Ethical biometrics tools available now, education needed, Valid exec says
The technology for biometric data to be ethically and responsibly handled has raced out ahead of other areas of capability, according to Valid, creating risk in the short term, but also opportunity for rapid improvement.
Kevin Freiburger is Director of Identity Programs and Product Management at Valid, where he works on identity management and biometric matching solutions for businesses and governments across the U.S. Freiburger spoke to Biometric Update in an interview about consumer data privacy, decentralized identity, and implementing ethics in the process.
Valid’s customers mostly operate within the U.S., where not only do states have differing laws around biometric data usage, but city municipalities and county governments within a state may conflict too.
“The way we navigate that is we’ll typically have a contract with a state and if that state allows their agency to use face recognition (or some other biometric), as long as at the state level it’s allowed, we can deploy our drivers’ license solution because it’s not a city managed program, and it’s not a county managed program. So we can implement biometric matching for a state at a state level if it is legal and regulated.”
This means that any photos in the driver’s license system are stored separately from biometric matching data. If Valid’s customers do not require biometric matching, Valid will not create matching data per photo.
Many, like Yuval Noah Harari, have suggested that COVID-related biometric data storage would be safer collected and held by an independent authority, rather than combined with other government databases.
“There is a movement in the industry to go to Decentralized Identity. In other words, data won’t live in any government systems or social platforms,” Freiburger says. This approach uses cryptography in the form of public key infrastructure (PKI), which helps to establish the identity of people, devices and services, meaning individuals could be in charge of this data and share or distribute it as and when needed. PKIs have also been used in national ID schemes to support e-government services.
Technology has developed at a rapid pace over the past year, but, Freiburger explains, there would still be a mismatch between technology and capability, even had this development happened over several years.
“COVID sped up online transactions in every sense…two things are paramount, identity and authentication,” he states. “We didn’t have the education, and the improvements and the robustness that would come with authentication and authorization over that same time period. We changed the way we do things, the technology that we have to secure those things got better but there is still a long way to go. That might be where we see people take advantage (of data) because we haven’t built out the authentication and authorization that we should have over the course of 5 years.”
Interoperability is a key factor then because even in a world of decentralized identity, individuals will need to provide their data to an entity at some point, in exchange for a service. Freiburger recommends that more laws and regulations should come into play for the storing and reading of this data, should entities want to hold decentralized data in a centralized system.
“We try to make that at the forefront of a customer conversation; we want to make sure they’re thinking about it. Data sharing agreements and data collection agreements have to be very transparent to the end user.” Importantly, this means understanding what type of data is being collected and which partners may have data sharing agreements. Valid helps customers consider how these can be implemented.
When it comes to public reassurance on the usage of the collected data, “a lot of times our customers will do public outreach, so they might have a website and a media campaign” to explain how data will be protected and stored, and what it will not be used for, Freiburger says. “Almost all of our customers don’t have data sharing partnerships with the federal government,” and therefore supplement the legal language of online policies with public outreach or a legal campaign.
Data protection and ethical data use can be expensive to upkeep. Cutting potential biases out of a system, meanwhile, varies between companies, depending on different factors.
“It’s a much more nuanced conversation than just saying: there’s bias,” Freiburger explains. “With vendor A that bias could be very large and measurable, and with vendor B, almost indistinguishable. It can vary greatly. NIST is now doing testing just on the bias variability but with different vendors. Not every institution can afford the premium system, they might have to go with a lower cost system which might be coming from a vendor that has traded off security or biometric matching accuracy.”
Cloud infrastructures, leveraged by providers like Valid, can play a role in mitigating some of that cost, Freiburger says.
“A lot of the things that governments or corporations used to have to do themselves are now abstracted and done by third parties,” Freiburger says. “There are technology improvements that can lower the cost of entry for some of this to be deployed. There are still areas where the cloud isn’t going to be an option, so you still need solutions for those parts of the world, but as the world starts developing and there’s greater internet access, a lot of those costs start decreasing.”
“I think the cloud is the best option we have now versus storing on premise, but decentralized identity, that’s the better long-term approach. Some standards bodies are starting to write standards around how this might look.”
The Decentralized Identity Foundation, among others, is a proponent of this.
It is important for Valid to be versatile for customers: “We have to adapt to this new world of how these identities are being consumed, think differently and collect data differently, and issue mobile drivers’ licenses in a way that are interoperable and can be verified at retailers or pharmacies (etc.).”
Valid’s multifaceted work is paving the way for companies to take both environmental and social responsibility, according to Freiburger, and promoting a more ethical approach in identity and data management.