Forget about the NSA spying on you through your fridge. When biometric security becomes the norm, they’ll know who you are and what you’re doing everywhere you go. They’ll hardly have to lift a finger, either, as companies and consumers rush to embrace increasingly affordable and increasingly available biometric security tools.
It’s not just the NSA we need to worry about, either. According to several security experts and industry insiders, replacing passwords with biometric identifiers—fingerprints, retinal scans, facial recognition, etc.—opens new and potentially irreversible security risks even as it solves old problems. To get to the bottom of biometrics, we have to go more than skin deep.
Biometric Security On the Rise
The first documented use of a fingerprint to solve a crime was in 1892. In 1894, Mark Twain used fingerprint evidence to solve a very different murder in his serialized novel Pudd’nhead Wilson. Sir Arthur Conan Doyle first put fingerprints in a Sherlock Holmes story in 1903, and the age of biometrics was upon us, in both the real world and the public imagination.
We’ve come a long way since then. DNA from hair and skin samples shed innocuously everywhere we go is now the top-shelf evidence in crime procedurals and many criminal cases, and retinal scans and facial recognition have become the biometrics de jour in security applications and spy movies. But 2017 looks like it could be the year advanced biometrics go truly mainstream, as improvements in hardware are bringing down costs and years of software development are bearing substantial and scalable fruits.
Atlanta’s Hartsfield-Jackson just joined the growing number of airports offering Clear, a private biometric alternative to TSA’s ID check. HSBC, one of the world’s largest banks, just appointed a new tech advisory board and listed biometrics as one of their top priorities. Transmit Security is a startup offering white-label biometric functionality to other app developers and companies for a far more affordable rollout or update. And it’s all possible because we can make tiny cameras that can take high-res pictures of your eyeballs, super-sensitive touchscreens that can feel your fingerprints, and microphones that can capture an accurate voiceprint for just a couple bucks. Jam them into a smartphone, laptop, or a standalone security device, and you’re good to go.
Biometric security is more reliable than passwords and PIN codes as a security measure, too—at least on the surface. There’s no brute-forcing a fingerprint, and you can’t exactly social engineer your way to a copy of a retinal scan. You can’t “trick” a biometric security device the way you can with something that’s merely password-protected. As President and CEO of Descartes Biometrics Michael Boczek explains it, biometrics like your ear folds and crevices—the physical attribute his company focuses on—are completely unique, lasting and non-transferable: “It’s stable and enduring, which means it changes very little over the course of one’s life.” Unlike those passwords we’re supposed to be changing every few months.
Now your symbols of edgy rebellion are also effective security measures.
But therein lies the rub.
Bend Over to Access Your Account
We’re supposed to change our passwords frequently precisely because passwords—like any other digitally-stored information—can be hacked. Data breaches like Yahoo’s and countless others led to the release of millions of usernames and passwords; the idea is that using different passwords on different sites and changing them frequently limits your exposure if any one of your passwords is nefariously uncovered. Your biometric data could be hacked and copied, too, but you can’t change your retinas or fingerprints. You can’t get a new face every time Target’s IT team screws up. You’re stuck, and any account that uses biometric marker(s) involved in a data breach is going to be compromised.
“Biometrics are tricky,” said Woodrow Hartzog, an Associate Professor of Law at Samford University, in an interview with WIRED. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.”
Individual identity theft could also become easier once certain biometrics become popular. It’s relatively easy to keep your passwords a secret from non-hackers. Don’t write them down, don’t say them out loud, don’t use them on public networks/devices, and you’re largely in the clear unless you get tricked by a spoofed login (don’t do that, either). You leave your fingerprints everywhere you go, though, and they can already be used against you. Your face and voice are easy to capture without you noticing, too; though thieves will need to be a bit more sophisticated to use these stolen authenticators, you can bet several solutions are already in the works.
Some have proposed using less “public” biometrics in response. Detailed retinal scans are harder (though probably not impossible) to capture surreptitiously, and Salvador Dali claimed that all human anuses are, like snowflakes, completely unique; I might start going back to the bank in person if that ever catches on. Of course, this still doesn’t solve the problem of your rectal readout being ripped off in a massive data breach, leaving a gaping hole where your available funds used to be. No matter how securely your ass data is locked away, someone will eventually get their fingers on it.
This man has forgotten more anuses than you’ll ever see.
Poor Privacy Rights Make Security Impossible
The “someone can get our data” contention was made in a lawsuit brought against Take-Two Interactive in Illinois, one of only two states with privacy laws surrounding recorded biometric data (Texas also limits the collection and use of biometrics for commercial purposes). Two gamers contended that they were not informed their facial recognition data, which was only collected after they opted-in to the personalization feature on NBA 2K15, was now Take-Two’s property in perpetuity. This, they argued, put their privacy at risk and potentially endangered their security—in a world where biometrics are being relied on more and more, having their face data in the wrong hands could mean trouble was afoot.
The video game publisher won their case, the judge agreeing that there was no privacy violation under Illinois law. The gamers’ face data is now on Take-Two’s apparently unencrypted servers and may even be publically available. Thankfully they were more careful reading MLB Ass Masters 3000‘s Terms and Conditions.
This has been the overall industry response to privacy concerns. In a meeting/working group held by the National Telecommunications & Information Administration in 2015, consumer advocacy and public interest groups met with trade representatives from various companies and industries interested in using biometric markers like facial recognition. Efforts to establish voluntary regulations on biometric collection and use stalled as soon as they started, though, when not a single trade rep would agree that an opt-in should be necessary to record anyone and everyone’s face for facial recognition purposes. The consumer and citizen groups walked out, and there hasn’t been so much as a budge in federal guidelines since.
San Francisco-based startup UnifyID has thought up a security solution that largely sidesteps privacy concerns, developing ways to measure a bunch of behavioral biometrics like your typing speed and style, the way you walk and talk, and things they probably don’t want to tell you about and combine them other data to verify your identity. Like your unique asshole, this kind of thing isn’t exactly on public display and isn’t as susceptible to irresponsible collection without an opt-in. The data is also more sophisticated and has more points than most biometric markers; if someone stole the data they’d still have a harder time spoofing your identity to break into your accounts and files.
That doesn’t mean they won’t eventually be able to, though, and then they know everything. Even that you achieve your moderately-respectable typing speed using only two fingers on each hand.
To my mind, something that matches biometrics to changeable, knowledge-based passwords is probably our best bet. Measuring how fast a password is typed in, and which fingers are pressing which keys, provides the unique and constant security of biometrics and the limited exposure of a changeable password. But if I’m the one coming up with the security ideas, we’d all better be prepared to have our asses reamed.
