What is bio-metric data?
If I had a quid for every time someone in the business proposes using bio-metric data as a solution to a verification challenge, I’d have about £17. Tech like facial recognition & retinal scans seems to have been around for ages, but we’ve mostly seen it in sci-fi & spy films where, let’s be honest, it seems to do the job.
If you do your research, you’ll find that things are a bit ‘smokier’ than the movies suggest. In my studies, the metric that really seemed to come out on top was the iris scan (just in case you were wondering!)
I sat in on a recent webinar where the marketing presenters talked about examples of smart loos using the data from analysed waste to make suggestions related to health & diet. If you know anything about security and data, you’d have more alarms going off than Pudding Lane on the night of the Great Fire (well, you get the point).
Anyway, back to basics – what is bio-metric data?
Bio-metric data is ‘personal data’ (important) relating to the physical, physiological or behavioral characteristics of a person that allows or confirms the unique identification of that person. Good examples include fingerprints and facial recognition, but also gait, the way an individual walks.
With bio-metric data, you don’t need name, date of birth or any other piece of meta-data – the body or habits tell us everything we need to know…
Is it covered by data protection legislation?
No previously enforced data protection law addresses bio-metric data, but GDPR changes all that: its definition of personal data is specific & addresses bio-metrics.
The GDPR kinda emphasizes the need for ‘caution’ around bio-metrics – the same canons apply in areas such as explicit consent, processing only as necessary, protecting the data etc. But, I think the cool catz at GDPR central command are concerned about the potential damage & the uniquely personal nature of bio-metric information – in fact data can’t get much more personal.
Many folks, particularly marketers, see the GDPR as an irritation – is that fair? I think so. But if history has taught us anything, one of its lessons is to prove once & for all the law of unintended consequences.
Back in the 1930s the Dutch government made intelligent use of its census, collecting all kinds of information about citizens. By 1941, the Nazis used this information to round up any remaining Dutch Jews. My point is that information can be misused for purposes way beyond what was intended. You don’t need to be paranoid like me to imagine what uncontrolled bio-metric data could be used for.
Why would someone want to nick it?
Unless it belonged to Elvis, most would-be thieves won’t be interested in your bio-metric data just for the sake of it.
What they are really interested in is bio-metric verification.
That’s where the magic is for the super-villains. The chance to fool any verification process that uses bio-metrics – be that facial recognition to enter your secret lair or retinal scans to fool your homemade supercomputer….
What? You don’t have a lair or supercomputer?
What about planting evidence at a crime scene? Is this a real risk for most people?
I make no apology for the ‘more questions than answers’ in this post. Things are still up in the air, kids. Rather than someone using carefully created plastic copies of your fingerprints, I think it’s far more likely that someone would nick the string of numbers it’s converted into once you scan into any digital system. Who needs to mess around with fake fingers when the numbers will do?
In all honesty, all we need to know is that someone could do something nasty with it AND it’s covered under GDPR data legislation.
So, if you’ve got a stack of fingerprint data sitting somewhere on a server, a leftover from some event years ago, then you should really take another look at this data.