A centralised biometrics storage entity will develop in the near future, but questions are being raised over what that entity would look like, how to ensure impartiality, and security risks.
“There’s a great foundation for biometrics – there’s widespread user adoption via mobile phones and the next step in the evolution is to move that from just the convenience on our mobile phones to a more secure environment that will actually allow us to know who is on either end of a payment,” said Maxine Most, principal analyst at Acuity Market Intelligence on a panel at Money 2020 in Las Vegas this week.
Rob Douglas, CEO of BioConnect, agreed that a centralised database of biometric information is important to take the responsibility away from the end user.
“You can’t solve biometric frictionless consumption if you assume that everybody is going to manage their own on their own devices,” he said. “There’s seven billion of us on the planet and history has proven that we can’t do it. We’re not capable. We’re not going to do it, we’re never going to do it, and it’s not going to happen. In the end to solve the problem of biometrics there will be a combination of on-device computing but also centralised computing. All we’re really afraid of is how to store data.”
Douglas suggested biometric data is “just a series of zeros and ones” which, once removed from each individual, are unidentifiable. Storing that data in templates in a centralised hub should therefore be unproblematic.
Not everyone agrees, however. Husayn Kassai, CEO of Onfido, suggested there is no need for a database and that biometrics should be decentralised.
“In essence identity underpins all transactions – period. No matter how you attempt to structure a centralised database eventually and inevitably it will be breached and hacked,” he said.
“In my view a decentralised approach is the only way it would work. The majority of the use cases for biometrics now is surveillance, profiling, and targeting people. The solution has to be that the user’s privacy has to come first and nothing like this can be used for ill purposes.”
Kassai pointed out that a commercial entity entrusted with storing biometrics could lead to unforeseeable problems.
“If there’s a notion that some sort of tech giant – be it Apple or others – are somehow going to control everyone’s identities, I don’t think that could be adopted en masse because there will be many negative consequences of holding so much power,” he said.
The use of biometrics has increased substantially in recent years. In India, the Aadhaar project – a biometric registration scheme used to link public subsidies, unemployment benefits and a payment scheme – was launched in January 2009. According to Gemalto, 1.24bn people now have an Aadhaar number – a 12-digit unique identifier based on a photograph, fingerprints and iris scans.
Commercial attention has been drawn to biometrics too: last year the market for global biometric systems saw revenues of $21.8bn, according to Statista.
Acuity’s Most acknowledged that security should be considered of paramount importance but believes a centralised database can ensure that.
“We need to understand how to create a biometric solution that is both secure and convenient, and I think we have to do that by building in certain mechanisms into centralised use of biometrics, i.e. you should never store other biometric data with other personally identifiable information. If you’ve got a biometric template with any other PII, that is bad,” she said.
“The other thing with biometrics is that security is, if you store them separately and they’re independently stored, if someone accesses that database and you were worried about using the templates, you can kill those templates, apply a new algorithm and create new templates. I think the idea that your biometrics cannot be revoked is misunderstood.”