Biometric technology vendors are shifting their focus to midsize and small firms. This generates huge risks that have been neglected until now.
How many cards do you have in your wallet? In the wallet of a typical European, you can find an ID card, a driving license, one or two discount cards for restaurant chains, up to five cards for petrol stations or supermarket chains, health insurance, and car assistance. Now try to imagine that each of these cards is replaced by a biometric entry in a database: fingerprint, voice, face geometry, iris, rhythm of walk… Wallets would not be so overloaded, there would be no need to deal with card losses, and companies would improve their insight into customer behavior.
Do you think it is unrealistic? It was the prevailing vision at the Connect:ID trade show and conference, which took place a few weeks ago in Washington, D.C. We introduced technological innovations for anti-counterfeit protection of physical ID cards and passports. However, most of the participants focused on biometric readers, information systems for storing biometric data and, most strikingly, on big data tools tuned for biometry.
Iris readers for everybody
The main trends can be summarized as follows.
1) A growing number of biometric features are used for definitive identification and authentication of a person. There is no need to rely on fingerprints. Fingers, iris, voice, face geometry, moves… Rhythm of walk and heartbeat are innovations of this year. There is almost no part of the human body that cannot be used for authentication.
2) Readers are becoming more available, smaller and cheaper. There is a growing number of extensions for smartphones and notebooks.
3) Because the market of governments and authorities is close to saturation and competition is limited to quite a small number of players, most vendors try to sell to smaller entities, such as hospitals, towns and universities, but mostly companies. Business models are adapted to smaller customers. You do not need to buy hundreds or tens of contact points. You can select just three readers, the server can be replaced by any notebook, etc.
This must result in the situation described above, with unforeseeable consequences and an unknown impact on user privacy. Very likely, it is only a matter of time before most biometric information is compromised. Because much of it can be copied, such security incidents will generate a high risk of identity theft for the rest of your life. You can change your card if its number is compromised. You cannot change your fingerprint, voice, iris, etc.
Too easy destruction of privacy
Users may refuse to accept biometric solutions, but do not bet on it. Some users will refuse to use them. But experience from legacy projects, such as voice identification in Tatrabanka, shows that most users are ready to trade privacy and security for comfort. Moreover, reading biometric data is getting easier and easier. "Mrs. Smith, please look into the camera." There is not even a need to take glasses off; the database entry is completed in a few seconds. Face geometry can even be read from a portrait photograph.
Growing pressure for implementing biometric solutions, selling databases and automated data mining can therefore be expected. Most vendors do not worry about security issues. A direct question to representatives of the industry association was answered: "We already recommended implementing strong security measures" (without a more detailed definition). And that's all. The only skeptical view was expressed by a representative of Homeland Security, who stated that any transfer of biometric data through public communication networks is unacceptable, even if the data are encoded.
Self-regulation does not work
We cannot expect anything else. The sales departments need to meet their quotas. It is not their job to take care of all the consequences. They are in a situation of: if I do not sell, somebody else will.
In theory, such issues should be mitigated by industry associations. However, companies are not represented by gray-haired men with many years of experience in technological development or security projects. The companies are represented by sales and marketing people who are actively interested in sales growth. It is no wonder that risks are underestimated.
It is a task for governments. Instead of mechanical "support of any technology innovation", governments should ensure that:
- a) Users understand the situation, including difficult issues
- b) Information security is perhaps not perfect but at least at a respectable level
- c) There is a backup solution in place that enables people whose biometric data have been compromised to continue a normal life.