The Ethics and Concerns of Biometric Data Collection
Increased use of biometrics in our daily lives will only continue into 2024 and beyond as this popular and secure method of authentication continues to replace passwords. According to the FIDO Alliance’s 2023 Online Authentication Barometer on biometrics and ethics, “biometrics is both the preferred method for consumers to log in and what they believe is most secure.” This follows an earlier report, which found that consumers preferred biometrics, such as facial scans and fingerprints, over all other methods of accessing their accounts by 29 percent.
Since most people need to log in to personal and business accounts multiple times per day, passwords pose a true headache. In fact, consumers surveyed for the above report said they entered a password manually an average of four times a day – which is around 1,280 times per year. They also reported abandoning a purchase or giving up on accessing services online nearly four times per month per person, which is a 15 percent increase in 2022.
Unlike passwords, which must be complex in order to be secure, are hard to remember, and have to be reset whenever they’re forgotten, biometric verification combines security and convenience for consumers, employees, and citizens. It uses unique physical features, such as a facial scan, voiceprint, or fingerprint, or inherent behavioral characteristics, such as how a person types, scrolls, touches, or swipes between screens, to enable authentication.
With nothing to remember, forget, lose, or steal, biometrics is both more secure and faster, requiring a user to simply place their finger on a key, say a few words, or use the camera on their phone instead of manually entering a complex password.
When the user attempts to gain access to an account or data, the physical or behavioral characteristic is compared against a stored template that contains just enough data points to identify a person when the live characteristic is also present. Biometric liveness detection ensures that an unauthorized person can’t use a previously captured photo or fingerprint to gain access.
It’s been estimated that 66 percent of smartphone owners will use biometrics for authentication this year. In 2023, 46 percent of travelers used biometrics at airports, compared to 34 percent in 2022. Research and Markets predicts that the use of digital wallets, another technology driving the increased use of biometrics, will surpass EUR 10 trillion globally by 2028.
Statista reported that 26 percent of global respondents believed that the most significant development in the use of biometrics over the next five years would happen in the artificial intelligence (AI) area. Another 22 percent believed the most significant development would come from digital identity.
Despite, or perhaps because of, this growth in the use of biometrics, many people have real concerns about the collection, security, and use of their biometric data. It’s a natural worry, especially in a time when regulations have arisen to protect other forms of personal data from unethical collection and improper storage or use, but one that can be mitigated by understanding more about how biometric data collection functions.
Ethical Concerns in Biometric Data Collection
Countries and jurisdictions around the world have undertaken personal data privacy laws, including the following:
- GDPR in the EU
- Digital Personal Data Act in India
- Privacy Act in Australia
- Data Protection Law in Colombia
- Protection of Personal Information Act in South Africa
While many of these regulations include protection for biometric data privacy, others are being re-visited, adapted, or developed to accommodate them.
While the regulatory landscape is rapidly changing everywhere, it is particularly fluid in the United States. In May 2023, the Federal Trade Commission issued a warning “that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for bias and discrimination.”
It also issued a biometric privacy policy statement that it is committed to “combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.”
Despite such warnings and policies, no national regulation exists in the U.S., and protection varies by state and local jurisdictions. For example, in 2008, the state of Illinois passed the Illinois Biometric Protection Act (BIPA), which makes it the only state that enables individual employees and customers to sue a business for the improper collection and handling of biometric data.
Texas and Washington also have passed biometric privacy laws but without the right of private action. Biometric data is also included in comprehensive consumer privacy laws passed in Virginia, Colorado, Connecticut, Utah, and California, and similar legislation is being considered in other states. Whereas a state has no protection, a city might (such as New York City’s Biometric Information Privacy Law). Biometric data protection may also be governed by industry-specific regulations, such as the HIPAA rules for healthcare.
Despite variations in regulation, legal and ethical use of biometric data is based on three key concepts: privacy and consent, informed consent and data usage, and the potential for unauthorized use.
Privacy and Consent
People want control over the privacy of their data – who can use it, how it’s used, how it’s saved, and more. This requires enabling people to consent to the collection of their biometric data. For example, a person opening an account may agree to biometric data collection for the stated purpose of accessing their account in the future using that data.
Using that data for other purposes, such as sharing it with a third-party marketing agency, may violate local regulations and customer trust that their data will be kept private. An example of non-consensual collection of biometric data would be a judicial agency scanning faces in a crowd without the knowledge or consent of the affected individuals.
Informed Consent and Data Usage
If the way the business or government agencies want to use the data changes, they must ask the individual for consent to do so. So, if an individual consented to providing data specifically to receive certain benefits, and the agency wants to share that biometric data with another governmental agency not involved in providing those benefits, they need to contact the citizen with an explanation of the new data usage and get them to agree before new usage occurs.
Potential for Unauthorized Use
This is one of people’s biggest fears and is something that every business or agency that uses biometric data must consider: Can their biometric data be used in ways that they haven’t authorized? How easily can the local or national police access the data? How well protected is the location where it’s stored? How easy is it for unauthorized individuals inside the organization to access the data?
Businesses and agencies also need to look beyond the need to comply with regulations to how their customers, employees, and citizens expect their biometric data to be handled. Trust is an essential basis for relationships with these individuals. Misusing biometric data will break that trust, so it’s important for every organization to have a biometric ethics framework.
Biometric Data Ethic Guidelines for Responsible Usage
Several organizations have created guidelines for the ethical use of biometrics, particularly face recognition biometrics, including the ACLU, the International Biometrics + Identity Association (IBIA), and the World Economic Forum. Key principles described in several of these guidelines include the biometric data collection process, biometric data privacy, data misuse, transparency, accountability, and security.
Data Collection
When an individual onboards, opens an account, or enrolls, an organization must provide them with specific written information on how any biometric data collected will be used and then receive the individual’s written consent before collecting the data. The organization should commit to collecting the least amount of data necessary to fulfill the specific purpose.
Data Privacy
One of the most ethical concerns about biometrics is user privacy. Users should be able to control, edit, and delete their collected data.
Data Misuse
Biometric data should only be used for the express purpose for which it was collected. Sharing within or outside an organization or for another use that was not consented to at onboarding constitutes misuse of data. The organization should maintain a process for contacting individuals to receive updated informed consent any time it wishes to use the data for a new purpose or to expand access to it.
Transparency
Being transparent about the policies around biometric data collection and use will help customers, employees, and citizens trust the organization with their data. It should be clear to them how long the data will be saved, how it will be used, who can access the data, how individuals can both modify and delete data, how they can request modification and deletion of data, and how the organization will treat them if it wants to modify the way data can be used or accessed after it is collected.
Accountability
It’s important that an organization can measure compliance with regulations and their internal ethics framework, and promptly resolve any issues that arise. A culture of personal responsibility can reduce the element of human error and an audit system can reduce any problems with processes or algorithms.
Security
Security is a key concern for individuals whenever their data is collected, and the World Economic Forum predicts that after a 72 percent increase between 2022 and 2023, “2024 could see record-breaking data breaches.” Organizations must treat biometric data privacy as they do their most valuable information and secure it accordingly.
Ensuring Reliable Data Security
The Information Commissioner’s Office (ICO) in the UK recommends starting with a risk assessment to determine appropriate security measures, while noting that due to the sensitive nature of biometric data, “’appropriate’ is a higher bar here than for personal information generally.”
Data should be encrypted and access tightly controlled, limited only to those individuals who need to access it and who have received the appropriate training and authorization. This includes both digital access and physical access to the location where data is stored.
While biometric data requires a higher level of security, protecting it should be part of an organization’s overall security plan in that, there’s a holistic approach where responsible parties coordinate with each other–not an organizational silo where problems can develop unseen.
Once security measures are in place for biometric data, the ICO recommends regularly testing and reviewing the measures to ensure they remain effective. As the criminals who conduct data breaches grow ever more inventive and technologically empowered, it’s important to ensure that an organization’s power to protect its data keeps up with these industry changes.
Bringing Compliance & Ethics to Biometric Data
Daon xFace, our biometric facial authentication solution, is built on proven algorithms, driven by AI and machine learning (ML) technology, and designed to provide maximum security by meeting the most stringent regulatory and ethical requirements. xFace provides step-up authentication for highly regulated industries and combines this protection with convenient authentication that keeps customers, employees, and citizens happy.
The biometric solutions a business chooses to use are critical, as they can simplify the collection, use, and protection of biometric data while still complying with changing regulations and adhering to the organization’s ethical framework.