Using Biometrics to Enable Privacy
Print Issue: September 2019
A series of major data breaches over the past few years, combined with growing public distrust over how personal data is being used, culminated in the adoption of the European Union’s General Data Protection Regulation (GDPR).
The GDPR requires private industry to obtain the “unambiguous consent of the individual” to collect and store data about him or her. Noncompliance can result in tremendous fines—large enough to put many companies out of business.
The impact of the GDPR extends beyond Europe. American companies doing business in Europe must comply. Similar regulations in the United States may not be far behind. A 2017 Pew Research Center poll found that two-thirds of Americans believe that current laws are not good enough at protecting their privacy.
Most consumers resent the sale of their personal data to support marketing programs but are more ambivalent about how banks may use this information. For example, when a financial institution alerts an individual that a credit card transaction associated with his or her account might be fraudulent, that person most likely appreciates the notice—even if it’s a false alarm. Most individuals would rather allow banking algorithms to scour their personal data and create predictive models of their purchase behavior than risk thousands of dollars racked up on their credit card by someone else.
Regulations like the GDPR will limit financial institutions’ access to consumer data, requiring them to find a new means to combat fraud—one that relies on direct authentication of customers’ identities instead of inferences derived from collected personal data. Because of this, biometrics are a promising solution.
Biometrics are a direct measure of someone’s identification or authenticity. Depending on the modality, a biometric signature can be discriminating and impossible to spoof. For example, an individual’s iris scan is as unique as his or her DNA. As biometric authentication replaces data-inferred authentication, there could be additional benefits for privacy protection, security, and convenience.
Privacy. As laws make it more difficult for companies to collect private data, and consumers are more reluctant to share it, many companies may stop collecting it in the first place. The availability of alternative, highly accurate, and easily accessible authentication methods—like biometrics—will hasten this transition.
Security. Compared to inferred authentication, biometrics will bring the accuracy of consumer authentication to new heights. For financial institutions, the risk of fraud could be reduced so much that consumers might be incentivized to provide biometric authentication in exchange for cash-back discounts on purchases.
Customer vulnerability from a data breach would also be diminished. If logs of customer credit cards and bank account numbers were somehow compromised, bad actors would be unable to use those cards or access those accounts without a biometric match for each customer.
Convenience. In the future, biometric authentication may become so strong that stores and credit card companies may allow customers to bypass the use of physical cards by linking their biometric signature with a method of payment.
The GDPR is a harbinger of things to come. Even as U.S. legislation lags, the impact of Europe’s new regulations is immediate and consequential. And biometric technology offers new approaches for organizations that can no longer rely on access to consumer data.
Bobby Varma is president of Princeton ID.