Legal Implications of Implementing Biometric Security
What are biometrics?
Biometrics is the science and technology of measuring and statistically analyzing biological data. The field of biometrics encompasses “biological data” that we’re all familiar with, such as fingerprints and faces, but also includes data that may be less familiar, such as the rhythm of a heartbeat (www.nymi.com) or the shape of an ear (www.descartesbiometrics.com). One of the ways biometrics is used is for security, such as using a fingerprint or retinal scanner in lieu of a password to restrict access to data. Although biometric security is somewhat limited in everyday use at the moment, the time is fast approaching where biometric security will be leaping from the pages and screens of science fiction stories and into the everyday real world.
Biometrics are quickly moving from fiction to fact
Consider that the FIDO (Fast IDentity Online) Alliance, which includes among its members Google, Microsoft, Visa and Mastercard, recently published a final draft of its biometric standards in December 2014, stating that “[t]oday, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die.” (https://fidoalliance.org/news/item/fido-1.0-specifications-published-and-final1). Indeed, Microsoft’s next generation of the Windows operating system – Windows 10 – may ditch passwords altogether and rely on face, eye and fingerprint recognition to not only log you into your computer but to “authenticate apps and websites without sending a password at all.” (http://www.wired.com/2015/03/microsofts-bold-plan-ditch-passwords-windows-10).
A cup of coffee for your biometric data
In a world where you are your password, ordering a cup of coffee (your voice), picking up the cup of coffee (your fingerprint), drinking the cup of coffee (the DNA in your saliva) and then walking back to your car (your face) are all potentially akin to handing out your password on a business card to everyone that passes by. Consider that a German hacker was able to accurately reproduce the fingerprint of the German Defense Minister using nothing more than high-resolution photos of her hands that were taken from ten feet away during a press conference (http://arstechnica.com/security/2014/12/politicians-fingerprint-reproduced-using-photos-of-her-hands/). Or consider the criminal who was convicted solely on DNA that was swiped from the armrests of a chair he was sitting in while being interrogated (http://arstechnica.com/tech-policy/2015/03/supreme-court-gives-tacit-approval-for-government-to-take-anybodys-dna/).
Perhaps best summing up the problem is the dissent in the criminal’s appeal, which noted: “The Majority’s approval of such police procedure means, in essence, that a person desiring to keep her DNA profile private, must conduct her public affairs in a hermetically sealed hazmat suit…[t]he Majority’s holding means that a person can no longer vote, participate in a jury, or obtain a driver’s license, without opening up his genetic material for state collection and codification.” In a society such as this – where simply existing in the world exposes your biometric data to collection and subsequently places your private, privileged and/or confidential data, and potentially your very identity, at risk of being exposed – it will be critical for the law to allow this biometric data to be properly secured.
The law must be ready to address two categories of issues for biometric security
The potential legal issues with biometric security generally appear to fall into two categories. First, to what extent should individuals be required to secure their biometric data? For example, if a client provides me with access to a cloud drive with confidential documents on it and secures the account with a password, there is obviously an issue if I start passing that password out to everyone that walks by. But what if he secures the account to my fingerprint? Do I have an obligation to keep my fingerprints from being duplicated and, if so, what does that obligation entail – wearing gloves at all times or wiping down any surfaces I touch? And second, to what extent can individuals be permitted to secure their biometric data? For example, generally speaking, if you are out in public your picture can be taken. But can you stop a person from taking your picture – or force them to destroy all copies of that picture – purely based on your interest in protecting your biometric data?
The courts have thus far failed to recognize the unique value of biometric data
Unfortunately, as it currently stands the law is very poorly equipped to deal with either of these categories. For example, last year a Virginia Circuit Court judge held that police officers cannot force criminal suspects to divulge the password for a cellular phone but they can force them to use their fingerprint to unlock the phone. The judge held that forcing a person to divulge a cell phone password violates the right to avoid self-incrimination but forcing him to unlock the cell phone with his fingerprint would be permissible. The judge found that a password is testimonial but fingerprints are merely physical evidence, analogous to a handwriting sample or DNA that authorities are already legally allowed to demand. (See http://hamptonroads.com/2014/10/police-can-require-cellphone-fingerprint-not-pass-code).
You can probably see the conflict. On the one hand, we all know that fingerprints are a vital tool for law enforcement and can’t be absolutely protected against production. On the other hand, there is a difference between fingerprints that function as physical evidence and fingerprints that function as biometric data to secure a device. The judge, however, was not able to recognize this difference; that is, he couldn’t see fingerprints as anything more than purely physical objects, deserving of no special protections. Yet if this is the general rule for biometric information – that it is afforded no protection under the law – then as things currently stand, even though the law may step in and stop someone from stealing your written password, it will do nothing to protect your fingerprints, facial details or other biometric data from being taken and freely used to bypass whatever security you may have in place.
Protection of biometric data is up to the end users
In the end, there’s no short and easy answer to the legal issues associated with biometrics, but the fact that the law is simply not ready to address these issues should give anyone pause when considering biometrics as an alternative or supplement to language-based passwords. That is not to say, of course, that biometric security is something to be avoided. On the contrary, it represents a significant step forward in securing our data and information. However, before utilizing biometric security, there needs to be a recognition that at this time the law is largely unwilling and unable to support the protection of biometric data, such that it will be up to the end user – whether individuals or companies – to implement their own policies and procedures with respect to preventing biometric data from being taken and/or misused.
Perhaps the most critical question to ask, then, is this: how can I implement biometric security in a way that solves my problems rather than creating new ones or just putting a new face on the same old problems as before? Until such questions are answered, the best practice may be to keep on using the “devil you know” until you’ve fully considered the ramifications of replacing or supplementing written passwords with biometric security.
If you’re involved in a lawsuit or risk management and have any questions regarding current or potential legal issues, we would urge you to contact an attorney as soon as possible to obtain advice, guidance and representation. At Baker, Keener & Nahra, we have the experience, skill and drive to get the best possible results for our clients, no matter the size of the case or the scope of the problem. So if we can be of any assistance to you, please contact us and let us know how we can help.