May 12, 2016 -
Matching biometric data on a device better satisfies global privacy requirements than matching it on a server, particularly with regards to personal control, and data residency, according to new report from PricewaterhouseCoopers Legal LLP.
Biometric authentication and cloud computing are gaining popularity at the same time, and cloud capabilities like rapid scaling and remote storage have apparent benefits for some biometric deployments, but the research suggests that the privacy laws make realizing those benefits challenging, if not impossible.
Biometrics and Privacy: On Device vs On Server Matching was produced by PwC Legal for Nok Nok Labs to survey the privacy aspects of biometrics from an international legal perspective, focussing on the differences between one-to-one and one-to-many approaches.
“What we wanted to do by commissioning this report was clarify some of those privacy concerns from a legal perspective,” Nok Nok Labs VP of marketing Todd Thiemann told Biometric Update in an interview.
The privacy implications of processing consumer biometrics around the world depend somewhat on the laws of the country the user is in. Swiss law requires that every international transfer of personal data be specifically consented to. Despite this, researchers found a number of globally accepted privacy principles. “Even if you are a corporation base in one geography, organizations typically take a lowest common denominator compliance approach,” and the report identifies those common denominators, Thiemann says.
Among consistencies that enable organizations to make biometric deployment decisions with confidence, the report says, cross-border transfers of biometric data are generally prohibited, and organizations must have measures in place to prevent unauthorized access and processing of data.
The report says that many of the legal privacy concerns it considers are satisfied by the authentication protocols of the FIDO Alliance. By keeping the data on the device, one-to-one matching keeps control of the data itself with the end user, and the volume of data potentially at risk is minimal.
The fast-growing FIDO Alliance was founded in 2011 by Nok Nok Labs, along with PayPal, Lenovo, Validity Sensors, Infineon, and Agnitio. It seeks to establish industry standard best practices for unlocking the potential of password-less authentication.
The report says that high-profile breaches of biometric data like that of the US Office of Personnel Management highlight the risk of centralized biometrics databases, but Thiemann still sees a place for one-to-many authentication on a server.
“When you look at on-device versus on-server, there are absolutely legitimate and good uses of server-side matching, such as border control, where you need a big repository of that biometric information, that’s absolutely a good place to have it. Also your typical government entity can spend the necessary resources to defend that against bad guys. Inevitably bad guys are quite clever and things might happen, but on the whole, governments are best positioned to defend that, so that’s a good use of that sort of approach. When it comes to consumer-facing mobile applications, that’s a different beast,” Thiemann says, advocating for the FIDO protocols in that case.
For organizations deploying biometric authentication that find it necessary to store mass amounts of biometric data on a server, there are also extra considerations necessary to protect consumer privacy.
“You’re using a third party to process the data, you’re the one requesting it, so you have to do your due diligence with that third party provider to make sure that its kept secure and confidential.”
Ultimately, privacy protection ends up being a matter of control, and on-device biometric security allows consumers to more easily withdraw permission, and control where their data is located, as part of the organization’s satisfaction of legal requirements.
“If you’re an organization deploying on-device matching using the FIDO specifications, you can go out to your consumers and say ‘You hold the keys to the kingdom right there in your hand, so you’re the one that’s in control.’”
Over the near future the ultimate test of effective biometric data privacy controls will be conducted in the wild, with consumer mobile application authentication. The privacy benefits of on-device matching laid out by PwC Legal suggest an eventual industry standard practice, just as FIDO has sought since 2011.