The capturing of GovTech attendees' fingerprints during the registration process has raised a few questions. Delegates were required to have their fingerprints scanned to allow for access to government's technology conference and exhibition currently taking place in Cape Town.
A number of attendees have raised concerns regarding the necessity of this and the security risk it poses. Conference-goers were not informed beforehand that they will need to provide their fingerprints.
Project manager for GovTech technology, Walter Piepmeyer, says the biometric system was introduced to better monitor entrance into the conference. He explains that GovTech relied on printed tags in the past, which meant attendees would share their tags with colleagues or friends, and people would attend the conference "illegally". This year, SITA boosted the efficiency of delegate monitoring by introducing a biometric system.
Piepmeyer emphasises, however, that this poses no security risk to attendees. He explains the actual visual image of the fingerprint is not stored, only codes generated through "minutiae points" detected on the print. When scanning the fingerprint, the system then recognises the specific points, links it to the code stored on the database and allows for access.
This means the registration company that owns the database on which the information is stored, is only in possession of codes that cannot be converted back into a visual image on the fingerprint, says Piepmeyer. The company has also signed a non-disclosure agreement and will hand over the data to SITA after the conference. This data will then be used by SITA to generate statistics, such as how many people attended the conference, when they entered the venue, how long they stayed, etc.
He says only one person refused to have her fingerprint scanned during registration, after which an alternative arrangement was made to allow for her entrance. Piepmeyer notes he understands that people may be wary of providing their biometric data, but says if attendees understand the technology behind the system, they will also understand there is no security risk involved.
Always a risk
Dawid Jacobs, general manager for Independent Identity Verification, says there is always a risk involved when providing personal information for whatever reason. "Any individual is at risk at any given time, anywhere, where you are asked for your personal information, especially if this is coupled to your fingerprints," he says. "For the identity thief, this is a great opportunity to collect data and biometric data. Remember, biometrics is algorithms. Algorithms can be used, manipulated, changed and deleted."
He says while he comprehends SITA's dilemma regarding the abuse of entrance by attendees, biometrically capturing an individual's fingerprints and other personal data onto a database with an Internet connection is asking for trouble and allows for potential problems. "Biometric fingerprints is the new thing everyone is on about, but truth be told it has a very long way to go before it can protect any individual's identity against ID theft. It has many shortcomings and is fallible to say the least."
He says while the new GovTech system is a better way of monitoring than simple printed access tags, the capturing of personal information without doing it according to the Protection of Personal Information (POPI) Bill, which is not yet signed into law, makes it unnecessary and highly risky for the individual. "Once your fingerprints have been compromised, it stays compromised. If a subject's data is altered on the biometric system, who will be the new person to be identified? This is the scary part - hackers have already proved they will move as fast as technology changes. They already have the capability to enter a 'secure' database. All they need to do is change or delete the subject's data to transact in peace."
He points out that until the POPI Bill has been signed into law, people have no protection against the abuse of their personal information. "Did anyone [attending GovTech] sign a consent form with details about destruction of the data? And in any event, the data has been captured and can be copied prior to the disposal. The POPI Bill needs to be signed into law ASAP."
Share
