What are Risks of Storing Biometric Data?

Ever since the rise of biometric applications, there is a major concern looming over this recognition technology: risk of storing the biometric data. The way things are going, it is safe to say that biometrics is the future of human identification, however, this future will stay uncertain unless there are stringent methods employed to protect it against any misuse or security incidents. If people’s biometric data is threatened or stolen, they may start losing confidence in this recognition technology.

In the subsequent sections, we will discuss about biometric data protection approaches, different laws and GDPR.

Image: Social networks can capture face biometric data just by using your images.

Types of biometric data

Regardless of the modality or technology used, all types of biometric acquisitions end up generating some type of biometric data. Biometric data is also a digital data, which can be stored on information systems and processed by biometric systems. Unless saving the raw images of biometric identifiers, processed biometric data is often stored in an encrypted format to safeguard it against any manipulation. When encrypted biometric data is of no use for any entity trying to access it, unless it has decryption keys. Encryption makes sure that only eligible entities can read the data.

Types of biometric data are dependent on types of biometric identifiers used. However, all types of data eventually end up generating digital bits that are stored on secure servers.

On the basis of different biometric characteristics following can be the types of biometric data:

Fingerprint templates
Iris and retina templates
Voice print
2D or 3D facial structure map
Hand, finger geometry map
Vein recognition template
Gait analysis map
DNA profiles
Behavioral biometric profiles

There can be several other types of biometric data depending on the modality, technology and approach used. In security centric applications where multi-modal biometrics is used, type of data will be the combination of the modalities used. Biometric identification is a constantly evolving field and different approaches are worked upon all the time. For example in many behavioural biometric tactics, there are several measures are taken into account to create a user profile. There are even unconventional biometric methods that may go mainstream at some point in the future.

Biometrics and data protection

What would be the worse-case scenarios with your government issued ID card you carry with you all the time? Probably losing it when you need it the most and someone finding it and misusing your identity. However, this sequence of events can be stopped once you acknowledge that you have lost your ID. You can have it cancelled by the issuing authority and get a new one reissued. The same is the case with digital form of identity authentication, if you forget your password, you can create a new once (which automatically turns the old one ineffective).

However, this is where things go differently in case of biometric identifiers: Unlike your government ID, biometrics cannot be reissued or changed if compromised.

Biometric technology works by capturing anatomical or behavioral patterns found in human beings. Each individual’s biometric patterns are different and biometric technology can find this minute difference in these patterns using technological, mathematical and statistical means. Biometric recognition technology has proved its superiority over traditional and other recognition methods; however, permanence of human biometric patterns becomes the strength as well as the weakness of this technology. Your fingerprints or iris patterns are unique as well as permanent, it is a good things when your biometric data is secure, and a very bad thing when it is not.

Information security incidents are another risk of storing biometric data. If hackers somehow reach the repository of biometric data, they can copy it to their storage. Till now there is no reported incident in which hackers of security experts were able to reverse-engineer the biometric data, i.e. creating the original biometric pattern using the biometric templates.

Risks associated with storing biometric data

Like any other personal or sensitive digital information, biometric data can also be exposed to the threats faced by present day information systems.

Risk of data breaches and cyber security incidents

News of data breaches captures the headlines every now and then. Cyber criminals steal account information and even passwords of millions of users every year and despite the repeated events and improved cyber security measures, these incidents keep happening. When a data breach is identified, organizations intimate its users to change their passwords and update account recovery information; however, in case of biometric data, these countermeasures will not help. Biometric templates are secured with encryption and they cannot be reverse-engineered to generate the biometric patterns, however, history tells that all information security countermeasures fall short at some point of time.

Risk to privacy and preferences

What if you stand by a digital display at a shopping mall and it starts showing you ads of a product you search online in the morning? You would probably think it to be a complete coincidence; however, looking at today’s technology, it may not be a coincidence. We have seen online advertisements following us on the web, all it takes is a search on a shopping website to make the products follow you. This approach was not possible for offline world, but now biometrics like face recognition is going to fill this gap.

The digital display you stood by, may have a small camera with face recognition tech and your shopping website may have partnered with your social media service provider to get your facial scans, so that they can show you ads, even when you are not on your PC or phone. Savvy?

The scenario discussed above is one of the many privacy risks that users may face due to uncontrolled use of biometric data. This is why we need privacy laws specially framed for biometric data to curb the uncontrolled storage and processing of biometric data of users or customers.

Biometric data privacy laws

We have discussed above why security of biometric data is of prime importance and how it can affect the user privacy. Soon commercial and business outfits will be collecting more than ever biometric data of users, which can lead to uncontrolled use of this data for commercial purposes. Business outfits may also choose to store or process this data with inadequate data safety measures to save cost. This is one of the many examples where things may go wrong. To ensure security of biometric data and its usage, we need laws specially framed for biometric data. Unfortunately, there are no separate laws for biometric data around the world, and it is processed under the laws written for personal data and user privacy.

In the United States, there is no comprehensive law particularly framed for collection, storage and processing of biometric data of users / customers. However, U.S. states are in the process of enacting BIPA (Biometric Information Privacy Law), which, as the name suggest is the legal framework for biometric information privacy.

While the laws of biometric information privacy are struggling in the U.S., European Union has already made GDPR (General Data Protection Regulation) effective on May 25, 2018. The regulation put biometric data in sensitive category and mandate compliance with it.

GDPR and biometric data

GDPR (The General Data Protection Regulation) EU 2016/679 is a regulation in the European Union region. GDPR aims to protect data and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). On May 25, 2018, the new European privacy regulation called The General Data Protection Regulation (GDPR) came into effect. All the companies doing business in EU and EEA region and collecting / storing personal information (including biometrics) of their customers need to comply with this law. According to GDPR, personal information can contain your name, email address, photo, contact details, bank information, medical data, location, IP address, updates made on social networks etc.

When it comes to biometric data, GDPR puts it in “sensitive” category of personal information and mandates robust protection. As per GDPR, biometric data is:

“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.

Under GDPR requirements, companies will have to justify the need of collecting and processing biometric data of its users or customers. They will also require explicit consent of users or customers for the collection of such data. The GDPR also requires that data processors must implement appropriate “technical and organisational measures” to keep data secure.

Conclusions

Recent surge in biometric applications and their widespread adoption have made it clear that this technology is here to stay. Biometric technology powered identification and authentication is taking over all other forms of establishing or verifying human identity. However, it has also raised the security concerns of the large amount of biometric data adding up every day.

Why we need to protect biometric data? For the same reason we need to protect any other form of identity authentication tool from a potential misuse, e.g. a government issued ID or a password. Since biometric data is stored on connected information systems, it is always a good idea to reinforce the information security efforts to secure data. Modern biometric systems use encryption that further secures the storage and transfer of biometric data. With in-built encryption and best information security practices in place, biometric data can be as secure as it deserves to be.