Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

10/2/2020
05:05 PM

Biometric Data Collection Demands Scrutiny of Privacy Law

An IT lawyer digs into the implications of collecting biometric data, why it can't be anonymized, and what nations are doing about it.

Security is growing more reliant on our biometric data for authentication and national security purposes. Consumers are willing to hand over their facial scans, fingerprints, and other pieces of immutable data without understanding the potential consequences or privacy legislation.

Privacy has come under a harsh spotlight in recent years. Consider FaceApp, the photo special effects app that made headlines last summer when accused of uploading users' images to the cloud and transferring them to Russia. While evidence didn't support the claim, it was enough for many people to become concerned with how organizations are using their personal data.


"One of the things that has been so great about technology is not only the convenience, but we've really started to look at privacy, and privacy is coming to the forefront," said Melissa Wingard, special counsel at law firm Phillips Ormonde Fitzpatrick, in a virtual Black Hat Asia talk.

Modern society was transitioning to touchless technology and contactless pathways before the coronavirus pandemic. Now, COVID-19 has increased the need to navigate day-to-day life with less contact. We're looking for new ways to access our offices without touching elevators, she noted, and pay for things without swiping credit cards.

Wingard, who specializes in IT, cybersecurity, and privacy, explained that biometric data falls into two buckets. There is physiological data, made up of biological and morphological (external, or appearance-related) data, and there is behavioral data, which is also considered biometric data. Several repeatable traits can be used to identify an individual: DNA, smell, the shape of your ear — "apparently that's unique to us" — gait, and keystroke dynamics.

"I think we need to think more than just fingerprints [and] facial recognition, although they're obviously the key ones," she said. As both the public and private sectors adopt biometric authentication, the law needs to keep up, and people must weigh the trade-offs of sharing their data. Government's use of technology is outpacing the legislation meant to protect individuals' information.

Biometrics for the purpose of authentication demands scrutiny. You can change your password if it's exposed, but what happens if you're using your face or fingerprint to prove who you are?

Our biometrics are "inherently identifiable," Wingard said, and while there are some privacy laws that mandate biometric data be treated as sensitive data, not all laws are at this stage. She also questioned the ability of government and businesses to fully anonymize biometric data.

People rely on legislation to provide them with rights and a framework within which to operate. Without laws to defend the privacy of our data, we're left to take personal legal action if we feel our data is being misused; most people don't have the time, money, or often the inclination to go through that process, she pointed out.

This is a global issue because every nation handles privacy laws differently and each has its own issues and gaps. Many privacy laws, for example, heavily rely on anonymization. Once personal information is anonymized, businesses are free to handle that data as they wish.

Privacy Laws in APAC
Speaking to her virtual audience of Black Hat Asia attendees, Wingard provided a high-level view of different nations' privacy laws throughout the region. The European Union's General Data Protection Regulation (GDPR) has gotten a lot of press; however, it's far from the only one.

She started with Singapore, which has a few pieces of legislation. The Personal Data Protection Act (PDPA, 2012) covers how organizations can collect, use, store, and disclose personal data. It sets out what is required for consent and how long organizations can retain data once it is no longer needed. The PDPA acknowledges that biometric data is personal data and specifically calls out facial recognition and DNA. People can request that an organization change their data, but not delete it. "The right to be forgotten," as it's described in the GDPR, is often what people are looking for, she noted.

Singapore has different rules for the public and private sectors. Its Public Sector (Governance) Act of 2018 mandates that public agencies comply with the Prime Minister's directions on data protection. The Prime Minister hands down rules; it's up to public agencies to implement them. If a public sector agency is found to have breached its obligations to protect personal and biometric data, it's not the agency that gets in trouble — it's the official who is personally liable for the breach of privacy.

While unsure how this applies in practice, Wingard noted that personal liability could have the effect of officials managing information more closely than they would if no one were personally responsible.

Steps You Can Take
Rather than relying on organizations to safeguard our data, or on governments to regulate its use, Wingard encouraged listeners to think closely about how they give away biometric data. Think about who is collecting it. What will they use it for? What could they use it for?

She advised reading the privacy policy in this way: "You don't even need to read all of it; just read the section that talks about 'we're collecting your information for whatever the purpose.'" This will reveal how an organization will use the data and who it will disclose that information to; depending on the nature of the information, it may say it won't disclose to anyone outside the organization.

This can help you decide whether you're comfortable sharing information with a particular entity and decide whether the services you're getting in return are worthwhile, she explained.

Wingard also suggested taking a close look at government officials' approach to privacy. What are your elected representatives doing? Do they have thoughts on privacy? Do their views align with yours? While there is no immediate gratification in the democratic process, officials who support privacy rights can eventually shift the balance toward users in the long run, she said.

"We need to balance this disconnect between the rights of individuals and the power of organizations, and the people that can do that, the people that can shift the balance, is our government," said Wingard.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...