The Privacy Act will need to be toughened and guidelines created if the Federal Government wants to use biometric technology in its plans to curb poker machine use, according to a peak technology group.
The government is mulling the controversial idea as part of a deal to secure the support of independent MP Andrew Wilkie.
Prime Minister Julia Gillard warned the states that the government will impose regulation if a mandatory "pre-commitment technology" to curb poker machine use is not in place by May.
Biometrics — which capture data from the body such as finger and iris prints — have not been ruled out as a means of addressing the government's demands, although the government has not mandated a technology.
The Biometrics Institute general manager Isabelle Moeller said that strict national laws restricting the use of captured data would be required to ensure clubs, pubs and casinos adequately protect and do not abuse sensitive customer information.
"Who ensures how data is collected and when it is destroyed? The [Privacy] Act is not specific enough," Moeller said.
She said that biometric data is not included in the Act, and that government agencies and small businesses with revenues less than $3 million are exempt.
The Federal Government is reviewing the Privacy Act in order to introduce a consistent national scheme. It plans to introduce caveats into the Act that will allow it to be more responsive to changes in technology and also iron out inconsistencies in privacy requirements across the states.
The biometric battle has been long fought by the institute and Moeller would welcome its end.
"We would like to see the Privacy Act completed and new information taken on from the institute code."
She said Australia is a privacy laggard compared to many other nations that already have or are implementing tougher updated laws.
The institute is still struggling to get members to sign onto its voluntary biometric privacy code, despite the code having the blessing of the Privacy Commissioner and its content having a unanimous tick from the industry.
Moeller said this is because businesses are reluctant to impose guidelines that may restrict their competitiveness against non-compliant rivals. It would also make it tougher to implement biometrics solutions.
Currently, pubs and clubs are charging ahead with biometrics installs, with little or no regard to the code.
Moeller said one business had purchased a cheap off-the-shelf biometric system online which could place customer data at serious risk if it is not adequately secured.
Any biometric solution used to control poker machine use would also be subject to the many well-publicised spoofing techniques through which users steal and reuse fingerprints from the readers. Such an attack would allow gamblers to sign in as another person and bypass the financial controls.
Instructions on how to conduct the attacks, including how to make a replica finger from gelatine, are freely available on the internet.
"The body heat sensor [within biometric devices] might also be affected by holding cold drinks, but I suspect that this would be minimised," information security specialist Christian Heinrich said. "Obviously, other successful published attacks against biometrics would also apply."
The concerns come ahead of news that pubs and clubs are gearing up for a coordinated and well-financed advertising campaign to smear the government's plans to impose gambling monitoring.
Industry figures have said the campaign will be like the mining industry's mass-media attempt to attack the government's super-profits tax.
Heinrich said the industry could use biometrics as a physiological deterrent within the campaign by appealing to public fears that the technology is akin to "taking one's soul".