Biometric data is everywhere in the news these days. One Google searches for “Biometric data,” and you’ll find tons of stories from people discussing the safety of using it for physical and behavioral identification.
One of the most recent stories that took quite an unexpected turn on July 17 involves FaceApp, the app that uses AI to create old photos of its users. Thomas Brewster, a cybersecurity specialist, working for Forbes, has published an article that day, speculating that the app (which, by the way, was owned by a Russia-based company) might be a threat to the privacy of its user because it stores their biometric data.
Chuck Schumer added more fuel to the fire, one of the Democratic senators, published a tweet where he called on the FBI and FTC to look into the matter and find out whether the developers of the app now own biometric data of American citizens.
BIG: Share if you used #FaceApp:
Because millions of Americans have used it
It’s owned by a Russia-based company
And users are required to provide full, irrevocable access to their personal photos & data pic.twitter.com/cejLLwBQcr
— Chuck Schumer (@SenSchumer) July 18, 2019
While some reviewers suggested that there are no significant security or privacy concerns with FaceApp, many people thought that the issue was worth investigating. For example, some of the people who responded to Schumer’s tweet were indeed very creative with their replies, such as this one below.
However, as funny and entertaining these replies might be, the broader issue of access and monetization of biometric data in digital products remains. A developer of a digital product, a government, or an organization can lose biometric data to third parties (or even sell it) or misuse it.
So, it’s completely unreasonable to assume that the range of truly dangerous cybercriminals looking to steal biometric data doesn’t exist and ignore the problem. For developers looking to use and store biometric data for legal purposes, this craze also creates additional concerns. That’s why in this article, we’re going to look at three reasons why collecting biometric data is so dangerous.
Reason #1: The Risk of Data Breaches
“The news about FaceApp and possible data breaches is just one example of the craze that has been happening since the first set of biometric data has been collected,” says Adam Greenberg, a cybersecurity specialist from Trust My Paper. “The laws on the use of biometric data are still not exactly perfect, and someone may use it for illegal reasons if that data has been stolen.”
Let’s consider an example. Domain Awareness System is a framework of several thousand surveillance cameras installed throughout New York City to assist law enforcement with detecting criminals. If someone commits a crime and one of the cameras records the act, the police officers can view the footage and try to identify the person.
Now, we’ve gotten to the point where we can equip such a system with AI facial recognition technology, which means that identifying a criminal would be much more comfortable. However, on the other hand, this also means that people in charge of the surveillance system can track people throughout their daily lives. Moreover, if there’s a data breach, the criminals get access to biometric data such as faces, which opens a lot of “opportunities” for them.
This example shows how profound the consequences of data breaches might be. That’s why governments, digital product developers, and other stakeholders continuously face the risk of losing biometric data of citizens or customers due to a data breach.
Reason# 2: The Lack of Comprehensive Laws
As it was briefly mentioned in the above section, we still don’t have the legal framework governing the collection, storage, and processing of biometric data. However, the technology required to create all the risks associated with biometric data already exists and continues to develop at the speed of light.
The lack of comprehensive laws makes individual legal bodies to develop their regulations to protect sensitive data. For example, there have been two significant steps forward made by local governments in the U.S. recently.
First, Biometric Update described that Washington lawmakers “have passed a law extending the state’s data breach notification law to several new types of information, including biometric data.” Moreover, the law, which is called HB 1071, also reduced the deadline for reporting data breaches to authorities. According to Chris Burt, the author of the article, the law was a response to the fact that the number of people affected by data breaches in the state increased by 26 percent to more than 3 million people within 12 months.
The lawmakers in New Hampshire are considering even harsher measures to protect biometric data of the local citizens. According to Biometric Update, the businesses registered in the state could be barred from several uses of customer biometrics if the legislators vote to make a newly proposed bill a law.
“If your biometric information is compromised, there is no going back,” Biometric Update quoted David Luneau, one of the senators behind the bill, as saying. “You’re locked into whatever it is that others are doing with that information.”
This means that until a comprehensive legal framework is in place, businesses will face a lot of concerns when dealing with biometrics. Moreover, when the structure is enacted, the collectors of biometric data will have to follow the guidelines to avoid legal problems.
Reason #3: Cultural Considerations
In addition to the broadly discussed issues of security and privacy, there are also some cultural considerations that businesses and governments should consider. For example, one study published in AI & Society Journal concluded the following:
“…cultural differences have an impact on the way biometric systems will be used and argue that these factors should be taken into account during the design and implementation of biometric systems.”
So, since the perception of the technology among various cultures may differ, businesses should study attitudes of their target customers towards biometric technology before implementing it in their products.
Indeed, storing biometric data carries significant risks for both governments, businesses, and customers/citizens, so it’s safe to assume that we are on the way to read more news related to FaceApp-like apps and government requirements. The concerns of people are more than understandable because their data should have the security it requires; moreover, appropriate legal bodies should speed up the creation of the comprehensive legal framework to ensure that.
And, even though the developers of FaceApp have responded to the online discussion by saying that the app stores most of the user images for 48 hours only, the risk of losing biometric data is still authentic and should be adequately addressed.