ID’s Compliance Director, Mick Williams, Reviews the Biometric Controversy

There have been quite a few incidents over the past couple of weeks regarding the use of facial recognition technology. There are a number of fundamental things that are problematic about facial recognition systems.

Foremost is reliability. All biometric systems suffer from errors. If we plot the False Rejection Rate against the False Acceptance Rate, the point where the two curves cross is the Equal Error Rate. We can trade one rate off against the other by adjusting the system's decision threshold, but lowering one inherently raises the other. Therefore, it is imperative that any reader or analysis system is accurate; if it is not, the error rates will increase.
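As an added worked example of the FAR/FRR trade-off and the Equal Error Rate described above (this is my code, not the post's; the two score lists are constructed stand-ins for real matcher output, and a score at or above the threshold counts as a match):

```python
# Added worked example (not from the original post): FAR, FRR and the Equal
# Error Rate for a score-based biometric matcher, using constructed sample
# scores in place of real sensor data.


def far_frr(genuine, impostor, threshold):
    """Error rates when a match score >= threshold is accepted.

    FAR: fraction of impostor comparisons wrongly accepted.
    FRR: fraction of genuine comparisons wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def frr_at_max_far(genuine, impostor, max_far):
    """Lowest threshold that keeps FAR <= max_far, and the FRR paid for it.
    Shows the trade-off: pushing one error rate down pushes the other up."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None, 1.0  # no threshold reaches the target: everything rejected


# Constructed similarity scores (0..1): ten same-person comparisons and ten
# different-person comparisons from an imagined matcher.
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.72, 0.65, 0.60, 0.55, 0.40]
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.50, 0.58, 0.70]

if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t:.2f}")  # EER 0.20 at threshold 0.58
    t0, frr0 = frr_at_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"FAR 0 needs threshold {t0:.2f}; FRR rises to {frr0:.2f}")  # 0.72; 0.40
```

Note how forcing FAR to zero on these scores moves the threshold from 0.58 to 0.72 and doubles the FRR from 0.20 to 0.40, which is exactly the trade-off the paragraph above describes.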

The next issue is that you generally cannot change your biometrics! In the film Minority Report, where iris/retinal scanning is routinely used by the state for surveillance, Tom Cruise’s character is on the run and goes to a back-street black-market doctor to have replacement eyes fitted in order to foil the system. This is not something I would contemplate personally!

The final point about biometric data is that of secure storage. Suprema recently had 27.8 biometric records accessed from BioStar 2 systems. Not only were biometrics stored there, but also plain-text passwords for administrator accounts. The problem here is not that the data was stored but that it was not hashed or encrypted. Privacy by design? Suprema has now fixed the problem and the data is no longer publicly available.

The next area of concern is data privacy. The use of routine facial recognition is now under the microscope: both the Mayor of London, Sadiq Khan, and the ICO are now asking questions about the legality of large-scale surveillance, and in the words of the ICO it is “deeply concerned about the growing use of facial recognition technology in public spaces”.

The increasing use of biometrics in our everyday lives is something we should be aware of, and we as the data subjects should be asking questions about how our data is used.

An example of biometrics being used properly was showcased by Natwest bank this week. They have developed a card with a fingerprint reader built into it, and they seem to have got it right. The card has to be placed into a device so that the fingerprint can be read and stored on the card’s chip. When the card is presented to a contactless NFC terminal, the chip is powered, the fingerprint is read, and only an authorised/not authorised message is sent to the card. The actual fingerprint data never leaves the device. If you lose your card the data cannot be altered, and the card is useless to someone else. (Caveat emptor – someone may figure out how to get the data from the chip, but it is already possible to extract card data with a reader.)

So, if you are planning to use biometrics, or already do, start asking questions about how that data is stored, who has access to it and, most importantly, whether it is reviewed and cleansed.

