Biometrics adoption for identity fraud protection depends on regulatory balance

Biometrics use at borders, in age assurance and law enforcement run quickly into concerns around data privacy and proportionate use, as seen in many of the week’s top stories on Biometric Update. Identity fraud attacks of varying levels of sophistication are putting pressure on businesses to strengthen their protection and onboarding processes, and while cross-border digital ID use could help, it must clear several hurdles to become a practical option. Naturally, some of those barriers are posed by the regulations put in place to prevent harms that would close off public adoption.

Border barriers

Aviation industry bodies including IATA have requested the European Commission confirm the rules allowing countries to suspend the beginning of their EES border biometrics operations until the end of the year. EU institutions are disconnected from reality, they say, which is that passengers are already experiencing delays.

The latest draft of an EU-U.S. data sharing agreement in negotiation would give DHS access to biometrics, but also information on political opinions, union membership and sexual preferences. It does not include a prohibition on algorithmic decision-making, or make clarify how such data-sharing might align with DHS use of Clearview AI, which faces fines and criminal complaints in Europe.

An OfDIA survey suggests digital ID providers want the UK government to help enable cross-border interoperability by helping to remove regulatory barriers and solve technical challenges. Mutual recognition deals and harmonized alignment around ISO and W3C standards are high on the industry wish-list.

National ID model choices

The ADVP has reminded the government it has some rules already set for digital identity by the Data Act and the DIATF to play by as it prepares to launch its public consultation. Specifically, the former mandates a market of choices, and the latter has a role set by legislation in regulating it.

Pakistan’s government has approved QR codes as an identity verification tool, paving the way for their inclusion on ID cards, possibly with fingerprint and iris biometrics embedded. The changes also close a loop-hole that had allowed suspended IDs to be used in digital systems. The country also introduced a temporary facility enabling citizens to obtain CNICs without presenting a computerized birth certificate. The initiative is aimed at closing gaps in national identity coverage. Meanwhile NADRA wrapped up a Bug Bounty Challenge that proactively identified potential vulnerabilities in its system.

Age of online discord

Persona has launched a public relations campaign after an exodus of Discord users drew in the facial age estimation provider, without even adding to its count of customers in production. The suddenly-attentive noticed a controversial investor and code on a “U.S. government authorized server.” The company denied working with ICE and explained how it protects privacy.

Apple has updated its parental-declaration age assurance API to help ensure app store-level compliance with regulations in Brazil, Australia, Singapore, Utah and Louisiana. Downloading adult-rated apps from the App Store in Brazil, Singapore and Australia now requires age verification.

An article on Lawfare makes the case that age checks at the level of the app-store or operating system, if they must be used at all, on grounds that is the most effective, privacy-preserving and scalable place in the stack for them. This approach is easier for compliance monitoring and enforcement and for control by parents, Soham Mehta of the Foundation for American Innovation argues.

Two faces of identity fraud

An analysis from Github shows how North Korean hackers have used stolen and synthetic identities to infiltrate overseas business and evade sanctions, turning fake IDs and AI tools into a lucrative fraud channel. Pindrop, which published its own analysis of the threat last year, explains how deepfake detection works in consort with hiring telemetry to spot imposters.

It was less-sophisticated fraud that bilked FanDuel and other gambling platforms out of $3 million dollars. Jumio’s Reinhard Hochrieser tells Biometric Update that the attack shows the value of biometrics and liveness detection, but also further layers of protection including identity networks.

Rules for police

UK Biometrics and Surveillance Camera Commissioner William Webster responded to the Home Office consultation on police use of biometrics by urging clear definitions among any framework’s core principles. And the proposed new regulator formed by merging the Forensic Science and BSCC roles will need additional powers, he argues.

Eyes up next

An RFI from the FBI’s CJIS division asks for information from the industry about the maturity of NIR iris biometrics and the technical capability available. Integration with current infrastructure is required. The FBI’s NGI Iris Service had 2.5 million identities two and a half years ago, according to Iris ID.

A DCSA spokesperson told Biometric Update it is exploring eye-movement deception detector for potential future use, in line with the Pentagon’s goal of modernizing vetting. The NCCA-led research began with effectiveness comparisons to polygraphs.

Please let us know in the comments below of through social media if you spot any podcasts, videos or other content we should share with the people in biometrics and the digital identity community.

Article Topics

biometrics  |  data privacy  |  digital ID  |  digital identity  |  week in review