Biometric data hacking: A warning for brands and consumers
Biometric data is unique to each individual. This makes it perfect for cyber security but also impossible to change, so once it is hacked there is little recourse: individuals cannot change their biometrics or DNA the way they can change passwords. Individual vigilance is key to staying safe in this biometric world. The implications for companies that store consumer biometric data are enormous (Madhumita Murgia, Financial Times).
Key points
- Biometric data such as fingerprints, iris, voice, gait, facial recognition, expressions and physical DNA are uniquely individual and can identify an individual with amazing accuracy
- Use of such data for commercial security is increasing. Voice, facial and fingerprint recognition are used as passwords by the banking, computer and housing industries
- While biometrics make for unique security markers, databases held by companies can be hacked, and since biometric data cannot be changed, a hack can result in identity theft of irreversible proportions
- Individuals must be hyper-vigilant about giving up any part of their individual biometrics. Companies storing consumers' biometrics need voice or facial hashing/pixelation technology to prevent hackers from hijacking the data and engaging in this particularly personal identity theft.
Murgia presents several cautionary tales about the danger of storing biometric data that are rather chilling.
For example, Ogilvy & Mather in Hong Kong ran an anti-littering campaign in 2015 using DNA left on chewing gum, used tissues and cigarette butts. With people's permission they constructed computer-generated likenesses of the 'litterers' from their physical DNA, placing them on billboards all over town.
Eye, hair and skin colour were completely accurate as were face shape, ethnicity, and gender.
In August 2019 Suprema, a UK company that provides a platform for biometric recognition to UK banks, government and the Metropolitan Police, found a leak of more than million fingerprint and facial recognition data on one of their public websites. Suprema is also used through Nedap by over 5,000 organisations in over 80 countries.
The scale of harm from potential breaches/hacks is enormous and could be irreparable to reputations and lives.
Other examples include the Aadhaar card in India (the biometric data ID card of all Indian citizens), which is also linked to their banking ID, and the collection of biometric data from refugees to the Democratic Republic of Congo by the UNHCR, which opens up the potential for surveillance and misuse of population-level data by hackers or unauthorised groups.
Amazon Echo and Google Home recognise voices and the patterns of choices associated with each voice, which can potentially be used by hackers as much as by marketers.
The alleged Golden gate killer, Joseph James DeAngelo, was caught by matching DNA at the crime scene to DNA of a relative submitted to a genetic open source database called GEDmatch (used for research). A good outcome, one could argue, but the same technique could just as easily be used by criminals with negative outcomes.
Finally, a seemingly strange example cited by Murgia is P&G and Alphabet's Verily, which have created diapers that collect sleep and urine pattern data from babies to alert parents through a phone app.
It is not fully clear how this data can help parents, but the data is linked to individual baby profiles containing name, gender, age and even profile pictures, so like Fitbit data, it could prove to be a hacker's dream.
It is time for consumers and marketers to think very carefully about the usage, storage and unregulated security of such personal, intimate and unique DNA-related data. The responsibility is enormous: your fingerprints are not a temporary password that can be reset if hacked.