All seeing, all knowing

Biometrics are increasingly being used to identify individuals in all manner of ways,but are we starting to cross a privacy line?

Once the stuff of science fiction, biometrics that identify people by their physical characteristics or the way they behave are becoming commonplace. A KFC restaurant in China, for example, is already appealing to young customers by using a facial recognition system that allows them to pay for their chicken with a smile.

These days, technology can recognise us by looking at everything from our facial features, fingerprints, iris and vein patterns, to the unique way in which we walk, sign our names or use our keyboards. 

In 2016, NEC Corporation announced that it had developed a biometric that could identify people by the resonation of sound determined by the shape of human ear cavities.

The reality is that biometrics are already part of everyday life, thanks largely to their adoption in mobile phones – the iPhone X is accessed using facial recognition, with the fingerprint recognition of previous iterations all rather ordinary now. 

Not only does biometric information in our passports allow us to pass through borders more quickly, but banks are increasingly using such technology to protect our accounts and transactions. TSB uses an iris scanning system, Coutts has installed voice recognition, while Banco Bradesco in Brazil claims to have reduced ATM fraud to almost nil by adding palm vein scanners to 35,000 machines. 

In the motor industry, Honda, BMW and Volvo are among a number of manufacturers that have unveiled biometric security that requires the driver’s fingerprint to open and start the car. 

And in sport, Ferencvárosi Soccer Club in Budapest uses palm vein scanning to identify banned fans and to ensure that each visitor can only enter their designated section, thereby keeping rival fans apart.   

The technology could soon be used to make travel in major cities easier. Graham Fletcher, Manager of Cubic Transportation Systems’ London research centre, explains that biometrics could pinpoint where a passenger leaves a train so that they’re charged the right amount, or track people who jump a barrier and identify regular offenders. 

Dr Richard Guest, a lecturer in biometric engineering at the University of Kent, heads the EU’s AMBER project, which is looking at the use of biometrics on mobile devices. He explains that there was a major focus on biometric research after the 9/11 attacks in the US, as countries sought ways to improve security. 

“But it wasn’t until four or five years ago that mobile device companies started putting biometric sensors and systems on their devices,” he says. “That represented a fundamental shift in terms of the use of biometrics. When people such as Apple and Samsung started putting biometric systems onto their phones, it was the largest roll-out that had been seen.”

Data protection

One area of research focuses on continuous authentication, by using phones to monitor people on an ongoing basis. It would involve not just biometric sensors but location, app usage and even the way you swipe the phone, so that you’d never have to use a password or a fingerprint when using the device. But this could involve constant monitoring by companies such as Google or Apple, raising privacy questions.  

Indeed, while the potential for biometrics to make our lives easier is undeniable, it presents all sorts of privacy and security risks. When a password is stolen, it can simply be changed, but the same isn’t true of your fingerprint or face. 

Ricky Magalhaes, Managed Security Services Director at Logicalis, says it’s already possible to buy the fingerprints of well-known people on the dark web because waiters, for example, can easily collect them from wine glasses to sell.

“You can steal fingerprints, and the thing about biometrics is that once they’re stolen, you can’t change your fingerprint,” says Magalhaes. “So, it’s not like a passport that you can change once it’s stolen. Biometrics need to be properly protected, because once they get compromised it can cause a huge issue.”

He believes the advantages of biometrics outweigh the risks. But systems are emerging that do everything from confirming the identity of dementia patients before drugs are administered, to recording and transcribing meetings, which means privacy and data security have become critical issues.

Multiple biometrics and security measures can be used to identify people and guard against theft and the misuse of biometric information – and the increasing use of machine learning and artificial intelligence is also helping. Artificial intelligence is smart enough to question suspicious biometrics, so if a facial reading is inconclusive, then fingerprints or voice patterns can be checked.

Regulatory response

Biometrics and other advances in technology have posed a challenge for regulators, because existing regulation has begun to fall behind the pace of change. On 25 May, however, we will see one of the biggest shake-ups for years, when the European Union’s General Data Protection Regulation (GDPR) comes into force. 

The law covers biometrics for the first time, and companies that fail to comply with strict data processing rules face big fines of up to €20 million or four per cent of global turnover. New laws will come into force on the same day in both Jersey and Guernsey with the intention of strengthening data protection on the islands.

Paul Vane, Acting Information Commissioner for the States of Jersey, explains: “While the current data protection regime we have in place in Jersey and Guernsey would broadly cover this kind of information, this technology didn’t really exist when those laws came into force. Technology has moved on rapidly and the law has been stretched to its limits to apply the same principles to emerging technologies.

“GDPR, which has also triggered the revision of Jersey and Guernsey laws, actually specifically mentions biometric data as part of its definitions of special category data.”

Under the Jersey Data Protection Law 2018, companies can be fined up to £10 million for failing to protect data properly. However, Vane says the focus will be on working with companies to help comply, and only those that ignore advice or fail to put a proper action plan in place to ensure they comply with the regulation are likely to face fines.

“No legal mechanism wants to stand in the way of innovation and the data protection law is no different in that,” he says. “There are lots of benefits to using biometrics as a secure method of identity authentication or reducing the chance of hacking by using multi-factor identification techniques. 

It’s a research and analytical tool that leads to brilliant creativity and innovative technologies but ultimately, you’ve got to have a lawful basis to process that kind of information.”

Now that biometrics have become an everyday method of identification, there’s no escaping the fact that they’re likely to become more prevalent. And as criminals continue to grow in sophistication, the public is going to need to be as protected as possible from identity theft.