Privacy agreements are being scrapped as fingerprints, iris scans and voiceprints are at risk of being hocked off through business acquisitions.

Industry experts said biometric privacy agreements can be made void once businesses collecting the data are acquired.

Experts also attacked the security measures used to protect biometric data, and said encryption techniques often touted as infallible are rarely used.

Speaking at the Asia Pacific Aviation and Airport Security Summit in Sydney, Australian Biometrics Institute technical committee member Suzanna Lockhart said biometric data is treated as a commodity in private enterprise.

"Biometric data is sold along with the business in acquisitions, and they can then do what they want with it," Lockhart said.

"Private enterprise is much faster [to deploy biometrics] than the government.

"They are less responsible with data than government agencies and do not put the same effort into research and planning."

Lockhart said biometric systems should be designed around customer values, collect only relevant data, and demonstrate a minimum level of reliability.

She said flashy biometric systems will falter if they lack simple features like fall-back mechanisms for disabled customers, or data collection rules to facilitate legal requirements such as compliance audits.

New South Wales Council of Civil Liberties president Cameron Murphy said regulation is moving too slow to protect customer rights and urged businesses to sign the industry-formed Biometrics Institute Privacy Code.

"Legislation is playing catch-up with biometric technology and the vendors are flying ahead [with biometric development] without any concern for privacy implications," Murphy said.

"It reflects badly on how important privacy is to the industry and will result in a lack of public confidence when it is time for them to give up their information when adopting biometrics."

Murphy said biometric data is vulnerable to function creep where businesses surrender information to law enforcement or use it for marketing campaigns.

Biometrics will be included in upcoming reforms to the Privacy Act under new powers given to the Privacy Commissioner to amend legislation.

A security consultant who requested anonymity said biometric data is vulnerable in the hands of the private sector because there is no minimum security standard.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.