Within the physical security industry, biometrics systems – those that can use an individual’s unique fingerprint, iris, face, vein structure, etc., to verify a person’s identity – have historically been viewed as a technology that would one day revolutionize the market. After all, the potential use cases for these solutions are vast.
Imagine being able to walk into an office or apartment building without the need to scan a credential or enter a PIN or track the movements of a criminal suspect within a facility by capturing an image of their face. But just as technological advances have made widespread adoption of biometrics more feasible, the use of these solutions has come under fire.
Facial recognition, in particular, has drawn the ire of privacy advocates and lawmakers alike in recent months. In May, San Francisco became the first city in the nation to ban the use of facial recognition systems by government agencies and just last week, city council members in Somerville, Mass., also passed an ordinance prohibiting the use of the technology in their city. City leaders in Oakland, Calif., are also set to vote on a facial recognition ban later this month.
In addition to concerns about how law enforcement and other government entities are using facial recognition, some have also taken issue with biometrics being used in private settings. Residents of a New York high-rise recently came out in opposition to a plan by their landlord to install a biometric security system in the building.
Biometrics and the Law
While there has been increased debates over the use of facial recognition and other biometric solutions recently, according to Karla Grossenbacher, an attorney with the law firm of Seyfarth Shaw LLP who heads up the firm’s Biometrics Privacy Compliance & Litigation Group, laws governing how these technologies can be used has changed very little over the past few years. However, rising public awareness about the existence of these technologies and their proliferation has resulted in an increased level of scrutiny. For example, Illinois passed its Biometric Information Privacy Act (BIPA) more than a decade ago but litigation under the law, which places requirements on how private entities can collect and use a person’s biometric data, had been scant until recently.
“What’s changed is that, all of a sudden, people are aware of them and particularly the Illinois law because at some point in 2016 and 2017 someone woke up, realized this law was here and started filing lawsuits,” she says. “Right now, pretty much every state is looking at some form of biometric privacy legislation and I would expect at some point later this year we’re going to see some more come through.”
Earlier this year, the Illinois Supreme Court issued a ruling in a landmark case, Rosenbach v. Six Flags Entertainment Corp., in which they found that someone doesn’t need to sustain actual damages beyond technical violations of BIPA in order to pursue a claim under the law. The lawsuit was brought by the mother of a 14-year-old boy who alleged that the amusement park scanned and stored her son’s fingerprint without parental consent.
Employers Largely Exempt
Though there has been a furor over how law enforcement and other government entities might be misusing facial recognition, Grossenbacher doesn’t believe that those same concerns will bleed over into the private sector, which uses biometrics as more of a business enabler.
“Most employers aren’t scanning around trying to find faces in the workplace. When they use biometrics it is to enable a specific user to do a task that they need to do or want to do like punch into a timeclock, accept a package, get into a secure area, etc.,” she explains.
In fact, as more states look into implementing biometric privacy laws, Grossenbacher expects to see exceptions made for employers who leverage biometrics for access control and various other applications in their organizations.
“There’s currently an amendment in bill form in Illinois that would exempt biometric use in the employment setting altogether from the coverage of the law (BIPA). I think people are realizing that the way biometrics is used in the workplace is a little different and little less scary than it is in the public context for people,” she says.
To avoid running afoul of the law or creating an atmosphere where employees are hesitant to use a biometric solution in the workplace, Grossenbacher says that implementing sound information security policies and procedures is always a good place to start when it comes to balancing security and privacy.
“I don’t think most people mind using biometrics to access certain things at work as long as it is being done in a secure manner. For me, the biggest thing in the workplace is to make sure you’re protecting the information because that is the only reason an employee would typically object to the use of biometrics in the workplace is if they think you’re not going to protect the information, store it properly and protect it from disclosure.”
CBP Breach Raises Concerns
However, protecting biometric data from falling into the wrong hands is a challenge within itself as evidenced by a recent data breach that exposed traveler photos and license plates collected by U.S. Customs and Border Protection. According to published reports, hackers gained access to the data via a cyber-attack against a third-party vendor, which was reportedly using the data to match faces with license plates.
In the wake of the breach, U.S. Sen. Edward Markey (D-Mass.) called on DHS to stop using facial recognition technology until it can implement policies to better safeguard its data.
“This data breach raises serious concerns about the Department of Homeland Security’s ability to effectively safeguard the sensitive information it is collecting,” Markey said in a statement. “It only underscores the urgent need for the Department of Homeland Security to pause its deployment of facial recognition technology until it has instituted enforceable rules prioritizing cybersecurity and protecting travelers’ privacy. Malicious actors’ thirst for information about U.S. identities is unquenchable, and DHS must keep pace with emerging threats. It should start with formalizing guidelines for exactly who has access to the data DHS collects, how long this data will be maintained, how that information will be safeguarded, and how we can say no to this collection in the first place.”
Dan Tuchler, CMO at data security firm SecurityFirst, says that the breach raises serious concerns about the dangers posed by biometric data being compromised by hackers and how it could manipulated for nefarious purposes in the future.
“With the theft of photos of people entering or exiting the country, will hackers use these photos in combination with other data to create problems for citizens and travelers?,” Tuchler asks. “Once again it is a partner that was hacked. Every responsible organization needs to be vigilant and ensure that their partners are securing vital data.”
Paul Bischoff, Privacy Advocate with Comparitech.com, says the CBP breach is likely the beginning of more privacy issues being brought the forefront when it comes to the deployment of biometrics.
"The breach of the CBP's photo database shows just how easily facial recognition technology can get out of hand when mistakes are made. I think we're on the cusp of major privacy issues regarding this fast-growing field of technology, and this breach is just the start,” he says. “When the government takes and stores photos of people not suspected of any wrongdoing without their consent, and then loses those photos to criminals or nation-state actors, it has ramifications for all of us. Through a combination of search algorithms and facial recognition, we are getting to a point where we can instantly identify many people with nothing but a photograph. When those photographs are combined with other information, such as a license plate number, it enables harassment, stalking, intimidation, and other crimes."
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at email@example.com.