An IT lawyer digs into the implications of collecting biometric data, why it can't be anonymized, and what nations are doing about it.

Kelly Sheridan, Former Senior Editor, Dark Reading

October 2, 2020

5 Min Read

Security is growing more reliant on our biometric data for authentication and national security purposes. Consumers are willing to hand over their facial scans, fingerprints, and other pieces of immutable data without understanding the potential consequences or privacy legislation.

Privacy has come under a harsh spotlight in recent years. Consider FaceApp, the photo special effects app that made headlines last summer when accused of uploading users' images to the cloud and transferring them to Russia. While evidence didn't support the claim, it was enough for many people to become concerned with how organizations are using their personal data.

"One of the things that has been so great about technology is not only the convenience, but we've really started to look at privacy, and privacy is coming to the forefront," said Melissa Wingard, special counsel at law firm Phillips Ormonde Fitzpatrick, in a virtual Black Hat Asia talk.

Modern society was transitioning to touchless technology and contactless pathways before the coronavirus pandemic. Now, COVID-19 has increased the need to navigate day-to-day life with less contact. We're looking for new ways to access our offices without touching elevators, she noted, and pay for things without swiping credit cards.

Wingard, who specializes in IT, cybersecurity, and privacy, explained how biometric data falls into two buckets. There's physiological data, which is made up of biological and morphological (external, or appearance-related) data; there is also behavioral data, which is considered to be biometric data. There are several repeatable traits that can be used to identify an individual: DNA, smell, the shape of your ear — "apparently that's unique to us" — gait, and keystroke dynamics.

"I think we need to think more than just fingerprints [and] facial recognition, although they're obviously the key ones," she said. As both the public and private sector implement biometric authentication, the law needs to keep up and people must balance the sharing of their data. Government's use of technology is outpacing the legislation to protect individuals' information.

Biometrics for the purpose of authentication demands scrutiny. You can change your password if it's exposed, but what happens if you're using your face or fingerprint to prove who you are?

Our biometrics are "inherently identifiable," Wingard said, and while there are some privacy laws that mandate biometric data be treated as sensitive data, not all laws are at this stage. She also questioned the ability of government and businesses to fully anonymize biometric data.

People rely on legislation to provide them with rights and a framework within which to operate. Without laws to defend the privacy of our data, we're left to take personal legal action if we feel our data is being misused; most people don't have the time, money, or often an inclination to undergo that process, she pointed out.

This is a global issue because every nation handles privacy laws differently and each has its own issues and gaps. Many privacy laws, for example, heavily rely on anonymization. Once personal information is anonymized, businesses are free to handle that data as they wish.

Privacy Laws in APAC
Speaking to her virtual audience of Black Hat Asia attendees, Wingard provided a high-level view of different nations' privacy laws throughout the region. The European Union's General Data Protection Regulation (GDPR) has gotten a lot of press; however, it's far from the only one. 

She started with Singapore, which has a few pieces of legislation. The Personal Data Protection Act (2012) covers how organizations can collect, use, store, and disclose personal data. It puts restrictions to know what is required for consent and how long they can keep data after it's needed. The PDPA acknowledges biometric data is personal data and calls out facial recognition and DNA. People can request an organization change their data, but not delete it. "The right to be forgotten," as it's described in the GDPR, is often what people are looking for, she noted.

Singapore has different rules for the public and private sectors. Its Public Sector (Governance) Act of 2018 mandates public agencies comply with the Prime Minister's directions on data protection. The Prime Minister hands down rules; it's up to public agencies to implement those. If a public sector agency is found to have breached their obligations to protect personal and biometric data, it's not the agency that gets in trouble — it's the official who is personally liable for the breach of privacy.

While unsure how this applies in practice, Wingard noted this could have the effect of officials managing information more closely than they would if there wasn't any personal responsibility.

Steps You Can Take
Rather than relying on organizations to safeguard our data, or on governments to regulate its use, Wingard encouraged listeners to think closely about how they give away biometric data. Think about who is collecting it. What will they use it for? What could they use it for?

She advised reading the privacy policy in this way: "You don't even need to read all of it; just read the section that talks about 'we're collecting your information for whatever the purpose.'" This will reveal how an organization will use the data and who it will disclose that information to; depending on the nature of the information, it may say it won't disclose to anyone outside the organization.

This can help you decide whether you're comfortable sharing information with a particular entity and decide whether the services you're getting in return are worthwhile, she explained.

Wingard also suggested taking a close look at government officials' approach to privacy. What are your elected representatives doing? Do they have thoughts on privacy? Do their views align with yours? While there is no immediate gratification in the democratic process, officials who support privacy rights can eventually shift the balance toward users in the long run, she said.

"We need to balance this disconnect between the rights of individuals and the power of organizations, and the people that can do that; the people that can shift the balance, is our government," said Wingard.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights