While biometric data, such as facial scanning and fingerprints, means you can skip the password, it might also pose security concerns.
Imagine going to a grocery store and instead of taking out your wallet to pay for your sandwich, you wave your hand at a small scanner.
It might sound futuristic, but over three million people in the US give their biometric data to Amazon with this technology every day.
The biometric industry, which was boosted by the COVID-19 pandemic, will continue growing due to the increased use of smartphones, according to experts.
While governments are turning to biometric passports and facial recognition at borders – leaving no real choice to citizens wishing to retain their personal information – companies who want to collect their users’ personal data, still have to ask for permission.
What is biometric data and why is it used?
Biometric data is any data relative to your body that can identify you.
While facial recognition and fingerprints are some of the most commonly used features, gait analysis, analysing a person’s walk, and Amazon’s “palm signatures” also use biometric data.
Apple was one of the first companies to move to the commercial use of biometric data in 2013 with Touch ID, giving users the possibility to use their fingerprint to unlock their phones.
Today, it uses TrueDepth camera for Face ID recognition. A sensor on your phone projects about 30,000 invisible dots onto your face and creates a unique 3D map captured by an infrared camera. You’ll only be able to unlock your iPhone if your face matches the map stored on your device.
Essentially, companies in sectors such as security, health, finance and technology are using biometrics because it’s more secure than having passwords or identification documents.
“Biometric data skips some of the problems that we have with passwords,” said Melissa Goldstein, associate professor at George Washington University’s Milken Institute School of Public Health.
Amazon, for instance, boasts about its palm payment system One, which is “100 times more secure than scanning two irises,” and the company hasn’t seen a single false positive “after millions of interactions among hundreds of thousands of enrolled identities”.
Should you share your biometric data?
Giving away personal data isn’t necessarily worrying in itself, but it’s how that information is being used that we need to be concerned about, according to data experts.
“If I’m giving my data to Amazon specifically for them to process payment and then it’s added to a machine learning model that’s used to develop some other technology that I don’t agree with, then I feel deceived,” said Christopher Weatherhead, technology lead at Privacy International, a UK-based charity focusing on online privacy.
Last year, the tech giant came under fire for sharing personal data with police 11 times without user consent because it thought there was an emergency.
Experts also point to the risk of hacking and the fact that once your biometric data is compromised, it’s very difficult to change it.
“Biometric means it’s tied to your body and it’s safer because it’s your body. But then once it’s out on databases, it’s out,” Goldstein said.
Worst-case scenarios related to biometric data include medical fraud, but according to the professor, the benefit of paying with your palm or opening your phone with your finger might be greater than the risk of having your data hacked.
“People are willing to share their data in exchange for what they consider to be a benefit,” Goldstein told Euronews Next.
“You and I might define benefits differently than other people, so it’s for each of us to make our own decision about what is a benefit and what is a burden”.
Biometric data in Europe
In Europe, biometric data comes under the General Data Protection Regulation (GDPR), the EU’s data privacy rules.
“Valid consent is a specific requirement of the GDPR,” said Felix Mikolasch, a data protection lawyer at the non-profit NOYB, the European Centre for Digital Rights.
Speaking to Euronews Next, he explained that this means that every company collecting data in the EU (even if operated from outside the bloc), needs to ask for consent explicitly and that the approval needs to be valid.
“Valid consent has specific requirements, it needs to be free, specific and informed. You have to know what you’re consenting to, where this data is going and how it is used afterwards. You also have to be able to withdraw this consent, and that would also entail that the data is deleted afterwards”.
Last year, the French, Greek, Italian and UK data authorities each fined Clearview, a US company creating facial recognition databases from images on the Internet, including on social media, because it breached GDPR.
X, the platform formerly known as Twitter, announced it will start collecting the biometric data of users from September 29, but it is still unclear whether the social media company will be in breach of European regulations because no details about usage and collection were given.