Biometrics is incredibly useful. It can prevent identity theft and ensure that only authorized individuals can access our sensitive information. It can even protect against election fraud. Mostly, it is convenient.
However, the convenience of biometrics comes with significant risks. Think about facial recognition technology. It could be used to constantly monitor people, leading to mass surveillance and racial bias.
Biometric data isn’t directly linked to DNA now, but it could be in the future. DNA biometrics is an emerging field that looks at using DNA for identification, similar to fingerprints.
Dystopian futures
The slippery slope from biometric to genetic data misuse shows why stronger protections are needed. Consider how dystopian futures are portrayed in popular media.
The society in the 1997 movie, Gattaca, was driven by eugenics, and people were classified as “valid” or “invalid” based on their superior or inferior genetic makeup. Their classification would determine their opportunities, where those with “invalid” genetics would be relegated to menial jobs.
In the anime series Attack on Titan, people feared attacks by mutated humans called Titans. The Titan mutation was controlled by the ruling class, who triggered mutations through a serum that only worked on individuals with the DNA of the persecuted Eldians.
While these may be an exaggerated scenarios at this point, they highlight the need to protect biometric and genetic data.
In real life
Closer to home, today’s social media tactics that rely on online behavioral patterns would look like clumsy guesswork compared to what's possible with systems enhanced with basic DNA biometrics.
Imagine if these systems could reveal genetic markers for persuasibility and genetic predispositions. Political candidates wouldn’t need elaborate campaigns or ads targeting a specific population to win people over. A gentle nudge targeting only the right people, through a perfectly timed, personalized message would be all it takes, and the campaign is over. No more debates, no more convincing. As usual, we wouldn’t realize it was happening.
Currently, privacy laws lump biometric and genetic data with other sensitive information such as race, ethnicity, age, marital status, health, education, sexual life, and social security numbers. This means biometric and genetic information, despite the profound societal impact of their potential misuse, are treated the same way as other sensitive data.
Thus, processing biometric and genetic data only needs to comply with general principles: that processing be lawful, fair, and transparent, with limited purpose, etc. etc., and primarily with data subject consent, similar to other sensitive personal information.
The ideal framework?
The European Union’s AI Act points us in the right direction by using a risk-based approach, focusing on the specific risks of AI systems. It classifies biometric data as high-risk and mandates much stricter and more detailed standards.
High-risk systems must undergo rigorous risk management protocols, including more thorough risk assessments, transparency measures, and strong data governance. In contrast, lower-risk systems face fewer requirements and primarily focus on general compliance and reporting.
This differentiation ensures that the higher risks associated with biometric and genetic data are appropriately managed and mitigated.
Frameworks and guidelines recognizing risks and impacts, and tailored to address the distinct challenges posed by biometrics would ensure that higher standards of protection and stricter regulations are implemented to guard against unwanted outcomes and unintended use.
These guidelines should facilitate the easy implementation of several key measures such as advanced encryption techniques and the use of decentralized systems.
Advanced encryption techniques, such as fully homomorphic encryption, allow data to be processed while still encrypted. Imagine getting a surprise box of durian; you don’t open it, but the strong, distinctive smell gives away what’s inside.
Similarly, with fully homomorphic encryption, you can work with encrypted representation of your fingerprint without ever seeing the fingerprint data.
A use for blockchain
Using decentralized systems means leveraging technologies such as blockchain to spread biometric data across many different locations, eliminating a single point of failure. Instead of storing all biometric data in one central database, the use of blockchain means data is distributed, making it much harder for attackers to access them or access all of them at once.
Other privacy-preserving biometric systems transform biometric data into formats that cannot be easily traced back to the individual.
Lastly, the classic approach of raising public awareness about biometric data usage is essential. People need to understand their rights and the potential risks associated with biometrics.
By being informed, individuals can make empowered decisions and hold organizations accountable for how they handle their data.
A risk-based approach, like the EU AI Act, is essential for protecting high-risk data such as biometrics and genetic information and, more importantly, effectively managing the risks.
Focusing on these methods is a step to ensure the safe and ethical use of biometric technology, balancing privacy with innovation.
Nikki Mendez is a corporate lawyer specializing in technology, including cloud computing, cybersecurity, privacy, and intelligent systems, guiding pivotal technology transactions and policy developments.