The Tug of War Between Biometrics and Privacy
It doesn’t get much more personal than biometric information. Your face, your fingerprints, your irises are unique to you. Given the uniqueness of biometric information, it can serve as a quick, effective key that outshines traditional security measures such as passwords. And the prospect of finding more and more ways to eschew passwords is tantalizing. No more cumbersome jumbles of letters, numbers, and symbols. No more password managers. A press of the thumb on your phone, and you are looking at your bank account. A quick look into a camera at the airport, and you can hurry on your way to catch your flight. You are who you say you are, and you carry that indelible proof with you at all times.
Once you part with that information, any kind of personal data for that matter, you are making a compromise that risks your privacy: accessing a service you need or enjoying more convenience in exchange for your biometrics. You trust that the company or organization taking that information will only use it for what they say they will, and you run the risk that your biometrics will be compromised in the case of a breach.
Biometrics are a part of daily life for many people, and adoption is likely to continue. A 2022 report from facial recognition technology company CyberLink found that 176 million Americans use facial recognition. Among the younger crowd, people aged 18 to 34, adoption is at 75%, according to the report.
How can enterprises and consumers balance the benefits of biometrics with its privacy risks? Four leaders with expertise in privacy and biometrics speak to InformationWeek about its use cases and preserving privacy.
Biometric Benefits
Biometric technology assigns a unique identity to an individual by collecting data on physical features, often from your face, fingerprints, palm, retinas, or irises. Biometric systems may also leverage voice, gait, or signature recognition.
Biometrics isn’t simply about comparing gathered data in its raw form to a stored record. Take facial recognition as an example. “Usually, it’s based on geometric data about … features of your face and like how far your eyes are apart, where the tip of your nose is, what the shape of your mouth is, the shape of your head, where your ears are. They’re using all that information to kind of create a representation of your face,” explains Hal Lonas, CTO of Trulioo, an identity verification company. “So, they boil your face down into a set of numbers.”
Today, biometric systems are put to work in various use cases to verify identity. Airports, government buildings, and financial institutions are among the common places you could expect to encounter biometric systems.
The strengths of biometric identification can combat fraud. Your fingerprint proves you are you before you conduct a transaction on your mobile banking app, for example. At airports, biometric identification is implemented as a matter of public safety. Fingerprint biometrics are standard in background checks. Within an enterprise, biometric systems may be used to prevent insider threats, verifying an employee’s identity before they conduct a transaction.
Among the myriad use cases for biometrics, the argument for this technology is its convenience and its strengths over traditional measures, such as passwords. Biometric identifiers are unique to the individual and difficult to alter or fake.
“It’s very difficult with modern technology to do a spoof or a fake on your biometric,” says Lonas. “Once you present your biometrics and … verify that you really are who you say you are, then it’s almost perfect. We know for sure who you are.”
Privacy Pitfalls
Consent looms large as a sticky privacy issue in biometrics. Surveillance, tracking, and profiling without consent is a significant privacy violation. Do individuals consent to having their biometric information collected? Do they consent to how a collecting organization plans to use that information?
In many scenarios, consent is clear-cut. An enterprise has an upfront policy, and users must give their explicit permission to have their biometrics collected. Think of a banking app; you have to click through a series of prompts before you can start using your thumbprint to log into your account.
In other situations, consent is not so easily addressed. In an airport, for example, it is possible to opt out of facial recognition, but that might be surprising to many. If you decide to say no, you might find airport security is less than receptive. Sen. Jeff Merkley (D-Ore.) declined to have his photo taken for facial recognition at Reagan National Airport and faced resistance from TSA, The Washington Post reports.
Once collected, with or without consent, biometric information is likely stored. And like any other type of sensitive information, it is a potentially valuable target for threat actors. Consumers who share their biometric information are at the mercy of the collecting organizations and the safeguards they have in place.
If biometric information is breached, there is little recourse. Biometrics are more ironclad proof of identity than a password, but that same strength can be a serious disadvantage. You can change your password. Your biometrics? Not so much.
“If your facial parameters or your fingerprint parameters are somehow compromised, let’s say someone could intercept them and reuse them in some way like in the movies. There’s nothing you can do about it, right? You can’t change your face. You can’t change your fingerprints,” says Lonas.
Tina Srivastava, co-founder of Badge, experienced firsthand the compromise of her fingerprints. She previously worked as the chief engineer at US defense contractor Raytheon, and it was standard operating procedure that her fingerprints be stored with the Office of Personnel Management (OPM). In 2015, the OPM was breached and fingerprints of 5.6 million people were stolen, including Srivastava’s.
“Ultimately, enterprises and organizations centrally storing biometric data, in any form, are faced with the constant challenge, risk, and expense of building higher walls to protect the storage of the user’s sensitive biometric information,” says Srivastava.
If compromised, how could biometric information be misused?
Biometrics could be leveraged in a presentation attack in which a threat actor attempts to use an individual’s biometric data to gain access to a particular system. “A classic way [in] which you … attempt to spoof that particular system is to use either a replay or a clone of a particular biometric,” explains Mohamed Lazzouni, CTO at Aware, an authentication software and identity verification services company.
Replay attacks are another tactic. “You might, say, identify that there is a particular service that requires the voice biometric or voice password,” says Lazzouni. “So, you record someone, and you try to play that recording … in the hope that you go through the biometrics.”
While faking biometrics might not have always been easy, GenAI is changing that. Research has shown that deepfakes can be used to trick facial recognition systems. If GenAI successfully fools biometric identification systems, the nefarious aims it makes possible are many and frightening.
While bad actors are a very real threat to consumers who share their biometric data, there is also risk of misuse by the organizations collecting the information.
Biometric information can reveal a lot about you, say your race and your sex. Bias in AI models has already gotten a lot of attention for racist and sexist outputs. If organizations are feeding machine learning models biometric data, their leaders need to be aware of the possibility of discriminatory outcomes.
“Instead of using it in order to deter or stop bad actors, you are using it towards discriminatory outcomes … that’s a disaster,” says Lazzouni.
Regulations
Biometric technology has not gone unnoticed by regulators. A handful of states have laws that specifically address the use, collection, and storage of biometric data. Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, was the first state-level legislation. It is still considered the most robust legislation addressing biometrics and privacy in the US today.
But that doesn’t mean organizations are free to do what they will with biometric data outside of those states. More general data privacy laws apply; biometric data is, after all, personal information. Enterprises leveraging biometrics have to take into consideration state laws, as well as international regulations like the General Data Protection Regulation (GDPR) in Europe. The US has yet to pass a federal data privacy law, but the American Privacy Rights Act (APRA) has the potential to become that law.
The term “patchwork” comes up frequently when enterprise leaders talk about the regulatory landscape for data privacy. It is likely that more laws covering data privacy and biometrics in particular will come to pass, adding to that complex patchwork, before some type of regulatory harmonization is achieved.
“Biometric privacy legislation is gaining momentum due generally in part to more people using the technology and the concern over the rise in GenAI,” says Srivastava.
Safeguarding Biometric Information
Given the complexity of the regulatory landscape and the potential misuse of biometric information, how can enterprises leveraging biometric technology keep that data safe and preserve their consumers’ privacy?
Lazzouni points to strategies like data obfuscation and data anonymization as important techniques to protect consumers. Data obfuscation disguises sensitive information, in this case biometrics, through tactics like encryption and masking. Data anonymization removes personally identifiable information (PII). “You literally strip out the PII from the biometric of origin,” says Lazzouni. “For somebody to really put something back together, they need to know what the original PII is.”
As with any sensitive information, enterprises also need to apply data access controls to biometric information. “Whether that’s siloing biometric information and instituting role-based access controls, that sort of thing, I think it’s a part of your broader strategy around sensitive personal information,” says Ron De Jesus, field chief privacy officer of Transcend, a data privacy and governance platform. Organizations also need audit logs to understand who has seen what biometric information and when.
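An added illustration of the safeguards described above (PII stripped from the stored template, role-based access, and an audit log); it is not code from the article or from any vendor quoted in it. The class, the role names, and the keyed-hash pseudonym are assumptions made for this example, and the sample identifier and template values are constructed.

```python
import hashlib
import hmac
import secrets
import time
from contextlib import suppress

# Hypothetical role names; the article does not prescribe a role model.
ROLE_PERMISSIONS = {"matcher": {"read"}, "enroller": {"write"}, "support": set()}

class TemplateVault:
    """Stores biometric templates with no PII beside them (illustrative)."""
    def __init__(self, link_key: bytes):
        self._link_key = link_key      # kept apart from the template store
        self._records = {}             # pseudonym -> template numbers
        self.audit_log = []            # who touched which record, and when

    def pseudonym(self, pii: str) -> str:
        # Keyed hash: re-linking a record needs the original PII and the key.
        return hmac.new(self._link_key, pii.strip().lower().encode(), hashlib.sha256).hexdigest()

    def _authorize(self, actor, role, action, record_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append({"ts": time.time(), "actor": actor, "role": role,
                               "action": action, "record": record_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{role} may not {action} templates")

    def enroll(self, actor, role, pii, template):
        rid = self.pseudonym(pii)
        self._authorize(actor, role, "write", rid)
        self._records[rid] = list(template)
        return rid

    def fetch(self, actor, role, pii):
        rid = self.pseudonym(pii)
        self._authorize(actor, role, "read", rid)
        return self._records[rid]

    def stored_view(self):
        # What a copy of the store contains: pseudonyms and numbers, no PII.
        return dict(self._records)

def demo():
    # Constructed sample data, not taken from the article.
    vault = TemplateVault(secrets.token_bytes(32))
    vault.enroll("svc-enroll", "enroller", "alice@example.com", [0.12, 0.53, 0.98])
    with suppress(PermissionError):    # denied, but still written to the audit log
        vault.fetch("helpdesk-7", "support", "alice@example.com")
    return vault
```

The link key belongs in a separate secret store from the template records; if both are kept together, the pseudonyms can be recomputed from a list of candidate identifiers.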
Data management is also essential. What biometric information does an enterprise have and where? Do they need to continue storing that information, or can it be deleted? “The concept of data minimization is going to be really key when you’re thinking about using biometric information,” says De Jesus.
There are companies in the biometrics space leveraging various approaches to privacy. For example, Srivastava cofounded identification software company Badge with the intention of preserving privacy in the biometrics authentication space.
“This solution has zero sensitive data storage anywhere and enables seamless user authentication from any device, personal or shared, without the limitations of device registration,” she shares.
Regardless of the approach any enterprise takes to biometrics, the use of this technology must be treated as a business decision.
“So, that’s a big investment. Then you have to think about, [how] I’m going to manage the data, what vendors I’m going to work with and are they managing the data in ways I am comfortable with as an organization, that my risk and compliance and regulatory people can sign off on,” says Lonas. “So, that gets very complicated and expensive.”
With that context, enterprises need to develop and implement policies that are understood and upheld throughout the organization.
Communicating those policies to employees and consumers is an important element of avoiding potential privacy pitfalls. The user group whose biometric information is being collected, whether consumers or employees, should know the answers to several questions: Do I have the ability to consent? Can I opt out at any time? Who will have access to my data? Is it being shared with third parties? How will my data be used?
“The recurring theme is just complete transparency for customers and employees around how we use that personal information,” says De Jesus.
As biometric systems become ubiquitous, the associated risks grow with them. The more information that is stored, the more opportunities for threat actors to target it. The more sophisticated GenAI becomes, the easier it will be to manipulate biometric information. The balancing act of that powerful technology and its privacy risks will be one that needs to be frequently revisited by the organizations that use biometrics and the people whose data is collected.