Wired had an excellent article on deCODE Genetics, which has filed for bankruptcy and will likely be bought up by another company. The concern is that the purchasing company, driven not by passion for the industry but by profits alone, will opt to sell customer data.
It reminded me of the old biometric iris scanner at a secure server collocation facility I once was a customer of. They replaced the iris scanner with an RFID+Fingerprint scanner. I was happy about this, because the iris scanner was old and I had to lean in and stick my eye socket up to this annoying port hole, and then it would only work if I was absolutely still and didn’t breath for 10 seconds. However, my delight turned to extreme annoyance when I asked them “what happened to that iris scanner with my iris data in it” and they couldn’t really give me an answer. When I asked them “Did you just toss it out in the dumpster?”, one guy started to answer but the other one hushed him and they just shrugged their shoulders.
The bothersome thing is that I know my experience is in no way isolated or unique. Biometric data is not disposable like RFID data can be. People always think that RFID is somehow this thing that will forever tie you to some government traceable number… but the great practical privacy benefit of RFID, even implantable RFID, over biometric identification is that it can be blocked or even changed.
At the moment, you cannot change your DNA… and getting fingers or eyes transplanted just to change your biometric signature seems pretty far fetched. So, whatever biometric system you surrender your biometric data to, you better make sure you trust not only the operator of said system, but also their data protection and deletion policies, even if they sell out or fold. From my point of view, once you’re in, you’re in. There is no way to reliably know if your data has been protected, and will be properly handled in the future. My rule of thumb is this; submission of biometric data is permanent and uncontrollable once released.