Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:05 PM
Connect Directly

Biometric Data Collection Demands Scrutiny of Privacy Law

An IT lawyer digs into the implications of collecting biometric data, why it can't be anonymized, and what nations are doing about it.

Security is growing more reliant on our biometric data for authentication and national security purposes. Consumers are willing to hand over their facial scans, fingerprints, and other pieces of immutable data without understanding the potential consequences or privacy legislation.

Privacy has come under a harsh spotlight in recent years. Consider FaceApp, the photo special effects app that made headlines last summer when accused of uploading users' images to the cloud and transferring them to Russia. While evidence didn't support the claim, it was enough for many people to become concerned with how organizations are using their personal data.

Related Content:

Simplify Your Privacy Approach to Overcome CCPA Challenges

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

"One of the things that has been so great about technology is not only the convenience, but we've really started to look at privacy, and privacy is coming to the forefront," said Melissa Wingard, special counsel at law firm Phillips Ormonde Fitzpatrick, in a virtual Black Hat Asia talk.

Modern society was transitioning to touchless technology and contactless pathways before the coronavirus pandemic. Now, COVID-19 has increased the need to navigate day-to-day life with less contact. We're looking for new ways to access our offices without touching elevators, she noted, and pay for things without swiping credit cards.

Wingard, who specializes in IT, cybersecurity, and privacy, explained how biometric data falls into two buckets. There's physiological data, which is made up of biological and morphological (external, or appearance-related) data; there is also behavioral data, which is considered to be biometric data. There are several repeatable traits that can be used to identify an individual: DNA, smell, the shape of your ear — "apparently that's unique to us" — gait, and keystroke dynamics.

"I think we need to think more than just fingerprints [and] facial recognition, although they're obviously the key ones," she said. As both the public and private sector implement biometric authentication, the law needs to keep up and people must balance the sharing of their data. Government's use of technology is outpacing the legislation to protect individuals' information.

Biometrics for the purpose of authentication demands scrutiny. You can change your password if it's exposed, but what happens if you're using your face or fingerprint to prove who you are?

Our biometrics are "inherently identifiable," Wingard said, and while there are some privacy laws that mandate biometric data be treated as sensitive data, not all laws are at this stage. She also questioned the ability of government and businesses to fully anonymize biometric data.

People rely on legislation to provide them with rights and a framework within which to operate. Without laws to defend the privacy of our data, we're left to take personal legal action if we feel our data is being misused; most people don't have the time, money, or often an inclination to undergo that process, she pointed out.

This is a global issue because every nation handles privacy laws differently and each has its own issues and gaps. Many privacy laws, for example, heavily rely on anonymization. Once personal information is anonymized, businesses are free to handle that data as they wish.

Privacy Laws in APAC
Speaking to her virtual audience of Black Hat Asia attendees, Wingard provided a high-level view of different nations' privacy laws throughout the region. The European Union's General Data Protection Regulation (GDPR) has gotten a lot of press; however, it's far from the only one. 

She started with Singapore, which has a few pieces of legislation. The Personal Data Protection Act (2012) covers how organizations can collect, use, store, and disclose personal data. It puts restrictions to know what is required for consent and how long they can keep data after it's needed. The PDPA acknowledges biometric data is personal data and calls out facial recognition and DNA. People can request an organization change their data, but not delete it. "The right to be forgotten," as it's described in the GDPR, is often what people are looking for, she noted.

Singapore has different rules for the public and private sectors. Its Public Sector (Governance) Act of 2018 mandates public agencies comply with the Prime Minister's directions on data protection. The Prime Minister hands down rules; it's up to public agencies to implement those. If a public sector agency is found to have breached their obligations to protect personal and biometric data, it's not the agency that gets in trouble — it's the official who is personally liable for the breach of privacy.

While unsure how this applies in practice, Wingard noted this could have the effect of officials managing information more closely than they would if there wasn't any personal responsibility.

Steps You Can Take
Rather than relying on organizations to safeguard our data, or on governments to regulate its use, Wingard encouraged listeners to think closely about how they give away biometric data. Think about who is collecting it. What will they use it for? What could they use it for?

She advised reading the privacy policy in this way: "You don't even need to read all of it; just read the section that talks about 'we're collecting your information for whatever the purpose.'" This will reveal how an organization will use the data and who it will disclose that information to; depending on the nature of the information, it may say it won't disclose to anyone outside the organization.

This can help you decide whether you're comfortable sharing information with a particular entity and decide whether the services you're getting in return are worthwhile, she explained.

Wingard also suggested taking a close look at government officials' approach to privacy. What are your elected representatives doing? Do they have thoughts on privacy? Do their views align with yours? While there is no immediate gratification in the democratic process, officials who support privacy rights can eventually shift the balance toward users in the long run, she said.

"We need to balance this disconnect between the rights of individuals and the power of organizations, and the people that can do that; the people that can shift the balance, is our government," said Wingard.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.