Last week, I talked about a few of the challenges with the language around privacy. That kicked off an excellent conversation on social media and via email. It also made me think about another topic that I find challenging to talk about: biometrics.
Dictionary.com defines biometrics as:
the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity
The problem is not the definition of biometrics; the term is not contextual in the same ways as privacy. The problem is in the implications of its use and getting past people’s assumptions about the technology.
Using Biometrics
Biometrics are often promoted as one of the easiest verification methods out there. Why, you don’t need a password! You just need a body part or two! Woohoo! Mobile phone manufacturers are increasingly using biometrics to unlock devices. Governments have been using biometrics for years, with semi-automated facial recognition leading the way in the 1960s.
With the rise of the use of biometrics to identify and, eventually, authorize individuals’ access to resources or locations come concerns regarding issues such as privacy and diversity, equity, and inclusion (DEI).
Biometrics and Privacy
Facial recognition is probably one of the least privacy-preserving tools out there. Unless you are willing to wear face paint or a full-face mask, you cannot control how others might use facial recognition to identify you when you’re out and about. It’s also one of the more convenient tools; you don’t have to do anything, just show up and stand in front of a camera.
In many regions, there are laws limiting government or law enforcement use of facial recognition technology, but that’s very hit-or-miss; not every locality, country, or region has those controls. The Center for Strategic & International Studies published an interesting paper in 2021 on the responsible use of facial recognition technology and the legislative landscape. It’s not a short read, but if you’re interested in the topic, it’s an excellent place to deep dive.
Biometrics and DEI
Diversity, equity, and inclusion are particularly fraught with compelling arguments for and against the use of biometrics. On the one hand, using biometrics for people with literacy challenges is a huge bonus for that demographic. The less they have to write or remember (for example, people with dementia), the better. Underlying the use of biometrics, however, is an assumption that the technology is, if not infallible, at least right most of the time.
“The impact of algorithm bias can be devastating, asymmetric and oppressive, with individuals discriminated against and businesses negatively impacted.”
Shahriar Akter et al., “Addressing Algorithmic Bias in AI-Driven Customer Management“
So, how often does biometric technology fail the individual? So many reports, so little time! Remember the Uber driver from 2021 who was locked out of the Uber system? What about the researchers who found that Amazon’s Rekognition software had significant difficulties with women and people of color? Despite the improvements in technology, it works best if you’re a white, cis-gendered man.
Questions to Ask
So all this leads to a list of questions I really want to ask whenever the topic of biometrics and a particular product comes up. Last year I enjoyed an opportunity to be the interviewer for a two-minute infomercial for a biometrics company. I wanted to ask so many questions, but a) we only had 2 minutes, and b) I didn’t want to come across as attacking the poor CEO.
- Biometrics, sometimes called the 10, 2, 1 model (10 fingers, 2 eyes, 1 face), is all about uniquely identifying individuals. Where does the use of biometrics make the most sense, and how does <Product X> help achieve that?
- <Product X> offers critical services that help prevent fraud while preserving user privacy. Can you say more about how <Product X> makes that happen?
- Biometrics are a powerful tool to help verify users, but they have traditionally included some challenges when it comes to fully supporting the diversity of humanity. There have been challenges with skin too dark, skin too light, and even swapping from glasses to contacts. How does <Product X> handle those challenges?
- I love the convenience of biometrics but fear the risk of the database with my biometric info being hacked. I can change a password, but I can’t change my face! How does <Product X> protect against such risks?
- Does <Product X> store the biometric data, or is the data stored with the companies using your software?
- Biometrics are an excellent example of how challenging the balance between security and convenience can be. How does <Product X> smooth out that divide?
- The technologies around biometrics live in an incredibly active space of standards development. Is <Product X> participating in developing standards like FIDO Biometrics or the National Institute for Standards and Technology’s Biometric projects?
What Next?
Biometrics are here to stay; technologists are constantly improving it to avoid false positives and negatives when identifying a person. That said, not all vendors are keeping up with the latest improvements; if you have to work with a company selling biometric-based products, make sure you’re asking the right questions!
The post does an excellent job of encapsulating current thinking about facial recognition (both pro and con) but makes a fatal mistake: it equates facial recognition with all biometric systems without mentioning the dozens of different systems currently in use as authentication methods. And many of those systems do not have the problems that facial recognition has shown – e.g., fingerprint systems don’t care about skin color.