Security breaches involving personal data and the inadequacy of the controls protecting this data in many organisations was brought to the top of the news agenda in late 2007, making it something of a watershed year regarding the security of electronically stored personal information at companies. Many businesses are now in the process of doing the work needed to answer the question: “are we next?” - IT security controls are being examined! There has been a huge amount written about this; journalists have had a field day! I’ve read a lot of it and have no intention of continuing the feeding frenzy. Instead, I want to hone in on a particular aspect that intrigues me both professionally and personally, so I hope this will provoke some response. It seems something of a paradox that a cornerstone in the IT security world’s blueprint for providing controlled access to personal data requires … the use of more personal data. I’m talking about Identity & Access Management (IAM) systems and the way that IAM needs strong digital credentials in order to validate online identities. For most purposes today those credentials take the form of ‘secrets’ - passwords, pass-phrases, my mother’s maiden name, my favourite year etc. The evolution of IAM as a discipline within Information Security is demanding better, more robust online credentials. The result is we all have to offer more personal data, more shared secrets to ‘prove’ who we are when online. There has been much abuse of this too. Like many people I’m sure, I get annoyed at being asked to provide personal information such as my home address, my age, my occupation and so on in order to make an online purchase. Why is that? If I walk into a shop I don’t have to tell the shopkeeper anything at all, so why should I risk giving it to an organisation that has little incentive to look after it properly? (- yes, I am implying that data protection legislation needs better enforcement!). This rather blatant data harvesting is not only annoying, it potentially puts my personal information at risk (- yes, I am implying that data protection legislation needs better enforcement!). The demand for better and stronger IAM credentials is a movement, inevitably, towards greater use of biometric information. From an identity credential perspective this is great: here is my credential, a unique, digitised representation of the physical me! This biometric credential is surely much more difficult to subvert than a secret. Unlike a secret, which can be intercepted, stolen or negligently exposed, I can just present the real, unique, physical me to a reader (e.g. fingerprint or iris) and the digitised result is compared to a stored version of … ah, here’s a problem: There must be a pre-existing, validated copy of my ‘digital body part’ stored electronically somewhere. Where does that information rank in terms of sensitivity of personal data? - Surely there’s no information more personal than this? And, remember, this is all for the purpose of enforcing secure control on access to personal information. Isn’t that rather circuitous? There’s work to be done here!