Biometrics-technology-driven human identity authentication applications are taking off. While these applications have seemingly enormous potential, are we prepared for the emerging threats to human identity?
Introduction
Humans cannot exist without systems of meaning and having an identity. Over the years, human identity has been represented by a complex set of many external variables: family, community, ethnicity, nationality, religion, philosophy, science, occupation, and so on. We are now moving towards internal variables of a human body: biometric indicators for human identity authentication. As seen across nations, biometrics technology-driven human identity authentication applications are taking off. Since human identity is central to the functioning of the human ecosystem, any emerging threat to its biometric indicators is a threat to human identity authentication–bringing complex security risks for the future of humanity.
Driven by advances in biometric technology, the push towards government-issued human identity cards is going global. Nations are further moving towards accepting artificial intelligence-driven automation efficiency for human identity authentication. While biometric technology is being introduced to bring more security to human identity authentication, a number of complex technical, process, people, and policy challenges need to be addressed in parallel if we want biometrics technology to shape human identity authentication applications effectively. The question is whether nations are doing so and are ready to use biometric identifiers for human identity authentication.
Current Trends
From digital security to border security, employee ID to national ID, and prison security to airport security, biometric identification, and authentication that identifies and authenticates individuals based on physical characteristics is proliferating. Since biometrics are an intrinsic part of each human, they are fueling a growing trend to replace encryption keys, passwords, or codes for digital identification and authentication.
From fingerprint identification, iris and retina scans, facial recognition, gait, voice, DNA, brain waves, and more, each of these biometric technologies can be used to effectively identify and authenticate humans by pairing physiological or behavioral features of any individual human with the information from digital databases which describes the individual’s identity.
As seen across nations, biometric technologies are now used to verify that an individual human is whom they claim to be, to discover the identity of unknown people, to screen people against a watch-list, and much more. As biometric technologies become better, cheaper, more reliable, accessible, and convenient, they will increasingly be implemented in the human ecosystem at all levels: for a national ID, law enforcement, physical access control, border control, logical access control, convenience, and much more.
Prominent examples abound: biometric applications in law enforcement, the integration of biometrics into passports and visas, a growing FBI fingerprint database in the USA, the Malaysian multipurpose smart card, India’s Aadhar Act deployment based on retina scan and fingerprints, the Tri model biometric project of Mexico, the UAE watchlist system using iris recognition, Thailand’s iris biometric visa system, and China’s social ranking system based on facial recognition technology. Additionally, as seen across nations, casinos employ facial recognition to spot known card counters, banks use voice recognition to verify customers over the phone, employees’ heartbeats are used to secure mobile payments or authenticate them to a corporate network, and hospitals identify patients via the unique vein patterns in the palms of their hands. This is just the beginning.
Despite the seemingly enormous potential of biometric technology and its applications, the security it provides seems to be just an illusion due to the complex process, policy, and people challenges it brings with it. While it is almost impossible to lose or replace biometrics, the question remains whether biometrics technology is full proof and ready for global implementation. That brings us to an important question: can the evolving biometric system be in itself a complete human identification and authentication system, or it can only be part of an identification system?
Nation Preparedness and Complex Challenges
The rise of biometric technology and its use in human identification and authentication will likely have a profound impact on human society. While the rapidly evolving biometric technologies seem to offer the much-needed identification and authentication solution for nations, their use is also raising some security concerns. At the center of the security concern lies the potential of hacking and the need to protect collected biometric data from abuse and misuse as it is being collected, processed, stored, and accessed. Besides, as it seems, nations are just not prepared to secure the rapidly growing biometric data or indicators with the existing processes, policy, tools, and technology.
As new biometrics applications go global, there is a need to define effective procedures and policies. We must adequately protect biometric data from abuse and misuse. Considering the impact that it may have on human society, the risks to performance, accuracy, privacy, interoperability, multimodality and even potential health risks (vision risks associated with retinal scanners and more) need to be effectively managed. Data and network hacking risks also raise concerns, as do the rapidly evolving fraud capabilities, such as spoofed sensors and sensor inaccuracy. Moreover, the ability of AI systems to compromise biometric indicators is a cause of great concern.
The complex challenges emerging for and from such systems are growing rapidly. Perhaps most importantly, the automation of human identity authentication raises fears about the possibility of a surveillance society. While the use of biometric technology is not designed for the invasion of privacy, in many cases, the way the digital data is produced, stored, compared, and possibly linked to other information about the individual raises serious concerns for the blurring boundaries between privacy and security and security and surveillance.
Furthermore, since biometric sensors produce digital maps of a human body part, which are then used for future matching and unlocking, one of the most significant risks, as discussed, seems to be data security. This is because the digital map can be stored locally and/or transmitted across a network to a central storage database. Now while locally held data is better protected, the data in motion must be encrypted on its way to storage and then secured. As a result, in both transit and storage, the data becomes vulnerable. Also, during biometric enrollment events, the biometric system can be exposed to fraud during the sign-up process if guidelines are not adequately established or implemented.
Biometric identification and authentication is a statistical process. As a result, there is a concern that variations in conditions between enrollment and acquisition as well as bodily changes (temporary or permanent) mean that there is never a 100% match for many biometric indicators. This is a challenge for our current legal system because, from a legal perspective, anything less than 100% probability of a match may or may not be considered acceptable for identity authentication. As a result, when we compare the accuracy and reliability of biometric systems with the current authentication systems, like passwords or PIN, we see some discrepancies (with a password or a PIN, the answer given is either the same as the one that has been stored, or it is not—providing 100% accuracy in identification and authentication).
That brings us to an important question: when the smallest deviation in the human environment could be a reason for refusal for any biometric technology-based identification and authentication, and there is no clear line between a match and a non-match, what would a match depend on? Moreover, what if there is no fallback procedure defined for a non-match.
Perhaps the biometric system can only be one part of an overall human identification or authentication process, as there are many other variables and parts of that process that will need to play an equal role in determining identity verification effectiveness. Moreover, since the evolving biometric technologies are vulnerable to errors and are easily tricked and manipulated (by AI), it is essential that we evaluate whether the ongoing effort towards human identity authentication gives the decision-makers the level of security they are hoping for. That brings us to an important question: will biometric technologies deliver on their promise of greater security?
Acknowledging this emerging reality, Risk Group initiated a much-needed discussion on Human Identity and Authentication Automation with Professor Anupam Saraph, a Systems Thinker and Thought Leader at Symbiosis Institute of Computer Studies and Research based in India on Risk Roundup.
Disclosure: Risk Group LLC is my company
Risk Group discusses Human Identity and Authentication Automation with Prof. Anupam Saraph, a Systems Thinker and Thought Leader at Symbiosis Institute of Computer Studies and Research based in India.
Need for Global Standards
For any emerging technology and system, interoperability and universal standards across nations’ geographical borders are essential to its diffusion. As seen across nations, neither do we have global standards nor do we have a clear legal status of most types of biometric data. Moreover, nations’ current laws are not even remotely prepared to handle biometrics technology applications for human identity authentication automation.
While the simplicity and performance of biometrics still outweigh most of the security and privacy risks, the use of biometric technology applications will continue to expand—bringing complex threats to human identity.
What Next?
That brings us to an important question: what happens when the human biometric data is embedded in human-like robots? While biometric authentication and automation seem secure on the surface, the security seems to be an illusion because once biometric data has been compromised, replicated, or superimposed; there is no way to undo the damage to humans or human identity.
NEVER MISS ANY OF DR. PANDYA’S POSTS
Just join here for a weekly update