Why Your Job Shouldn’t Have Access to Your Biometrics

2 months ago by Sam Holland

The biometrics industry keeps growing, and it already has a major place in the workplace. But the risks of using such technology in, or designing it for, the workplace (and of course other settings) cannot be ignored.

According to market analysts Grand View Research, biometrics could be worth $59.31 billion by 2025, and a large portion of that growth is fuelled by the working world. Naturally, the question is which industries, if any, should adopt biometrics, and whether biometrics should be designed into technology in the first place. One primary concern is the ethics of making any form of our biological data accessible to a third party, even (and to many, especially) your employer.

Let’s Start Small…

To consider the risks of biometrics on a company-wide scale, let's first look at how they affect the individual, because far from being confined to industry, biometrics have already been widely integrated into the consumer market. Smartphone owners are a prime example: a sizeable minority have embraced the technology, and many do not even allow their phones to be unlocked without having their fingerprint (or, for the big spenders, their facial features) scanned first.


Focusing on the more common and affordable fingerprint readers, one concern is the over-reliance that comes with a single authentication factor. It may only take one person, one time, to mould a copy of your fingerprint well enough to access your phone as many times as they want. A video referenced in the original article shows how easily an iPhone can be tricked through non-specialised methods.

Yet if someone were to find out your password, you could change it instantly, as many times as you want, and always to something near-impossible to guess. Your fingerprint, however, remains the same for life: once it is copied, it cannot be revoked.

A principal issue here is that the convenience of biometric technology (BT) is outweighed by its risks: the immediate access it grants to the individual comes at the expense of relying on easily copied biometric data. German defence minister Ursula von der Leyen, for example, had her fingerprint cloned by Chaos Computer Club (CCC) ethical hacker Jan Krissler, who needed only standard photographs of the politician's hand to show how easily replicas can be made.

If it Happens to One Person, it Can Happen to Many…

Krissler's cautionary tale is only one example of the vulnerabilities attached to BT, and the fact that it applied to a lone individual shows just how carefully companies need to tread when the same technology is rolled out across an entire workforce.

This is particularly true when BT is introduced into the sensitive infrastructure that comes with managing an organisation. In fact, the issue has already reached the federal level: the breach of the United States Office of Personnel Management's records exposed over 5 million fingerprints.


So, with weak cybersecurity already a global concern, deploying biometric systems before they mature will only add fuel to the fire.

The above cases are just some of the lessons for organisations to learn from and prepare for. Particularly now, in the days of GDPR, the simple office politics of requesting employees' fingerprints and other personal information often leads to a backlash against employers, whose workforce may even consider the registration process incriminating. As CCC spokesperson Frank Rieger explains, "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token… Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

Currently, BT, and occupational BT in particular, is unconvincing because it is neither secure nor palatable. The former problem is already being addressed by liveness detection (which attempts to distinguish the animate from the inanimate, e.g. by checking for the veins in a real fingertip to tell it apart from a clay replica), but the fact that liveness detection is still not a standard, built-in function of fingerprint readers suggests that biometric scanning is still in its infancy.


Ultimately, when a consumer pays for biometric technology, they buy an affordable solution whose security vulnerabilities are accepted at the individual's discretion: in other words, at their own risk and on their own terms. When your employer invests in biometric technology, however, the vulnerabilities reach a company-wide scale, and contractually you, the employee, may have no say in the matter.

But If Not Biometrics, Then What?

Perhaps it is time for companies to put BT on hold until manufacturers work out the kinks, and instead to enhance security measures that are already tried and tested: less guessable log-in credentials, more frequent password resets, and altogether tighter data protection measures are just three ideas that sidestep the ostensible need for biometric technology. When designing such components, engineers need to be aware of the circumstances in which their end products will be used.