Even though it provides an opportunity to uniquely identify an individual, biometrics come with their own weaknesses. Unlike passwords, if biometric data is leaked, there is no way the user can reuse that biometric feature in the future, given that perpetrators successfully managed to replicate the stolen biometric.
As an organization, if you are processing biometric data, you need to adhere to best practices to process them since they are considered as special categories of personal data (as defined by the GDPR). Hence, appropriate laws and regulations should be in place to reduce the impact to individuals through processing their biometric data.
According to the GDPR, if you are processing special categories of data (including biometric data), organizations have to carry out a Data Processing Impact Assessment (DPIA) to evaluate the risk for individuals and also to take required control measures to minimize the impact. Hence, it is necessary to have international privacy laws to protect individual biometric data with the recent increase use of biometric identifications in new product and services offerings.
What is biometric data?
Due to its unique and accurate form of identification, biometrics are widely used in a number of applications such as finger scans (e.g. mobile phones), iris scans, DNA matching etc. An added advantage of biometrics is the possibility to use them without touching the identification device, for example facial and behavior recognition.
Biometric data for identification and privacy and security issues
With all of the promised usage of biometrics, there are security and privacy concerns as if stored biometric data is leaked, the concerned individuals may not be able to use the breached biometric feature again for any of the above functions.
However without having access to the RAW copy of the biometric, it would be no use with the stolen coded representation of the biometric feature. For instance, RAW fingerprints are converted to a coded representation via Automated Fingerprint Identification System (AFIS). Even though attackers managed to steal the coded representation of the fingerprint, they may not be able to reproduce the RAW format of the fingerprint.
Recent reports showed a researcher accessing a large biometric database (unprotected and mostly unencrypted), which is used by a number of global organizations including UK Metropolitan Police. It was revealed the researchers had access to over 27.8m records, and 23 gigabytes-worth of data including fingerprint data, facial recognition data, face photos of users, and personal details of staff, etc.
One way to improve security would be to use encryption technologies such as hashing to store biometric data as while an attacker managed to access biometrics, they would not be able to access the raw copy or coded representation of your biometrics.
Security best practices can also play a big role in these situations by providing detailed guidelines on how to protect biometric data. For example, the NIST Biometric research and guidelines have helped many government organizations to protect biometrics data. Furthermore, additional guidelines can be provided through international information security and privacy standards such as ISO27701.
The newest privacy information management standard by ISO (ie., ISO27701) provides detailed guidelines for biometrics as one of the important application domains. Therefore, it should adhered to by any organization which is willing to use biometrics for their business processes.
The lack of global privacy laws surrounding biometrics hinder the protection of sensitive personal data across the globe. If the laws are restricted to individual states, countries or regions, it will be difficult to maintain the privacy during the lifecycle of biometric data and enforcing the protection laws and regulations.
For instance, there is no single data protection law in USA, relying on a number of federal and state level laws to protect their citizens. While EU countries have the GDPR to protect sensitive data across the EU and beyond, it is apparent that other big counties are realizing the importance of personal data protection. For instance India is preparing to enact a data protection regulation called Personal Data Protection Bill (PDPB) which reflects fundamentals of GDPR.
Having national or state privacy laws will protect a countries’ citizens when they are using biometric data. However the absence of global or regional privacy laws will hinder the global awareness and acknowledgement of best practices for protecting personal data.
In the near future, we will see increase use of biometrics in wide range of applications. As a general public, we should consider whether our sensitive personal data and your rights are protected by relevant local or country or regional privacy laws.
A lack of global privacy laws will hinder the consistent handling of biometrics across the world. Furthermore, there should be strict guidelines for the controllers and processors of biometric data, and upcoming privacy standards such as ISO27701 will help organizations to establish privacy integrated processing of your data and minimize the impact for individual rights.
Dr Chaminda Hewage- BSc Eng. (Hons), PhD (Surrey) is an Associate Professor in Data Security at Cardiff Metropolitan University, UK. He is an expert in data security and research on human/social factor and emerging threats in cybersecurity. He is the principle investigator of a number of research projects looking at various frontiers of cybersecurity.