Sam Raimi's 2002 film Spiderman included timeless advice from Ben Parker: "With great power, comes great responsibility." Uncle Ben's advice is just as important to securing data as it is to web-slinging. But his advice is even more important with the evolution of biometric data.
Facial recognition. Retinal scanners. Palm-print activation. Each of these innovations, just years ago a staple of science fiction, are growing in sophistication and practical use. Currently, most smartphones and tablets have thumb print recognition, and in the next few months, at least one major credit card company is launching a selfie-security feature, which would allow customers to authentic their identity for purchases by simply taking a selfie and letting facial recognition software validate. All of these features are examples of biometric identification: using human attributes signature to an individual to serve as a unique identifier. Biometrics are a form of data, and just like any type of data it can be digitized and stored in databases.
The FBI & The Privacy Act of 1974
Earlier this summer, the FBI moved to exempt its Next Generation Identification System’s storage of biometric personal identifying information from certain notice and consent provisions of the Privacy Act of 1974. The Privacy Act prohibits government agencies from sharing information about individuals without their consent. The FBI argues that widespread disclosure of this data would harm law enforcement activities.
What is the Next Generation Identification System? According to the Justice Department, NGIS is intended to build on the FBI’s fingerprint database by enabling officials to link multiple forms of biometric data (e.g. palm print and facial recognition data, iris scans, heart rhythms, etc) to personal and biographic data (e.g. name, home address, social security number, date of birth, immigration status). The FBI argues that the NGIS should be exempt from several subsections of the Privacy Act, because these requirements could interfere with the agency’s mission to detect, deter, and prosecute crimes and to protect national security. For example, the Privacy Act requires individuals to be notified when their data is shared with another agency. The Justice Department contends that this requirement would undermine the FBI’s ability to conduct investigations because such disclosures would reveal investigative interests by the FBI.
The Justice Department identified another provision of the Privacy Act that proves troublesome with respect to biometrics. The Privacy Act requires governmental agencies to limit the information it retains on individuals to only that which is “necessary and appropriate” to achieve their objectives. But the Justice Department explains that it cannot always know in advance what information may be relevant and necessary to a law enforcement probe. In other words, the relevance of information may not be apparent until after it is vetted and matched with other sources of information that are already lawfully maintained by the FBI.
The Big Picture
So what does this mean for all of us? Does it confirm the conspiracy theories fueling the Internet that Big Brother is always watching? I will leave that the conspiracy theories for the next X-Files revival, but the FBI’s use of biometric databases provides an important reminder of the need for increased security when entities deal with more and more powerful data, such as biometrics.
When we think of the information that hackers want, we think classic personally identifying information (“PII”): name, date of birth, social security number, and address. These pieces of information are often the keys for hackers to enter the kingdoms of bank accounts, health records, and credit agencies. But now new keys are out there: facial recognition, heartbeats, retinal scans, palm prints and fingerprints. Like all data, biometrics can be used for harmful purposes if placed in the wrong hands. The only difference? With varying degrees of difficulty, names, addresses, and social security numbers can be changed. Your face and fingerprints? Not so easy.
Biometric data is a double-edged sword. The benefits include stronger identity protection for companies and increased efficiency for law enforcement to thwart criminal activity. But the costs can include heightened risks to your identity if the data is disclosed and able to be replicated, and a severe sense of privacy invasion to learn that someone has images of your face or digital files of your heartbeat. As the government and private sector begin embracing biometric data as an effective and efficient tool, we all need to gain an appreciation for how this data can be weaponized. This means increased dedication to cybersecurity efforts and a privacy-by-design approach. In other words, privacy protection must be a value that is adhered to at every step of the engineering and concept-development process for any governmental or private-sector program that makes use of this data. This means developing administrative, technical, and physical safeguards to protect biometric data from high risk of compromise.
Whether or not the FBI’s biometric database is subject to the Privacy Act, all data needs to be secured so as to minimize the effectiveness of outside threats. Reasonable minds can disagree about the utility of the FBI maintain a database with our biometric data, but we can all agree that once the data exists it should be secured. This is the responsibility all entities have when maintaining high risk data, such as biometrics. And to paraphrase Uncle Ben, "with great data, comes great cybersecurity responsibility."