Monday 2 February 2015

The Impact of Privacy and Data Protection Legislation on Biometric Authentication

As more and more biometric solutions are deployed to mainstream digital services, questions surrounding the privacy and security implications of biometrics are increasingly being asked.

With the growth of biometric technology and its expansion on to consumer digital services, privacy and security concerns are correspondingly growing.

As biometric data is being captured and stored on a wide range of smart mobile devices (SMDs) including Apple’s iPhone and iPad, Samsung Galaxy and Huawei smartphones, or stored in cloud-based biometric databases there are inevitably questions as to how this incredibly personal data of ours is being protected.  

There is much debate about the relative merits of these two trust models; is the device-centric approach that Apple and FIDO employed too restrictive a model? And can I trust the security of a database (cloud-based) biometric solution?

How, and where, is my biometric data being stored? Who has access to it? How well is it protected? When I enrol my fingerprint on my smartphone, is it stored in secure hardware and does it ever leave the security enclave? What legislation and regulation is in place to cover the privacy and security aspects of biometric technology?

These are all valid questions that citizens, service providers, biometric technology vendors, governments and hardware manufacturers need to answer.

Regulation is still playing catch up with the proliferation of biometric authentication and identity systems and in many regions there is little control on how biometric data is captured, stored and accessed. This is an alarming situation.

In a number of regions including the European Union (EU), biometric data is beginning to be considered as personal data and as such, is governed by data protection and privacy legislation.

In the case of the EU, protection of privacy and personal data is covered by the Data Protection Directive of 1995 (officially Directive 95/46/EC). The directive relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In April 2012, the Article 29 Working Party issued an ‘Opinion’ in biometric technologies with particular attention to fingerprints, vein patterns, facial, voice recognition, DNA and signature biometrics.[1] The Opinion aims to provide a framework of recommendations and guidelines for the implementation of data protection rules in biometric applications.

The Opinion has a number of recommendations (legal and technical) related to biometric data. These include suggestions on user consent, contract and the concept of “privacy by design” for biometric systems.

In other regions including Australia, Canada and the USA, there is federal and state data protection legislation that could be applied to biometric data but nothing specific (although there have been attempts to integrate biometric data into general data protection legislation in Australia).

In addition to federal and state data protection legislation there must be specific regulation and guidelines from a sector perspective. The financial services market is one sector that has a decent track record on data protection and identity (including authentication) matters and there are references in the EU’s Payment Services Directive II. The Payment Service Directive II regulates payment services and payment service providers such as banks within the EU and recommends “various due diligence procedures in regard to the safety of personalised security features of payment authentication instruments.”

The new Directive on Payment Services II which might possibly be approved in 2015 suggests that a biometric authentication system is deemed secure and advisable. The Directive recommends the use of `strong user authentication’ which is defined by the European Central Bank (ECB) in its “Recommendations for the security of internet payments” document.[2] The report defines strong user authentication as “a procedure based on the use of two or more of the following elements– categorised as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; (iii) something the user is, e.g. biometric characteristic, such as a fingerprint".

Fingerprint biometric authentication has been one of the fastest growing authentication technologies ever, offering a convenient method for authenticating users especially on smart mobile devices. It is not the only biometric method that will gain widespread adoption. I am a big fan of behavioral biometrics, especially for financial services as it fits well into existing anti-fraud and risk management solutions that are often used by financial companies. It can also complement existing authentication and biometric authentication solutions in enabling service providers to have a much more accurate mechanism of proving that a particular device or web session is actually being used by the legitimate user; rather than in the hands of a fraudster. 

Behavioral biometrics is based on a behavioral trait of an individual and includes how individuals uniquely interact with a device – be it a smartphone or a laptop accessing a website. Behavioral traits include keystrokes and interactions with a touchscreen.

Goode Intelligence has just published a white paper commissioned by behavioral biometrics specialist, BehavioSec investigating the impact of privacy and data protection legislation on biometric authentication and it is available free to download here.

As always, I welcome your thoughts and opinion on this blog and on the contents of the white paper.







[1] Opinion 3/2012 on developments in biometric technologies, 0072012/EN/WP193, 27/04/2014, Article 29 Data protection Working Party: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf