
Global privacy law research supports on-device matching

 

Matching biometric data on a device better satisfies global privacy requirements than matching it on a server, particularly with regard to personal control and data residency, according to a new report from PricewaterhouseCoopers Legal LLP.

Biometric authentication and cloud computing are gaining popularity at the same time, and cloud capabilities like rapid scaling and remote storage have apparent benefits for some biometric deployments, but the research suggests that privacy laws make realizing those benefits challenging, if not impossible.

Biometrics and Privacy: On Device vs On Server Matching was produced by PwC Legal for Nok Nok Labs to survey the privacy aspects of biometrics from an international legal perspective, focussing on the differences between one-to-one and one-to-many approaches.

“What we wanted to do by commissioning this report was clarify some of those privacy concerns from a legal perspective,” Nok Nok Labs VP of marketing Todd Thiemann told Biometric Update in an interview.

The privacy implications of processing consumer biometrics around the world depend somewhat on the laws of the country the user is in. Swiss law requires that every international transfer of personal data be specifically consented to. Despite this, researchers found a number of globally accepted privacy principles. “Even if you are a corporation based in one geography, organizations typically take a lowest common denominator compliance approach,” and the report identifies those common denominators, Thiemann says.

Among consistencies that enable organizations to make biometric deployment decisions with confidence, the report says, cross-border transfers of biometric data are generally prohibited, and organizations must have measures in place to prevent unauthorized access and processing of data.

The report says that many of the legal privacy concerns it considers are satisfied by the authentication protocols of the FIDO Alliance. By keeping the data on the device, one-to-one matching keeps control of the data itself with the end user, and the volume of data potentially at risk is minimal.

The fast-growing FIDO Alliance was founded in 2011 by Nok Nok Labs, along with PayPal, Lenovo, Validity Sensors, Infineon, and Agnitio. It seeks to establish industry standard best practices for unlocking the potential of password-less authentication.

The report says that high-profile breaches of biometric data like that of the US Office of Personnel Management highlight the risk of centralized biometrics databases, but Thiemann still sees a place for one-to-many authentication on a server.

“When you look at on-device versus on-server, there are absolutely legitimate and good uses of server-side matching, such as border control, where you need a big repository of that biometric information, that’s absolutely a good place to have it. Also your typical government entity can spend the necessary resources to defend that against bad guys. Inevitably bad guys are quite clever and things might happen, but on the whole, governments are best positioned to defend that, so that’s a good use of that sort of approach. When it comes to consumer-facing mobile applications, that’s a different beast,” Thiemann says, advocating for the FIDO protocols in that case.

For organizations deploying biometric authentication that find it necessary to store mass amounts of biometric data on a server, there are also extra considerations necessary to protect consumer privacy.

“You’re using a third party to process the data, you’re the one requesting it, so you have to do your due diligence with that third party provider to make sure that it’s kept secure and confidential.”

Ultimately, privacy protection ends up being a matter of control, and on-device biometric security allows consumers to more easily withdraw permission, and control where their data is located, as part of the organization’s satisfaction of legal requirements.

“If you’re an organization deploying on-device matching using the FIDO specifications, you can go out to your consumers and say ‘You hold the keys to the kingdom right there in your hand, so you’re the one that’s in control.’”

Over the near future the ultimate test of effective biometric data privacy controls will be conducted in the wild, with consumer mobile application authentication. The privacy benefits of on-device matching laid out by PwC Legal suggest an eventual industry standard practice, just as FIDO has sought since 2011.
