Biometrics are becoming a fact of life. All security experts agree we will become a biometrically identified society. Yet choosing the wrong biometric can place you in the hot seat for a class action lawsuit and significantly increase your liability.
It is called a privacy law, and most states have one to protect the capture and use of biometric identifiers for employees of state and federal agencies. Several states have laws that extend to companies that may be collecting biometric data. In Illinois, for example, it is called the Biometric Information Privacy Act (BIPA). So if you are asked by any company to give an image of your retina or iris scan, fingerprint, voiceprint, or scan of your hand or face geometry, beware! These are called physical biometrics, and because they cannot be replaced or reset, they are invaluable. If they’re stolen, there is no new set of hands, new voice or face that can be used. This makes some biometrics very risky; many have been hacked already.
If a vendor is collecting these types of biometrics, the laws request they obtain written release in advance from subjects and then provide a written statement about the specific purpose and term of use for their stored biometrics.
Wow, wait a minute… what about all those companies collecting face scans, photos and more? Are they in trouble? And is your institution subject to liability because you are using a vendor who is collecting biometric data? The answer is most likely YES. This is now the basis for multiple class action lawsuits against, for example, Shutterfly and Facebook, who use facial tagging software to identify their users. These are serious lawsuits and could decide the new legal direction for collection of biometrics. But wait. Why provide an image of your precious body parts, a part of your DNA, to the increasing number of companies that ask for these? Do you want to have grocery stores or any company keep a part of you and then be hacked? Is there a safer alternative? Yes, there’s a better way. There’s another type of biometric that is way less intrusive yet just as distinguishing and accurate as other biometrics.
These are called behavioral or dynamic biometrics (they change all the time). There are various types, including a person’s gait, the way they write (gestures), or keystroke analysis. False positives (letting the wrong people in) and false negatives (not allowing access to registered users) vary widely between biometrics, so choose carefully. Otherwise the user experience (akin to road rage if they cannot get into their account or PC) and your security will not meet expectations. Independent testing confirms that gesture biometrics have the highest (best) accuracy levels in the behavioral biometrics class. Because these actions are behavioral and not about capturing images of your body parts (that do not change over time), the risks that come with physical biometrics don’t apply to behavioral biometrics.
Today’s concerns about Big Brother data gathering and invasion of your privacy are very real. We have banks that want you to use selfies, and mobile apps that ask for fingerprints, voice and iris images before you can access your device, and more. We even have proctoring companies asking students to give up images of their body parts, capturing their photo ID or face image and putting this into a nice file, so if hacked, all the students’ information is right there.
We don’t want to stop using biometrics, because the alternatives of using PINs and passwords or hardware-based devices are no longer secure or practical. So you need to look for a better biometric that can be reset. In the event of a hacking intrusion, if the criminals get your biometric data, behavioral-based biometrics like gesture biometrics can be easily “revoked and replaced”. In other words, a reset (start over), just like you can do with your current PIN and password, except it is so much more secure.
As we all move to the Internet of Things, where our devices control access to many aspects of our lives, biometrics are the only answer. There is just too much valuable information in our devices; we need the highest level of security. The user experience, accuracy and ease of use will all become big factors in which biometric you select. Make sure the biometric you choose has proof of third-party testing that is publicly available. It is easy to say you are secure, but it means nothing unless independent testing confirms this. Make sure the biometric you choose is also patented. You don’t want to implement a solution and then find yourself caught in a legal battle.
Remember, your body is the last frontier; don’t give up your body parts. The time to start taking care of your privacy is now. You have an excellent alternative with gesture biometrics.