Even If You’re Using Biometric Identification, Your Data’s Not Safe

Has anyone ever told you that you have your mother’s or father’s eyes? Mom’s or Dad’s eyes could be the same shape, size and color as yours, but ultimately your eyes have a totally unique structure. That’s why, sometime in the near future, a store clerk might ask you to complete a purchase by looking into a scanner instead of handing over your credit card.

Iris recognition and retinal scanning are ocular types of biometric identification, a catchall term to describe methods of using biological characteristics to identify people. These characteristics, or biometrics, include any physical traits that are unique to each of us. Some biometric ID methods are already in wide use, such as fingerprint scans and voice recognition. Newer techniques involve biometrics including gait, ear shape and even the patterns of veins in the hands and eyes.

This technology has applications in commerce, healthcare, criminal justice and other fields. It’s already widely used to authenticate users of data-storing devices. For example, iPhones and Windows devices can be unlocked with fingerprints or facial recognition. Major employers are increasingly requiring employees to log onto computers and other devices using biometrics.

Biometric identification isn’t the wave of the future: it’s already here. And it’s making a lot of data security experts nervous.

Biometric Identification Leaves You Vulnerable

Critics are vocal about their objections to widespread use of biometric identification. Privacy concerns are one of the biggest drawbacks they cite. (If you allow your physical characteristics to be measured and recorded once, they often argue, you can no longer control who accesses that personal data or how they use it.)

At Northeast Data Destruction, we’re more concerned about the data security vulnerabilities associated with using biometric data. For one thing, biometrics are public, observable characteristics. Your eyes, ears, hands, gait and voice can be recorded without your knowledge. If photos and videos of you are posted online, some of your biometric data is already in the public sphere.

Say you have files that contain proprietary information belonging to your company, and these files can only be accessed via a biometric scanner that recognizes the specific shape of your ear. If a skilled hacker is really determined to get that information, a detailed image of your ear could be enough to get him in. It might sound far-fetched, but this kind of plot can really work. In 2016, computer vision specialists from the University of North Carolina Chapel Hill tricked four out of five facial recognition systems by creating 3D facial models from photos they found online. Many of the photos were pulled from social media sites.

Another vulnerability associated with biometric identification might surprise you. Biometrics are, for the most part, unchanging. A person’s body may transform over the years, but her vein patterns and ear shape probably won’t.

Seems like a good thing for biometrics, right? The retinal scan that grants you access to your computer today will still work in 10 years. Sure, but there’s a negative side to the permanency of your biometrics. When a thief steals your keys, changing your locks will keep him from getting in again. When a hacker breaks into your network, changing security protocols can prevent a second breach. Biometrics can’t be simply altered or replaced. If you use a retinal scan to log onto your work computer and a hacker somehow accesses your retinal data, you can’t just swap in a new image of your retina and secure the system again.

Data Protection in the Age of Biometric Identification

There are two separate data security issues to keep in mind while using biometrics. The first is protecting the biometric data itself, the biological measurements and calculations that can be used to identify an individual. Because this is a relatively new field that’s now exploding in popularity, biometric data protection hasn’t been perfected. It also hasn’t been widely regulated. A few states have established laws about collecting and using biometric data. Currently, no law explicitly protects biometric data at the federal level. This is one area where a wait-and-see approach is the best option right now.

The second security issue relates to using biometric ID methods to protect sensitive data, such as when logging into a laptop requires a fingerprint from the authorized user. These technologies are impressive, to be sure. They can also be very effective, and some users will achieve a higher level of security using biometrics instead of standard security measures like passwords.

These methods can also give users a false sense of security, especially if they don’t realize that biometric ID methods can be compromised. The technology is so new that the average user hasn’t learned much about its vulnerabilities. The risk is that consumers will assume devices secured with biometrics are impenetrable, and will be lax with data security.

What This Means for You

Adhering to data destruction best practices is more important now than ever. Relying on biometric identification alone to keep your data safe is like securing your home with a single padlock. It’s just one layer of security. Sure, it’ll keep most people out. A determined thief can still get through, if he’s armed with the right tool. And once he’s inside and rummaging through your stuff, it doesn’t matter what kind of lock was on the door.

Ultimately, putting sensitive data behind a biometrics wall isn’t a perfect safeguard. Your financial records, health records and proprietary information are still vulnerable to theft. Biometrics may be changing some elements of how your business approaches device security, but this technology shouldn’t change the way you destroy data-storing devices. Complete and irreversible destruction is the only way to make sure the data is truly gone.

At Northeast Data Destruction, we track data security developments so you don’t have to. How can we help your business protect its data? Contact Northeast Data Destruction today with questions.