A Tale of Biometrics Fail
Meet Sina. A 32-year-old human rights activist from India, Sina works across the borders to ensure that the rights of her people are respected and upheld. In 2009, Sina's country implemented a "12-digit unique identification number" system called Aadhaar, or "foundation." This 'unique' identification number given to Sina is used by the Indian government to give her and her fellow citizens access to food assistance programs, bank accounts, phone services, energy replenishments and health services. This system is an incentivized, country-sponsored efficiency welfare program which assigns Sina a number based on her biometric and demographic data.
To get her number, Sina takes a valid photo ID and proof of address card to the enrollment center. Once there, she's required to provide her demographic data, have a photograph taken of her face, and give 10 fingerprints and 2 iris scans. After Sina has completed her enrollment and created her digital identity, she is given a number, which will be good for life and kept in India's Aadhaar database, stored on government servers within India.
The Aadhaar is the largest biometric database in the world, with over 1.3 billion Indian citizens registered. This raises many concerns regarding the physical security of the database as well as its legal security. Within India, data protection and privacy remain in question. Under the current Information Technology Act and the Information Technology Rules, personal privacy and data protection are not recognized as fundamental rights.
What happens when those unique and personal physical characteristics become subject to identity theft and your authentication fails? – Sina knows.
Not long after receiving her Aadhaar, Sina is working across the border and gets caught in an explosion, causing injury to the right side of her body, including her hand and eye. She is transported to a local hospital for treatment. Upon release she makes her way back to the border. This time, however, the border guards are using a scanner to process people. They not only observe and check papers, but are asking to see Aadhaar cards, which need to be verified with facial recognition, fingerprinting or iris scanning. When Sina approaches and provides her paperwork, the scanners cannot verify her identity – authentication fail. Her digital identity is not recognizing her physical identity. To the computer and the database, Sina is a different person. The biometric system failed her, and try as she might to explain the situation, Sina is refused access back into her home country of India.
Maybe this illustration doesn't seem relatable to you, but take a minute to think about your day. In what ways are your biometrics being used to allow access to something? Do you unlock your phone with your fingerprint or face? Do you go shopping? Do you drive? How about fly? Or bank online? All of these daily activities have implemented, in one way or another, a program requiring access to your personal biometrics with or without your consent.
We reveal our eyes whenever we look at something; we leave our fingerprints like a trail, documenting where we've been and what we've touched. Many of us use our voice to communicate, leaving messages, calling our credit card companies and ordering food. Even home electronics can recognize our voice. These are just normal parts of our daily routine. But did you know, in the United States, it's legal in 48 states to use software to identify you using images taken without your consent for commercial purposes?
In what ways are your biometrics being used or accessed to allow permission to something?
Have you thought about where your image is stored? I assume that many of us using Facebook allow our faces to be tagged in photos, whether we know it or not. On Instagram, live stories capture our faces and voices. But, have you considered where your photos and videos are stored, and who has access to them? The idea that unknown people with unknown purposes have personal biometric data from the live story you just streamed on Instagram is a bit alarming. Does this ambiguity make you question the consequences of using services like Facebook and Instagram?
The security issue with biometric and identity management is that much of it is being implemented and tested without protocols, laws, appropriate technical knowledge, user consent or even user knowledge. The biometrics system itself is quite opaque and unknown.
Worldwide, we must think about who has access to biometric databases, and what protection is in place for individuals subject to having their identity stolen from a database. Further, we need to ensure that a digital identity can adapt when one's physical identity changes, like Sina's did when she was injured.
What happens when your physical appearance changes? When your digital identity is stolen, can you get it back?
Each day you have a new number of hairs on your head, you age, you may gain or lose weight over a period of time, get Lasik or have body augmentation surgery. All of these contribute to a dramatic, yet common, alteration of your physical look. While widely popular, biometrics databases and software are static. They are not a living and breathing representation of your living and breathing self.
What happens when those unique and personal physical characteristics become subject to identity theft and your authentication fails? Once your biometrics are lost, you can't replace them. As Marc Goodman, an advisor to Interpol and the FBI, told NBC so plainly, “You can always get a new credit card. You can always create a new password. [It’s] really hard to get new fingers. You only have ten of them and once that information leaks, it’s out and there’s nothing you can do.”