Privacy, personal nature of biometrics don’t necessarily mix

As individual identifiers are used more often, the legalities become muddy

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Using bio­met­rics to ver­i­fy one’s iden­ti­ty is no longer some­thing you’d expect to see only in a Hol­ly­wood depic­tion of a dystopi­an future. Bio­met­ric iden­ti­fi­ca­tion has been in prac­ti­cal use for a while now, and the tech­nol­o­gy is get­ting more sophis­ti­cat­ed every day.

As you might expect, pri­va­cy con­cerns have arisen along the way. And now the legal ram­i­fi­ca­tions are get­ting more complicated.

Wash­ing­ton state last month passed House Bill 1493: pio­neer­ing leg­is­la­tion for­bid­ding busi­ness­es from obtain­ing or sell­ing bio­met­ric infor­ma­tion with­out the con­sent of the indi­vid­ual. Gov. Jay Inslee is expect­ed any day to sign the new law, which is direct­ed at con­cerns about the use of bio­met­ric iden­ti­fiers to com­mit iden­ti­ty fraud.

Robert Capps, NuDa­ta vice pres­i­dent of busi­ness development

I recent­ly sat down with Robert Capps, vice pres­i­dent of busi­ness devel­op­ment at NuDa­ta, to dis­cuss these devel­op­ments. Based in Van­cou­ver, British Colum­bia, NuDa­ta sup­plies sys­tems that help ecom­merce com­pa­nies and banks detect and pre­vent online iden­ti­ty fraud. It does this by study­ing nuances of how an indi­vid­ual inter­acts with his or her com­put­ing device, such as how he or she types on, touch­es and even holds his or her com­put­ing device. Here are a few take­aways from our conversation:

Bio­met­ric iden­ti­fiers defined. These are unique phys­i­cal or behav­ioral char­ac­ter­is­tics of indi­vid­u­als, includ­ing fin­ger­prints, reti­nal scans, voice­prints, facial recog­ni­tion, and even the dis­tinc­tive way a per­son walks and moves. Heart­beats can even be used to authen­ti­cate users for access not just to secure loca­tions but also in a wide vari­ety of dig­i­tal services.

Usage becom­ing com­mon­place. It’s no longer that unusu­al for online ser­vices to request data refer­ring to your phys­i­cal traits in lieu of just a user­name and pass­word. And gov­ern­ment agen­cies are increas­ing­ly using bio­met­ric iden­ti­fy­ing tech­nolo­gies to keep places, like air­ports, secure.

They’ll use facial recog­ni­tion, gait analysis—how you walk,” Capps says. “These data points are also used in places like casi­nos look­ing for cheats and crim­i­nals walk­ing into those facil­i­ties. So, any­where there’s a place where you want to tru­ly know who that human is, you’re start­ing to see some bio­met­ric verifications.

Legal ram­i­fi­ca­tions. The new law passed by Wash­ing­ton state leg­is­la­tors impos­es strict cri­te­ria for the sale, lease or dis­clo­sure of bio­met­ric iden­ti­fiers for com­mer­cial use. One bench­mark: The bill makes putting bio­met­ric iden­ti­fiers into a data­base ille­gal with­out the person’s consent—meaning such infor­ma­tion can­not be col­lect­ed surreptitiously.

By con­trast, oth­er juris­dic­tions are dis­cussing the pos­si­bil­i­ty of actu­al­ly requir­ing an iris scan or fin­ger­print or facial recog­ni­tion read­er for cer­tain high-val­ue trans­ac­tions in order to mit­i­gate iden­ti­ty fraud, Capps says.

Every­body has a dif­fer­ent approach to it. Some peo­ple are push­ing to require bio­met­rics online and oth­er peo­ple are say­ing, ‘Oh, we’ve got to be care­ful here because phys­i­cal bio­met­rics can’t be changed, so putting more detailed data out to those data­bas­es to be stolen is a real­ly ques­tion­able propo­si­tion,’” he says.

For a deep­er drill down, please view the accom­pa­ny­ing video.

More sto­ries relat­ed to biometrics:
Is it time to buy a bio­met­ric scanner?
Behav­ior-based user pro­files can help stymie hackers
Embrace bio­met­rics to stay ahead of advanced cyber threats