Want to use the Web? Your fingerprint, please.

June 2, 2005

Soon, patrons of the Naperville Public Library - at least those wanting to use the Internet - will need more than a library card.

They'll give a fingerprint.

It sounds like something out of a Philip K. Dick novel, but the new requirement is in many ways unsurprising.

The library, like other Internet providers nationwide, has realized computer users aren't always who they say they are. And the technology it will use to check up on them is fairly simple - patrons will press a glass-topped scanner.

In Naperville, the identity swapping consists largely of kids trying to circumvent their parents' Internet-filter rules. But in today's wireless world, users' purposes can be much more sinister: sending spam, looking up child pornography, or, increasingly, trolling for personal information like bank-account numbers and passwords - all under a cloak of anonymity.

The Internet may have changed our intellectual landscape by opening doors to vast amounts of knowledge, but it's also made that landscape increasingly treacherous. Meanwhile, efforts to improve security - whether scanning for fingerprints or requiring more personal information for access to wireless networks - raise questions about how to keep a valuable resource open to all without letting it be abused, and whether it's possible to balance security with privacy.

"I used to be the guy saying we have to have anonymity on the Internet, but now I think it's far more important for us to have an orderly space," says William Murray, a computer-security consultant at CyberTrust.

Not everyone agrees, and moves like Naperville's have some worried that online privacy is endangered. The library says it's doing everything it can to protect patrons. It deletes its log-in files on a daily basis, and doesn't spy on the sites users visit. While deputy director Mark West acknowledges that some may be wary of the fingerprint technology, he hopes a public-education campaign will help explain how it's used and, most important, its limits.

"You can't compare it to an FBI database or anything like that," says Mr. West.

While the Naperville library has had a couple of encounters with the law over Internet use - once when someone was apparently sending threatening e-mails to a local journalist, and once when a man was charged with committing an act of public indecency while viewing a porn site - the fingerprint decision was prompted by the more mundane realization that patrons, especially children, were swapping library cards to sign on to the Internet. Like a number of libraries, Naperville requires a library card and ID to go online, and it allows parents to limit children's Internet access with a filtering system. To bypass filters, kids simply used their friends' cards.

Still, the move worries some privacy advocates, including the American Library Association (ALA). Just the idea of requiring computer users to identify themselves is troublesome, says Judith Krug, director of the ALA's Office for Intellectual Freedom. "They say they destroy the records.... The problem is that while you can delete them from your mail, you have several layers under there," says Ms. Krug. "I understand the question [of Internet abuse] and I'm sympathetic to it, but I don't know how to deal with it. Where do you draw the line?"

That question is becoming even tougher to answer with the proliferation of wireless technology, which has made the Internet more widely available even as it increases the ways people can mask their identities.

Some become "wardrivers," cruising neighborhoods for unprotected wireless signals. Tapping into them can help protect people engaging in illegal activity from being caught. Worse, some hack into wireless networks to read their owners' e-mail or find passwords and bank information.

The proliferation of wireless Internet access in cafés, airports, and cities can also shield identities. "One of the biggest concerns is that people will be able to use these commodity networks in order to do things that they aren't intended for," says Wade Trappe of the Wireless Information Network Laboratory at Rutgers University.

He and others say that public education is critical: Internet users should know never to respond to e-mails asking for log-in and password information, even if they seem to be from a bank, and home wireless networks should be secured.

While most agree on the need for security, the answer doesn't always have to involve trading a name or e-mail address for Internet access. "Both goals are important - we don't want less security or less privacy," says Marc Rotenberg, director of the Electronic Privacy Information Center. "Have better security protocols, but don't impose ID requirements on users."