Opinion: Vendors must disclose responsible uses of biometric data

How should biometric vendors treat the biometric data they collect? John E. Bredehoft looks at the organizations that control and process biometric data, the rights that people have over their data, and key issues that biometric vendors must address regarding responsible data use.

Every day people provide biometric data — fingerprints, palm prints, faces, irises, voices, DNA, or other biometric modalities — to a myriad of organizations. These may be government agencies such as border crossing agencies, driver licensing agencies, or police departments. Or they may be private organizations such as banks, hospitals, and sports stadiums.

Biometric providers assist these organizations with collection, matching, and storage of biometric data.

Usually, the government agency or private organization acts as the “controller” or owner of the biometric data, while the biometric vendor is just the “processor” of the data.

But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.

Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.

Concerns about acquiring biometric data

Of course, any use of biometric data or other personal data raises privacy concerns.

  • Why is the entity collecting the data?
  • How will they use the data?
  • What will they do with the data?
  • Who will have access to the data?

Authorities, ranging in size from the European Union to local cities, have implemented regulations regarding the use of biometric data. These not only define the roles of a controller and processor but also grant rights to people when organizations collect their personal information, including biometric information.

For example, in the state of California, biometric information is classified as “sensitive personal information” under the provisions of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The CCPA, CPRA, and similar legislation such as Europe’s General Data Protection Regulation (GDPR) provide people with rights over their personal data, including:

  • The right to know, including what personal information a business collects, how the business uses the information, and if and how the business shares the information.
  • The right to delete (in some instances) personal information from a business’ databases.
  • The right to opt out of the sharing or selling of personal information by a business.

A key part of these laws and regulations is the idea of consent.

  • Every organization verifying your identity, such as a bank, should ask for your explicit consent to use the personal information for the purposes of identity verification and authentication.
  • An optional second question may ask for your explicit consent to allow the biometric vendor to use your personal information for algorithmic training purposes.

Some government agencies, private organizations, and biometric vendors have well-established procedures for acquiring the necessary consents.

Others? Well…

How should biometric vendors act?

To ensure responsible biometric data use, vendors should:

  • Exercise transparency. Remember that some people are convinced that every piece of data collected by every biometric vendor is fed into a super-secret worldwide surveillance supercomputer maintained by shadowy forces. If you don’t educate your customers and their users on the truth—how data is shared, and how data is not shared—they will believe the lies.
  • Collect only the minimum necessary personal information. If you don’t need certain data, don’t collect it. If it’s never collected, fraudster hackers can never steal it.
  • Store only the minimum necessary personal information. If you don’t need to keep certain data, don’t store it. I’m sure our decentralized identity friends will agree with this.
  • Comply with all privacy laws and regulations. This should be a given, but sometimes vendors are lax in this area. If your firm violates the law, and you are caught, you will literally pay the price.
  • Disclose the specific uses for all biometric data you control and/or collect. The law often requires this anyway, but even if it doesn’t, educate your customers and their users regarding why you collect what you do.
  • Employ comprehensive security measures. Ensure protection for the data on your systems, your customer systems, and the systems integrated with those systems. Employ third-party risk management (TPRM) to minimize the risk when biometric data is stored with cloud providers, application partners, and companies in the supply chain.
  • Consider the ethical ramifications. Sometimes we as an industry are so intent on getting things done that we don’t pause to consider the ramifications of our actions. Those companies that address the ethical ramifications of biometrics, artificial intelligence, machine learning, and other technologies are well-positioned for future challenges.

If a biometric vendor emphasizes these approaches, this will reassure customers and their users about the responsible use of their data. This can be a powerful differentiator against competitors who merely speak of “trust” but don’t provide concrete reasons to trust them.

If a biometric vendor is cavalier with personal information, that vendor could get into trouble. Recall the 2019 incident in which a U.S. Customs and Border Protection (CBP) subcontractor stored biometric data on its own servers without authorization, and was subsequently hacked. CBP suspended the subcontract, and the subcontractor received significant adverse publicity. Do not let this happen to your business.

About the author

John E. Bredehoft has worked in the biometric industry for over 30 years, including marketing and other positions at Incode, IDEMIA, MorphoTrak, Motorola, and Printrak. He currently provides marketing and writing consulting services (content, proposal, analysis) via bredemarket.com.
