In a move that has caught the attention of businesses across the United States, the Federal Trade Commission (FTC) has unveiled a comprehensive biometrics policy designed to protect consumer interests. By detailing acceptable practices and potential pitfalls surrounding the use of biometric data, the FTC aims to bring greater transparency and accountability to the space.
The newly released policy highlights the actions that could trigger an FTC investigation and the measures necessary to avoid sanctions. The framework stands as a significant milestone in the FTC’s ongoing efforts to regulate the use of biometrics, and comes on the heels of similar state regulation in Illinois.
Guidelines in Place
The FTC policy addresses a range of critical issues surrounding the handling of biometric data. Five of the outlined practices serve as reminders for businesses, emphasizing their obligations and responsibilities in relation to biometric information. The remaining point takes the form of a cautionary directive, specifically warning against surreptitious and unexpected collection or use of common biometric data, such as fingerprints, facial features, and iris scans. Importantly, this warning extends to biometric systems used to determine personal attributes like age, gender, race, and even personality traits.
The policy notes that, “failing to clearly and conspicuously disclose the collection and use of biometric information makes such collection and use unavoidable by the consumer. Injuries to consumers may also be compounded if there is no mechanism for accepting and addressing consumer complaints and disputes related to businesses’ use of biometric information technologies.”
The FTC is also highlighting the need for businesses to assess and mitigate potential risks associated with the collection of biometric data. Before gathering such information, companies are urged to thoroughly evaluate the foreseeable harms it could pose to consumers, while actively working to minimize known risks.
The FTC is emphasizing the importance of ensuring that third-party vendors, employees, and contractors possess the necessary reliability and competence to work with sensitive personal information. Companies are also reminded of their obligation to train and supervise employees to ensure the responsible and ethical use of data.
In the grand scheme of things, the FTC’s biometrics policy represents a crucial step towards establishing a comprehensive regulatory framework for the rapidly expanding field of biometric technology. With the increasing adoption of biometric authentication systems and the growing reliance on personal data, the need for robust consumer protections is paramount. By providing businesses with clear guidelines and expectations, the FTC aims to strike a delicate balance between innovation and safeguarding individual privacy rights.
The Danger of Deepfakes
Part of the concern with biometrics is what criminals can do with biometric information if it’s stolen. The FTC details some of the potential scenarios that can happen when biometric information is used to commit fraud. For example, biometric information, such as voice recordings, can be used to produce counterfeit videos or voice recordings, commonly known as “deepfakes.” This can allow malicious individuals to convincingly impersonate others and wreak havoc.
Here’s one example the report cited from an article in the WSJ. Two attackers successfully hacked the local government’s facial-recognition service using deepfakes, having allegedly purchased high-definition photographs of faces from an online black market. They then used a mobile app to manipulate these photos and create videos that appeared as if the faces were nodding, blinking, and opening their mouths.
To carry out their scheme, the attackers used a specially modified mobile phone with its front-facing camera disabled. They used this device to upload the manipulated videos when it was supposed to be capturing a video selfie for Shanghai’s tax system.
These details highlight the potential vulnerabilities in facial recognition systems and the risks associated with the manipulation of biometric data. They underscore the need for better security measures and constant vigilance to safeguard against such attacks.