Consider carefully when consenting to children's biometrics in schools

'Turning fingers into keys'
Credit: kaprik/shutterstock.com

There is a great article written by Brian Patton, University of Oxford, entitled "The trouble with taking biometric technology into schools", that appeared in The Conversation earlier this month, which every parent and student should read before considering using their biometrics in schools.

Other than copy most of the article into this post I would urge a read of the article which succinctly discusses security, effectiveness, implications of a data breach and consent.  

Schools and biometric companies supplying schools are keen to reassure parents and students that it is not a (pictorial) fingerprint that is being stored but simply a number string -  a number string completely unique and specific to your child's 'bio' body 'metric' measure.

Patton makes the valid point that:

"For other biometric data it's important to remember that what is being matched within the computer is not, say, one fingerprint against another. It is a set of data drawn from the features of the scanned body part – a numerical abstraction. Steal this key and you have effectively stolen that part of the person."

He also goes on to say that,

"...a  data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives.

And therein lies another issue: with the potential for life-long consequences, are pupils, some below the age of 16, competent to opt in to such a scheme? And what of those who opt out? It's one thing to ask adults to weigh up the balance between convenience and risk, but there are two likely issues that would make this harder in schools. There is an inbalance of power between those wanting to implement the technology and those subject to it.  This raises serious concerns about informed consent – perhaps one of the reasons why in 2012 using biometrics was banned in English state schoolswithout parents' consent."

It is unclear if there have been any data breaches of biometric databases in schools as the UK Information Commissioner's Office (responsible for the UK Data Protection Act), in response to a Freedom of Information request regarding compromised biometric databases specifically in education, are "unable to conduct an electronic search of our system using the term ‘biometric’" and so could not supply information on if there has been any data breaches of children's biometric data in schools.

There are potentially long term, unknown consequences to this biometric technology used on the youngest generation in society - we are experimenting with it on our children in schools for daily activities that can be easily undertaken, quite adequately, without the use of biometrics.

I guess an individual will only know when their biometric data has been compromised when in the future they hit a problem regarding their biometrics.  How will they know when it was compromised, by whom and where their very personal digital identity has gone? 

In the words of Brian Drury, IT Security Consultant:

"Once a child has touched a [biometric] scanner they will be at the mercy of the matching algorithm for the rest of their lives."

Compulsory fingerprinting for primary school children in Australia

Fingerprinting children in school, especially primary school children, is a contentious issue - with parents and children having the right in the UK not to participate.  Schools must seek written consent to take and process a child's biometric data.

Not so in Australia it seems.

In this article it reported that East Para Primary School has told parents they have "no choice" in the matter for a school registration system that will eventually be introduced for parents too if they want to enter the school.  The school's current newsletter states the same blerb parents have had here in the UK reassuring that no image of the fingerprint will be stored, it cannot be reconstructed and the biometric data will not be given to government or agencies... but put plainly it is a biometric mark/measure of your child's body, in this case a fingerprint, that has to stay secure, safe and never be compromised.

Giving up ones biometric may not be considered a proportionate use of personal data.  Parents should be able to decide what level of privacy they want for themselves and their children in this respect.

The article 'East Para Primary School pupils to have fingerprints scanned as part of new student attendance record-keeping program' goes on to report:

School mother Sandra Tomasin said she was disgusted by the move and immediately rang the school to ask that her Year 1 son be exempt from the program.

“They have told me that I have no choice,’’ Ms Tomasin said.

“It is an invasion of privacy. I don’t want to let it happen but I want to keep him at the school.’’

Ms Tomasin said regardless of whether or not finger prints were stored by the system, primary school children having to scan their fingers when they came and went to school was outrageous.

Sandra Tomasin is rightly outraged and should have a right for her child to attend school and NOT having to give up their biometric data.

In the UK schools fell short of giving this ultimatum as it was thought to breach Human Rights legislation by denying a service to a child because they chose not to give up their biometric data, any ultimatum of this sort was also on shaking grounds with Article 16 of the UN Convention on the Rights of the Child  (right to privacy) "Every child has the right to privacy. The law should protect the child’s private, family and home life." - which does apply to Australia.

The below statement was made by Privacy International in 2002 about library systems that used children's fingerprint biometrics in the UK to log books in and out.  It is still applicable now.