Amid rampant data breaches and hacks, biometrics takes off
Biometric technology makes it easier to prove your identity – but brings its own security and privacy concerns
By Deborah Gonzalez, Esq. | Posted on 9 October 2014
There are many incidents throughout our day that require us to prove that we are who we say we are. We log in to our laptop to access our email, we type a PIN at the ATM to retrieve cash, we present an ID badge to enter our workplace, and we show our driver's license to board a flight.
But what happens if we forget the login password or the ATM PIN? What happens if we lose the ID badge or our photo license? How do we get access to our accounts or board the plane? Or what if these things were stolen from us? How do we reclaim, secure and protect our data, our assets, and our identity, especially in this digital world?
The headlines are full of data breaches and hacked accounts, such as Target in 2013 (40 million records) and Home Depot in 2014 (52 million records). Citibank launched a series of TV commercials to make the public aware of identity theft that you can still view on YouTube. And the entertainment industry – that mirror of current trends and mainstream pop culture – legitimized the pervasiveness of this threat by offering the 2013 film Identity Thief, starring Jason Bateman and Melissa McCarthy. We laughed at the antics as McCarthy took Bateman's financial assets through the wringer, but it was laughter tinged with anxiousness as we recognized the very real possibility that it could happen to us.
So what to do? If passwords are notoriously easy to hack and cards can be falsified with minimal effort, what are we left with to protect ourselves?
The answer may be as simple as ourselves. Enter the technology of biometrics.
The brave new world of biometrics
The use of physical and behavioral characteristics to verify an individual's identity as a security measure has taken on a new urgency considering the lack of protection of passwords and encryption keys. Fingerprint analysis, eye retina scans and voice pattern recognition have all been explored in the real world and in science fiction (remember Minority Report and Tom Cruise's eye replacement incident?). The Apple iPhone 5S was announced with additional fanfare because it offered fingerprint sensor authentication to unlock the phone, and the iPhone 6 has expanded on that feature to permit individuals to purchase products securely through Apple Pay. The sensor is embedded on the "Home" button of the phone, and the biometric is only stored on the device itself, making it unavailable to other apps or servers.
But biometrics is set to come of age, as smart devices become more advanced and nuanced via specific apps and connected plugins. For example:
- The Nymi wristband contains a voltmeter to read a heartbeat, which Nymi's creators suggest is unique to each individual, providing a secure means of identification. According to one of its creators, Dr. Karl Martin of the University of Toronto, one of Nymi's most secure features is that while a heart can be broken, a heartbeat cannot.
- At the University of California, Berkeley, researchers are developing a $100 headset that can read your brain waves to verify your thoughts — including the password you are thinking of.
- Another concept being considered for development is the "password pill" that contains a microchip and battery and is activated by your stomach acid to emit a radio signal. In 2014, Regina E. Dugan, former director of the Defense Advanced Research Projects Agency (DARPA) and current Google executive, revealed potential production concepts for a small, ingestible microchip or "electronic tattoo" that would serve as your personal ID from ingestion until — we don't know. Ms. Dugan did not offer many details nor did she say when or how it could be deactivated.
Elsevier Connect Contributor
Deborah Gonzalez, Esq. (@DGOnlineSec) is an attorney and the founder of Law2sm LLC, a legal consulting firm focusing on helping its clients navigate the legal and security issues relating to the new digital and social media world. She is the co-developer of the Socially Legal Audit tool, which helps companies ensure that their online activity is in line with state and federal laws and regulations.
Gonzalez is a sought-after speaker, writer, and news commentator. She is the author of two Elsevier books published this fall: Online Security for the Business Traveler and Managing Online Risk: Apps, Mobile, and Social Media Security.
One thing is for sure: biometrics is a growing market estimated to generate billions of dollars partly because of government support as an anti-terrorist and surveillance strategy, especially after the attacks of 9-11.
But biometrics as an identity and security control has some security risks and privacy concerns of its own.
What are the risks?
Let's take a look at facial recognition. Currently, Facebook has the largest facial recognition database in the world, which it started to compile in 2010. In 2014, it updated the technology to a more accurate identification system called DeepFace. Facebook offers facial recognition as a service to its users to help them identify and tag friends and themselves in photos and other content that is posted on its platform.
Now let's take it a step further. What happens if you combine the facial recognition and wearable technology such as Google Glass? The NameTag app for Google Glass is supposed to allow the user to look at anyone (including strangers), and the app will return a match with the stranger's name, occupation and Facebook profile if they have one. Can something like this facilitate stalking or harassment? Privacy advocates have taken notice. What if you don't want to be recognized or tagged in a photo by an app, especially by someone you don't know? Do you have the right to be anonymous? Will national surveillance become citizen surveillance?
As for its own part, Google has stated that it would not approve any facial recognition apps for Google Glass even though there are no current US laws that govern the use of face recognition technology. FacialNetwork.com, the developer of NameTag, is offering the app in beta format and hopes that Google will change its mind since it believes the app can also be used to help identify criminals and sexual offenders and therefore can be seen as a safety tool.
The Transportation Security Administration (TSA) seems to agree with FacialNetwork, considering face recognition technology as a way to help secure air travel, for example, in face-scanning checkpoints.
However, some companies have uses in mind that go beyond identification. For example, the Tesco online shopping platform is experimenting with the technology as a way to provide targeted advertising to individuals by focusing not on the face but on the eyes. Using OptimEyes technology from British firm Amscreen, they have set up a series of outdoor displays. These displays are outfitted with face detection cameras that connect to a database to gauge the age and gender of the person passing by the display and combine it with factors such as time of day and location to then determine which ads to display.
October is National Cyber Security Awareness Month
- The US Department of Homeland Security has organized various activities for National Cyber Security Awareness Month. The hashtag is #NCSAM
- The Information Systems Security Association (ISSA) International Conference is October 23 and 23 in Orlando, Florida. Deborah Gonzalez will give the keynote address at the Women in Security Breakfast, talking about "Women and the Future of Security." The conference hashtag is #ISSAConf
But TechCrunch has a more practical application for a biometrics system based on eye retinas/iris scans. They recently announced a crowdfunding initiative to be able to develop the EyeVerify app – nicknamed the "Eyeball Selfie" – for mobile banking security. The idea is that once you enter a traditional password to access your account via your mobile device, you bring the device up to your eye and let its internal camera scan your iris. If it's a match, you access your account. If not, try again. Either way, blink a lot to get the glare spots out of your view.
Privacy advocates do recognize security benefits of some of the biometric technologies but caution and urge their developers and users to apply them responsibly and with transparency. So since there are no laws, can the industry agree on some voluntary guidelines or best practices, like posting notices if facial recognition technology is being used in an event? What triggered this particular concern was a recent Super Bowl game where attendees were facially scanned without their knowledge by law enforcement. After the fact, individuals understood the possible benefit of identifying criminals, but they felt their privacy was violated because they were not told and did not give their consent.
Another concern that gets raised is that these biometrics are stored in a database, so all the information system security concerns are still there. Also, if a regular database of passwords gets hacked, you can change the password, but if a biometrics database gets hacked, you can't change your face.
The use of biometric data that has been collected also raises the question of what the data will be used for. India is being watched for one of the most ambitious biometrics data collection projects in the world – Aadhaar. With over a billion people, most of whom are poor and undocumented, the Indian government thinks biometrics could be the answer to identifying their own population and improving government services. The Aadhaar database has collected fingerprints, iris scans, and photos of over 500 million Indian citizens so far, who receive in exchange a 12-digit national ID number. But human rights activists in India and abroad fear that the data will be used to marginalize even more the poorer classes, demonstrating a level of mistrust not necessarily of the technology but of the government entity using it.
In some ways, this scenario echoes the cautionary tale told in the 1997 film Gattaca. Starring Ethan Hawke and Uma Thurman, the story follows Hawke in a world that believes in the superiority of genetically engineered humans. In other words, discrimination is now genetic. As an individual who was born with no genetic modification, he assumes the identity of one who was so he can have a better life. Combining this philosophy with the current state of genome research, it is not too far-fetched to understand the concern of the activists in India. Our physical makeup is only one part of who we are. To limit identification or the measurement of human value to just that one aspect can lead to a slippery slope.
Part of the story of Gattaca is the understanding that that world accepts its current state because children are born and raised in it and so conditioned not to question what or why it is happening. But in our digital world, we are still in transition. Take, for example, an experiment being conducted in UK schools to fingerprint all students and have them use their fingerprints to access school facilities and services, like the library or lunchroom. The European Union has questioned, "To what end?" Schools argue that they can more easily identify who should not be on campus and can better ensure student safety; however, the experiment links the fingerprints with student grades, class schedules and more. What happens with all the data is still left unanswered.
Of course, face recognition, fingerprinting and genetic (DNA) testing represent just a few of the body parts that are being used in biometric systems. Projects that involve measuring ears, voice pattern recognition and behaviormetrics – based on patterns or rhythms of our conduct – are also being developed, tested and implemented. Conferences such as the Global Identity Summit continue to bring together the experts to evaluate and discuss these biometric systems, current and future applications, and ethical and other concerns regarding their impact on society.
So based on the above, there is no question that you are the best proof of who you are in this digital world. The new question is: How far do you want to go to make it easier to prove your identity?