the algorithm, which is uniquely linked directly to one schoolchild. Still, about 20 percent of the District’s parents have declined to have their children participate. (If students opt out, they then give their names to the cashier, who manually processes their purchases).
Still, parents did not like the fact that the “opt out” followed the initial scanning. “I didn’t appreciate how they handled it,” said Mike Richmond, parent of two elementary-school children. Richmond said that the school scanned his children’s hands before sending the opt-out form. “I’m concerned about it,” Richmond added. “I know it’s the way of the future, but it’s fingerprinting, it’s palm-printing.”
A better solution would require parents to opt in to the system. Under the opt-in system, a school district would provide parents with information about the system, including how data will be used, collected, and stored. Some parents may also appreciate being there when their child’s data is captured. If parents are present, they can both communicate their thoughts to the school system and speak to their child more effectively about what is happening.
Details of a Biometric System Need to Be Considered Carefully If Students’ Privacy Is to Be Protected
Importantly, privacy issues should be considered well before a biometric program is deployed. Schools opt for such program with cost savings or security enhancement in mind. They should more deliberately consider the privacy and security implications of such a program and develop a privacy plan at the same time that they implement the biometric system.
Among the important questions districts need to consider are these: What happens if a student opts out mid-year? Will the school then destroy the algorithm? Who has access to the algorithms: School administrators? Cafeteria personnel? An outside vendor? Such questions should be discussed openly, and schools should conduct a privacy-impact assessment before charging ahead. Moreover, parents and school boards should consistently be part of the decisionmaking.
The UK and Scottish Information (i.e., Privacy) Commissioners have both published guidance about the use of biometrics in schools. Both regulators admit that it is not prohibited for schools to capture biometrics from students. In doing so, however, both commissioners have noted the need to implement programs with proper privacy and security features. As the Scottish Commissioner has noted, “certain features of such systems will make them more or less likely to be acceptable on privacy and security grounds. It is important that the information is only used for purposes specified when it is collected. For this reason biometrics applications should be self-contained systems, whose templates cannot readily be used by computers running other fingerprint recognition applications.” The reason? If systems are interoperable and can be used across different systems, this can create linked “de facto” fingerprint databases.
The Scottish Commissioner also refers to the need for many safeguards to be put in place before biometric technology is deployed in schools. The Commissioner notes, for example, that an education authority considering introducing biometric technology into one or more schools will inform and consult both pupils and parents and conduct a privacy impact assessment as part of its planning. And of course, for students who wish to opt out of a biometric scheme, Scottish authorities remind schools that they should provide alternative mechanisms for students.
Which leads to the larger question: Is it always necessary to use biometric technology, when there may be less intrusive means of achieving similar goals? Students could for example, use unique PIN numbers in libraries or lunch lines as a way of paying for their lunches and avoiding cash. They also could carry around prepaid cards, loaded with money, rather than having to scan their palms in order to eat.
One privacy advocate has described a possible “Brave New World” that biometrics might bring: Imagine being tracked with biometrics from ages 8 to 17, and then, at 18, being tracked at your new college or university—without any protest on your part, for tracking is so old hat to you by now, you simply accept it. And that acceptance, in turn, makes you less inclined to recognize privacy threats. If we come to see biometrics as commonplace, then the kids who find their palms being scanned now may soon become adults who find that their irises, too, are scanned wherever they go.
The best way to approach this contentious
issue is to ask what problem we’re trying to solve? And does biometrics represent a proportionate response?
authentication brings great and novel risks. If someone steals your
biometric then unlike a card or PIN or password, there’s no way to
revoke and reissue your ID — you’re probably going to be persona non
grata forever. And if and when biometrics become widespread and used
(albeit naively) as a gold standard identity, their value to ID
thieves will multiply.
So, are schools able to protect these
precious assets with due care? Recent history shows that well heeled
banks, credit card processors, government agencies and security
companies continue to suffer significant data breaches. It’s frankly
inconceivable that schools are up to the task of protecting biometrics
databases, let alone dealing with the consequences of attack by
organised crime. Schools may not even know what sort of risks they’re
running, in creating “honey pots” for biometric identity thieves.
really need to be used sparingly They have a place in data centre
security, but for school canteens, they’re disproportionate and a
disaster waiting to happen.
Stephen Wilson, Lockstep Consulting, Australia.
Frankly, Stephen’s comments paint a much more dire situation than truly exists regarding the management of biometric databases by schools and “hackers” stealing your biometric data to be used with other databases. While it is true that any system has the ability to be hacked by anyone at anytime, I’d like to see an example of a hacker stealing a student’s biometric template (or anyone for that matter), recreating an image and subsequently using it to access the same or another system for nefarious purposes. Please, I’d like to know where this has happened and why it is necessary to make this assumption that an image can be reverse engineered and used for this purpose and then compare this to the situation that schools are facing.
It’s also nice to know that schools aren’t up to the task of protecting biometric databases – I’m curious to know the scientific and historic rationale behind this statement too, which obviously involves intimate knowledge of U.S. school IT infrastructure.
What about the positive benefits of using biometrics for schools that aren’t mentioned in the article? For example, reducing student lunch line wait times, cutting down on bullying, removing the embarrassment of forgetting PIN numbers, etc. I didn’t see any mention of this.
Also, it’s important to note that an iris camera does not scan the retina as mentioned in the article, it photographs the iris and has nothing to do with the retina. With technical mistakes like this in the article, how can one honestly believe that the author has done their due diligence on how the technology actually works to make her arguments even believable?
Big Brother is wacthing?Is this what that is?…
The best way to approach this contentious issue is to ask what problem
we’re trying to solve? And does biometrics represent a proportionate
Biometric authentication brings great and novel risks. If someone steals
your biometric then unlike a card or PIN or password, there’s no way to
revoke and reissue your ID — you’re probably going to be persona non
grata forever. And if and when biometrics become widespread and used
(albeit naively) as a gold standard identity, their value to ID thieves
So, are schools able to protect these precious assets with due care?
Recent history shows that well heeled banks, credit card processors,
government agencies and security companies continue to suffer
significant data breaches. It’s frankly inconceivable that schools are
up to the task of protecting biometrics databases, let alone dealing
with the consequences of attack by organized crime. Schools may not even
know what sort of risks they’re running, in creating “honey pots” for
biometric identity thieves.
Biometrics really need to be used sparingly They have a place in data
center security, but for school canteens, they’re disproportionate, and a
disaster waiting to happen.
I fail to understand why we cannot track students when they use their unique PIN codes or a prepaid cards? In the article it makes it seem that tracking can only be done with biometrics, which is fundamentally incorrect. And function creep can as easily be done with PIN codes/passwords and cards as with biometrics, although nobody ever seems to want to mention that, because that would then mean one less argument against biometrics.
Discussing privacy issues for biometrics is valid, but the arguments pro and con should be discussed for any method of identification/authentication.
Patrick Bours, Prof. in Information Security at the Norwegian Information Security Laboratory, Gjøvik, Norway
[…] their fingers, palms or even iris, in order to keep track and record information, for instance about the schools lunch programs. This has raised many concerns with parents that their children’s privacy is being […]
The UK has banned capturing student’s fingerprints without parental consent, which I applaud.