The benefits – and perils – of commercializing biometric technology.
Biometric technology used to be exclusive to government administration – passports that store fingerprints and faces, or criminal databases that collect the DNA information of people who have been arrested.
In recent decades, the use of biometric tech in the business field has been growing. According to a report by IMARC Group, a market research company, global biometric technologies market revenue reached a value of US$23.5 billion in 2020. The market is expected to grow rapidly in the years to come, reaching a size of $55.42 billion by 2027, according to Statista.
‘Biometric data’ is a descriptor for a person’s physical characteristics, including fingerprints, face geometry, voiceprints, and even iris patterns. Since one’s physiological characteristics can hardly be changed, biometrics serve as long-lasting, accurate identifiers.
This data is now commonly used for identity verification and entry security, for its permanency and uniqueness have made it an apt choice for identity authentication. Numerous companies – including most phone brands – have introduced biometrics like fingerprint and face unlock to replace traditional account-password login.
Electronic payments is another facet where the use of biometric tech is blooming. Banks, such as HSBC, allow customers to access e-banking services via mobile devices, using facial recognition or fingerprints. Mastercard is planning to adopt facial recognition into its secure payments system and has even launched wearable payments, while in many cities in China, facial recognition payments have become the norm.
In the foreseeable future, where digitization is inevitable, biometrics will play a key role in the commercial sphere. The mobility industry is seeking ways to integrate the technology into new generations of electric vehicles. The security industry is also making use of biometrics, with fingerprint verification more extensively adopted in residential households and commercial buildings to avoid the need to memorize passcodes.
Security-wise, biometric tech appears to give people more confidence. A 2019 report conducted by Experian, a multinational consumer credit reporting company, pointed out that security was the most important element of a consumer’s online experience in Asia-Pacific, and 80% of surveyed Chinese consumers regard biometrics to be within the top ten features that enhance their online banking experience.
A false sense of security?
Secure as it seems, the risk of data leaks is often overlooked. The ramifications of stolen biometric data could be drastic, as there is no way to reset your biological traits like resetting a lost password. Due to the high level of security it ostensibly offers, biometric verification is often used for more sensitive and valuable assets – like your bank accounts – which are likely to become hackers’ primary targets.
All these concerns lead to the questions – how and where is our biometrics data being stored? And is it safe enough?
There are various ways of storing biometric data, the safest being storing it on external devices like chips on a smart card or end-user devices like mobile phones. If you are an Apple user, your bio-data for Touch ID and Face ID is stored in an encrypted enclave on your individual devices, which the company doesn’t have access to.
Alternatively, the more cost-effective way to store this data is using a biometric server. Data is put on an external server that allows for verification in multiple locations. However, this is more susceptible to cyber-attacks, which can happen anytime during data transmission via the network.
The 2019 breach of Suprema, a company that provides control access and biometric solutions, served to highlight the vulnerabilities in such a system. It was found that the company’s database, which contains more than 28 million users’ biometric data, can be accessed publicly; some of the highly sensitive data were even left unencrypted and could be altered or removed. Though the full impact of the leak has yet to be seen, it is an alarming sign of how fragile the security systems protecting our biometric data can be.
Apart from the risk of cyberattacks and data leaks, on a technical level, biometric technology might also have a way to go when overcoming its algorithmic bias. Most commonly used tech such as facial and voice recognition are found to be more likely to misidentify users because of their race or gender, and only maintain accuracy levels with Caucasian users.
The risk of misuse: biometric as a privacy tracker
Apart from the risk of cyberattacks and data leaks, there is also mounting concern over the aggregation of bio-data with other PII (Personal Identifiable Information) or non-PII. PII is more sensitive information that can be used for tracing and identifying a person, such as names, addresses, and national ID numbers. Non-PII includes data such as website cookies and aggregated statistics on the use of products.
Paul Wiles, a U.K.-based biometrics commissioner who oversees the public use of such information, said in an interview with Financial Times, “what many big tech companies, and increasingly governments, want to do with data are to link different databases.” Our biometrics play a key role in this massive linking plan because they are unique identifiers that can track a person across multiple databases.
After all, a single data point is worthless, and the more connectable data points, the more valuable a set of data is to a business using it to – for example – sell ads. But if more data is gathered and linked, digital footprints become more difficult to erase, and it makes it even harder for people to remain anonymous. Most problematically, consumers are rarely consulted before their data is aggregated.
This begs the question of whether more vigorous collection of bio-data is a good idea when it is likely to be a catalyst for data linking, exposing consumers not only to greater cyber-risks, but to businesses who want to leverage personal data for commercial gain.
The future: enhancing cyber resilience and data protection
Despite all the probable risks, it is impossible to let go of this technology now that the world wants to march toward building smart cities that provide people with convenience and quality services.
Perhaps like most of the exciting inventions introduced in the 21st century, the key to truly maximizing the potential of biometric data is minimizing the risk of its misuse, without setting undue restrictions that might stifle its potential benefits. Achieving this goal requires a collective effort between both the government and private companies which collect and handle users’ data.
Governments are also working to introduce regulations into the biometric data space. The EU, for instance, has been on the frontier of privacy protection with its General Data Protection Regulation, which makes it clear that the collection of biometric data requires explicit consent, and people are entitled to the right to be forgotten – the right to withdraw and delete any data collected on them.
Several states in the United States, such as Illinois and California, already have biometric data protection laws that place limits on the capture and use of biometric information. Other states like New York and Virginia are also putting biometric data regulations onto their legislative agendas.
On the other side of the world, in Asia, where citizens’ privacy rights may be less of a priority due to these countries’ political landscapes, there is also a waking awareness to these issues among the public, and demand for better regulation of the commercial collection of biometric data.
In November last year, a Chinese court ruled that a wildlife park’s use of facial recognition for its entry system was not legitimate. The case was brought by a law professor and was the first case in China, a country that is known for its widespread application of surveillance technology, to regulate the unauthorized and excessive collection of personal data. In December 2020, China also drafted new guidelines on the collection of personal data through mobile apps.
The court judgment was a move to allay the mounting public discontent regarding surveillance in commercial areas, and signifies the state’s attempt to bring business use of biometric data under regulatory control.
Before sound regulations come into place, companies themselves need to commit to providing better privacy protection. There should be proactive moves toward making sure that consumer consent is adequately obtained before collecting their biometrics, and that the data is ultimately stored using secure infrastructure.
While both the commercial world and consumers are thriving on the benefits offered by new technology, the security and privacy concerns that follow should not be taken lightly. Businesses and governments should be sensitive to the inherent conflicts between the utilization of bio-data and data privacy, and work out a sustainable way of incorporating this technology into business operations.