5 Things You Need to Know About Your Biometric Data

You can cancel your credit card, but you can't cancel your face.

A landmark ruling in the Illinois Supreme Court last Friday morning, 25th January 2019, gave voice to the parents of a 14-year-old boy whose fingerprints were taken in the Six Flags theme park without informed consent. The judge in the case held that the plaintiff's rights were breached under the State of Illinois's Biometric Information Privacy Act (BIPA).

The ruling is a sign that new laws governing the use of technology by corporate giants are coming into force and that the rights of private citizens are being recognised. Coupled with the EU's GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act) and many more localised regulations to come, we are starting to see a real pushback against our data being misused or held without informed consent.

The purpose of the fingerprinting was to affirm identity when purchasing an annual pass to the park. So why was this such a big deal?

"Biometric information is uniquely sensitive. You can cancel your credit card but you cannot cancel your face." - Abraham Scarr, director of Illinois PIRG Education Fund.

In a world of deepfakes, identity theft and phishing, both trust and Identity Management have become critical in almost every facet of our lives. Whilst biometrics would seem to be the immutable method for identification, it doesn't come without its risks. The biometrics system market was valued at USD 13.89 billion in 2017 and is expected to reach USD 41.80 billion by 2023.

This shows staggering growth and it's all about us - this is highly personal data. Your biometric data will be the target in the coming years.

1. Fingerprints give access to our smartphones and all of our data

If your smartphone has a fingerprint scanner, it is typically so small that only a fraction of your fingerprint is read each time you hold your finger to it. Fake fingerprints are not that hard to make. Your phone usually takes between 8 and 10 scans of the finger to build the full fingerprint; however, each finger press only has to match one of the stored images to unlock it.

Once your phone is unlocked using a fake fingerprint, it is likely that the attacker will gain access to everything you have on that device.
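The match-any rule described above can be put into numbers. The following is an added illustration, not part of the original article: it assumes every comparison against a stored partial image is independent and has the same false-accept probability, and the 0.1% rate used is a constructed value, not a measurement of any phone.

```python
import math
import random

def match_any_far(per_template_far, templates, attempts=1):
    """False-accept chance when a press unlocks on matching ANY stored partial image.

    Assumes every comparison is independent with the same false-accept
    probability, which is a simplification made for this example.
    """
    return 1.0 - (1.0 - per_template_far) ** (templates * attempts)

def simulated_far(per_template_far, templates, trials, seed=1):
    """Monte Carlo check of match_any_far for a single press."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    accepted = 0
    for _ in range(trials):
        # Match-any rule: one hit among the stored images is enough.
        if any(rng.random() < per_template_far for _ in range(templates)):
            accepted += 1
    return accepted / trials

def max_templates(per_template_far, target_far):
    """Largest number of stored images that keeps the match-any rate within target."""
    return math.floor(math.log(1.0 - target_far) / math.log(1.0 - per_template_far))

if __name__ == "__main__":
    P = 0.001  # constructed per-comparison false-accept rate, not a vendor figure
    for n in (1, 8, 10):
        print(f"{n:2d} stored images: {match_any_far(P, n):.4%} per press")
    print(f"10 images, 5 presses: {match_any_far(P, 10, 5):.4%}")
    print(f"simulated, 10 images: {simulated_far(P, 10, 100_000):.4%}")
    print(f"images allowed for a 0.5% budget: {max_templates(P, 0.005)}")
```

Under these assumptions the false-accept rate grows almost linearly with the number of stored images and with the number of presses allowed before lockout, which is why both limits matter when a sensor reads only part of the finger.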

2. Most people rely on their biometrics to disguise poor password hygiene

Approximately 59% of people still use identical passwords for all of their social media and password-protected accounts and applications, despite the warnings. This means that there is increased danger in using your fingerprint.

If you were to discover that your password was compromised, you would be able to change it swiftly and regain ownership of the application or account. However, if you rely on your fingerprint and someone gets a copy of it, your fingerprint cannot be changed or altered like a password. Facial, iris, voice or fingerprint recognition cannot be replaced.

3. Consumers don't yet understand the implications of using their biometrics

Large enterprises and government agencies increasingly use biometric voiceprints to identify callers to their services. Whilst this has in the past been greeted with positivity due to passwords being "hard to remember", it's not all rosy.

Banks, for example, offer to store your voiceprint in the form of a passphrase. The consumer is led to believe that a phrase such as "My voice is my password" is all the bank has to compare against. In reality, the institution has measured your voice in great detail and stored more than 100 characteristics which identify you as a speaker.

If a database of voiceprints were compromised, there is also the potential to identify an individual in a recording, which definitely wouldn't be part of informed consent for many consumers. As such, the Information Commissioner's Office is investigating a massive collection of over 5.1m voiceprints of taxpayers by HMRC in the UK. HMRC has yet to disclose which other UK government departments have access to these voiceprints.

4. Hacked biometrics can exert a physical toll on your body

Consumers are unaware of the physiological and psychological effects of having their biometric data hacked. When considering consequences such as stolen identity, hacked biometrics can have an enormously detrimental impact on people's lives.

These consequences are not clear or stressed enough when the decision is made to use touch ID or iris recognition.

Stolen identity can create financial hardships and the long-term psychological trauma that comes with restoring an individual's reputation. It also has the ability to take both a social and physical toll. A report from the Federal Trade Commission noted that more than 15% of victims relocated or moved following their identity being stolen, with the same number having to sell possessions to pay for related expenses. 67% of respondents noted feelings of anxiety, one in four feared for their physical safety and a terrifying 7% reported feeling suicidal.

More than 1 in 4 individuals whose identity was stolen were unable to go to work due to the physical symptoms caused by the events.

In 16% of cases reported, the discovery of stolen identity was made more than 3 years after the event. In many cases consumers are ill-equipped, mostly because of a lack of education, to know how to monitor for identity theft.

5. Policies can change and your data can be sold

In the most famous cases, companies such as Google or Facebook started recognising, tagging and/or grouping individuals' faces with the apparent purpose of providing the consumer with enhanced services. However, individuals who simply use the applications as storage for photos will typically be unaware of changes to either Google's or Facebook's policies on how this data will be used, and who would have access to it.

Consumers may enjoy the benefits of tagging or faceprinting but will likely be unaware if a private company sells their faceprint, or the faceprints of their children, on to either a government or police department, or another private enterprise. Last year's events with Facebook and Cambridge Analytica have taught us that policies are there to be breached and data in the wrong hands exists to be misused.