Biometric technology has become ubiquitous, with applications across many fields. Biometrics make it possible to create and manage identities in places where identification standards were previously scant or non-existent.
They can also supplement traditional, well-established identification systems, and they are replacing passwords and keycards in many settings.
Biometric data loss: What really happens?
Data breaches result in loss of brand reputation, potentially expensive fines, mitigation costs and loss of trust. Stock values drop an average of five percent following a data breach, and CMOs believe the greatest loss following a breach is the reputational impact on the brand.
There have indeed been several high-profile breaches of biometric data in recent years. The OPM data breach exposed 5.6 million fingerprints; the breach of Suprema's BioStar 2 platform exposed biometric data for over one million users; the breach of the Chinese surveillance company SenseNets revealed that the Chinese government was tracking nearly 2.6 million people; and a series of Aadhaar breaches in India exposed identity records of 1.1 billion people.
The magnitude and sensitivity of these breaches demonstrate the importance of solutions that better protect biometric data. A breached password can be reset; a breached fingerprint or face cannot, because biometrics are permanent.
The question of public trust
While law enforcement has been collecting biometric data in the form of fingerprints since the early twentieth century, the emergence of other biometrics has been more controversial.
Several cities have already banned police use of facial recognition, citing concerns over accuracy, abuse and the creation of a surveillance state. A report by Paysafe finds that “consumers are yet to be convinced of the security benefits of replacing passwords with biometric authentication… even if they make payments more convenient.”
The tension between privacy and convenience creates challenges in emerging biometric markets.
Legal responsibilities run parallel to the issue of trust. The American Bar Association has published recommendations that stress the need to “secure with encryption the biometric data at rest and in transit” and to “consider storing less than 100 percent of the entire biometric dataset for an individual.” These legal considerations can be addressed in the technological architecture.
Building in protections
Designing a solution to address these concerns before there is an issue is preferable to reacting after a breach. One proactive method of protecting biometric data is to store an irreversible hash of the biometric rather than the biometric itself.
Hashing differs from encryption in that the hash cannot be reversed. Encrypted data can be recovered by anyone who obtains the key, so a single stolen key can expose an entire data lake; a hashed template has no key to steal and does not reconstruct the original sample. Note that a biometric hash is not a plain cryptographic hash such as SHA-256: two captures of the same fingerprint or face never match bit-for-bit, so the transform must tolerate that variation while remaining irreversible.
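To make the distinction concrete, here is an added Python example (written for this page, not Trust Stamp's or Evergreen Hash's code) that contrasts a plain SHA-256 of a reading with an irreversible, noise-tolerant template built by sign-quantised random projection, a basic cancelable-biometrics construction. The feature vectors, noise model and per-user salt are constructed for the demo and stand in for real sensor output; the construction is illustrative and is not a vetted template-protection scheme.

```python
import hashlib
import random
from typing import Dict, List

DIM = 64    # length of the synthetic feature vector (constructed for the demo)
BITS = 128  # length of the protected template, in bits


def capture(person: int, noise: float, rng: random.Random) -> List[float]:
    """Simulate one sensor reading of `person` (constructed noise model).
    Every capture shares the person's underlying vector but carries fresh
    noise, so two readings of the same person never match exactly."""
    base = random.Random(person)
    return [base.gauss(0.0, 1.0) + rng.gauss(0.0, noise) for _ in range(DIM)]


def sha256_template(features: List[float]) -> str:
    """Naive approach: SHA-256 over the raw reading. Any change in any
    digit changes the digest, so it only matches an identical reading."""
    raw = ",".join(f"{v:.3f}" for v in features).encode()
    return hashlib.sha256(raw).hexdigest()


def make_projection(user_salt: bytes) -> List[List[float]]:
    """Derive BITS random directions from a per-user secret salt.
    Different salts produce unlinkable templates, and a compromised
    template is revoked by re-enrolling the user with a new salt."""
    rng = random.Random(user_salt)
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]


def protected_template(features: List[float], user_salt: bytes) -> int:
    """Irreversible, noise-tolerant template: one bit per random direction,
    recording only which side of that hyperplane the reading falls on.
    Many readings map to the same bit string (the transform is many-to-one)
    and there is no decryption key: the stored bits cannot be turned back
    into the reading."""
    bits = 0
    for row in make_projection(user_salt):
        dot = sum(r * f for r, f in zip(row, features))
        bits = (bits << 1) | (1 if dot >= 0.0 else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def matches(stored: int, probe: int, threshold: int = BITS // 4) -> bool:
    """Accept when the templates disagree in at most `threshold` bits."""
    return hamming(stored, probe) <= threshold


def demo() -> Dict[str, bool]:
    rng = random.Random(2024)
    # constructed salt; a real system draws one per user from os.urandom()
    salt = b"per-user-secret-salt-0001"
    enroll = capture(person=1, noise=0.2, rng=rng)
    same_person = capture(person=1, noise=0.2, rng=rng)
    other_person = capture(person=2, noise=0.2, rng=rng)
    stored = protected_template(enroll, salt)
    return {
        # a plain hash fails even for the genuine user
        "sha256_genuine": sha256_template(enroll) == sha256_template(same_person),
        # the protected template tolerates capture noise ...
        "template_genuine": matches(stored, protected_template(same_person, salt)),
        # ... but rejects a different person ...
        "template_impostor": matches(stored, protected_template(other_person, salt)),
        # ... and a template issued under a new salt no longer matches the old one
        "template_revoked": matches(stored, protected_template(enroll, b"per-user-secret-salt-0002")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stored template is many-to-one and has no key that unlocks it, yet it still matches a fresh reading of the same person and rejects another person; re-enrolling with a new salt invalidates the old template. Sign-projection schemes of this kind lose much of their irreversibility if the salt leaks together with the template, so a production system keeps the salt separate from the template store and uses a scheme evaluated against the ISO/IEC 24745 criteria for irreversibility and unlinkability.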
Atlanta-based Trust Stamp, for example, has created the Evergreen Hash™, an AI-driven solution that stores PII separately from identity hashes. It goes a step further by allowing the biometrics to be destroyed once a hash is created, or to be stored separately from the hash on a secure server.
The legal implications of losing biometric data in an era of fines approaching one billion dollars are sobering. Solutions like hashing allow low-friction authentication with enhanced security, using a tool that already exists and can be implemented with current biometric technology.
Biometric identification will continue to increase. But this growth does not alleviate the moral and legal responsibilities to protect sensitive data from breaches. With technology already available to make this process more secure, it is imperative to continue researching and developing new ways to improve security and protect consumers and citizens.
John Bridge is Director of Financial Crimes Services at Trust Stamp, an Atlanta-based AI-powered biometrics technology company. Bridge was a Senior Inspector with the United States Marshals Service, serving as one of the founding members of the Financial Surveillance Unit. He has been a member of the International Association of Financial Crimes Investigators for fifteen years and serves as co-chair of the Cyber Fraud Industry Group. He co-authored the Certified Cyber Crimes Investigator certification as a founder of the CCCI and is a Certified Financial Crimes Investigator.