Promote Your Stuff


Wednesday, February 7, 2024

How Is Our Biometric Facial Data Protected?

How is biometric facial data stored, and who has access to it?


Face ID: Is our biometric facial data being safeguarded?


By Fabricio Rodríguez


Who has access to your Biometric Facial Data
In a world where facial recognition technology (FRT) is rapidly expanding, it is increasingly applied in daily situations such as accessing a bank account through a mobile phone, registering attendance at the office, or authenticating our identity in airports.  This widespread implementation also raises significant concerns about the safeguards for the biometric facial data that we provide (or not) to access different services or for other applications.  So, if our biometric facial data is increasingly being used, how is it being protected?

Similar to other biometric data like fingerprints, eye retina or iris, finger veins, or even ear canal recognition, facial recognition is a mechanism that can be used to identify a person, and together with fingerprint recognition, it is currently one of the most commonly used mechanisms of identification.  Facial recognition has experienced rapid growth in its applications and according to Deloitte, the market value of this technology is expected to increase from US$ 3.8 billion in 2020 to 8.5 billion in 2025.

How is biometric facial data captured?

As part of the process that uses facial recognition to authenticate whether we are who we say we are, there is an onboarding process that includes an enrollment phase, for example, setting up facial identification on your phone.  During the initial setup process, the phone registers your biometrics, capturing in this case your facial data.  This data is subsequently used for future authentications, providing access not only to the phone but also to apps that might use this feature.

However, facial recognition is not only based on voluntarily provided data for identification.  Years ago, significant controversy arose around a company that collected billions of photos of people based on posts shared on social media to create a database later sold for identification purposes.  According to the New York Times, “Dozens of databases of people’s faces are being compiled without their knowledge”, and this data seems to be collected not only from social media and other websites but also from cameras placed in different places, such as restaurants, for example.

Nevertheless, this same technology has become very important in areas like citizen security, being an increasingly used tool not only by police departments but also in the justice sector by public defenders.

How is biometric facial data stored, and who has access to it?

As mentioned before, facial recognition has become widely popular for accessing and unlocking mobile devices.  For instance, the iOS face identification system ensures that “Face ID data — including mathematical representations of your face — is encrypted and protected by the Secure Enclave.”  The Secure Enclave is a subsystem integrated into Apple systems on chip (SoCs) and is isolated from the main processor to provide an extra layer of security for sensitive data.  iOS explicitly states that “Face ID data doesn’t leave your device and is never backed up to iCloud or anywhere else.”  Essentially, only the owner of the phone is supposed to have access to their biometric data and to manage its use and permissions.

However, in other cases where biometric facial data is collected (sometimes without prior knowledge), users may not be able to access information on how their biometrics are being stored and on their potential uses.

In 2020, during one of the controversies regarding the sale of facial datasets and its impact on people’s privacy rights, Senator Edward J. Markey from the United States mentioned:

If your password gets breached, you can change your password.  If your credit card number gets breached, you can cancel your card.  But you can’t change biometric information like your facial characteristics…

Therefore, protecting the personal biometric data of citizens, including their “faceprint” from other images or videos captured with or without their consent, is not only important but absolutely necessary to ensure correct treatment of data and to set limits on its use.  Protocols must be established to guarantee the appropriate handling of this very sensitive information, which, in the wrong hands, could lead to significant harm.

Is there legislation around biometric facial data protection?

While there is still a lack of legislation in many countries specifically addressing the protection of biometric data, some initiatives do exist aimed at defining rules for the treatment of this kind of data.  One of the most important laws in this space is the European Union’s General Data Protection Regulation (GDPR), which establishes a set of rules in this field.

The GDPR classifies biometric information (including facial data) as a “special category” of personal data.  Therefore, compliance with Article 9 is required, which, among other things, emphasizes the need for explicit consent from the data subject to process biometric data.  In 2023, the European Data Protection Board published the Guidelines on the Use of Facial Recognition Technology in The Area of Law Enforcement as an effort to provide relevant information to lawmakers and Law Enforcement Authorities for the implementation and use of FRT.

On the other hand, given that the United States has no federal law on data protection, the State of Illinois enacted a biometric privacy law in 2008.  The Illinois Biometric Information Privacy Act (BIPA) states that the subject should be informed in writing that a biometric identifier or biometric information is being collected or stored, and should provide authorization.  Similarly, other states like Texas and Washington State have developed biometric privacy statutes.

In 2020, the National Biometric Information Privacy Act was presented to the Senate, as a proposal to regulate this field at a national level in the USA.  According to the US Congress website, this proposal mentions: “A private entity may not obtain an individual’s biometric data unless (1) the entity requires the data to provide a service or for a valid business purpose, and (2) the entity informs the individual in writing of the collection and its purpose and receives a written release.”  In Latin America, various countries have enforced data protection laws, and cases around data protection have arisen.  Some of these countries developed their laws based on the European model, including similar characteristics to those determined by the GDPR.  For instance, the Data Protection Law from Ecuador, adopted in 2021, establishes biometric data as sensitive data.  Therefore, among other rules, it determines that its use and processing are also forbidden without the explicit authorization of the data subject.

What might be done to safeguard people’s rights?

Biometric data, including facial data, will likely continue to expand its applications and use cases.  Therefore, it is necessary for countries worldwide to continue working on specific norms to regulate the way this data is captured, processed, and used.  Even though acts and specific protocols have already been developed in some countries, authorities need to work on strengthening their institutional capacities to guarantee adequate enforcement of these legal frameworks by promoting specialized guidelines, considering the rapid changes in technology, including artificial intelligence that uses facial biometric data as input.

Furthermore, it might be important for authorities to also consider working on FRT-based systems regulations.  This is necessary to prevent bias, discrimination, or other negative effects on citizens as a result of the application of this technology, as seen in various cases around the world.

A robust regulatory framework, coupled with effective enforcement and awareness campaigns, will protect citizens’ biometric data and, eventually, their right to privacy.  It will also establish an adequate environment to promote responsible innovation in the use and applications of FRT, as it can become a very powerful tool for innovation and economic development when used appropriately.


Saturday, August 13, 2022

How to Build Trust Online

Trust: An Obstacle and an Opportunity for Digital Transformation


Low trust, in short, is an obstacle to digital transformation


Trust Online is Essential
It is well understood that digital transformation can build trust between citizens and the state.  It improves service delivery, transparency, and the efficiency of public expenditure—all of which contributes to greater citizen trust in government.

But trust is also critical to allowing the process of digital transformation to occur in the first place, and Latin America, the least trusting region in the world, is notably behind global leaders in taking advantage of digital technologies to modernize government and business.

Low trust, in short, is an obstacle to digital transformation.  It is also a problem that digital transformation can help overcome.

We delve into this conundrum in a chapter of the recently-published Development in the Americas report on trust.  Here’s what we found.

Low-trust People Use Digital Services Less

Using digital services requires leaps of faith.  Users must believe that the good or service will be delivered as promised, even though in many cases they cannot actually see what they are purchasing.  They often must pay up front, requiring them to trust providers to fulfill their commitment (e.g., to send a product in the mail).  Furthermore, they have to trust that providers will be responsible stewards of the personal data they provide.  It is perhaps intuitive, then, that low-trust people, who make up the majority of Latin Americans, would be reticent to use digital services.  This is precisely what the data show. 

There’s another rub: many Latin Americans value inefficiency.  Sixty-two percent of citizens in seven Latin American countries believe that barriers to access have to be high (lots of requirements, complex forms) in order to prevent fraud in service delivery.  Digital services naturally have lower barriers to access than equivalent in-person services, which low-trust people may perceive as making them more vulnerable to fraud.

Roots of Mistrust Online: Privacy Concerns and Poor User Experience

Mistrust fuels reluctance to use digital services in Latin America and the Caribbean and part of the reason seems to lie in a disconnect between what people say, and what people do.

On one hand, Latin Americans overwhelmingly state in surveys that they trust neither public institutions nor private companies to treat their personal data responsibly.  On the other, they are avid users of services that are based on the aggressive usage of personal data, such as those of Facebook and Google.  If privacy concerns were really so important, these companies’ business model—known as surveillance capitalism—simply wouldn’t work.

So, then, what is driving low uptake of digital services?  Consider your own experiences.  If you go online with your bank, attempt to transfer money between accounts, and the website freezes, would you try a second time?  If you try to access a digital public service, and the forms don’t fit on your smartphone, would you think about going to an office instead?  This is precisely what happens to many Latin Americans: In a 2020 survey, nearly half of users of digital public services reported having difficult experiences.

Users Have Good Reason to be Concerned

Whether or not citizens’ doubts about privacy are backed by their behavior, Latin Americans generally should be concerned about trust online.  This is because the invisible foundations of digital security—data protection and cybersecurity—are weak in most countries.

Data protection: As of late 2020, 14 out of 26 countries in the region had no data protection laws in effect. Even in the 12 of 26 countries that do have a legal framework for data protection, the laws are often outdated or insufficient to grapple with the complex situations that the digital economy presents. In only nine of the 12 countries with laws is there any implementation capacity.

Cybersecurity: Out of 32 countries in the region, 25 do not have a critical infrastructure protection plan, 12 lack cybersecurity incident response teams, 20 do not have a national cybersecurity strategy, and 22 do not have a government entity in charge of national cybersecurity management.  There are sitting ducks everywhere.

How to Build Trust Online

There are some concrete actions that can help the online environment be (and seem) more trustworthy, and thus boost uptake of digital services:

  1. Start with user needs.  Digital services must be designed with users in mind, iteratively testing and modifying, striving for the user experience of all services to be on par with those of the digital giants.
  2. More information and transparency.  Crowdsourced rating systems and customer reviews, like those on Amazon, help customers and providers bridge the anonymity of the internet.  Status trackers help users see that providers are working on their requests.  Tools like Estonia’s personal data portal allow citizens to see what government institutions are accessing their information and why.
  3. Stronger data protection and cybersecurity.  The less people hear about public institutions and companies playing fast and loose with their data, or about massive hacks, the more likely they’ll be to use online services.

Low trust is getting in the way of the uptake of online services.  Investing in these measures would help overcome trust shortfalls, and thus contribute to unleashing the potential of digital transformation for development.