Spanish data protection regulator targets 14 misconceptions about biometrics in technical note
Unauthorized access to biometric data in one system would allow the biometrics to be used in the rest of the systems that use such data, the Spanish Data Protection Agency (AEPD) claims in a technical note on 14 common misconceptions about biometrics.
The note was developed in cooperation with the European Data Protection Supervisor (EDPS), and addresses what the AEPD says are misunderstandings people have about biometric technology.
According to the AEPD, some people believe biometric data is stored as an algorithm; the agency clarifies that it is stored as a template, and that the algorithm comes in when the template is analyzed for identification and authentication. The AEPD also argues that biometric data is more intrusive than other identification and authentication methods, because it reveals more personal information about the subject, and that it is probabilistic rather than 100 percent accurate.
The AEPD also notes that biometric technology cannot always differentiate between two people, that some people cannot use certain biometric systems due to their physical characteristics, and that biometric processes can be spoofed. The public availability of faces and other biometric factors means that biometric information is exposed, the regulator says.
AEPD believes that biometric identification and authentication are not safer for users than other methodologies, and that systems using only biometrics for authentication are inherently insecure, by definition, as single-factor systems. Biometric systems may not always be comfortable for users, and partial reconstructions from templates that may be sufficient to fool other biometric systems are possible, the note says.
Even when biometric data is converted to a hash, it may still be possible to obtain the biometric data or reverse the process, the AEPD says, citing an article in the EURASIP Journal on Advances in Signal Processing.
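The points above about templates versus algorithms, probabilistic matching, and hashed templates can be seen in a small simulation. The following is an added example, not code from the article or from the AEPD note: the "templates" are short constructed random vectors, the enrolled user and the impostors are integer seeds rather than people, the Euclidean-distance matcher stands in for a real comparison algorithm, and the threshold values are assumptions chosen for illustration.

```python
"""Toy biometric matching: why a stored template needs a matching algorithm
with a threshold, why every decision is probabilistic, and why a cryptographic
hash of a template cannot be used for exact lookup."""
import hashlib
import math
import random

TEMPLATE_LEN = 16  # constructed: real templates carry far more features


def enrol(person_seed):
    """Constructed stand-in for one person's 'true' feature vector.
    The seed plays the role of the person; nothing here is a real biometric."""
    rng = random.Random(person_seed)
    return [rng.gauss(0.0, 1.0) for _ in range(TEMPLATE_LEN)]


def capture(true_template, noise_sd, rng):
    """One live presentation: the true features plus sensor/pose/lighting noise.
    Two captures of the same person are never bit-identical."""
    return [x + rng.gauss(0.0, noise_sd) for x in true_template]


def distance(a, b):
    """Euclidean distance between two templates (the matcher's score)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def matches(stored, probe, threshold):
    """The matching algorithm: accept when the score is within the threshold.
    The decision is a likelihood judgement, not a proof of identity."""
    return distance(stored, probe) <= threshold


def template_hash(template):
    """SHA-256 over a quantised template, the 'just store a hash' idea."""
    encoded = ",".join(f"{x:.3f}" for x in template).encode()
    return hashlib.sha256(encoded).hexdigest()


def hash_lookup_works(person_seed=100, noise_sd=0.5, seed=2):
    """Return True if a fresh capture hashes to the enrolled hash.
    In practice it never does, because the capture differs by noise, so the
    system must keep a comparable template rather than only a hash."""
    stored = enrol(person_seed)
    probe = capture(stored, noise_sd, random.Random(seed))
    return template_hash(stored) == template_hash(probe)


def error_rates(threshold, trials=2000, noise_sd=0.5, seed=1):
    """Estimate the false reject rate (genuine user turned away) and the false
    accept rate (different person let in) at one threshold. 'alice' is the
    enrolled person; every impostor is a freshly constructed random person."""
    rng = random.Random(seed)
    alice = enrol(person_seed=100)
    false_rejects = 0
    false_accepts = 0
    for i in range(trials):
        genuine = capture(alice, noise_sd, rng)
        if not matches(alice, genuine, threshold):
            false_rejects += 1
        impostor = capture(enrol(person_seed=1000 + i), noise_sd, rng)
        if matches(alice, impostor, threshold):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    print("hash lookup of a live capture succeeds:", hash_lookup_works())
    # Tightening the threshold lowers false accepts but raises false rejects;
    # no setting drives both to zero, which is the probabilistic nature the
    # regulator describes.
    for t in (1.5, 3.5, 6.5):
        frr, far = error_rates(t)
        print(f"threshold {t}: FRR={frr:.3f}  FAR={far:.3f}")
```

Running the script shows that the hashed-template lookup fails for a genuine capture, while the threshold sweep shows the trade-off a deployer actually tunes: a tight threshold rejects most genuine users, a loose one admits many impostors, and the middle setting still leaves a non-zero error rate on both sides.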
The agency says the document is intended for data protection officers and others to help them understand the complexities of biometrics.
The AEPD warned businesses that facial recognition use as part of COVID-19 screening systems is only legal under GDPR under certain conditions.