Face Recognition and Privacy

10 Jan, 2020

Proper Storage and Use of Biometric Data

Biometric storage is an important and popular topic. Biometric and personal information that is centrally stored must be encrypted, isolated, and protected.

Biometric data should never be stored with other personally identifiable information such as names, birthdates, etc. Instead, biometric data should be stored anonymously using an opaque key that maps back to the identity. In this way, if the biometric data is ever compromised, it will be useless as there’s no way to map it back to a specific individual. Any association of identities (e.g. spouses, parents, children, employers, known associates, etc.) should also be mapped anonymously, using opaque key pairings.

In the case of law enforcement, only specific identities should ever have their biometrics linked back to their personal information. For example, if someone is identified using a camera placed in a public place for safety purposes, unless that person is known to be a danger to the public, their information should not be linked and exposed. This would require strict and legally enforced policies and procedures as well as external oversight to ensure public trust. We have similar requirements and policies when it comes to other law enforcement tools such as search warrants, wiretapping, and surveillance. The use of biometrics as a public safety tool should have no less strict laws dictating policies and procedures.

Privacy and Data Security

Privacy is always an ongoing task, and in this case, is multifaceted. All information, whether biometric or otherwise, needs to be encrypted and isolated. Access needs to be unidirectional. In other words, any biometric matching needs to occur in a software platform that acts as a “black box” and doesn’t expose the data to any other software processing. Thus the biometric data would be quarantined and not open to retrieval. It’s also important that when an identity is removed from the platform, so is the biometric data.
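The storage split described above (templates held under an opaque key, match-only access, and deletion that follows the identity), as an added example that is not code from the original article. All class and method names are hypothetical, toy float vectors with cosine similarity stand in for real face templates and matching, and encryption at rest is left out.

```python
import math
import secrets

def _cosine(a, b):
    norm = math.hypot(*a) * math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

class BiometricVault:
    """Templates keyed only by opaque IDs. Offers match(), never retrieval."""
    def __init__(self, threshold=0.95):
        self._templates = {}   # opaque key -> template vector, no PII stored here
        self._threshold = threshold

    def enroll(self, template):
        key = secrets.token_hex(16)   # random, so it reveals nothing about the person
        self._templates[key] = tuple(template)
        return key

    def match(self, probe):   # returns an opaque key or None, never a template
        scored = [(_cosine(probe, t), k) for k, t in self._templates.items()]
        score, key = max(scored, default=(0.0, None))
        return key if score >= self._threshold else None

    def delete(self, key):
        self._templates.pop(key, None)

class IdentityDirectory:   # separate store: opaque key -> PII, the only re-identification point
    def __init__(self, vault):
        self._vault = vault
        self._people = {}

    def register(self, name, template):
        key = self._vault.enroll(template)
        self._people[key] = {"name": name}
        return key

    def identify(self, probe):
        return self._people.get(self._vault.match(probe), {}).get("name")

    def remove(self, key):
        self._people.pop(key, None)   # removing the identity...
        self._vault.delete(key)       # ...also removes the biometric data

def demo():   # constructed sample vectors, not real biometric data
    directory = IdentityDirectory(BiometricVault())
    key = directory.register("Alice Example", [0.9, 0.1, 0.4])
    before = directory.identify([0.88, 0.12, 0.41])
    directory.remove(key)
    return before, directory.identify([0.88, 0.12, 0.41])   # ("Alice Example", None)
```

A copy of the vault's contents alone yields only random keys and vectors; the names live in the directory, which would be hosted and access-controlled separately.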

When looking for a platform that would host the entire solution, enterprises, government and others in the public sector should seek one that’s hosted and managed by a trusted third party with the appropriate experience, certifications, monitoring, and security measures. This protects both the consumer of the biometric authentication service and the identities being managed by it.

Finding the Balance

It’s easy to understand the justifiable concerns over the use of biometrics such as facial recognition. I’ve outlined several, but not all, of the key elements required to use such tools effectively for both government agencies and private industry. There’s no “magic bullet” nor a “one size fits all” solution. However, simply dismissing biometrics as a whole because of privacy or authoritarian concerns is not a valid argument either.

With effective biometric data security and appropriate policies and procedures to ensure privacy, the use of biometrics such as facial recognition can dramatically reduce data breaches, protect our personal information, and keep us safer in a dangerous world.

© 2019 FACIOTICS Inc. All rights reserved