Biometric Technology: Regulatory and Privacy Concerns
August 12, 2019
According to a 2015 study, 73% of adults in the US and UK have used the same password for multiple accounts, and 47% have not changed their password in five years – an alarming practice given a recent Verizon Data Breach Investigations Report, which found that 81% of hacking-related breaches were due to poor passwords.
Biometric authentication is a remedy to these vulnerabilities—having a unique physical identifier is not only more efficient but also more difficult to steal. However, the use of biometric information comes with many concerns regarding consumer privacy, and there are no national regulatory standards to address these concerns. With the rising economic potential and industrial growth of biometric technology, there will likely be debates over the inherent tradeoff between convenience and privacy at the heart of this innovation. As such, this article seeks to objectively explore the current state of the field.
Privacy concerns and potential data breaches pose an issue to many. According to a Spiceworks survey, 48% of participants cited the risks of stolen biometric data as a top security concern. Biometric data is special in that it is a permanent and unique piece of information that follows you. You may be able to change a password or get a new credit card, but you cannot get a new fingerprint. That is why many are concerned with the risks of storing biometric data. In 2015, the Office of Personnel Management was the victim of a cyber breach that exposed 22.1 million people’s sensitive data, including fingerprint information – thus reinforcing the pertinence of these anxieties.
There is also concern that the government can use this technology to essentially track citizens, thus creating a surveillance state. Biometrics, Scientific American argues, “could turn existing surveillance systems into something…more powerful and much more invasive.” Researchers are working on programs that would be able to identify a face in a crowd, or even a camera that takes rapid-fire iris scans from 10 meters away. In fact, China’s new “citizen score” merit system is already using facial recognition as one way to track its citizens and assign them a behavioral score. In airports, the Department of Homeland Security is in the process of expanding a program to capture the facial information of every airplane passenger, in an attempt to track non-immigrant foreigners. However, they would also have to take the facial data of every citizen, which many argue is an invasion of privacy. “Congress authorized scans of foreign nationals. DHS heard that and decided to scan everyone. That’s not how a democracy is supposed to work,” said Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University. Because of concerns like these, many have taken to the law as a way to address the privacy risks posed by biometric data.
Currently, there is no standardized federal law that regulates the aggregation of biometric data. However, many states have started to address the issue independently. In 2008, Illinois was the first state to create a biometric privacy law – the Biometric Information Privacy Act (BIPA). Texas and Washington followed suit in 2009 and 2017, respectively. Multiple other states have tried or are still trying to pass similar statutes, including Arizona, Florida, and Massachusetts. Most of these acts say that it is illegal to collect and store biometric data for commercial purposes without the owner’s knowledge and consent. However, BIPA is the only one to give consumers the right to sue for damages.
Furthermore, the legal definition of biometric data still requires standardization. For example, under CCPA, biometric information includes keystroke and gait patterns, as well as exercise data, while the definitions under Texas’ and Illinois’ acts do not. Since 2017, over 200 class action lawsuits have been filed across the country claiming a violation of BIPA. Facebook, Google, and Snapchat have all been sued under BIPA, and the former two are still awaiting a final decision by the courts. Given the varied and relatively recent passage of the state laws, there is no precedent to follow on biometric jurisprudence, and many are looking to these decisions for precedent. In a recent ruling, the Supreme Court of Illinois held that Six Flags must pay damages to a boy for collecting his fingerprint without consent. Most importantly, however, the court showed that a person need not establish they suffered actual harm, a decision that does not bode well for Facebook in its current suit.
With the rise of biometric technology come economic implications as well. The biometrics system market is projected to grow from $16.8 billion in 2018 to $41.8 billion by 2023, with rising stocks as well. Many new products and patents are also being introduced by companies seeking to get a jumpstart in the burgeoning sector. In 2016, Amazon filed a patent application that prompts users to “perform an action in view of a camera or sensor” to pay for a product. Other industries are also moving to keep up. The recent surge in biometric privacy lawsuits has caused law firms to create specialty groups and hire attorneys solely to address biometric privacy litigation.
Ultimately, the biometrics industry has become increasingly pertinent for public and private groups alike. It has sparked debate on privacy concerns, economic impact, and future legislation to name a few. However, in the next few years, we will still likely see a fierce debate on what has ultimately been at the heart of all these controversial issues—the dynamic between privacy and efficiency.
Student Blog Disclaimer
The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Wharton Public Policy Initiative’s strategies, recommendations, or opinions.