Biometric Data Collection

Understanding Biometric Data Collection in 2024

sam chapman headshot
Last update: August 30, 2024

Biometric data includes unique identifiers like your fingerprints, face shape and DNA. Corporations want it for advertising, and governments for warrantless law enforcement. You can fight data harvesting by using a VPN like ExpressVPN — try it for free with a 30-day money-back guarantee.

Does anyone really have completely unique traits in a world with billions of people? The answer: Yes. Your fingerprints, the shape of your optic nerves, the way you walk and talk, and even how your heart beats are all one-of-a-kind. All these traits comprise your biometric data, and when that data is gathered, it’s called “biometric data collection.”

  1. Best to prevent data collection
    Overall Rating 9.5 / 10
    Get 49% Off ExpressVPN
  2. Overall Rating 9.2 / 10
    Visit NordVPN
  3. Overall Rating 8.9 / 10
    Visit Surfshark

Biometric data collection bills itself as a way to make the streets and the internet safer, but it comes with serious risks. In this article, I’ll cover what biometric signatures are, who wants your data, and why you shouldn’t hand it over.

  • What Is Biometric Data Collection?

    Biometric data collection is the act of harvesting and saving unique biological identifiers like your fingerprints, face shape and voice signature.
  • Is Collecting Biometric Data Legal?

    Yes, though several nations and U.S. states have laws against collecting biometric data without the user’s knowledge and consent. Without a law, there’s nothing preventing corporations and governments from gathering biometric data.
  • What are the 4 Main Types of Biometrics?

    Four of the most prominent types of biometrics are fingerprints, face shape, eye scans and DNA.
  • Why Do Companies Collect Biometric Data?

    Because it’s valuable. Biometric data can be used to target advertisements, or sold to other entities who want to build profiles on individuals (like law enforcement).

Types of Biometric Data Collection

Biometric data generally breaks down into two categories:

There are enough variations within those two categories to make me wish Hollywood screenwriters had half the creativity of the people trying to violate my privacy. There’s no way I could encompass them all in one article — it would be outdated by the time I posted it. Therefore, this is a necessarily incomplete list.

One more note: When I talk about the advantages and disadvantages of these traits, I’m speaking on a purely technical level. Rest assured that I’ll get into the horrifying privacy implications of all biometric data collection later on.

Physical Biometrics

These biometric methods rely on a static physical trait.

Behavioral Biometrics

These biometric methods rely on individuals performing actions in unique ways.


Biometric Identification vs Biometric Authentication

Before we go any further, it would be a good idea to untangle a common point of confusion in biometrics: the difference between identification and authentication.

The field of biometrics exists to solve two separate but related problems. Authentication means verifying that a person is who they claim to be. Identification means assigning a name and data to an unknown person.

In other words, authentication is one-to-one (1:1), while identification is one-to-many (1:N). Identification requires an existing database to check unknowns against. The FBI’s national fingerprint database is a good example.

Authentication is the principal concern of biometric security features. The goal of biometric locks on doors and devices is to prevent anybody without credentials from accessing the system. The lock has a list of the biometric signatures of authorized personnel, so if you match one of those, you’re in.

Identification is the domain of the more sinister uses of biometric data collection. It does have benign uses, mostly in criminal justice — fingerprinting and DNA evidence aren’t perfect, but they’re far more reliable than eyewitness testimony. However, it’s also frequently co-opted to violate the anonymity of everyday people.

Innocent authentications can also bleed into invasive identifications. A system that locks your door based on a heartbeat scan sounds cool, but it can share your unique biometric data with people who won’t respect your privacy.


Who Collects Biometric Data?

Now that we’re talking about biometric data being traded as a commodity, let’s go over who actually collects and uses it.

Individuals

Just to head off a common talking point: Yes, people have technically been collecting “biometric data” on each other for millions of years. Yes, a baby recognizing their mother is technically a form of facial recognition. No, this does not justify harvesting people’s personal photos so you can sell them ads. Let’s move on.

Security Companies

Some companies present biometrics as their key product. Some of them are security companies, which argue that usernames and passwords are obsolete and that biometrics represent an “unhackable” alternative. They won’t generally mention that it’s just as easy to steal fingerprints as passwords.

Suprema, the company whose biometric database got hacked in the linked article, is one of the fastest-growing examples, with customers that include private companies, universities, banks, law enforcement agencies and governments.

Data-Gathering Companies

Other companies gather significant amounts of biometric data as their product but don’t necessarily use it for identification or authentication. These include health and exercise companies that monitor users’ vital signs, recreational DNA companies and even goofy Face Swap apps.

If these companies do anything shady with your DNA, vitals, or face shape, they often bury the rights to your biometric data deep in their privacy policies.

Other Companies

Biometric data extraction is increasingly prominent as a feature of companies where it’s not the primary product.

TikTok, never a privacy champion at the best of times, caught flack in 2021 for altering its privacy policy, so it could collect users’ face and voice prints (for reasons that are still unclear). Facebook lost a $650 million lawsuit when a judge found its facial tagging feature violated a tough Illinois law against storing biometric data without its owner’s consent.

While collecting biometric data on their customers, companies also find time to gather invasive info on their employees. Amazon is currently facing a lawsuit alleging that it collected medical data on employees without their consent to check them for Covid-19.

Police

Local and national police forces have been collecting fingerprints for decades, but as every cop movie shows us, you usually need to be charged with a crime before taking those particular biometrics.

However, a 2016 ProPublica report broke the news that police forces across America had been demanding DNA swabs from people who weren’t suspects. Technically, most people consented, but only because the cops never told them they had the right to decline.

It gets worse (when does it not?). Not only can your data end up in a law enforcement database without your consent, but you may not even know if it’s happened.

Clearview AI, a company possibly run by James Bond villains without the sense of style, scrapes facial recognition data from across the internet, collates it, and makes it available to police access. If you’ve posted a selfie to any public website ever, you could be in there.

Governments

If biometric data can get to cops, it can also get to governments. The U.S. Department of Homeland Security (DHS) is a major customer for biometric ID systems, which it mainly uses to screen people entering the country. ICE and the Border Patrol aren’t exactly respected champions of human rights, so there’s reason to worry.


The Best & Worst Countries for Biometric Data Protection

Not all governments are approaching biometric data collection as a sexy new way to violate their citizens’ privacy rights. Some are putting the people first. Comparitech runs a regularly updated study of the best and worst countries for protecting citizens’ biometric data.

The Best Countries for Biometric Data Protection

Turkmenistan has no national biometric database, no facial recognition cameras pointed at the public, and laws that make biometric data a protected category.

Ethiopia also doesn’t use biometrics for law enforcement. Both Ethiopia and Turkmenistan score high mainly because of what they don’t do; Ethiopia comes in second because it has no explicit privacy law.

Azerbaijan and Bahrain tie for third. Azerbaijan is stuck at bronze due to a DHS-like biometric visa system, while Bahrain uses facial recognition software on public cameras. However, both nations do have laws protecting the biometric data of citizens.

The Worst Countries for Biometric Data Protection

China’s enormous national biometric database now includes citizen DNA records that’s being used for everything from detaining Uyghurs to learning about “children born outside of socially sanctioned norms.” 

Costa Rica is one of the most progressive countries in the Western hemisphere, but it has been developing two nationwide databases and has no law protecting citizens’ data.

Iran’s police force extensively uses facial recognition software.


Biometric Data Privacy Concerns

Proponents of biometric data collection like to talk as though it’s no big deal. They’ll say it’s just a computer recognizing a person’s face or gait like humans do every day. They’ll describe how biometric recognition software can make society safer and more convenient.

It’s hard for these arguments not to sound disingenuous when biometric recognition systems face massive resistance every time someone tries to implement them. Those people aren’t just Luddites who can’t handle the future — their concerns are legitimate. Why is biometric data collection such a disaster for safety?

Biometric Technologies Are Unregulated

We learned in the last section that many countries have no laws whatsoever about how corporations and the government can treat your biometric data. Here in the U.S., we have no federal privacy law, leading to a convoluted patchwork of states that do and don’t protect your biometric privacy rights.

That’s important because if you don’t explicitly outlaw corporations from violating individual privacy, they’ll do whatever they can get away with. For example, those non-consensual Covid-19 tests that were administered to Amazon warehouse employees.

We can all agree stopping Covid-19 is a good thing, but here’s the problem: Most employee health records aren’t protected by HIPAA. Employers can grab personal health data from you and then do whatever they want with it.

Of course, not everyone who gets their hands on your biometric data will do evil things with it. Yet the more data gets shared, the more likely it is to reach someone who’ll put profits or power ahead of privacy. If we want our data protected, we need data protection laws.

Biometric Databases Are Not Secure

As Leif-Nissen Lundbaek points out in a TechCrunch editorial, biometric data can be collected for good reasons and still used for evil.

Picture this: A company just wants to help the world and gathers a database of DNA — then Google or Amazon buys that company, and now that data is owned by people who don’t give a hoot about privacy or consent. That’s not even getting into the risk of hackers stealing and exploiting reams of biometric data.

As I type this, a corrupt government official has a smorgasbord of options to stalk and harass a private citizen without that citizen signing any rights away.

Activists have been sounding the alarm about police surveilling protests and gathering biometric data they can then use to harass protestors later on. That’s just one example of how easy it is to get biometric data on someone without getting their permission first, like Clearview AI stalking your Facebook or Amazon performing unsanctioned medical tests on its workers.

Facial Recognition Technology Is Racist

As if all that weren’t enough, biometric recognition algorithms reflect human biases — AI is trained by humans — making facial scans much worse at correctly identifying women and black people. 

In a world where a famous black film director can be mistaken for a criminal, how hard is it to imagine a facial recognition system confusing one black man for another with tragic results?


Conclusion

I’m not out to cause mass panic here, but you should know how valuable your data is. If you don’t protect it, people will queue to take advantage of it.

I don’t mean to blame the victims. The fault is absolutely with the powerful and privileged — but they’re not going to rectify their own mistakes. In the absence of legislative action, we have to arm ourselves with information and action.

What you can do is put as little biometric data out into the world as possible. Demand that your city follow the lead of Portland, Oregon, by banning facial recognition software in public. Protest and call your legislators. 

It works: Public outcry has led to fines, legal judgments and even regulations against those who would misuse biometric data.

How do you feel about the use of biometrics? Have you ever confirmed your biometric data was used without your consent? Do you think your state needs more privacy laws and the country needs privacy legislation? Tell me about it in the comments. Thanks for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *