Slashdot just posted a piece saying that Bloomberg wants to build a database of every valid US worker that would include DNA or fingerprints. This is completely insane, and more importantly it's completely unnecessary.
This is insane because centralization of data is a bad idea. Just look at what recently happened with the analyst at the VA who was robbed of his laptop containing 26 million veterans' records. Imagine a ~150 million worker database containing biometric data. Crazy insane. But again, it's not necessary to build such a database.
I am not against the idea of unique identification via a biometric, but just don't centralize the data. If you want to make sure a person is a valid worker, build a mag card that holds two things:
- Biometric 'signature' of a person's fingerprint stored as a small data file
- Digital signature (with certificate) over the biometric signature, generated by a 'signature authority' with a valid certificate chain.
That's it. What this would do is create a card that can be self-authenticated without any network access. You have a terminal that takes a fingerprint, produces a biometric signature from it, then compares that to the one on the card. The digital signature would be validated against the stored biometric data to ensure the data has not changed since the authority 'signed' it. This terminal could be completely disconnected from any network and still produce a valid result. No log would have to be generated. No loss of privacy would result. If someone had the card, it would be useless without your finger to validate it with. It's just like your signature, just one someone cannot copy without compromising a signature authority.
This is not novel; it's been done before, although there they were trying for much more. The above idea is a simple, cheap way to ensure identity without loss of individual control or privacy and, more importantly, without the need for centralization.
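The offline check described above, as an added Go example that is not part of the original post. It assumes Ed25519 as the signature scheme, a single pinned authority public key in place of a full certificate chain, and a Hamming-distance threshold standing in for a real fingerprint matcher; the names `Card`, `Issue`, `Verify` and `MaxDistance` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"math/bits"
)

type Card struct {
	Template []byte // biometric 'signature' of the fingerprint
	Sig      []byte // authority's signature over Template (Ed25519 assumed)
}
const MaxDistance = 8 // assumed tolerance in bits: two scans of one finger differ
var ErrTampered = errors.New("template not signed by the authority")
var ErrMismatch = errors.New("live finger does not match the card")

func Issue(priv ed25519.PrivateKey, template []byte) Card {
	// Done once, at the signature authority; the private key never leaves it.
	return Card{Template: template, Sig: ed25519.Sign(priv, template)}
}

// hamming counts differing bits, a stand-in for a real fingerprint matcher.
func hamming(a, b []byte) int {
	if len(a) != len(b) {
		return MaxDistance + 1 // malformed scan can never match
	}
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Verify is the offline terminal check; it needs only the authority public key.
func Verify(pub ed25519.PublicKey, c Card, scan []byte) error {
	if !ed25519.Verify(pub, c.Template, c.Sig) {
		return ErrTampered // data changed since signing, or forged card
	}
	if hamming(c.Template, scan) > MaxDistance {
		return ErrMismatch // valid card, wrong finger
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	card := Issue(priv, []byte("constructed-sample-template-0001")) // constructed sample
	fmt.Println("holder accepted:", Verify(pub, card, card.Template) == nil)
}
```

The signature is checked before the finger is compared, so a card whose template was swapped for someone else's fails even when that person presents a matching finger.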