You can’t change your physical traits very easily, so if a hacker steals your biometric data–look out.
Scanning a fingerprint or even an eyeball to authenticate your identity is no longer the stuff of science fiction. Biometric identification has been in practical use for a while now, and the technology gets more sophisticated every day.
It should come as no surprise that security and privacy concerns have arisen along the way. And now the legal ramifications are rapidly getting more complicated.
Washington state lawmakers last month passed pioneering legislation that forbids companies from obtaining or selling biometric information without consent of the individual. Due to rising concerns about the use of stolen biometric identifiers to commit identity fraud, the vote wasn’t even close. State senators voted 37-12 in favor, the House 81-17. Gov. Jay Inslee is expected to sign the bill any day.
Here’s some context about what to expect, going forward, as biometric IDs seeps deeper into our digital lives.
Traits and characteristics
It’s now possible for a physical characteristic, or even a behavioral trait, to be parsed into data and stored in a database. That file can then be used to verify your identity, or to check against other entries in the database. Fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves can be converted into data for identification purposes. Heartbeats can even be used to authenticate service users.
Finding cheats and criminals
It’s no longer unusual to encounter a biometric scanner at the entryway to a secure area, or even to access and use certain kinds of online services, says Robert Capps, vice president of business development at NuData, a Vancouver, British Columbia, supplier of fraud detection systems.
“These biometric data points are being used in places like casinos, looking for cheats and criminals walking into those facilities,” Capps says. “Anywhere there’s a place where you want to truly know who that human is, you’re starting to see some biometric verifications.”
The Enhanced Border Security and Visa Entry Reform Act of 2002 actually mandated the use of biometric identifiers in U.S. visas. U.S. embassies and consulates now issue machine-readable visas and travel documents based on biometric technology. And for visa applicants desiring to enter the U.S., the standard for biometric screening is ten fingerprint scans collected at U.S. overseas compounds.
Theft and fraud potential
While border security agents view biometrics as a useful tool, state lawmakers are starting to respond to their constituents’ concern about the potential theft and subsequent fraudulent use of biometric data. Given rampant data breaches, who can blame them?
Washington’s new law imposes strict criteria for the sale, lease or disclosure of biometric identifiers for commercial use. One important benchmark: the bill makes putting biometric identifiers into a database illegal without the person’s consent — meaning such information cannot be collected surreptitiously.
Other states are jumping on board. Alaska is considering a bill like Washington’s that would prohibit the collection of biometric data without an individual’s consent, among other restrictions. And a proposed bill in Connecticut would make facial recognition illegal for marketing purposes. In Illinois, lawmakers are pushing for changes that would require entities that collect biometric data to destroy the information after a certain period of time.
“Everybody has got a different approach to it,” Capps says. “Some people are pushing to require biometrics online and other people are saying, ‘Oh, we got to be careful here because physical biometrics can’t be changed, so putting more detailed data out to those databases to be stolen is a really is questionable proposition.’ ”
I couldn’t agree more. While we’re still early in the game, this bears watching. You should be prepared to make your voice heard. We can only hope that state legislators continue to listen. The bigger question: will Congress get the message?