Euro Security Watch with Mathew J. Schwartz

Biometrics , Governance & Risk Management , Next-Generation Technologies & Secure Development

Biometrics for Children: Don't Share

'Child ID Kits' Carry Identity Theft Risks, Experts Warn
Biometrics for Children: Don't Share

Warning to parents and guardians: Beware of collecting, storing or sharing your child's biometric details, including fingerprints and DNA, even if you're creating a so-called "Child ID Kit." Also, don't allow another organization to store that information unless you've vetted its security bona fides, and don't ever carry such information with you, not even in digitized form.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

That's a privacy alert being sounded by the not-for-profit Identity Theft Resource Center, which provides tips to help consumers protect themselves and defend against identity theft, for example, after their personal or financial details have been put at risk via a data breach.

Eva Casey Velasquez, ITRC's president and CEO, says in a statement: "It is important for parents to understand the best practices for retaining sensitive identifying information" and to ensure that they "avoid creating additional vulnerabilities" in the event that the collected information gets lost, stolen or exposed.

Although parents and guardians can easily assemble a "Child ID Kit" for free, Velasquez notes that there's been an increase in the number of companies selling such kits as a service, sometimes via kids' schools, daycare or after-school programs. Some providers imply that such kits may help authorities respond more quickly in the event that a child gets kidnapped or runs away, by having a child's photograph and physical description immediately available.

It's not clear, however, that such kits offer any reliable upsides to authorities or parents, except perhaps to assuage irrational, kidnapping-related paranoia.

But it's important to weigh the real risks. When it comes to kidnapping, for example, occasional high-profile cases tend to distort our collective view of the actual risk of children being kidnapped, especially by strangers, according to David Finkelhor, director of the Crimes Against Children Research Center at the University of New Hampshire. He says that in the United States - population: 320 million - "children taken by strangers or slight acquaintances represent only one-hundredth of 1 percent of all missing children," numbering perhaps just 115 kidnappings per year, and the number of such cases has been dropping. Similar findings have also been reported in England and Wales, among other countries.

Risk: Exposing Child's Details

Now contrast that with the risk posed by creating a child ID kit, which gathers personally identifiable information, often in digital form, in one location.

"This is all about a balance of risks: Is the risk of exposing my child's details greater than the risk of them going missing, or vice versa?" asks Alan Woodward, a professor of computer science at the University of Surrey.

"Storing such information centrally sounds like a good idea, but I do worry, as it is an obvious target," says Woodward, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. "Before I submitted my children's details, I'd want to know a great deal about the security they employ, and simply saying they use 'military grade' encryption would not be enough. I'd want to understand people, processes and systems in use to secure the details, as it is very sensitive. Plus, who will have access to this data? How will that access be granted? Many questions present themselves."

In addition, for such a kit to be theoretically useful, parents would have to commit to keeping it updated. Let's be real: How many parents would keep it current? "Children have a habit of growing up and they change - you'd need regular updates of photos and descriptions to be of any use," Woodward says.

ID Theft Potential

But collecting, storing or sharing children's biometric information - such as fingerprints and DNA - in digitized form can lead to identity theft risks, ITRC warns (see Stolen OPM Fingerprints: What's the Risk?). For comparison's sake, it points to how identity thieves have exploited Social Security numbers to open bank accounts or take out mortgages in victims' names (see Senate Proposal Calls for VA to Drop Use of SSNs).

"Once this identifier was adopted for multipurpose use, such as credit history, identity theft became a real problem," the ITRC says.

"Biometric information is no different - it is personally identifying information that is starting to be used for many different purposes," IRTC notes. "You can use your fingerprint to unlock your phone, your house, to log into your bank or credit card apps on your phone, and more. Biometrics have already become a part of the identity authentication process just like passwords, Social Security numbers or account numbers. The ITRC believes this is a trend that will continue to grow, and if not now, then soon, there will be an incentive for thieves to obtain this information in order to steal your child's identity."

That's why it suggests that parents and guardians safeguard any child's biometric data just as they would their Social Security card or birth certificate.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.