Biometrics: Appropriate & Ethical Use

Thursday, 1 August 2019

Authentication in computer systems means validating that you are who you say you are. There are many ways to authenticate users these days, and they have important implications for privacy. Username and password combinations are problematic, yet we don’t really have great alternatives at this point.

Fingerprints and facial recognition systems are the most common forms of biometric authentication, and are already used in many smartphones. They are certainly convenient, but come with security and privacy problems of their own. If this biometric identification data is collected and stored, it may well be altered or stolen.

All of your private data is at risk if secured by biometric identifiers. These systems are vulnerable to attack whether they rely on fingerprint matching, facial recognition, retinal scans, gait, voice, vein mapping, DNA or other identifiers. To add insult to injury, once compromised these biometric identifiers cannot just be changed like a password. When they are compromised, you have little recourse. Your biometric data is both intimate and immutable!

This is not simply an issue of smartphones being able to be unlocked using real fingers or faces while the owner is asleep, under arrest, dead, or not aware that they are granting access. When biometric data is the means by which we identify ourselves, it is vulnerable and an attacker can impersonate us.

Governments claim that facial recognition and similar technologies can be used to improve border security, combat terrorism and identify criminals. Big corporations use these to identify individuals, in hopes of selling their behavioral data, or more effectively selling products to them. Yet neither has demonstrated that they can secure such data over time, let alone disclose what it’s being used for, who it’s being shared with, who has access to it and how, what their data retention policies are, whether or not it will be sold, what rights the original data owner has if any, what their responsibility is once the data has been stolen or lost, and so on.

In fact these systems can be, and are, used for more than authentication: they can be used for surveillance purposes, and are less reliable in this domain. There is little or no control over what correlated data is used to identify people, which companies are allowed to use the information in what ways, who they can share it with and what they are required to do to secure it from theft. As noted earlier, there is little recourse for an individual whose biometric identifiers have been compromised – it is a problem for the remainder of that person’s life.

When nations or companies compile biometric databases they degrade our privacy and the value of our personal identifiers, because they invariably do so without responsible planning. At a minimum the entities that intend to build and use biometric databases should have published policies describing how this data will be managed. Given the track record of governments and corporations securing data, I’d suggest that even these safeguards are insufficient.

Error rates are a contentious issue related to biometric identifiers as well, and for good reason. To investigate error rates we need to provide context. Facial recognition systems, for example, can be used for authentication, as on smartphones, or in systems that try to determine if a face scan matches a face in a database. The former has success rates in excess of 99% while the latter does considerably worse.

Studies like this NIST report on bias in facial recognition systems show that error rates are significantly higher for people of color and females. That makes some use cases unethical. Someone I can’t remember once said, “biometric identifiers are intimate and immutable” and I think we’d be well advised to keep that in mind when deciding where to use and where not to use these as identification systems in particular.

Well that’s quite enough about policy and ethics for now, let’s look at some of the actual biometric identity systems out there and how they work. In the next post we’ll get started with the one everyone fears the most and finds the most fascinating – facial recognition systems.