A few weeks ago, the European Data Protection Supervisor (EDPS) and the Spanish Data Protection Agency (AEPD) published a joint technical paper detailing 14 misunderstandings relating to the use of biometrics and how these misconceptions can affect data protection.
The report, aimed at data protection controllers and managers, seeks to shed light on some of the most common misconceptions and inaccuracies associated with the use of the technology.
Identification is the process of identifying an individual among a group, and authentication is the process of proving the identity claimed by an individual. The increased use of biometric data (e.g. fingerprints or facial measurements) for identification and authentication purposes has led to a series of widespread misconceptions. Some of the most common misconceptions are listed below:
- “Biometric information is stored in an algorithm”. An algorithm is a method, an ordered set of operations or a recipe and not a means to store biometric data.
- “The use of biometric data is as intrusive as any other identification/authentication system”. Biometric data reveals more information about the subject. For example, it can include data on race, gender, emotional state, diseases and disabilities, etc.
- “Biometric identification is accurate”. Biometric identification relies on probability. There is a certain rate of false positives (accepting an impersonator) and false negatives (rejecting an authorised individual).
- “Biometric identification/authentication is precise enough to always differentiate between two people”. Certain situations, such as the identification of twin siblings or the environmental conditions in uncontrolled settings, can lead to an increase in the error rate and therefore, to confusion.
- “Biometric identification/authentication is suitable for all people”. Some people cannot use biometrics because of their physical characteristics, injuries, accidents, etc. This factor can lead to social exclusion.
- “The biometric identification/authentication process cannot be circumvented”. Techniques that allow you to “fool” biometric authentication systems and assume the identity of another person do exist.
- “Biometric information is not exposed”. A person’s biometric characteristics are exposed and can be captured at a distance.
- “Any biometric processing involves identification/authentication”. Not necessarily. There is a risk that security failures, regulatory changes, etc. can lead to the information being processed beyond the original purpose.
- “Biometric identification/authentication systems are safer for users”. They are also susceptible to security breaches.
- “Biometric authentication is strong”. The truth of this statement depends on the technology used and the circumstances, perception and culture of each user.
- “Biometric authentication is more user-friendly”. This depends on the technology used.
- “Biometric information converted to a hash is not recoverable”. It may be possible to retrieve the original biometric pattern.
- “Stored biometric information does not allow the original biometric information from which it was extracted to be reconstructed”. A partial reconstruction sometimes has sufficient accuracy for another biometric system to recognise it as the original one.
- “Biometric information is not interoperable”. On the contrary, biometric information systems are developed according to standards that ensure their interoperability.
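The following Python simulation is an added example, not code from the EDPS/AEPD paper or from this article, and all feature vectors, noise levels, gallery sizes and thresholds in it are constructed for the demonstration. It makes three of the points above concrete: a biometric decision is a similarity score compared against a threshold, so the false-accept rate (FAR) and false-reject rate (FRR) trade off against each other and neither can be driven to zero; in 1:N identification a small per-comparison FAR compounds into a much larger chance of at least one false match across the whole gallery; and two genuine captures of the same person never produce identical feature values, so the stored template cannot be an ordinary cryptographic hash as a password can be. It must remain comparable, which is what leaves room for the partial reconstruction the last two misconceptions describe.

```python
"""Toy biometric matcher over constructed feature vectors.

Added example, not code from the EDPS/AEPD paper. It shows why biometric
matching is probabilistic (FAR/FRR depend on a threshold), how a small
false-accept rate compounds in 1:N identification, and why a template
cannot be stored as an ordinary cryptographic hash like a password.
"""
import hashlib
import random
from typing import Dict, List, Sequence, Tuple

Template = Sequence[float]


def distance(a: Template, b: Template) -> float:
    """Euclidean distance between two feature vectors (our toy similarity score)."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def decide(enrolled: Template, probe: Template, threshold: float) -> bool:
    """Accept the probe if it lies within the tolerance of the enrolled template."""
    return distance(enrolled, probe) <= threshold


def make_population(n_subjects: int, samples_per_subject: int, dims: int,
                    noise: float, seed: int):
    """Constructed data: each subject has hidden 'true' features; every capture
    (enrolment or probe) is those features plus Gaussian sensor noise."""
    rng = random.Random(seed)
    enrolled: Dict[int, List[float]] = {}
    probes: List[Tuple[int, List[float]]] = []
    for sid in range(n_subjects):
        true_features = [rng.uniform(0, 10) for _ in range(dims)]

        def capture() -> List[float]:
            return [round(f + rng.gauss(0, noise), 3) for f in true_features]

        enrolled[sid] = capture()
        probes.extend((sid, capture()) for _ in range(samples_per_subject))
    return enrolled, probes


def error_rates(enrolled: Dict[int, List[float]],
                probes: List[Tuple[int, List[float]]],
                threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) for 1:1 verification at the given threshold.
    FAR = impostor probes wrongly accepted / impostor comparisons
    FRR = genuine probes wrongly rejected / genuine comparisons"""
    genuine = rejected = impostor = accepted = 0
    for sid, probe in probes:
        for eid, template in enrolled.items():
            match = decide(template, probe, threshold)
            if eid == sid:
                genuine += 1
                rejected += int(not match)
            else:
                impostor += 1
                accepted += int(match)
    return accepted / impostor, rejected / genuine


def identification_false_match_rate(far: float, gallery_size: int) -> float:
    """Chance that a probe falsely matches at least one of N enrolled templates
    when each independent 1:1 comparison has false-accept rate `far`."""
    return 1.0 - (1.0 - far) ** gallery_size


def template_hash(template: Template) -> str:
    """SHA-256 over the exact feature values, as if the template were a password."""
    encoded = ",".join(f"{v:.3f}" for v in template).encode()
    return hashlib.sha256(encoded).hexdigest()


def hash_verification_works(enrolled: Template, probe: Template) -> bool:
    """Exact-hash comparison: only succeeds when every feature value is identical,
    which two real captures of the same person essentially never are."""
    return template_hash(enrolled) == template_hash(probe)


if __name__ == "__main__":
    gallery, probes = make_population(50, 3, 4, 0.3, seed=7)
    for t in (0.5, 1.0, 2.0, 4.0):
        far, frr = error_rates(gallery, probes, t)
        print(f"threshold {t:>4}: FAR={far:.4f} FRR={frr:.4f} "
              f"P(false match in 1:N, N=10000)="
              f"{identification_false_match_rate(far, 10000):.3f}")
    # Two constructed captures of one person: the matcher tolerates the drift,
    # an exact hash does not.
    a, b = [1.0, 2.0, 3.0, 4.0], [1.01, 1.98, 3.02, 4.0]
    print("matcher accepts:", decide(a, b, 0.5))
    print("hash comparison:", hash_verification_works(a, b))
```

Raising the threshold lowers FRR and raises FAR, and vice versa; no setting gives zero for both, which is the probabilistic nature the paper refers to. The compounding function shows why a FAR that looks acceptable for one-to-one verification can be unusable for searching a large gallery. The hash functions show the structural difference from passwords: a password verifier stores a one-way digest and only ever needs equality, whereas a biometric verifier must keep data that supports a distance computation.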