Privacy, personal nature of biometrics don’t necessarily mix
As individual identifiers are used more often, the legalities become muddy
By Byron Acohido, ThirdCertainty
Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.
As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.
Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.
I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how he or she types on, touches and even holds his or her computing device. Here are a few takeaways from our conversation:
Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also in a wide variety of digital services.
Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.
“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. So, anywhere there’s a place where you want to truly know who that human is, you’re starting to see some biometric verifications.
Legal ramifications. The new law passed by Washington state legislators imposes strict criteria for the sale, lease or disclosure of biometric identifiers for commercial use. One benchmark: The bill makes putting biometric identifiers into a database illegal without the person’s consent—meaning such information cannot be collected surreptitiously.
By contrast, other jurisdictions are discussing the possibility of actually requiring an iris scan or fingerprint or facial recognition reader for certain high-value transactions in order to mitigate identity fraud, Capps says.
“Everybody has a different approach to it. Some people are pushing to require biometrics online and other people are saying, ‘Oh, we’ve got to be careful here because physical biometrics can’t be changed, so putting more detailed data out to those databases to be stolen is a really questionable proposition,’” he says.
For a deeper drill down, please view the accompanying video.
More stories related to biometrics:
Is it time to buy a biometric scanner?
Behavior-based user profiles can help stymie hackers
Embrace biometrics to stay ahead of advanced cyber threats