Our biometric data is collected everywhere, from the fingerprint readers on our phones to the omnipresent security cameras in our city centers. Few places are safe from data collection. Yet, remarkably, few people fight back with tools like glare scarves. Even more impressively, many consumers voluntarily gave up their DNA information to gain insight into their relatives and genetic makeup. This data collection has led to disastrous consequences, with breaches at 23andMe potentially compromising the DNA data of millions of customers and their relatives.
Most data created during our lifetime either loses its value within a year, like research data, or is changeable, like passwords, making older versions obsolete and useless for hackers. Yet, in many cases, we share parts of our biometric data without even considering its value. That’s also true for much more mundane biometric data, such as fingerprints and face scans. What they do have in common with genetic profiles is that choosing biometric logins puts us at the mercy of developers creating those systems.
Biometric data, especially with analytics and AI, might open up new and dangerous possibilities. Consider the numerous AI passport photo apps that can create a fake passport from your social media profile. This misuse of biometric data is a stark reminder of the potential risks we face.
Therefore, it’s crucial to understand why businesses and consumers should avoid biometric data. This knowledge empowers us to make informed decisions and protect our privacy and security.
Biometric Data is Data
You know the drill: pick up your phone and unlock it by pressing your finger on a sensor. Convenient and fast, the fingerprint sensor reduces the friction of authentication. After all, passwords, passcodes, and any other authentication method are an annoying barrier between us and our applications and data.
Yet, the focus on the barrier makes us forget that the little fingerprint, the password, or the face scan is data in itself. It is also precisely the type of data criminals want to harvest during data breaches or ransomware attacks.
Well-designed software will protect the data. It first reduces the image of your fingerprint, face, or iris to a few distinct data points: things that stand out and are likely to be recognizable from different angles. Then, these data points are run through a mathematical formula or hash function to obfuscate them. The hash function is like a cryptographic one-way street. Ultimately, you have a number that should be the same every time your biometrics are scanned, yet cannot be used to reconstruct them.
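The pipeline described above, sketched as an added example that is not from the original article or any vendor's code: feature points are snapped to a coarse grid, put in a canonical order, and run through a keyed one-way function (HMAC-SHA256), and only the digest is kept. The point format, the grid size, and the key handling are assumptions made for illustration, and the sample scans are constructed.

```python
import hashlib
import hmac
import os

GRID = 8  # assumed quantization step, in sensor pixels


def quantize(points, grid=GRID):
    """Snap (x, y, angle_deg) feature points to a coarse grid and sort them,
    so small sensor noise and point ordering do not change the result."""
    cells = {(int(x) // grid, int(y) // grid, int(a) % 360 // 45) for x, y, a in points}
    return sorted(cells)


def template_digest(points, device_key):
    """Keyed one-way digest of the quantized template (HMAC-SHA256).
    Only this digest is stored; the raw feature points are discarded."""
    canonical = ";".join(f"{cx},{cy},{ca}" for cx, cy, ca in quantize(points))
    return hmac.new(device_key, canonical.encode(), hashlib.sha256).hexdigest()


def verify(points, device_key, stored_digest):
    """Constant-time comparison of a fresh scan against the stored digest."""
    return hmac.compare_digest(template_digest(points, device_key), stored_digest)


# Constructed sample data: feature points as (x, y, ridge angle in degrees).
ENROLLED = [(20, 36, 10), (68, 91, 100), (115, 52, 200)]
RESCAN_SMALL_NOISE = [(21, 37, 12), (69, 90, 98), (114, 53, 203)]
RESCAN_CROSSES_CELL = [(24, 36, 10), (68, 91, 100), (115, 52, 200)]  # x=24 lands in the next cell
OTHER_FINGER = [(12, 80, 300), (70, 20, 45), (101, 99, 170)]

if __name__ == "__main__":
    key = os.urandom(32)  # assumption: on a real device this key never leaves secure hardware
    stored = template_digest(ENROLLED, key)
    print("same finger, small noise :", verify(RESCAN_SMALL_NOISE, key, stored))
    print("same finger, crosses cell:", verify(RESCAN_CROSSES_CELL, key, stored))
    print("different finger         :", verify(OTHER_FINGER, key, stored))
```

The second case is why the number only "should" be the same on every scan: a point that drifts across a grid boundary changes the digest even for the enrolled finger, so the quantization step has to be tuned against sensor noise.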
Unfortunately, not all software is secure. Likewise, the rise of quantum computing might turn the cryptographic one-way street into a highway.
Government Interference and Software Engineering
Advances in computing, though, are only the third most significant risk. Government mandates are more likely to compromise the security of our fingerprints. A few years ago, the U.S. Government tried to compel Apple to build a backdoor into its iCloud service. While Washington didn’t prevail in court, there is no guarantee that a less democratic nation couldn’t force technology companies to build a similar backdoor into their products. The ongoing battle over access to encrypted chats in the EU is a little taste of things to come.
As with most software, shoddy engineering practices and human errors during software creation are the most likely risks to your fingerprints. While quality control and tests should weed out problems and identify compromised security settings, such as bypassing the hash function, neither humans nor the systems we create are perfect.
Take Control of Your Biometric Data
Fingerprints and facial scans are a very convenient and fast way for users to log into a device. Likewise, our fascination with science and scientific data drives us to use DNA analytic services. Yet, unless businesses reduce the use of biometrics and consumers opt out of the data collection, we will see an increasing number of data breaches involving biometrics.
Choosing a two-factor login system that doesn’t rely on who we are can help us stay safe and secure our unchangeable features. The combination of something we know, such as a password, and something we own, such as a phone, is just as secure, particularly if we use modern mechanisms such as passkeys, which create a unique digital key during login.
Opting out of data collection at airports and the border is more challenging yet still possible. So is avoiding businesses and hotels that want to use customers’ fingerprints for access controls and key replacements.
Mind Your Data
To most individuals and data protection plans, data usage defines biometrics. Fingerprints are nothing more than a password, facial features are airplane tickets, and DNA is a form of scientific knowledge and entertainment.
Yet, biometric information is unchangeable and follows everyone throughout life. Choosing alternatives can go a long way in keeping this data secure and avoiding many of the issues that can come with having defining information stolen in a data breach.