Fueled by increasingly common cybersecurity leaks, vendors seek more secure ways to protect users’ data and financial credentials. Biometric data-enabled devices secure and validate access to systems with a high degree of privacy risks. Many see it as a way to replace usernames and passwords.
Biometric data use has grown over the years from personal computers to building access and is forecasted to be a $45B a year industry by 2024. New technologies such as blockchain and artificial intelligence will only increase demand for biometric data use. Alongside the massive collection and storage of this data, the processing and computational capabilities which use this data have advanced. Sources of data inputs come primarily from the way people interact with their devices and the websites, apps, and digital platforms. In addition to voluntary use of biometric data, the rapid growth of personal devices, augmented and virtual reality (AR/VR), and biometric scanners in consumer electronics have significantly increased the capability of private businesses to capture biometric data. As the prevalence of biometric data collection increases, the risk of personal data leakage grows, making securing biometric data of primary importance. Since this type of data consists of a person’s unique physical or behavioral characteristics, it is impossible to contain the privacy risks once leaked. The confiscation of biometric data by the Taliban in 2021 provides a stark reminder that biometric data use carries a heightened risk for users and administrators alike.
The list of unique physical and behavioral characteristics that can be used to identify individuals continues to grow. This list consists of commonly used identifiers to which a user usually consents, such as fingerprints, iris scanning, and facial recognition. But lessor known biometrics can now be used to identify individuals, such as heart rhythm analysis, gait analysis, and even a person’s unique typing pattern. Collecting this data is often justified as a more secure means of identification and authentication. For example, many smartphones use fingerprint scanning or facial recognition to safeguard against unauthorized access. These safeguards are adequate but have been compromised in the past. While biometric data is complicated to forge, it is not impossible to hack. In 2019 a team of researchers showed that they could lift fingerprints from a glass and use those fingerprints to unlock the owner’s cell phone in a process that took under 20 minutes. This unique personal data presents a challenge when compromised. As the prevalence of biometric information grows, the stakes increase, making securing biometric data of primary importance. The United States does not have a federal law governing the capture, storage, or processing of biometric data.
This piece will discuss the advantages of using biometric data, how your biometrics may be collected, and the opportunities and risks these technologies present. Although it is on the rise, the inherent difficulty in imitating biometric data makes it an appealing option to replace current identification, authentication, and access control methods. Another being the timesaving advantage of using biometric identification systems. We will explore the proliferation of biometric data being used in the workplace and by government agencies.
Biometrics in the workforce
The use of biometrics in the workplace for identification and authentication has been around for some time. The first palm print analysis and iris scans were used for physical access security in the late 1980s. For the 1996 Olympics, palm readers controlled access to the Olympic village. Today, fingerprint readers are widely commercially available and often used for two-factor authentication when accessing computer systems. Some organizations use biometric time clocks to track employees hours using a unique identifier such as a fingerprint and to free employers from manually tracking and verifying employees’ attendance.
A Spiceworks survey of IT professionals found that 62% of employers are currently using biometric authentication technology. The survey data also showed that 57% of organizations use fingerprint scanning technology as part of their authentication process. Nontraditional employee monitoring tools that analyze emails or gather biometric data, have become more popular in the workplace over the years – a study by Gartner found more than half of companies surveyed in 2018 deployed some form of employee monitoring tool, a 30% increase since 2015. Another innovative form of employee biometric tracing is gathered through wearable fitness technology. Through this, employers gain access to an array of health and biometric data.
However, multiple states have introduced biometric privacy laws or other restrictions that require companies to clear hurdles to deploy authentication technology or other biometric tools. For example, employers collecting employees’ biometrics have been targets of lawsuits under Illinois’ Biometric Information Privacy Act [BIPA].
Despite these challenges, the Covid-19 pandemic has sparked an increased interest in “employee monitoring” of staff while they are working from home. These technologies use eye-tracking, always-on video conferencing solutions, and input monitoring which some employees find invasive. Other health tracing tools – from location tracers to heat sensors – has increased as people’s health information is even more important during the pandemic. While the attempts by employers may have been well-intentioned, the technologies also come with the possibility of the information being stolen, leaked, or misused.
Government Biometric Data Use
Law enforcement collects biometric data in fingerprints, mugshot photos, driver’s license photos, and other images and videos that capture a person’s facial features. Several government agencies, including the Department of Homeland Security (DHS), are expanding their use of biometric data. DHS is replacing its Automated Biometric Identification System, or IDENT database, “the largest biometric repository in the U.S. government,” containing biometric data of over 250 million people with the Homeland Advanced Recognition Technology System (HART). The FBI also has a repository of personal identifiable biometric information, the Integrated Automated Fingerprint Identification System (IAFIS). In 2004, interoperability was achieved between these two databases, enabling the DHS to access biometric records from the FBI and vice versa. This cross-agency access to biometric information facilitates an even larger and more accurate database of personal records.
The U.S. Customs and Border Protection Agency Global Entry program expedites clearance for travelers arriving in the United States. It utilizes fingerprint scanning as part of its identification process to speed those travelers along. The Agency is developing and implementing an integrated, automated entry and exit data system to match records, including biographic data and biometrics, of non-U.S. citizens as they enter and depart the United States.
A few departments are even using biometric data to detect their own employees’ identification. The Defense Department is using biometric data for entry into secure areas. The Air Force similarly uses facial recognition software for entry into bases.
Biometrics in our everyday life
Most of us pay little attention to just how often our biometric data is captured and stored. If you live in a major city, you will likely be captured on a camera whenever you leave the house. There are about six cameras per 1,000 people in the United States, with Atlanta and Chicago topping the list of surveyed cities. The proliferation of security cameras means that you are likely recorded every time you enter a store or public transportation. Most of these cameras are capturing and storing your image without processing your biometric data. But in each recorded circumstance, a person’s likeness captured as an image or video can always be run through a facial recognition program. The increased use of police body cameras and personal home video surveillance systems has only increased the likelihood of capturing biometric data in the public space. Over 15 cities have banned the combined use of these systems with facial recognition software.
Apple introduced fingerprint scanners on phones to the mainstream by introducing the Touch ID, an electronic fingerprint recognition feature on its iPhone 5S, in 2013. Since its introduction, many people use facial recognition or fingerprint scanning to access their smartphones. A report by Mercator Advisory Group estimates that 41% of smartphone owners use biometrics. Android and iOS devices secure their biometric authentication by leveraging embedded security modules to facilitate these processes in a manner separate from the device’s operating system. The biometric data never leaves the device. Therefore, if the phone is compromised, a hacker cannot gain access to the info on the module through the operating system. When your phone or apps require authentication, information is collected via the fingerprint reader or camera and sent to the module, where it is compared to the original. The data is not transferred when a person upgrades to another smartphone.
Even with these security measures, there are ways to capture and transfer biometrics from smartphones. One way is through deceptive terms of service agreements. These Terms of Service agreements accompanying newly downloaded applications are most often agreed upon without the user reading the agreement’s contents. This introduces consumers to potentially unwanted access to personal or private information. For example, in 2019, a Russian-owned app FaceApp went viral on social media. The app allows users to upload a picture of themselves and then takes that photo and creates an older version of the subject. This sparked biometric privacy concerns when it was learned that the photos were uploaded to FaceApp’s servers, where AI algorithms were run against it to create the aged version. FaceApp’s terms of service left users with little to no control over their actual pictures after submission:
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”
Google’s Arts and Culture app allows users to take a photo of themselves which is then analyzed to find famous art pieces that resemble the user. As the app captures, analyzes, and stores biometric data (facial recognition) on users, Google has disabled this feature in the app for users in Illinois because of BIPA concerns.
While there is currently no federal law on biometric privacy, Illinois, Texas, and Washington have taken the lead in passing state laws to offer protections for individuals’ biometric data. Most state laws’ definitions, applications, and protections overlap in providing standards and frameworks for capturing, storing, and processing biometric data. One significant divergence is the Illinois right of private action. Infractions in that state can carry a fine of up to $5,000 per person for “intentional” violations. While courts are exploring interpretations of this law, a recent $650 million settlement claimed Facebook violated Illinois residents’ privacy law (BIPA) through facial recognition software that collected user’s biometric information. About 1.6 million Illinoisans will receive payouts of at least $345.
Senator Jeff Merkley [D-OR] introduced the National Biometric Information Privacy Act of 2020. The bill works to address the lack of federal guidance that has left states to go it alone. In the absence of congressional action, citizens are inconsistently and often inadequately protected, while corporations are forced to navigate state-by-state regulations. A first step could be establishing a biometric data privacy framework similar to the NIST Privacy Framework that could help to guide standards for states to follow and build upon.
Once a biometric identifier is compromised, it is unlikely that the victim will use that identifier again. The high stakes for failures make securing biometric data of primary importance. It is not enough to rely on the old policies to protect people on this digital frontier. Nor will it be sufficient to assume that biometric data can be covered under broad stroke privacy legislation. This uniquely identifiable data will need particular attention to ensure that privacy is protected.