In part 1, we covered the brilliance of biometrics including increased security and convenience. There’s a lot of biometric data out there already and loads of research in this area making it more of a daily reality.

Generally speaking, it’s all very good news, but this post is a word of caution highlighting some of the risks of this technology.

Biometric data for authentication

How many fingers do you have? Easy – eight fingers, and two thumbs. What about your other biometrics? One face, two ears, two eyes and one set of DNA.
You don’t have that many really. So what happens if you start losing them? Not physically losing a finger in some Tarantino-style act of violence. But rather what happens when someone else steals your biometric data?
You can’t change your fingerprint. Once it’s stolen, you can never trust it. In fact, you need to mark it globally as unusable.

Some biometric data is easily captured without you knowing it. For example, analyzing a photo of your face, lifting your fingerprint from a glass or picking a strand of loose hair from your coat.
When compared to a password that should only really be stored in the depths of your mind, biometric data is actually more vulnerable than you may think.

Storing your measurements

To match the convenience of a password used with a cloud software service, your biometric data would need to be moved off a device so that you can log in from anywhere. Now, all of a sudden, some of your most unique and personal data is stored somewhere that you don’t know about. Does that make you feel comfortable?
Losing this sort of data has already happened. In September 2015, the Office of Personnel Management had 5.6 million fingerprints stolen. That’s a lot of people who potentially can never use a fingerprint scanner system ever again.
India has a hugely successful biometrics program with a database of over a billion fingerprints and iris scans. Imagine the impact of having all that data stolen.

The legal implications

It seems the industry is yet to work out the legal implications of storing and using this highly personal identification information.
Facebook has the largest ‘face database’ in the world with over 350 million images stored. Many of those images have been dutifully tagged by us with location information, names of people featured, relevant event information and date. Some of this information is automatically tagged.
Earlier this year, there was a lengthy court case against a video game publisher and its right to collect and store players’ biometric data. The publisher won the case. This result demonstrates that as long as you’ve agreed to its T&C’s, a company has the right to store and use your data.
In 48 states across the US, it’s totally legal to use an image of you to recognize you without consent (only Texas and Illinois do not allow it for commercial use). So your image captured by Company X could be reused to identify you by Company Y and Z.
Imagine walking into a new car dealership and having your image automatically recognized without your knowledge. After being warmly greeted by a sales advisor who seemingly remembers everything about your last encounter, you would feel pretty special. Equally, what kind of treatment would you get if your reputation isn’t so good?

What about privacy?

Some people argue that the promise of absolute authorization via biometrics has a negative implication – privacy. For example, an ambiguous name and password combination could be used by someone to buy something online, masking the identity of the actual purchaser.
On the other hand, a purchase made using a fingerprint unmistakenly pins the owner to the purchase or activity. The privacy argument in such a case is that sometimes, for some reason, you might like to make a purchase or use a service with a degree of anonymity. Using a biometric marker erodes that right. It’s a cash vs credit card argument and it boils down to trust or the lack of it.
So herein lies the kinks – who collects, stores, and uses your ultra-unique biometric data? Who do you trust to do that? Also, what are your legal rights to sharing and selling that information?

Passwords still relevant

Passwords have problems too, but having thought about them next to biometrics, they are still powerful. You can have tonnes of them and hopefully, if you’re following best practice, they are all different and all complex.
If you forget a password or have it stolen, it’s no real problem. Generate a new one and off you go.
Want to create a new account on that forum and stay anonymous? Go ahead and use a random username with a brand new password.

2017 and beyond

So perhaps the short-term answer here is to continue to develop biometrics, work out the kinks in the technology and address the legal questions.
I would be genuinely cautious about companies and institutions building huge biometric databases and how they use that information. History supports this concern where we’ve seen such rich resources falling into the wrong hands or being used without care.
Biometrics is an innovative tool for security but don’t forget your password just yet.
[text-blocks id=”gdpr-mobile-implications”]