Calif. DMV tried to sneak in biometrics for driver's licenses, groups claim

"We believe that important policy changes should be determined by elected officials, but that's not what is happening here," Holober said. "This is an attempt to slip something through that really should have been vetted in a hearing process in the legislature," with the public and technologists given a chance to comment on it, he said.

Although thumbprints and facial-recognition software can be useful in deterring crime and fraud, they also pose serious privacy and security risks, he said.

The information contained in the California DMV databases, for instance, is accessible by law enforcement and other government agencies. Without guidelines for access, there's nothing to prevent the biometric data from being used for other purposes, including surveillance, Holober said.

"What if someone goes to a picket line or a protest rally, and someone were to use the DMV repository to profile and track them down because they spoke out on issues?" he asked. "We are not saying this is the intent of the DMV. We are just saying that there are other uses" for biometric data, he said.

The consequences of a data breach involving biometric information are also significantly higher compared with a breach involving nonbiometric identifiers, said Pam Dixon, executive director of the World Privacy Forum in San Diego. "What happens if the data gets compromised and falls into the wrong hands?" she said.

Unlike other forms of identification, such as a driver's license number, a biometric identifier such as a facial image or thumbprint, cannot be changed in the event of a data breach, potentially resulting in lasting problems for victims, added Lee Tien, a senior staff attorney at the EFF. "Basically, any kind of biometric is a piece of information that is uniquely linked to you and cannot be revoked," he said.

Such issues explain the need for "a robust public debate," Dixon said. Academic and security experts need to first study all of the privacy and security implications involved in the collection, storage, use, sharing and protection of biometric data, she said.

"This was sneaky, there's no other way around it," Dixon said. "California has said no to this type of technology with no proper safeguards in the past," she said. Various bills on the use of biometric technology with driver's licenses have been proposed, including Senate Bill 661 introduced in 2001, and Assembly Bill 1474 also introduced that year. "We have a long legislative history in California where this kind of proposal has not made it through," she said.

California is one of several states that has refused to implement the federal Real ID Act which requires DMVs around the nation to adopt new verification standards for vetting the identities of driver's license applicants.

The act, which also calls for the use of biometric identifiers, was approved by Congress and signed into law by President Bush in 2005. Since then, it has faced a maelstrom of protest from states that see it as an attempt by the U.S. Department of Homeland Security to force unwanted ID standards down their throats, while also making the states pay for the program.

Read more about security in Computerworld's Security Knowledge Center.