With Amazon’s palm recognition technology making its way across various retail outlets, including all Whole Foods stores, and Sam Altman launching a digital ID company based on retina scans, consumers are understandably apprehensive about how safe their biometric information is.
However, according to James Wester, Co-Head of Payments and Director of Cryptocurrency at Javelin Strategy & Research, some of that nervousness is misplaced. The problem is not with biometric data per se but with how it’s guarded.
“There is a common concern that if I scan my thumb, and somebody steals that database, they’re going to have my thumbprint—but that’s actually not the case,” Wester said.
Breaking Down Misconceptions
When a thumbprint or a palm print is registered in a biometrics system, actual images of the print aren’t kept. And when someone breaks into this database, they don’t find actual pictures of fingerprints or faces. Instead, all they see are encrypted codes. If an unauthorized person gets access to the code, it’s difficult to turn that back into the original fingerprint or face. It’s similar to having a locked box that only the right key can open.
“If the database’s security is strong, if somebody gets in there, all you have to do is change the encryption and the data is useless to the person who broke in,” Wester said.
Biometric data itself isn’t something to be really scared of; the worry is whether this data is properly protected. For this protection to work, the organization holding the data has to be trustworthy. And that is the real concern with companies such as Worldcoin.
“Right now, some organizations just say ‘trust us’ without showing how they’re taking care of your information,” Wester said. “This doesn’t sit well, especially if they’re building a big ID database. I don’t really know what they’re using it for. I need to have a 100% guarantee that they’re protecting it—there needs to be some way for me to know as a consumer that data protection requirements are put into place.”
New Rules
Regulation inevitably lags behind industry developments, and biometrics is no different. However, legislation is slowly emerging that regulates the biometric industry and holds it accountable.
In the United States, there is no single, comprehensive federal law that regulates the collection and use of biometric data. However, several states—including Illinois, Texas, and Washington—have passed their own biometric privacy laws. The most well-known of these is the Illinois Biometric Information Privacy Act (BIPA), which was enacted in 2008 and was the first state biometric privacy law in the United States. BIPA regulates the collection, use, and storage of biometric information, including iris scans and fingerprints.
The trend has caught on, with nine states introducing biometrics-focused legislative proposals modeled on BIPA this year. This is an important trend if consumers are to have enough confidence in private companies to provide biometric data. And as previously discussed, security for biometric information is certainly achievable. We just need the confidence that companies are doing it properly.