September 18, 2022
Privacy Issues With Biometrics & How Businesses Can Mitigate Them
Biometric Authentication Techniques are at the forefront of digital security, allowing individuals to unlock their devices with a simple touch or glance. These cutting-edge technologies are not without their privacy concerns. Imagine having your biometric data compromised, leaving you vulnerable to identity theft and unauthorized access to your personal information. In this blog, we explore the privacy issues associated with Biometric Authentication Techniques, offering valuable insights into biometric data privacy laws, concerns, and implications to help you protect your sensitive information effectively.
Anonybit’s identity management platform is a powerful solution for navigating these privacy issues. By leveraging technologies that ensure these sensitive data sets cannot be compromised or misused, Anonybit equips you with a powerful tool that can be used by your enterprise to prevent fraud, streamline the user experience, and, above all, enhance your compliance posture and protect user privacy.
What Are Biometrics?
Biometrics are measurements related to a person’s unique physical characteristics, including but not limited to fingerprints, palmprints, voiceprints, facial or iris measurements, and more. A person’s biometric data – their specific measurements – can be used as unique identifiers. As tools to collect biometric data become more advanced, it’s important to understand the privacy issues that can arise.
Laws like the European Union’s General Data Protection Regulation (GDPR), Illinois Biometric Information Privacy Act (BIPA), and California’s Consumer Privacy Act (CCPA), are being introduced and considered on a global scale to prevent private entities from collecting biometric information without disclosure and consent, ensure the data is properly protected and specifying fines in the event of a data breach and/or non-compliance
Related Reading
- Biometric Identity Theft
- Biometric Data Security
- Can Biometrics Be Hacked
- Advantages Of Biometrics
- Biometric Privacy Laws
- Biometric Authentication Advantages And Disadvantages
- Biometric Authentication
- Privacy by Design
- Multi Factor Authentication Using Biometrics
How Are Biometrics Used?
Biometrics are commonly used to authenticate a person’s identity. Examples include using fingerprint or facial recognition to access smartphones or facial recognition technology at airport smart gates. Using biometrics to authenticate individuals is also known as one-to-one matching.
In one-to-one (1:1)
In biometric systems, a person’s biometric characteristic(s) is compared to the system’s existing data for that individual. In this instance, the individual has previously provided their biometric information for future authentication purposes and will present an identifier, like a user name or a trusted device, to point to their existing biometric information in a database for identity validation.
A second type of biometric system is a one-to-many (1:N)
A system often used for identifying individuals. This involves comparing an unknown person’s biometric characteristic to other characteristics of the same type in a database. One-to-many systems generally produce a shortlist of potential matches that must be manually adjudicated.
Anonybit’s Multi-Layered Approach
At Anonybit, we help companies prevent data breaches and account takeover fraud with our decentralized biometrics system design. With a decentralized biometrics solution, companies can enable passwordless login, wire verification, step-up authentication, and help desk authentication. We aim to protect companies from data breaches, account takeover, and synthetic identity fraud.
To achieve this goal, we offer security solutions such as:
- Secure storage of biometrics and PII data
- Support for the entire user lifecycle
- 1:1 biometric authentication and 1:N biometric matching to prevent duplicates, synthetics, and blocklisted identities
Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, enable strong authentication to eliminate account takeovers, and enhance the user experience across the enterprise using Anonybit.
Book a free demo today to learn more about our integrated identity management platform.
How Do Biometric Systems Work?
A person’s biometric information is initially entered into a biometric system at a point known as enrollment. During enrollment, a characteristic is collected to serve as biometric reference information for that person. This information may be recorded as raw data (such as an image of the fingerprint) or a digital template. Key features of the biometric characteristic are extracted and processed to create the template, which is stored in a database for future use.
Matching Characteristics for Authentication/Identification
When biometric information is presented at a later stage (often known as recognition), the same process occurs: the person’s characteristics are detected, key features are extracted and then matched against existing templates in the database to either authenticate or identify that person.
Balancing Security and Verification Needs
In many cases, the biometric systems store only the template, not the image of the physical biometric. In some instances, the original images of the enrollment characteristics (for example, selfie images ) may be retained. This may be necessary for manual validation or auditing purposes or if there is a need to update or upgrade the biometric system. However, as we shall see later in this blog, the way the images and templates are stored needs to be carefully considered.
Vendor and Version Incompatibility
The generated and stored templates are usually unique to that biometric solution and even sometimes to the particular recognition engine model. A template generated by one manufacturer’s biometric engine will not be recognized by a system made by another vendor. Sometimes, a template made by an earlier software version from a single manufacturer will not be readable by a later version.
Storing Biometric Templates
Storing the templates is less risky than storing the raw biometric characteristics, such as the selfie image. Notwithstanding, serious attention must be paid to storing the biometric templates as they can be stolen and used in conjunction with other stolen personal data and advanced cyber techniques to impersonate a victim and gain access to a compromised account.
Considerations for Storing Raw Biometric Images
Where raw images of the biometrics are stored, security controls are essential, and regular monitoring and auditing of those controls should be undertaken. Organizations should also consider decentralizing both the raw images and the templates to avoid becoming targets of criminals seeking biometric data that might be used for identity theft.
Limitations Of Biometrics Systems
Failure to Enroll
Issues may arise when creating biometric templates due to poor reference information or physical conditions, which may cause enrollment problems. These can result from difficulties in obtaining high-quality reference data, such as fuzzy camera images or worn-down fingerprints.
False Acceptance and Rejection Rates
Biometric systems can sometimes make errors by matching templates that do not correspond (false positives) or by failing to recognize a correct match (false negatives). This can happen due to the presence of common characteristics among individuals or changes in biometric data over time.
Spoofing Vulnerabilities
Fake artifacts can deceive biometric sensors, especially if countermeasures like liveness detection are not put in place. Spoofing can include downloading a photo of a victim from their social media account, tricking them into providing a voice recording that can be mimicked by gen AI tools and 3D masks for facial recognition. If the right liveness detection protocols are not in place, these tactics can trick biometric recognition systems, leading to unauthorized access to sensitive information.
Irreversible Compromise
Once biometric characteristics are compromised, rectifying the situation is challenging. Compromised biometrics present a long-term security risk, unlike passwords or tokens that can be changed or replaced. If a biometric template, such as a fingerprint, is compromised, it cannot be easily altered. Therefore, if a hacker gains access to a biometric database and extracts fingerprint templates, this information can potentially be used indefinitely for malicious purposes.
Privacy Issues With Biometrics
Consent and Data Ownership
One of the primary ethical concerns is consent. Users may not always be fully aware of how their biometric data is collected, stored, and shared. It is crucial to establish clear consent mechanisms and ensure individuals have control over their biometric data.
Discrimination and Bias
Biometric systems can exhibit bias, leading to disparate treatment among individuals. This bias can be rooted in the data used for training these systems, which may not accurately represent diverse demographics. Despite historical challenges in this area, a lot of progress has been made by the leading facial recognition vendors to eliminate racial and gender bias.
Data Protection
The storage and handling of biometric data pose significant privacy challenges. Ensuring the security of databases that house sensitive biometric information is vital to protect individuals from data breaches.
Related Reading
- Biometric Authentication Methods
- Biometric Data Privacy
- Biometric Data Breach
- Biometric Spoofing
- Device Based Verification
- How Is Biometric Data Stored
- Biometrics In Healthcare
- Biometric Authentication Banking
- Biometric Data GDPR
Which Biometric Privacy Laws Exist?
The following are the most prominent US data privacy laws that specifically address the protection of biometric data:
Illinois Biometric Information Privacy Act (BIPA)
BIPA is considered one of the strictest biometric privacy laws in the US. It regulates the collection, use, and storage of biometric data, such as fingerprints and facial recognition, by private entities. Under BIPA, companies must obtain explicit consent from individuals before collecting their biometric data and inform them of the purpose and duration of its use. Failure to comply can result in significant penalties.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA and its successor, the CPRA, define biometric data as “an individual’s physiological, biological, or behavioral characteristics” that can be used to establish individual identity. These laws grant California residents specific rights regarding their biometric data, including the right to access, delete, and opt out of the sale or sharing of such data. Companies must implement robust data protection measures and obtain explicit consent for collecting and processing biometric data.
General Data Protection Regulation (GDPR)
While not a US law, the GDPR has a significant impact on US businesses that handle data of European Union citizens, including biometric data. It sets strict guidelines on data protection, privacy, and individual rights, requiring explicit consent for collecting and processing biometric data and mandating robust security measures to safeguard such sensitive information.
Other US laws that indirectly address biometric data privacy include:
SCA Protects the Privacy of Stored Communications
The Stored Communications Act (SCA) of 1986 aims to safeguard the privacy of electronic communications while they are in storage. This law protects stored emails on servers and subscribers to email services. Companies must have robust communication security protocols when dealing with biometric data via email. The SCA does not specifically mention biometrics, but they are indirectly covered in the form of stored emails containing biometric data.
GLBA Protects Customer Information Privacy
The Gramm–Leach–Bliley Act (GLBA) of 1999 governs financial institutions’ customer data handling. This act demands financial institutions explain how they utilize personally identifiable information, including biometric data, while protecting it from cybersecurity threats. Financial institutions must also have robust systems and security protocols when analyzing large data sets containing biometric data.
HIPAA Protects the Privacy of Patient Health Information
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards for protecting patients’ private health data. HIPAA requires organizations handling medical records, including biometric data, to implement safeguards to protect Protected Health Information (PHI). To avoid data breaches, organizations must consider cybersecurity risk management, especially when dealing with biometric data.
COPPA Protects the Privacy of Children’s Online Information
The Children’s Online Privacy Protection Act (COPPA) of 1998 imposes requirements on online services aimed at children under 13. Companies that use children’s biometric data must inform users of how and why they collect it under COPPA. Facial biometric data falls under COPPA regulations, and companies must gather and use it fairly and transparently.
Prominent Privacy Lawsuits
A series of high-profile privacy lawsuits involving biometric data have raised concerns about the risks associated with noncompliance with biometric privacy laws, such as the Illinois Biometric Information Privacy Act (BIPA). These lawsuits serve as a cautionary tale for businesses that collect biometric information, highlighting the importance of taking privacy concerns more seriously and implementing robust compliance measures.
Illinois Supreme Court’s Ruling in Rosenbach v. Six Flags Entertainment Corp
In 2019, the Illinois Supreme Court delivered a landmark ruling in Rosenbach v. Six Flags Entertainment Corp., establishing that a plaintiff can be considered an “aggrieved person” under BIPA without alleging an actual injury. This decision paved the way for individuals to seek damages and injunctive relief for biometric privacy violations, even without tangible harm, signaling a significant shift in how courts interpret and enforce biometric privacy laws.
U.S. Court of Appeals’ Decision in Bryant v. Compass Group USA, Inc
Building on the precedent set by Rosenbach, the U.S. Court of Appeals for the Seventh Circuit clarified in Bryant v. Compass Group USA, Inc. that individuals have standing under BIPA Section 15(b) if they have suffered an injury-in-fact, irrespective of whether they can demonstrate actual harm. This ruling further solidified the rights of individuals to pursue legal action against entities that mishandle their biometric data, emphasizing the need for businesses to prioritize compliance with biometric privacy laws.
Facebook Settlement in Patel v. Facebook, Inc
The Facebook BIPA class action lawsuit, Patel v. Facebook, Inc., culminated in a $650 million settlement, marking one of the largest consumer privacy settlements in U.S. history. The case highlighted the potential financial repercussions of mishandling biometric data and the importance of obtaining explicit consent before collecting such sensitive information.
First Jury Verdict in a BIPA Class Action Lawsuit – Rogers v. BNSF Railway Company
In October 2022, the first-ever jury verdict in a BIPA class action lawsuit was rendered in Rogers v. BNSF Railway Company. While the defending company announced its intention to appeal the decision, the plaintiffs’ success at the trial level will likely embolden other individuals to pursue their own BIPA claims, underscoring the growing legal risks associated with biometric data collection.
Illinois Supreme Court’s Rulings in Cothron v. White Castle System, Inc., and Tims v. Black Horse Carriers, Inc
In February 2023, the Illinois Supreme Court handed down significant rulings in Cothron v. White Castle System, Inc., and Tims v. Black Horse Carriers, Inc., further clarifying the legal landscape surrounding biometric privacy violations. The court held that each scanning or transmitting biometric information instance constitutes a separate violation under BIPA, and damages for such violations are discretionary. The court established a five-year limitations period for all BIPA claims, imposing stricter deadlines on legal actions related to biometric privacy violations.
Related Reading
- Biometric MFA
- Biometrics and Cyber Security
- Biometrics Privacy Concerns
- Biometric Identity Management
- Multimodal Biometrics
- Decentralized Biometric Authentication
- Biometrics Integration
- Biometric Security Solutions
- Future of Biometrics
Book A Free Demo To Learn More About Our Integrated Identity Management Platform
At Anonybit, we help companies prevent data breaches and account takeover fraud with our decentralized biometrics technology. With our decentralized biometrics framework, companies can enable passwordless login, wire verification, step-up authentication, help desk authentication, and more.
Comprehensive Security Solutions for Companies
We are on a mission to protect companies from data breaches, account takeovers and synthetic identity on the rise, privacy regulations, and digital transformation. To achieve this goal, we offer security solutions such as:
- Secure storage of biometrics and PII data
- Support for the entire user lifecycle
- 1:1 authentication and 1:N matching for lookups and deduplication
Balancing Privacy and Security with Anonybit’s Integrated Platform
Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, reduce account takeover fraud, and enhance the user experience across the enterprise using Anonybit. Book a free demo today to learn more about our integrated identity management platform.