Biometrics and Privacy: How to Create that 'Peaceful Easy Feeling'

Dec. 8, 2015
While high-security use gains ground, the trust factor is still a barrier in common organizational deployment

Human beings are complex. Each person has a story and innumerable aspects and layers that come together to form a personality. As people interact with the world around them, they filter the information that they communicate about themselves to the world, allowing some things to be known, while not revealing other parts of themselves that they consider to be private.

I have a friend I’ve known since childhood. I know he likes to run, sail and fish. His favorite band is The Eagles, and his favorite dish is Spaghetti Bolognese. I even know what makes him tick and how to push his buttons. But, I only know what he has willingly shared with me over the course of our friendship.

The same can be said about his – or anyone’s – physical characteristics. Some physical traits are obvious upon seeing them – face, body shape, height, gait – while other physical characteristics require an up-close or even invasive examination. Someone’s unique iris, fingerprint, heartbeat, veins or brainwave pattern is not visible to the naked eye. So when these characteristics are used for biometric identification, people often feel that their privacy is at stake.

Undoubtedly, the question of privacy is one that continues to arise in the global conversation about biometric identification. But, we must delineate and understand the difference between biometric solutions that reveal “hidden” biometrics such as fingerprints, irises, or veins, and those that utilize “observable” biometrics, such as face, body behavior or even voice.

Observable biometrics are, well, observable. They are things that a person can notice from a distance, and then clarify as an individual comes closer. No different than a friend saying, “Hey, I thought I saw you today walking down the street,” observable biometrics is the information we expose to the public by simply being. We don’t cover our faces, and we don’t hide our style of walking or voices.

In fact, with almost any social media channel, we can find this type of information about a person. We can go to his profile, see his pictures, and view his videos. Based on someone’s specific privacy settings, most of this information is available to the public.

When applying observable biometrics to biometric identification and secure access, one might argue that storing a person’s biometric information – even their observable biometrics – compromises an individual’s privacy. While a person might store observable biometric information in his or her brain to identify several hundred people – friends, relatives, coworkers and others – no person, no matter how good his memory, will be able to remember tens of thousands of faces and names.

A computer’s biometrics system, however, can “remember” hundreds of thousands of people, and this is precisely what makes it dangerous; a person might forget a face, but a computer won’t. A computer can store innumerable biometric profiles, which consist of a person’s facial image, behavioral characteristics or other biometric data, coupled with personal information such as name, height, gender, etc. How, then, can we make use of observable biometrics in a way that does not encroach on a person’s privacy?

Physical ID Versus Biometric Profiles

First, we need to contextualize what it means to have a biometric profile comprised of observable biometrics. The way in which a biometric profile is used is very similar to how one uses a photo ID card. Any ID card with a photo, be it an employee ID, student ID, or loyalty/membership card, ties a person’s facial image to personal information such as name, address, birthday, etc. All of this information, which makes up a personal profile, is stored in a database. The difference is that a biometric database usually has more security measures in place protecting a person’s information.

When a user has an ID card that contains an image, a name, and perhaps a place of work, job title, birthday, or address, this person would certainly not want his or her ID card to fall into the wrong hands. But even with the most diligent efforts, these cards can be lost or stolen, putting the card-owner in a vulnerable position. With biometric profiles, a user only inputs his or her information to the database; it can’t fall into a stranger’s hands.

If a person tries to imitate someone else, and tries to use their card to enter a particular building or perhaps to make a purchase, the only lines of defense are minuscule: perhaps an astute security guard or cashier who thoroughly checks the ID, or maybe a password tied to the person’s account. With a biometric profile, however, a camera combined with complex identification algorithms becomes the security guard – and these are much harder to fool than a person – and the margin of error is infinitely smaller.

People understand and mostly trust physical ID cards, but in the wrong hands, a person could easily lose that peaceful, easy feeling of security. When a biometric profile is used instead, it is much easier to protect a person’s identity, as this profile cannot be lost or stolen, and encryption, hashing, and other security measures can be put in place.

I Know You Won’t Let Me Down: Building Trust and Improving Understanding

Despite the similarities between using a physical ID card and a biometric profile, many people are still skeptical of using biometrics. This comes down to an issue of trust. People often don’t trust what they don’t know. When telephones were first introduced, people were concerned that if this technology became widespread, people would stop visiting one another. In actuality, this technology connected people more than ever before. It just took time for people to trust the new technology, and accept it as part of everyday life.

In order to gain and maintain users’ loyalty and trust when trying to deploy a biometric identification solution, it is critical that companies, schools and other institutions do their utmost to secure the users’ privacy. This occurs on two levels: people must feel emotionally that they are not giving away “hidden” information, and they must understand logically that the information they provide is protected.

To fulfill the first level of protecting a user’s privacy, companies, schools, and other organizations can opt to use observable biometrics – facial recognition, behavioral analytics, and voice recognition – those identifying factors that are visible to the naked eye (or ear). Users don’t need to feel that they are giving over their whole identity, as other types of biometrics can feel more invasive. This will also help management achieve “buy-in” on biometric systems by the users...

The second level of privacy can be achieved by ensuring that databases are only utilized on an opt-in basis. In this way, people can feel in control of their own identity and how management is handling it. Further, the company, university, residence, retailer, or any other facility can communicate to its user base that all of the information they provide is further safeguarded by hashing the data; data can be encrypted using algorithms, which anonymizes the information to ensure users’ privacy.

My Eagles-loving friend might be perfectly comfortable opening himself up to friendly banter by tagging himself in embarrassing photos using Facebook’s facial recognition tools. But when it comes to using his observable biometrics for identification purposes, he’ll want to make sure his identity is secure. Ensuring that employees both feel and understand that their information is secure – even public-facing information – will give them that “Peaceful Easy Feeling” they need, and allow employers to enjoy the benefits of deploying a biometrics secure access system in their organizations.

About the Author:

Arie Melamed is a senior marketing and sales executive with over 20 years of global experience. He has a proven record of leading sales teams to outstanding business results. Before joining FST, he was Head of Global Marketing and Channel Sales at ECI Telecom, a global network infrastructure solutions provider. Prior to that, Melamed managed multiple sales units in the hi-tech industry, including Enavis Networks, Tadiran Telecom and others. Melamed holds a BSc in Applied Physics and Electro Optics from the JCT and an MBA (cum laude) from Ben Gurion University.  He is a member of his town’s educational committee, and is a board member of the German-Israeli chamber of commerce.