Security of personal data is one of the top concerns of organizations that hold a large volume of PII (Personally Identifiable Information). With tightening data privacy laws, data security is becoming the top priority of organizations that collect and store users’ personal information. Despite following the data security practices, some organizations fall victim to data security incidents, causing a lot of harm to their brand value, reduced customer confidence, and regulatory actions on top of that.
For the longest, demographic information, financial data, healthcare data, and digital footprints were mainly considered to be the ‘personally identifiable information. Biometric information is also a type of PII as it can be used to identify a person. Now with the increasing penetration of biometrics in personal as well as business space, its security has become a priority for data security experts as well as the organizations that hold large chunks of biometric data.
Biometric data can be the most sensitive type of PII due to its distinctive characteristics, so it is important to understand how biometric data is stored and what are the biometric security issues? This article tries to answer these questions and beyond.
How is biometric data stored?
Like most other digital data, biometric data is also stored in digital format, i.e. in bits and bytes that can be stored, processed, or transmitted using modern IT systems. Since biometrics is sensitive information; storing, processing, or transmitting it in its raw form can make it vulnerable. Just like other personal and financial information, bad actors might try to steal biometric information of individuals (such as citizens, customers of a company, etc.) to take undue advantage.
Now when biometrics is on its way to replacing traditionally used digital as well as physical security means such as physical access control means, PINs or passwords for digital access, etc., its increasing penetration makes it more and more vulnerable. That is the reason why biometric data cannot be stored or transmitted in its original form. If it gets compromised, it can easily be misused by cybercriminals.
How to improve biometric data security?
Data stored in digital format offers many advantages – large data can be stored in a very small space, it can be processed with greater efficiency and transmitted to any part of the world. Digitization, however, also has problems specific to it. Digital data, if not properly secured, can be vulnerable to accidental or intentional leaks and breaches. In the age of digitization and connectivity, data security incidents are a reality that the world has to live with, and it gets more complicated when data security incidents include biometric data.
Data encryption has emerged as a powerful tool that can ensure the security of digital data, which can not only be stored safely but also transmitted without compromising security. Encryption is the process of encoding the digital data to make it illegible except for the party that has its decryption key. This data can only be decoded by the party that holds its decryption key.
To overcome the issue of data security incidents, biometric data is stored and transmitted in an encrypted format. Encryption ciphers the biometric information to something that can only be deciphered by a valid decryption key.
Modern biometric systems encrypt the data right on the device, which means data not only stays secure inside the device but can also be transmitted or stored without compromising its security. This is why it is extremely important to keep biometric information encrypted so that even if it is compromised, it cannot be deciphered or misused.
Biometric data collection
Biometric data is PII and it can be valuable if you have data of enough users. Google is a good example of a data-driven business. That is the reason large corporations are after biometric data to collect it as much as they can. One good example is Facebook, the world’s largest social media platform that introduced a facial recognition feature, which could automatically recognize your face from the photos uploaded to its platforms. After controversies and alarms raised by the privacy advocates, the company had to eventually turn it off.
Private organizations as the custodian of large amounts of biometric data may try to find ways to monetize it, even if it breaches the ethical limits. It also raises issues related to user privacy.
Though we have privacy laws in many parts of the world, only a few jurisdictions have laws specific to biometric data collection and its usage. Governments should understand the seriousness of the privacy issues that may arise due to the misuse of biometric data. The good thing is that the new data privacy laws such as GDPR define and take care of biometric data as well.
Biometric data is unlike other PII. It has particular characteristics, so it cannot be treated as just another piece of personally identifiable information. Despite its distinctive characteristic, there is no legal framework specific to biometric data collection in order to address biometric security issues. Most legislations cover biometric data in a broad sense treating it as PII.
Newer regulations such as GDPR (General Data Protection Regulation)- presently effective in the European Union (EU) and the European Economic Area (EEA), try to define and address biometric data. GDPR requires organizations working in the EU and the EEA, required to follow GDPR. They need to ensure the ‘right to be forgotten’ and biometric data collection only for ‘specified explicit and legitimate purposes.’ GDPR distinctively defines biometric data.
According to GDPR…
“Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;”
Like other identification, authentication, or access control systems, biometrics also faces the security issue of circumvention. The issue of circumvention of biometric security systems is no different than other systems, however, in the case of biometric systems it may have more serious consequences as changing biometric identifiers is not possible to replace locks, keys, or passwords.
Circumvention of biometric systems, commonly known as spoofing, is done by imitating the biometric patterns of an authorized individual to gain unauthorized access. A fingerprint replica made of silicone or glue – to circumvent a fingerprint recognition system or using a simple photograph to dodge a facial recognition system, are examples of spoofing attacks. Despite the unprecedented advancement of biometric technology, spoofing remains one of the biggest biometric security issues.
To address the biometric security issue of spoofing, experts rely on liveness detection technologies to figure if a biometric sample comes from a real person or a spoof.
Liveness detection and anti-spoofing technologies are used as countermeasures against spoofing. Liveness detection technology inspects minute liveness signals and structures that are hard to be included in spoofs. For example, detection of human body temperature, blood flow, sub-surface details, etc. are some of the techniques used by biometric systems to ensure liveness and avoid spoof attacks.
Biometrics is evolving as a futuristic approach that does not require people to remember or present anything to securely authenticate their identity. Biometrics, however, has to address many issues that are still dragging the technology behind. The security and safety of biometric data are one of the issues that make people reluctant to adopt biometrics. Spoofing is another issue that is yet to be fully mitigated. Once biometric systems are able to address the safety and security issues, nothing can stop this technology from attaining ubiquity in identification and authentication.