Biometrics and Privacy Law Compliance - Part 1
Part 1: Global Data Protection Regulations and How Anonybit Steps Up to the Challenge
(Note: The following blog is an excerpt of a comprehensive privacy law analysis that was conducted by the Anonybit team. To request a copy of the full report, click here.)
Data protection regulations are driving enterprises around the world to rethink how they manage and protect personal data, from photos and location information to financial, demographic and biographic data, crypto assets and more. One key trend emerging as a result is the growth of privacy-enhancing technologies (PETs), which are expected to be adopted in some capacity by roughly 60% of large enterprises by 2025.
The challenge of biometric security
PETs are taking many shapes and forms to help protect sensitive data and can drive customer loyalty, increased security and more seamless digital interactions. For the biometrics industry, though, the answer is not so simple. The industry has long looked for ways to decentralize stored images and templates and avoid honeypots of information that can be stolen, but all previous attempts at decentralized storage have failed. The reason is generally that the biometric template had to be reassembled into a whole in order to perform a match.
It is a critical problem to solve; biometrics are vital to verifying identity and drive many use cases across our society. Unlike PINs, passwords, OTPs and the like, they cannot be lost, stolen or phished, and they are really the only link between a person and their physical identity. At the same time, biometric data is critical to secure and protect: templates can be reverse engineered and used in injection attacks to impersonate people, and under many data protection regulations even photos are considered biometric assets. Furthermore, as the passwordless future becomes more and more pervasive, we can expect attackers to go after biometric information as a way to impersonate people.
Anonybit addresses this challenge by decentralizing biometrics for both storage AND matching, overcoming the past challenges around biometric privacy. As soon as the biometric image is captured, it gets broken up into “anonybits”, and then both the original image and the biometric template generated from it are discarded from the system. The Anonybit network never receives any raw biometric data. Leveraging multi-party computation and zero-knowledge proofs, the anonybits are stored in specific nodes, while other nodes are responsible for computation and additional processing functions. The anonybits themselves are never reassembled for matching.
Mapping biometric security to data protection laws
Biometric data is generally considered a particularly sensitive data type under most data protection frameworks, and in some cases it is subject to specific legislation. Anonybit’s solution has been designed keeping in mind the ever-expanding number and reach of global and local privacy and data protection laws – from the EU’s General Data Protection Regulation (GDPR), to Brazil’s Lei Geral de Proteção de Dados (LGPD), and the U.S.’s California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA), Illinois Biometric Information Privacy Act (BIPA) and New York City’s biometric data ordinance.
While any robust authentication solution – particularly one reliant on truly unique identifiers like biometrics – by necessity processes personal data, Anonybit’s systems are designed with best practices in mind to address personal data security and privacy requirements, by: minimizing the amount of data collected; limiting the amount of data stored, the locations of storage, and the time data is retained; providing data integrity and confidentiality by maintaining robust security; limiting the purposes for which the data can be used; and providing transparency with respect to the processing of the personal data.
Below we discuss a number of the key privacy and data protection principles that are common across data protection legislation, and point out a few examples of the many laws and regulations that address the requirements for the collection, use and protection of personal data generally, and biometric data in particular.
Transparency and Consent
BIPA Section 15
No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
GDPR Article 7
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
The Anonybit process is designed to facilitate compliance with those legal requirements, including by providing sample consent and notice forms to be provided to individuals before their data is collected and passed through Anonybit’s system, that clearly inform them that their biometric data will be collected and processed by Anonybit for specific purposes, and how long the data will be retained.
Anonybit’s system limits the use of the anonybits to user authentication and matching within Anonybit’s ecosystem, so the biometric data collected from the user can only be used for those purposes, as are disclosed in the biometric consent and notice forms.
Data Minimization, Storage Limitation and Pseudonymization
GDPR Article 5
Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) […]
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; […] ('storage limitation');
GDPR Recital 28
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.
Anonybit’s process for biometrics collection minimizes the amount of data collected to just the biometric information needed for purposes of enrollment, search, matching, and authentication, and a user identifier, and significantly limits the amount of time the raw biometric is retained – full biometric templates are either not handled by Anonybit or are held for seconds or minutes.
Data Transfer and Data Localization
GDPR Article 44
1. Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. 2. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
Despite being decentralized, Anonybit’s system is designed to allow compliance with those requirements, as well as with client-specific concerns. A client can request, and Anonybit can ensure, that a particular deployment of an Anonybit instance is limited to a specified geographic location or environment – all the nodes could be in the United States, the EU, or even a specific user environment (though obviously that last implementation would limit some of the resiliency and decentralized benefits).
Security, Integrity and Confidentiality
BIPA Section 15
(e) A private entity in possession of a biometric identifier or biometric information shall:
(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and
(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
GDPR Article 5(1)
Personal data shall be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Anonybit has kept security and data protection at the forefront of the development of its systems, addressing data security both at rest (while stored) and in use. The multi-party computation and zero-knowledge approach is designed to ensure that even an insider attacker cannot manipulate the system to capture the biometric data. In fact, under current data protection and data breach notification laws, even if the anonybits in a particular node were compromised, there would likely be no requirement to notify impacted individuals.
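The following is an added illustration, not Anonybit's own code or protocol (which this post does not describe in detail), of the general principle behind the "anonybits" described above and the insider-attacker claim in this section: a biometric template vector is split into additive secret shares held by separate nodes, a probe is shared the same way, and the nodes compute a squared Euclidean distance on the shares using the textbook Beaver-triple technique, so no node ever holds a full template and only the final scalar distance is reconstructed. The modulus, node count, integer-quantized feature vectors and the trusted dealer that issues Beaver triples are all assumptions of this example.

```python
import secrets

P = 2**61 - 1   # prime modulus for the arithmetic shares (assumed parameter)
N_NODES = 2     # storage nodes holding shares (assumed; real deployments vary)

def share(x):
    """Split integer x into N_NODES additive shares that sum to x mod P."""
    parts = [secrets.randbelow(P) for _ in range(N_NODES - 1)]
    parts.append((x - sum(parts)) % P)
    return parts

def reconstruct(shares):
    """Sum shares mod P; used only to open the final scalar distance."""
    return sum(shares) % P

def share_vector(vec):
    """Share a template vector element-wise; returns one share list per node."""
    per_elem = [share(v) for v in vec]
    return [[s[i] for s in per_elem] for i in range(N_NODES)]

def beaver_triple():
    """Shared (a, b, a*b) with a, b random; assumed to come from a trusted dealer."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)

def shared_square(x):
    """Shares of x*x from shares of x via Beaver: x*x = c + d*b + e*a + d*e."""
    a, b, c = beaver_triple()
    d = reconstruct([(xi - ai) % P for xi, ai in zip(x, a)])  # x masked by random a
    e = reconstruct([(xi - bi) % P for xi, bi in zip(x, b)])  # x masked by random b
    out = [(ci + d * bi + e * ai) % P for ai, bi, ci in zip(a, b, c)]
    out[0] = (out[0] + d * e) % P   # public constant term, added by node 0 only
    return out

def secure_sq_distance(template_nodes, probe_nodes):
    """Squared Euclidean distance computed on shares; no node sees a full vector."""
    acc = [0] * N_NODES
    for j in range(len(template_nodes[0])):
        diff = [(t[j] - p[j]) % P for t, p in zip(template_nodes, probe_nodes)]
        acc = [(x + y) % P for x, y in zip(acc, shared_square(diff))]
    return reconstruct(acc)   # the only value ever reconstructed

def is_match(template_nodes, probe_nodes, threshold):
    """Authentication decision from the opened distance alone."""
    return secure_sq_distance(template_nodes, probe_nodes) <= threshold
```

The opened masks d and e are uniformly random because a and b are, so a node that sees them, plus its own shares, learns nothing about the template or probe; in a real deployment the triple dealer and the compute nodes would themselves need to be separated and attested.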
Anonybit's revolutionary decentralized biometric authentication infrastructure provides a privacy- and security-focused system for authentication that takes into account today's myriad data protection and privacy laws – from GDPR and BIPA to local ordinances – in a way that few, if any, other similar solutions accomplish. Implementing Anonybit's system allows for a transparent, consent-based biometric solution that minimizes data collection, allows control of data localization, and provides strongly protected storage and management of the data necessary for your authentication processes.
Request a copy of the full legal analysis here.