Next Phase in Forcing Biometric Tracking on Consumers

Lambert here: Let’s remember that these are not biometrics, but representations of biometrics, with varying degrees of granularity and quality. And not all metrics uniquely identify a person over their life-time; Yves points out that her gait has changed multiple times over her adult life.

By Don Quijones, Spain, UK, & Mexico, editor at Wolf Street. Originally published at Wolf Street.

In 2018, banks in Mexico will face new regulations that will oblige them to collect biometric data (finger prints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes in a paycheck, applies for a credit card or opens a new savings account, the bank in question will have to request the customer’s digital fingerprints and then match those fingerprints with data against information in the database of the National Electoral Institute.

Foreign-owned subsidiaries of global banks like BBVA and Citi are thrilled with the initiative arguing that it will help them combat identity theft. Most high street lenders in Mexico have already agreed to help build a single biometric database, says Marcos Martínez, president of Mexico’s Banking Association (ABM).

The ultimate goal is to develop a unique identification system that will work alongside the government’s national ID scheme, which is in the final stages of development. According to the former Secretary of Finance and Public Credit (and now presidential candidate for the governing PRI party), José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.

These developments are moving fast and quietly. And as is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.

Most national passports these days include biometric data. Driver licenses in the US (which serve as de facto ID cards) already have them or soon will. Meanwhile, millions — perhaps soon billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, we’re already giving away our most private data to work, communicate, cross borders or get on planes.

China has taken biometrics to a whole new level, using facial recognition technology to validate identities in virtually all forms of transaction, including the use of toilet paper in public bathrooms.

What sets the biometrics program in Mexico apart from what is happening in most other countries is that it is the country’s financial regulators and private banks — and not the government — that are requiring this, though the government is not far behind. The development of a single biometrics database to be used by banks and other financial institutions raises serious questions about financial security as well as data privacy.

“Biometrics are tricky,” Woodrow Hartzog, an Associate Professor of Law at Samford University told WIRED. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.”

Unfortunately, as recent data leaks have shown, most databases remain incredibly porous. In this year’s hack of the U.S. consumer credit bureau Equifax, the personal data that was stolen included names, birth dates, Social Security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like.

This, in itself, is highly compromising data that can be of huge value in the wrong hands. But imagine what could have happened if the database had included U.S. consumers’ most personal data of all — the biological traits that make them unique?

If the United States’ biggest consumer credit bureau can be hacked and key data on 143 million US consumers stolen with such apparent ease, what are the chances that a similar or even worse fate could befall Mexico’s newly created biometrics data bank? It’s not like Mexico is short of enterprising criminals with lots of liquid funds to hire gifted, mercenary hackers — or pull off an inside job.

Hackers are already engineering ways to spoof biometric authentication. Researchers were able to break into Apple’s Touch ID system with just a small piece of Play Doh.

The scariest thing about this mad rush by corporations, banks, credit card companies, governments and (yes!) some consumers to embrace biometrics is not the speed at which it’s happening, which is scary enough, but the complete lack of public debate taking place about the thorny issues it throws up. Those include the threat it poses to privacy and anonymity, the fact that use of data about your body parts is largely unregulated (and many companies want to keep it that way), or the deceptively public nature of biometrics.

“A password is inherently private,” says Alvaro Bedoya, Professor of Law at Georgetown University. “The whole point of a password is that you don’t tell anyone about it. A credit card is inherently private in the sense that you only have one credit card.”

Biometrics, on the other hand, are inherently public, he argues. “I do know what your ear looks like, if I meet you, and I can take a high resolution photo of it from afar,” says Bedoya. “I know what your fingerprint looks like if we have a drink and you leave your fingerprints on the pint glass.” And that makes them easy to hack. Or track.

But this juggernaut has now been put in motion, and it’s unlikely to be stopped because the biggest benefits will be enjoyed by the governments, banks, and corporations that are busily rolling out these schemes for their own purposes. By Don Quijones.

Print Friendly, PDF & Email
This entry was posted in Europe, Guest Post, Regulations and regulators, Social policy, Social values, Surveillance state, Technology and innovation on by .

About Lambert Strether

Readers, I have had a correspondent characterize my views as realistic cynical. Let me briefly explain them. I believe in universal programs that provide concrete material benefits, especially to the working class. Medicare for All is the prime example, but tuition-free college and a Post Office Bank also fall under this heading. So do a Jobs Guarantee and a Debt Jubilee. Clearly, neither liberal Democrats nor conservative Republicans can deliver on such programs, because the two are different flavors of neoliberalism (“Because markets”). I don’t much care about the “ism” that delivers the benefits, although whichever one does have to put common humanity first, as opposed to markets. Could be a second FDR saving capitalism, democratic socialism leashing and collaring it, or communism razing it. I don’t much care, as long as the benefits are delivered. To me, the key issue — and this is why Medicare for All is always first with me — is the tens of thousands of excess “deaths from despair,” as described by the Case-Deaton study, and other recent studies. That enormous body count makes Medicare for All, at the very least, a moral and strategic imperative. And that level of suffering and organic damage makes the concerns of identity politics — even the worthy fight to help the refugees Bush, Obama, and Clinton’s wars created — bright shiny objects by comparison. Hence my frustration with the news flow — currently in my view the swirling intersection of two, separate Shock Doctrine campaigns, one by the Administration, and the other by out-of-power liberals and their allies in the State and in the press — a news flow that constantly forces me to focus on matters that I regard as of secondary importance to the excess deaths. What kind of political economy is it that halts or even reverses the increases in life expectancy that civilized societies have achieved? I am also very hopeful that the continuing destruction of both party establishments will open the space for voices supporting programs similar to those I have listed; let’s call such voices “the left.” Volatility creates opportunity, especially if the Democrat establishment, which puts markets first and opposes all such programs, isn’t allowed to get back into the saddle. Eyes on the prize! I love the tactical level, and secretly love even the horse race, since I’ve been blogging about it daily for fourteen years, but everything I write has this perspective at the back of it.


  1. Mark P.

    Or consider DNA sampling-based biometric credentialization and put it together with possibilities of the technology of in vitro gametogenesis, which is coming down the line …

    ‘Disruptive reproductive technologies’ by Cohen, Daly, Adashi

    ‘Babies From Skin Cells? Prospect Is Unsettling to Some Experts’

  2. christine

    Well, this isn’t quite as frightening in Mexico as in other places because a large portion of the population doesn’t even have bank accounts. The government tried to get them to open them and if they did, most of them were closed within a year. People don’t trust banks. Much of Mexico, and not just the poor campesinos, pays in cash. I live here and my transactions are almost all in cash…no official tracks, even my rent to my wealthy landlord. Many businesses/people, will not accept credit or debit cards. They don’t have Smartphones either in many cases. San Miguel de Allende is putting in smart parking meters (ha, ha, ha..good luck with that) and they are having to figure out how employees who need to go downtown to Centro are going to manage without Smartphones. Mexico is more unruly for the rulers to manage than other more “civilized” places. I like it a lot for this and many other reasons.

    1. Joel

      Bank accounts are almost universal among Mexican salaried workers or haven’t you noticed all the ATMs?

      The biggest reason for Mexican businesses to demand cash is to avoid paying taxes. Many businesses will openly tell you that if you pay in cash you don’t have to pay VAT so it’s a win win. Consumers meanwhile are afraid of credit card fraud since banks don’t have as strong anti fraud guarantees as in the US. As for the poorer citizens, just as in the US they can’t afford bank fees or don’t see the point of having an account when they don’t have much money anyway.

      Mexico is not very different from the US in this regard except that tax evasion is easier and with a double-digit VAT consumers have a strong incentive to play along.

      A preference for cash is at most a very weak indicator of to what extent a country is “unbanked.” Until about 10 years ago many businesses in California refused cards, just as an example.

      Also saying that Mexico isn’t “civilized” is gross. They are a cradle of civilization and the world’s 16 th largest economy. I would suggest in a very polite way that living in an expat enclave such as San Miguel Allende does not give one much of a basis on which to speak of a country.

      1. Joel

        World Bank “Financial Inclusion” data for Mexico. Less than half the rate of the US but very far from zero. I would imagine this accounts for a large majority of the formally employed population but I don’t have the data for that.

        Also, there is the “Saldazo” phenomenon. I personally talked with a guy who had a microbusiness who got rid of his bank account for a “Saldazo” cash card at the Oxxo store chain, on the advice of his accountant that it would be better for evading taxes. This anecdote would only be relevant to small business owners who are getting paid almost entirely in cash but in Mexico that’s a lot of people.

        I know Saldazo isn’t technically a bank account, but it is backed by a major bank (Banamex) and it serves the same purpose. I’m guessing biometric tracking won’t be far off if it continues to be successful.

        This article talks about Saldazo cards:

  3. QuarterBack

    There is a systematic factor that is accelerating the demands on identification and authentication that is a byproduct from the double-edged sword of advancements in communications and information technology. From the earliest days of the printing press and the telegraph, these technologies have made it increasingly more possible to conduct business with people that you have never, and may never, meet. Computers and the Internet have affected a state change in commerce where it is now practical to interact with a counterparty that is not human at all.

    The Internet is accelerating a ‘disintermediation of everything’ that will only increase the demand and importance of technologies to service identification and authentication.. identification is naming who (and now including what) is a actor in a process, and authentication is how that identification can be verified and trusted.

    These concepts are not new. Early civilizations had this problem with messages carried from afar, and thence invented penned signatures, wax seals, passwords, and cyphers. Our modern Internet age has accelerated the speed and weight of reliance on theses transactions. Modern commerce has brought about technologies like biometrics and captchas.

    Note that captchas are needed to address the new state change of commerce where is is necessary to discern between a human and robot. Biometrics are much more flawed and vulnerable than he marketplace comprehends, but the need for reliable machine identification and authentication is dangerously, potentially catastrophically, behind the curve. It is not hard to imagine the terrible ramifications of fly-by-wire systems responding to unauthorized control input. It is also now possible to convincingly fake human narratives, audio, and even visual representations of humans and physical events and surroundings. The level of fictional reality that can be used to control the herd, will make “fake news” look like a children’s story.

  4. oh

    A few years ago I went into a USBank branch where I have an account to get a document notorized. The person who notarized my signature asked me for the fingerprint of my index finger. I felt it was unnecessay but I agreed. From that time on I’ve been going to the local credit union to get any document notarized.

    I wonder who made these policies at USBank? Quite an invasion of one’s privacy IMHO.

    1. johnnygl

      Another creepy thing usbank does is self-insures, with regard to health insurance. They collect employee premiums, and barely ever have to pay claims because they have hefty deductibles, co-insurance, and narrow networks. They had the horrible obama-care style plans BEFORE the HCA even got off the ground. And the bank gets to profit from them!

      1. Anon

        Every employer with more than a certain amount of insurance-eligible employees (i.e. large and many medium-sized corporations) self-insures.

  5. chuck roast

    I called Fidelity a while back to clear up some financial business, and the fellow asked me if I wanted to participate in their voice recognition program whereby I would no longer need passwords. After I repacked my exploded head, I informed the poor soul that I considered the tenor of my voice to be of no concern to any corporation and to never ask me that question again.
    We’re doomed…doomed.

  6. MtnLife

    I just met a woman whose entire car (IIRC it was a CRV) was controlled by biometrics. Her thumb unlocks her doors and trunk as well as starting the car. She said she got it because her significant other wouldn’t let her drive his vehicle so she made it so he couldn’t drive hers. Ridiculous if you ask me. No other people can drive the car or even go get something out of it for her because there is no key. No backup way to do anything outside of the dealership.

      1. Jean

        Or she needs valet or attended parking lot parking. How do mechanics test drive the vehicle? Oh yeah, she’s now stuck at the expensive Honda dealer that’ll have a special override code instead of a cheaper local garage–which by the way can be used for maintenance without invalidating the warranty.

        1. jsn

          I’ll wager all the dealer has to do to access the car is plug in a usb cable and hit a few keys. They can likely hack in remotely and probably would if the woman called with the need. I’ll bet that access is “really secure” too.

          1. MtnLife

            A correction: it was a RAV4. I was also thinking that this has heavy surveillance state implications as well. Now that all cars have gps and other tracking devices, combining that with a positive ID through the biometrics is going to leave a digital trail even if you don’t have a smartphone. A biometric phone and car is going to bring a whole new meaning to ‘two factor authentication’ at trial. Don’t forget about your biometric (possibly RF) bank card, RF drivers licenses, your fitness trackers, and who knows what else we will have locking down our location with unheard of precision and certainty as to identity.

            1. MtnLife

              And with a quick search I find the true intentions.

              Why biometrics are the key to driver authentication in connected cars Venture Beat

              Key quote:

              The auto insurance industry is also rapidly moving towards using biometric driver authentication by applying premium rates specific to the driver driving the vehicle, based on the history and characteristics of the driver. Such an approach is expected to significantly benefit the safe driver who today pays premiums based on alternative approaches that take drivers of all profile into account. With iris-enabled rearview mirrors, a driver can be continuously identified and authenticated, ensuring the appropriate insurance rates are applied. This will make sure a new teenage driver has a different rate than more experienced drivers, even when they use the same car.

              Identified and Authenticated. Part bezzle, part 1984?

  7. paddlingwithoutboats

    “The scariest thing about this mad rush by corporations, banks, credit card companies, governments and (yes!) some consumers to embrace biometrics is not the speed at which it’s happening, which is scary enough, but the complete lack of public debate taking place about the thorny issues it throws up. Those include the threat it poses to privacy and anonymity, the fact that use of data about your body parts is largely unregulated (and many companies want to keep it that way), or the deceptively public nature of biometrics.”

    Which leads to what happens when there is a mass hack and data catastrophe of these forms of personal identification? Well, it would be so easy to implement a more/more strategy of everyone must have implants now that their birth identifiers are hacked. Line ’em up for a li’l surgery and on we go.

  8. Joel

    The phrase I don’t see mentioned here is “two factor authentication.” If the fingerprint is part of two factor authentication, there is no security issue.

    That is, if the fingerprint requires a password for confirmation, the same way that an ATM card requires a password, then it’s simply an extra layer of security on top of the password. Used that way, it is far more secure than passwords alone.

    The real concern is yet more surveillance.

    1. a different chris

      Heh. In this particular case “two factor identification” is a polite way of saying that the bad guys can’t just cut off your finger and use it.

  9. grayslady

    Yesterday, I watched again Citizen Four. It’s a movie I think everyone should watch once a year in order to remember that personal freedom is right up there with economic well-being in importance. Biometrics is a terrifying concept that brings far fewer benefits than risks.

    1. Joel

      Whenever I am about to complain about customs and immigration and security hassles at an airport I think of all the hostility Laura Poitras and other brave activists have had to endure.

    2. Enquiring Mind

      Confluence, what we are seeing in those rivers of big data whether biometric, demographic, financial or the dreaded other. Here is another tributary to make you examine how tech companies seem to know more than you’d imagine to stay a step or two ahead and anticipate your every need.

      Mapping detail is advancing rapidly and it is only a matter of time before public displays of way more personal data become available. Look at how software mapping has changed recently and ponder where you may be able to drop off the grid, or how. Confluence becomes influence, or effluents, or maybe both.

  10. drumlin woodchuckles

    Certain Christian groups, some numbering in the millions, may decide that “biometrics” is the functional equivalent of Mark-Of-The-Beast technology, and may adopt avoidance methods and/or countermeasures.
    Others who wish to avoid or obstruct the use of biometrics against themselves may well adopt such methods from the Amish, the Armageddonites and the Rapturanians.

Comments are closed.