Lambert here: Let’s remember that these are not biometrics, but representations of biometrics, with varying degrees of granularity and quality. And not all metrics uniquely identify a person over their life-time; Yves points out that her gait has changed multiple times over her adult life.
By Don Quijones, Spain, UK, & Mexico, editor at Wolf Street. Originally published at Wolf Street.
In 2018, banks in Mexico will face new regulations that will oblige them to collect biometric data (fingerprints and iris scans) on all of their customers. Whenever a customer asks for a new home or car loan, cashes in a paycheck, applies for a credit card or opens a new savings account, the bank in question will have to request the customer’s digital fingerprints and then match those fingerprints against information in the database of the National Electoral Institute.
Foreign-owned subsidiaries of global banks like BBVA and Citi are thrilled with the initiative, arguing that it will help them combat identity theft. Most high street lenders in Mexico have already agreed to help build a single biometric database, says Marcos Martínez, president of Mexico’s Banking Association (ABM).
The ultimate goal is to develop a unique identification system that will work alongside the government’s national ID scheme, which is in the final stages of development. According to the former Secretary of Finance and Public Credit (and now presidential candidate for the governing PRI party), José Antonio Meade, by the summer of 2018 all Mexicans will have a single biometric identification number.
These developments are moving fast and quietly. And as is the case with biometric programs being tried and tested all over the world right now, from the uncharted backwaters of long-forgotten war zones to the bustling metropolises of the West or East, no one is being consulted along the way.
Most national passports these days include biometric data. Driver licenses in the US (which serve as de facto ID cards) already have them or soon will. Meanwhile, millions — perhaps soon billions — of people have volunteered their digital fingerprints to log into their smartphones and other digital devices. In other words, we’re already giving away our most private data to work, communicate, cross borders or get on planes.
China has taken biometrics to a whole new level, using facial recognition technology to validate identities in virtually all forms of transaction, including the use of toilet paper in public bathrooms.
What sets the biometrics program in Mexico apart from what is happening in most other countries is that it is the country’s financial regulators and private banks — and not the government — that are requiring this, though the government is not far behind. The development of a single biometrics database to be used by banks and other financial institutions raises serious questions about financial security as well as data privacy.
“Biometrics are tricky,” Woodrow Hartzog, an Associate Professor of Law at Samford University, told WIRED. “They can be great because they are really secure. It’s hard to fake someone’s ear, eye, gait, or other things that make an individual uniquely identifiable. But if a biometric is compromised, you’re done. You can’t get another ear.”
Unfortunately, as recent data leaks have shown, most databases remain incredibly porous. In this year’s hack of the U.S. consumer credit bureau Equifax, the personal data that was stolen included names, birth dates, Social Security numbers, driver’s license numbers, bank account numbers, credit card numbers, mortgage data, and payment history data, including to utilities, wireless service providers, and the like.
This, in itself, is highly compromising data that can be of huge value in the wrong hands. But imagine what could have happened if the database had included U.S. consumers’ most personal data of all — the biological traits that make them unique?
If the United States’ biggest consumer credit bureau can be hacked and key data on 143 million US consumers stolen with such apparent ease, what are the chances that a similar or even worse fate could befall Mexico’s newly created biometrics data bank? It’s not like Mexico is short of enterprising criminals with lots of liquid funds to hire gifted, mercenary hackers — or pull off an inside job.
Hackers are already engineering ways to spoof biometric authentication. Researchers were able to break into Apple’s Touch ID system with just a small piece of Play-Doh.
The scariest thing about this mad rush by corporations, banks, credit card companies, governments and (yes!) some consumers to embrace biometrics is not the speed at which it’s happening, which is scary enough, but the complete lack of public debate taking place about the thorny issues it throws up. Those include the threat it poses to privacy and anonymity, the fact that use of data about your body parts is largely unregulated (and many companies want to keep it that way), or the deceptively public nature of biometrics.
“A password is inherently private,” says Alvaro Bedoya, Professor of Law at Georgetown University. “The whole point of a password is that you don’t tell anyone about it. A credit card is inherently private in the sense that you only have one credit card.”
Biometrics, on the other hand, are inherently public, he argues. “I do know what your ear looks like, if I meet you, and I can take a high resolution photo of it from afar,” says Bedoya. “I know what your fingerprint looks like if we have a drink and you leave your fingerprints on the pint glass.” And that makes them easy to hack. Or track.
But this juggernaut has now been put in motion, and it’s unlikely to be stopped because the biggest benefits will be enjoyed by the governments, banks, and corporations that are busily rolling out these schemes for their own purposes.