Patrick J. Gossman, Ph.DDeputy CIO

Wayne State UniversityDetroit, MI

OverviewPresent a short case study, still in

development, to illustrate the “power” of privacy concerns around biometrics

Discuss key questions that may be raised in any campus deployment

Lead into an in-depth review of the law

11/18/10 Wayne State University 2

The SituationA large urban campus, 100 buildings200 custodial staff, unionizedCentral check-in inefficient, error-proneDesire distributed readers so staff can report

directly to their work locationRemote check-in easily spoofed with

magnetic stripe card readers

11/18/10 Wayne State University 3

Perfect SolutionBiometric readers inside all buildings for

check-in and check-out of custodial staffBiometric readers well-proven technologies,

not easily spoofedInitial up-front cost, but reasonable

maintenance costs

11/18/10 Wayne State University 4

So, why are we installing CARD readers?Privacy became a key issueConcern about dealing with privacy led to

many other questions:Does the technology solve our problem?Introduce other problems?Worth the cost?Maintenance questions?

11/18/10 Wayne State University 5

Biometrics - Privacy ConcernsHow secure are the data?Hosted solution, added concerns?Who has access?What data are we gathering?If released, how might it be used?How long do we keep it?What will be done with it?

11/18/10 Wayne State University 6

SecurityStorage is in highly secure environmentsSAS 70 security auditAccess to data is strictly controlled by

password and roleAll data are transmitted via VPN

11/18/10 Wayne State University 7

What Data?Biometric identifier vs. tracking dataBiometric identifier considered was hand

geometryPhysical images would not be storedHand geometry technology is encrypted on

both ends (storage and reader) and of no use if decrypted otherwise

11/18/10 Wayne State University 8

How Will Data Be Used?Management reports onlyReports using biometrics would be no

different than if card readers or manual entry of attendance data were deployed

11/18/10 Wayne State University 9

So why are we installing CARD readers?No guarantees (are there ever?)Technology sounds complex, obtuseDon’t trust what you don’t understandDon’t trust technology and administration Deployment plan with biometrics would close

some loopholes, but not allTherefore, start with less intrusive process

11/18/10 Wayne State University 10

In Our Case. . . More WorkCard readers are accepted and address the

first problem of efficiency – staff go directly to work assignments

Biometrics would help eliminate spoofing and problems with lost cards

Neither solves absence between check-in and check-out

Building access is a related issue

11/18/10 Wayne State University 11

In Your CaseProblem analysis is critical.Biometrics are just tools.Processes are critical.Total plan must be solid, ROI analysis solid,

need for biometrics solid, particular technology well chosen.

Campus culture cannot be ignored.

11/18/10 Wayne State University 12

ClosingChoose least intrusive technology Make it simple to understandTransparency is requiredConsider broad participation in decision

process to aid adoptionDifferentiate between what is required by law

and what is required by your culture

11/18/10 Wayne State University 13

Patrick J. Gossman, Ph.D.Deputy Chief Information OfficerWayne State UniversityDetroit, MI 48202

pgossman@wayne.edu(313) 577-2085

11/18/10 Wayne State University 14