Biometrics: The Most Precious Data of All
The following excerpt is from Nick Corbishley’s new book Scanned: Why Vaccine Passports and Digital IDs Will Mean the End of Privacy and Personal Freedom (Chelsea Green Publishing, March 2022) and is reprinted with permission from the publisher.
Biometrics systems are used to identify or authenticate identity by using innate physical or behavioral characteristics, including fingerprints, face and palm prints, iris patterns, voice, gait, breath, and DNA. The argument for its use is that by tying digital IDs to biometrics, authorities can largely remove the risk of fraud and identity theft, an issue that’s recently come up with vaccine passports in France and elsewhere.
Biometric technologies are already being used in diverse settings, from banks and other financial institutions to schools and workplaces. UK global bank Standard Chartered has rolled out fingerprint and other biometric technologies across many of the African and Asian markets in which it operates, as part of a $1.5 billion technology investment package. Mexican banks have collected biometric data (fingerprints and iris scans) on all their customers. Passports around the world have included biometric features for years, as have other forms of IDs. Many people opt to sign into their mobile phones using their biometric data.
Children are also being conditioned to use biometric systems, sometimes for the most mundane of reasons. In Scotland, for example, a number of schools in 2021 began using facial recognition to expedite school lunch lines. The local council in North Ayrshire said that the new technology allowed for a faster lunch service while removing the need for any contact at the point of sale: “With Facial Recognition, pupils simply select their meal, look at the camera and go, making for a faster lunch service whilst removing any contact at the point of sale.”1
Similar facial recognition systems have been in use in the United States for years, though usually as a security measure. In the case of the schools in Ayrshire, the rationale is ease, speed, and efficiency, but critics argue that these pilot schemes have a much darker purpose than expediting school lunch queues; they are about conditioning children to the widespread use of facial recognition and other biometric technologies.
Stephanie Hare, author of Technology Ethics, argues that the widespread use of these technologies is normalizing children to understand “their bodies as something they use to transact. That’s how you condition an entire society to use facial recognition.”
In the end, North Ayrshire council decided to shelve its pilot scheme after parents and data ethics experts raised concerns that the privacy implications may not have been fully considered.2 There has also been pushback from citizens in the United States on the use of facial recognition in schools. In New York, public opposition was so strong that the state government ended up halting all use of biometric identifying technology in schools until at least July 2022.
San Francisco-based digital rights group Electronic Frontier Foundation says that biometric systems pose “extreme risks” to privacy and the security of personal data:
The government insists that biometrics databases can be used effectively for border security, to verify employment, to identify criminals, and to combat terrorism. Private companies argue biometrics can enhance our lives by helping us to identify our friends more easily and by allowing us access to places, products, and services more quickly and accurately. But the privacy risks that accompany biometrics databases are extreme.
Biometrics’ biggest risk to privacy comes from the government’s ability to use it for surveillance. As face recognition technologies become more effective and cameras are capable of recording greater and greater detail, surreptitious identification and tracking could become the norm.
The problems are multiplied when biometrics databases are “multimodal,” allowing the collection and storage of several different biometrics in one database and combining them with traditional data points like name, address, social security number, gender, race, and date of birth. Further, geolocation tracking technologies built on top of large biometrics collections could enable constant surveillance.3
This is a problem highlighted in a Financial Times article about Aadhaar, India’s biometric ID system. It came into being in 2016 after the government passed the Aadhaar Act without any debate, discussion, or even the approval of Parliament. Aadhaar (Hindi for “foundation”) is a 12-digit unique identity number (UID) issued by the government after confirming a person’s biometric and demographic information. The largest system of its kind on the planet, Aadhaar required Indian citizens to submit their photograph, iris, and fingerprint scans in order to qualify for welfare benefits, compensation, scholarships, legal entitlements, and even nutrition programs. By 2021, the Unique Identification Authority of India (UIDAI) had issued 1.3 billion UIDs covering roughly 92 percent of the population.
The UIDAI was led by Indian tech billionaire Nandan Nilekani, the cofounder and nonexecutive chairman of Infosys, India’s second largest IT company. Lauded by Bill Gates as one of his so-called “heroes in the field” for having made the world’s “invisible people, visible,” Nilekani has in recent years been working with the World Bank to help other governments set up similar digital ID systems.4
Besides serving as a gateway to government services, Aadhaar also tracks users’ movements between cities, their employment status, and purchasing records. It is a de facto social credit system that serves as the key entry point for accessing services in India. While the system has helped to speed and clean up India’s bureaucracy, it has also massively increased the Indian government’s surveillance powers and excluded over 100 million people from welfare programs as well as basic services, as the FT article notes:
The Indian media has reported several cases of cardless individuals starving to death because they could not access benefits to which they were entitled. “Aadhaar is deeply embedded in Indian life and works for most people most of the time. However, when it does not work, it most affects those who are already vulnerable,” the [2019 State of Aadhaar] report concluded.
Some critics go further, arguing Aadhaar has largely failed to fulfil its original promise of improving welfare and now acts as a tool for social exclusion and corporate influence. In Dissent on Aadhaar (2019), 15 academics, lawyers and technologists examined Aadhaar’s shortcomings, focusing on an almost Kafkaesque disparity between the “helplessness, frustration and vulnerability” of the individual and the omniscience and opacity of large bureaucracies. “The Aadhaar project is a perversion of the constructive purpose of technology to be subservient to the needs of society,” concluded Reetika Khera, the book’s lead author.5
Biometric systems are also prone to failure, warns the London-based charity Privacy International:
This can be a result of issues like the fading of fingerprints (the elderly and manual workers being particularly at risk) or cataracts affecting iris scans.
The consequences of this can be severe: for example, failing to get access to benefits to which an individual is entitled. This is not an abstract concern. There are already reports that this has led to starvation deaths in India.6
The systems are also notoriously inaccurate on women and those with darker skin, and they may also be inaccurate on children whose facial characteristics change rapidly. Wired magazine reported in 2019 that “US government tests find even top-performing facial recognition systems misidentify blacks at rates five to 10 times higher than they do whites.”7
There is also the risk that people’s biometric identifiers could end up in the wrong hands. A large-scale data breech in India, for example, could affect over a billion people. Privacy International reports that authorities in India, South Korea, and the Philippines have already suffered “extensive security and data breaches that led to the leaking of biometric ID information belonging to millions of individuals in those respective countries.” If biometric data is hacked, there is no way of undoing the damage. You cannot change or cancel your iris, fingerprint, or DNA like you can change a password or cancel your credit card.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the internet: everything is hackable.”
Most databases are exceedingly porous, even in countries with advanced cybersecurity systems, as we saw in the recent hack of Microsoft’s exchange servers.8 Governmental databases are often targets because they have fewer resources and often less skilled IT teams.9 Central banks, such as the Reserve Bank of New Zealand and Banco de Mexico, have also been targeted by cybercriminals. These incidents raise concerns about any system that seeks to collect, integrate, and use the biometric identifiers of hundreds of millions or even billions of people. While most vaccine passport systems haven’t collected users’ biometric data yet, it is probably a matter of time before they do. That data is unlikely to be fully secure.
Peter Yapp, former deputy director of UK Government Communications Headquarters’s (GCHQ’s) National Cyber Security Centre (NCSC) recently warned that building another centralized database to store even more of our personal data would create more opportunities for hackers and cybercriminals:
Centralised databases mean you’re putting a lot of data in one place so it becomes an attractive target for hackers and the like, so it’s like a honeypot—it attracts people in and they’re going to have a go because there is so much data.
Steve Baker, deputy leader of the COVID Recovery Group (CRG) of Conservative MPs, said a centralized vaccine passport system would become a magnet for hackers:
Bugs create security vulnerabilities. That’s why it’s a terrible idea to gather together so much data of such importance in one place. This is one more nail in the coffin in the idea of COVID certification.10
There is another reason why vaccine passport systems are a threat to our personal liberties, privacy, and digital rights: that the scale and scope of their application will grow over time.
- Nick Corbishley, “UK Goes Full-On Big Brother, Employs Facial Recognition Technology to Expedite School Lunch Queues,” Naked Capitalism, October 22, 2021, https://www.nakedcapitalism.com/2021/10 /uk-goes-full-on-big-brother-employs-facial-recognition-technolog y-to -expedite-school-lunch-queues.html.
- “Schools Pause Facial Recognition Lunch Plans,” BBC News, October 25, 2021, https://www.bbc.com/news/technolog y-59037346.
- “Biometrics,” EFF, last accessed December 18, 2021, https://www.eff.org /issues/biometrics.
- Bill Gates, “Making the World’s Invisible People, Visible,” Gates Notes, January 29, 2019, https://www.gatesnotes.com/Development/Heroes-in-the -Field-Nandan-Nilekani.
- John Thornhill, “India’s All-Encompassiong ID System Holds Warnings for the Rest of World,” The Financial Times, November 11, 2021, https://www .ft.com/content/337f6d6e-7301-4ef4-a26d-a4e62f602947.
- “The EU, the Externalisation,” Privacy International, October 15, 2021, https://privacyinternational.org/long-read/4651/eu-externalisation -migration-control-and-id-systems-heres-whats-happening-and-what.
- Tom Simonite, “The Best Algorithms Struggle to Recognize Black Faces Equally,” Wired, July 22, 2019, https://www.wired.com/story/best-algorithms -struggle-recognize-black-faces-equally.
- Zack Whittaker, “America’s Small Businesses Face the Brunt of China’s Exchange Server Hacks,” Tech Crunch, March 10, 2021, https://techcrunch .com/2021/03/10/america-small-business-hafnium-exchange-hacks.
- “Why Government Institutions Are the Perfect Target for Hackers,” Govern- ment Technology, August 2, 2021, https://www.govtech.com/sponsored /why-government-institutions-are-the-perfect-target-for-hackers.
- Stefan Boscia and Poppy Wood, “UK Vaccine Passport App Could Become ‘Honeypot’ for Hackers, Says Former Top Government Cyber Adviser,” City A.M., March 31, 2021, https://www.cityam.com/uk-vaccine-passport -app-could-become-honeypot-for-hackers-says-former-top-government -cyber-adviser.