Understanding Biometric Data Collection in 2023
Does anyone really have completely unique traits in a world with billions of people? The answer: Yes. Your fingerprints, the shape of your optic nerves, the way you walk and talk, and even how your heart beats are all one-of-a-kind. All these traits comprise your biometric data, and when that data is gathered, it’s called “biometric data collection.”
Biometric data collection bills itself as a way to make the streets and the internet safer, but it comes with serious risks. In this article, I’ll cover what biometric signatures are, who wants your data, and why you shouldn’t hand it over.
What Is Biometric Data Collection?Biometric data collection is the act of harvesting and saving unique biological identifiers like your fingerprints, face shape and voice signature.
Is Collecting Biometric Data Legal?Yes, though several nations and U.S. states have laws against collecting biometric data without the user’s knowledge and consent. Without a law, there’s nothing preventing corporations and governments from gathering biometric data.
What are the 4 Main Types of Biometrics?Four of the most prominent types of biometrics are fingerprints, face shape, eye scans and DNA.
Why Do Companies Collect Biometric Data?Because it’s valuable. Biometric data can be used to target advertisements, or sold to other entities who want to build profiles on individuals (like law enforcement).
Types of Biometric Data Collection
Biometric data generally breaks down into two categories:
- Physical biometrics identify you via passive physical traits. Your fingerprint, the shape of your retina and your DNA are all unique biological markers.
- Behavioral biometrics identify you via the unique way you perform certain actions such as speech patterns, handwriting or gestures.
There are enough variations within those two categories to make me wish Hollywood screenwriters had half the creativity of the people trying to violate my privacy. There’s no way I could encompass them all in one article — it would be outdated by the time I posted it. Therefore, this is a necessarily incomplete list.
One more note: When I talk about the advantages and disadvantages of these traits, I’m speaking on a purely technical level. Rest assured that I’ll get into the horrifying privacy implications of all biometric data collection later on.
These biometric methods rely on a static physical trait.
- Face shape. Algorithms create a profile of a face by taking thousands of measurements and translating them to numerical codes. In theory, extreme granularity creates a system where every face is unique. Anybody who’s ever played a video game with a character creator knows how deep in the weeds it can get. (Seriously, what the hell is “eyeball depth?”)
Facial recognition is popular because it mimics the way that humans identify other humans. But it suffers from some technical problems. Any facial alteration, like a new piercing or even an especially vivid expression, can foil it.
- Eye scans. There are two main approaches here. Iris scans check the colored band around your pupil, while retinal scans check the shape of the optic nerves at the back of your eyeball. Each has its pros and cons.
Retinal scans are more accurate than iris scans — up to 70 times more accurate, according to several reports I couldn’t independently verify. But they’re far less convenient, requiring the user to put their eye up close to a scanner and hold it open for a few seconds.
Iris scans can be done quickly and used from a distance, so they’re growing faster in popularity. That said, they aren’t as accurate as retinal scans, making false positives and negatives more likely.
- Fingerprints. Fun fact: Biometric identification doesn’t require advanced technology! Taking someone’s fingerprints and checking them against a database is an old-school biometric ID and authentication method. All you need is ink, a pad and something you can compare the prints to.
Fingerprint ID has persisted into the information age. Smartphones can be keyed to the user’s fingerprints, so only one person can unlock them. This has big advantages since fingerprints truly are unique, even on identical twins.
However, it doesn’t protect systems against certain kinds of forced access. You know when a movie character knocks out a henchman and holds their finger against the scanner? That’s a real, exploitable digital security weakness.
- DNA. Everybody’s genetic makeup is subtly unique in ways that can be tested by instruments. This isn’t in wide use as a security measure, but it does demonstrate one of the few positive effects of widely accessible biometric information: the exoneration of defendants and convicted criminals.
On the other hand, while DNA is good for providing justice, it’s also a great way to discover extremely personal information about a stranger. A recent investigation showed that “recreational genetics” companies like 23andMe claim the right to share your genetic information with third parties.
These biometric methods rely on individuals performing actions in unique ways.
- Voice. Thanks to voice-controlled smartphones and home assistants, voice recognition technology is on the upswing. What’s less known: The technology can recognize not just what is being said but who is saying it.
Each person’s voice is unique. No matter how gifted an impressionist may be, they can’t copy a voice down to the molecule. Voice recognition is popular because it can be done hands-free and is generally non-invasive, but it can be a problem in places with high ambient noise.
- Signature. Handwriting can be considered another old-school method of biometric identification. However, as anyone who’s ever needed a parent’s permission for a school trip knows, it’s easy to fool.
The advent of touchscreen technology has created interest in biometric locks that measure how the signature is written. Even the best forger won’t use the exact same pressure and angle as the real person.
The big problem here is people like me who never managed to develop a consistent signature. Mine looks different every time. If Google is spying on my signatures, I’ve cleverly fooled it into thinking I’m at least eight different people.
- Keystrokes. Similar to the signature method, anybody can type in a password, but no two people will type exactly the same way. Biometric keyboards can measure how a password gets entered, ensuring that stealing your password isn’t enough to crack your devices.
The downside: This only works on physical keyboards. A hacker with your credentials can still access your system remotely.
- Heartbeat. Every person’s heartbeat forms a unique fingerprint. This can be used to continuously authenticate internet-capable devices, shutting them down whenever they’re too far from their linked heartbeat signature. It can also be used in “customer service environments,” which isn’t terrifying in the slightest.
Biometric Identification vs Biometric Authentication
Before we go any further, it would be a good idea to untangle a common point of confusion in biometrics: the difference between identification and authentication.
The field of biometrics exists to solve two separate but related problems. Authentication means verifying that a person is who they claim to be. Identification means assigning a name and data to an unknown person.
In other words, authentication is one-to-one (1:1), while identification is one-to-many (1:N). Identification requires an existing database to check unknowns against. The FBI’s national fingerprint database is a good example.
Authentication is the principal concern of biometric security features. The goal of biometric locks on doors and devices is to prevent anybody without credentials from accessing the system. The lock has a list of the biometric signatures of authorized personnel, so if you match one of those, you’re in.
Identification is the domain of the more sinister uses of biometric data collection. It does have benign uses, mostly in criminal justice — fingerprinting and DNA evidence aren’t perfect, but they’re far more reliable than eyewitness testimony. However, it’s also frequently co-opted to violate the anonymity of everyday people.
Innocent authentications can also bleed into invasive identifications. A system that locks your door based on a heartbeat scan sounds cool, but it can share your unique biometric data with people who won’t respect your privacy.
Who Collects Biometric Data?
Now that we’re talking about biometric data being traded as a commodity, let’s go over who actually collects and uses it.
Just to head off a common talking point: Yes, people have technically been collecting “biometric data” on each other for millions of years. Yes, a baby recognizing their mother is technically a form of facial recognition. No, this does not justify harvesting people’s personal photos so you can sell them ads. Let’s move on.
Some companies present biometrics as their key product. Some of them are security companies, which argue that usernames and passwords are obsolete and that biometrics represent an “unhackable” alternative. They won’t generally mention that it’s just as easy to steal fingerprints as passwords.
Suprema, the company whose biometric database got hacked in the linked article, is one of the fastest-growing examples, with customers that include private companies, universities, banks, law enforcement agencies and governments.
Other companies gather significant amounts of biometric data as their product but don’t necessarily use it for identification or authentication. These include health and exercise companies that monitor users’ vital signs, recreational DNA companies and even goofy Face Swap apps.
If these companies do anything shady with your DNA, vitals, or face shape, they often bury the rights to your biometric data deep in their privacy policies.
Biometric data collection is increasingly prominent as a feature of companies where it’s not the primary product.
While collecting biometric data on their customers, companies also find time to gather invasive info on their employees. Amazon is currently facing a lawsuit alleging that it collected medical data on employees without their consent to check them for Covid-19.
Local and national police forces have been collecting fingerprints for decades, but as every cop movie shows us, you usually need to be charged with a crime before taking those particular biometrics.
However, a 2016 ProPublica report broke the news that police forces across America had been demanding DNA swabs from people who weren’t suspects. Technically, most people consented, but only because the cops never told them they had the right to decline.
It gets worse (when does it not?). Not only can your data end up in a law enforcement database without your consent, but you may not even know if it’s happened.
Clearview AI, a company possibly run by James Bond villains without the sense of style, scrapes facial recognition data from across the internet, collates it, and makes it available to police access. If you’ve posted a selfie to any public website ever, you could be in there.
If biometric data can get to cops, it can also get to governments. The U.S. Department of Homeland Security (DHS) is a major customer for biometric ID systems, which it mainly uses to screen people entering the country. ICE and the Border Patrol aren’t exactly respected champions of human rights, so there’s reason to worry.
The Best & Worst Countries for Biometric Data Protection
Not all governments are approaching biometric data collection as a sexy new way to violate their citizens’ privacy rights. Some are putting the people first. Comparitech runs a regularly updated study of the best and worst countries for protecting citizens’ biometric data.
The Best Countries for Biometric Data Protection
Turkmenistan has no national biometric database, no facial recognition cameras pointed at the public, and laws that make biometric data a protected category.
Ethiopia also doesn’t use biometrics for law enforcement. Both Ethiopia and Turkmenistan score high mainly because of what they don’t do; Ethiopia comes in second because it has no explicit privacy law.
Azerbaijan and Bahrain tie for third. Azerbaijan is stuck at bronze due to a DHS-like biometric visa system, while Bahrain uses facial recognition software on public cameras. However, both nations do have laws protecting the biometric data of citizens.
The Worst Countries for Biometric Data Protection
China’s enormous national biometric database now includes citizen DNA records that’s being used for everything from detaining Uyghurs to learning about “children born outside of socially sanctioned norms.”
Costa Rica is one of the most progressive countries in the Western hemisphere, but it has been developing two nationwide databases and has no law protecting citizens’ data.
Iran’s police force extensively uses facial recognition software.
Biometric Data Privacy Concerns
Proponents of biometric data collection like to talk as though it’s no big deal. They’ll say it’s just a computer recognizing a person’s face or gait like humans do every day. They’ll describe how biometric recognition software can make society safer and more convenient.
It’s hard for these arguments not to sound disingenuous when biometric recognition systems face massive resistance every time someone tries to implement them. Those people aren’t just Luddites who can’t handle the future — their concerns are legitimate. Why is biometric data collection such a disaster for safety?
Biometric Technologies Are Unregulated
We learned in the last section that many countries have no laws whatsoever about how corporations and the government can treat your biometric data. Here in the U.S., we have no federal privacy law, leading to a convoluted patchwork of states that do and don’t protect your biometric privacy rights.
That’s important because if you don’t explicitly outlaw corporations from violating individual privacy, they’ll do whatever they can get away with. For example, those non-consensual Covid-19 tests that were administered to Amazon warehouse employees.
We can all agree stopping Covid-19 is a good thing, but here’s the problem: Most employee health records aren’t protected by HIPAA. Employers can grab personal health data from you and then do whatever they want with it.
Of course, not everyone who gets their hands on your biometric data will do evil things with it. Yet the more data gets shared, the more likely it is to reach someone who’ll put profits or power ahead of privacy. If we want our data protected, we need data protection laws.
Biometric Databases Are Not Secure
As Leif-Nissen Lundbaek points out in a TechCrunch editorial, biometric data can be collected for good reasons and still used for evil.
Picture this: A company just wants to help the world and gathers a database of DNA — then Google or Amazon buys that company, and now that data is owned by people who don’t give a hoot about privacy or consent. That’s not even getting into the risk of hackers stealing and exploiting reams of biometric data.
Sensitive Data Can Be Obtained Without Consent
As I type this, a corrupt government official has a smorgasbord of options to stalk and harass a private citizen without that citizen signing any rights away.
Activists have been sounding the alarm about police surveilling protests and gathering biometric data they can then use to harass protestors later on. That’s just one example of how easy it is to get biometric data on someone without getting their permission first, like Clearview AI stalking your Facebook or Amazon performing unsanctioned medical tests on its workers.
Facial Recognition Technology Is Racist
As if all that weren’t enough, biometric recognition algorithms reflect human biases — AI is trained by humans — making facial scans much worse at correctly identifying women and black people.
In a world where a famous black film director can be mistaken for a criminal, how hard is it to imagine a facial recognition system confusing one black man for another with tragic results?
I’m not out to cause mass panic here, but you should know how valuable your data is. If you don’t protect it, people will queue to take advantage of it.
I don’t mean to blame the victims. The fault is absolutely with the powerful and privileged — but they’re not going to rectify their own mistakes. In the absence of legislative action, we have to arm ourselves with information and action.
What you can do is put as little biometric data out into the world as possible. Demand that your city follow the lead of Portland, Oregon, by banning facial recognition software in public. Protest and call your legislators.
It works: Public outcry has led to fines, legal judgments and even regulations against those who would misuse biometric data.
How do you feel about the use of biometrics? Have you ever confirmed your biometric data was used without your consent? Do you think your state needs more privacy laws and the country needs privacy legislation? Tell me about it in the comments. Thanks for reading.
Leave a Reply