Face off: the perils of sharing your biometric data 

Last month, millions of people across the world watched themselves swap places with actor Leonardo DiCaprio in the film Titanic — all it took was a photo of their face.

The Chinese app Zao went viral but soon sparked privacy concerns after users realised that they had no control over the pictures uploaded to a company specialising in image manipulation. Russia’s FaceApp, which allows users to age themselves dramatically, had raised similar fears a few weeks before.

“People seem to understand privacy risks more when a foreign country is involved,” says Adam Harvey, a technology researcher and privacy activist, pointing out that companies storing and analysing biometric data — such as facial traits, fingerprint, DNA or voice pattern — are multiplying.

Unlocking a phone with a quick glance or the touch of a finger, rather than a passcode, has become so popular that up to three in four smartphones shipped in 2019 are estimated to use some sort of biometric authentication, according to Counterpoint Research.

The use of fingerprint and facial recognition is also expanding beyond the tech sector, with car rental company Hertz and hotel chain Marriott International introducing it as a way for customers to identify themselves on some sites. However, users may be giving away more than they intend.

In return for convenience, customers give companies permission to process data that is so unique it can be used to identify someone. The speed at which companies are adopting the technology has raised questions over security and data protection.

Zak Doffman, chief executive of Digital Barriers, a company that sells surveillance technologies to defence and law enforcement agencies, called the growing commercial use of facial recognition and biometric authentication an overlooked threat to civil liberties.

People seem to understand privacy risks more when a foreign country is involved

Database safety is one risk. “It just takes one disgruntled employee to walk out with an external hard drive,” Mr Doffman says, and hackers target companies that hold valuable information.

The UK’s Information Commissioner’s Office issued its intention this summer to fine Marriott almost £100m after hackers stole identifying information, such as name, home address and passport number of hundreds of millions of guests. The hotel group declined to comment on its procedures to keep data, including biometrics, safe.

Apart from the risk of data breaches, Mr Doffman argued that too few people question a company’s commercial incentive when they agree to share their image, fingerprint or voice sample.

The growth of Internet of Things technology — such as Amazon’s Alexa speakers that gather and share user data — will further help take biometric authentication mainstream, he says.

“We are so tied up with worrying about the surveillance state, but the challenge is actually coming from a different direction and there is not the same level of debate,” Mr Doffman adds.

Clear, the software company behind the biometric identification system used by Hertz, says it does not sell data belonging to its members.

However, less scrupulous businesses could offer “free” services in exchange for biometric data. “What many big tech companies, and increasingly governments, want to do with data are to link different databases,” says Paul Wiles, the UK’s biometrics commissioner who oversees public use of such information. “If you got biometrics, you got a unique identifier that you can use to follow a person through different databases if they all contain biometrics.”

This would, under the EU’s General Data Protection Regulation, require people to consent to their biometric data being shared with third parties, but critics have questioned whether people fully understand what terms and conditions they accept when using digital services.

Biometric data can also be used to protect a person’s identity. Sandra Peaston, director of research and development at the not-for-profit fraud prevention organisation Cifas, says biometric identification can help protect people from having their identities stolen.

Her organisation, which in 2018 recorded more than 189,000 cases of identify fraud in the UK, keeps a database of known imposters and shares this information with its members, which include banks such as Lloyds, Barclays and telecoms provider O2.

“Being able to say categorically that you are dealing with the right person is an avenue to cut down the ways of committing identity fraud,” Ms Peaston says.

But she did acknowledge that unlike a leaked password, the ramifications of stolen biometric data could be greater. Ms Peaston says: “You can change something that you know, but not something that you are.”

This story has been amended to reflect that the ICO issued its intention to fine Marriott almost £100m