Privacy and Biometrics: A Short Case Study

Patrick J. Gossman, Ph.D.
Deputy CIO
Wayne State University
Detroit, MI
Overview
• Present a short case study, still in development, to illustrate the “power” of privacy concerns around biometrics
• Discuss key questions that may be raised in any campus deployment
• Lead into an in-depth review of the law
11/18/10
Wayne State University
2
The Situation
• A large urban campus, 100 buildings
• 200 custodial staff, unionized
• Central check-in inefficient, error-prone
• Desire distributed readers so staff can report directly to their work location
• Remote check-in easily spoofed with magnetic stripe card readers
Perfect Solution
• Biometric readers inside all buildings for check-in and check-out of custodial staff
• Biometric readers well-proven technologies, not easily spoofed
• Initial up-front cost, but reasonable maintenance costs
So, why are we installing CARD readers?
• Privacy became a key issue
• Concern about dealing with privacy led to many other questions:
  • Does the technology solve our problem?
  • Introduce other problems?
  • Worth the cost?
  • Maintenance questions?
Biometrics - Privacy Concerns
• How secure are the data?
• Hosted solution, added concerns?
• Who has access?
• What data are we gathering?
• If released, how might it be used?
• How long do we keep it?
• What will be done with it?
Security
• Storage is in highly secure environments
• SAS 70 security audit
• Access to data is strictly controlled by password and role
• All data are transmitted via VPN
What Data?
• Biometric identifier vs. tracking data
• Biometric identifier considered was hand geometry
• Physical images would not be stored
• Hand geometry technology is encrypted on both ends (storage and reader) and of no use if decrypted otherwise
How Will Data Be Used?
• Management reports only
• Reports using biometrics would be no different than if card readers or manual entry of attendance data were deployed
So why are we installing CARD readers?
• No guarantees (are there ever?)
• Technology sounds complex, obtuse
• Don’t trust what you don’t understand
• Don’t trust technology and administration
• Deployment plan with biometrics would close some loopholes, but not all
• Therefore, start with less intrusive process
In Our Case... More Work
• Card readers are accepted and address the first problem of efficiency – staff go directly to work assignments
• Biometrics would help eliminate spoofing and problems with lost cards
• Neither solves absence between check-in and check-out
• Building access is a related issue
In Your Case
• Problem analysis is critical.
• Biometrics are just tools.
• Processes are critical.
• Total plan must be solid, ROI analysis solid, need for biometrics solid, particular technology well chosen.
• Campus culture cannot be ignored.
Closing
• Choose least intrusive technology
• Make it simple to understand
• Transparency is required
• Consider broad participation in decision process to aid adoption
• Differentiate between what is required by law and what is required by your culture
Patrick J. Gossman, Ph.D.
Deputy Chief Information Officer
Wayne State University
Detroit, MI 48202
pgossman@wayne.edu
(313) 577-2085