Biometric Data Is a Disaster For Your Privacy – And It May Already Be Used Against You

Posted on Jan 5, 2023 by Glyn Moody

We’ve written many times on the PIA blog about the increasing use of biometric systems as a way of establishing identity and controlling access. Biometrics being used in this way is problematic for many reasons, most notably because of their limited accuracy. However, the biggest issue with biometrics is, by far, the fact that they cannot be easily changed, if at all.

Whereas a leak of passwords can at least be dealt with – however imperfectly – by resetting them, biometrics are essentially permanent. Once biometric data has been recorded, there is no way to render it void. This lack of control makes biometrics one of the most serious threats to privacy, as two recent stories underlined.

In the United States, facial recognition is currently used by companies to geofence certain people from their premises and/or services. In Afghanistan, biometrics may be used to find, persecute, and even execute those who are deemed enemies of the current regime.

How Biometrics Redefine Urban Access

The first story about our characteristics being used against us, reported in The New York Times, concerns a perfectly harmless and normal trip into Manhattan to watch a “Christmas Spectacular” at Radio City Music Hall by the personal injury lawyer Kelly Conlon. She was unable to see the show for a rather remarkable reason. As she entered the venue, she was stopped by the security guards there, who informed her that she would not be allowed to enter.

A facial recognition system had identified her as being on an “attorney exclusion list” that had been created by MSG Entertainment, which owns Radio City. Its chief executive, James L. Dolan ordered the exclusion list to be created for all lawyers that were involved in suing his company, as well as all the other attorneys at their firms, even if they were not involved in the litigation, such as Kelly Conlon. As the New York Times article notes:

The [facial recognition] technology, which has grown more powerful and accurate in recent years, has been used sparingly by corporations because of privacy concerns. Retailers have deployed it to identify shoplifters; airports use it to check in travelers and usher them through security; and casinos rely on it to keep out gamblers they think may cheat. But using it to bar a company’s critics is unprecedented, said Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation. He called it a “major jump forward that needs to be treated as radical.”

Up until now, facial recognition has been used to confirm that someone has permission to access a resource or a location – that is, as a form of authentication, albeit a flawed one for the reasons mentioned above. In addition, national authorities have used it to spot people who were on some kind of wanted list.

But this latest move by a company to use facial recognition to create a geofence around its facilities, a geofence that prevents its critics from entering, is indeed a troubling escalation. If this were a play or a novel, the audience would be laughing by now.

It means that facial recognition is not only potentially an infringement of privacy, with all the harms that this implies, but may also result in immediate problems in the physical world. If this application of the technology starts to be deployed more widely, everyday life will begin to change in troubling ways.

As we move around an urban space, there will be the risk that at any point our way may be barred – not through general physical obstacles, but by facial recognition systems that refuse to admit us for things we or others we know may have said or written, as in the example above.

People waiting for biometric authentication
Widespread usage of biometric has a 1984 feel to it.

Biometrics Can Also Be Used for Persecution

The other example of the perils of facial recognition concerns a situation discussed on this blog last year. As PIA reported, in the wake of the chaotic exit of the US and other nations from Afghanistan, there were fears that biometric information could fall into the hands of the Taliban, allowing them to identify people who had worked for the Afghan military, police and other institutions.

One of the biometric devices mentioned in that post was the Handheld Interagency Identity Detection Equipment (HIIDE). The German security researcher Matthias Marx has revealed that he and other researchers at the Chaos Computer Club were able to buy two HIIDEs on eBay, along with four other biometric devices called SEEKs – Secure Electronic Enrollment Kit. The German television and radio broadcaster Bayerischer Rundfunk has a good explanation of how the equipment works. There is also a US military document from 2014 that has the full technical specifications, as well as background details about how the US used mobile biometric systems.

The fact that sensitive military devices from Afghanistan were available on the open market is worrying; worse is the fact that Marx found that two of the SEEKs still had biometric data on them. One of them, held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people. As The New York Times reported:

Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints.

Metadata on the device, which was not encrypted, and whose password could be easily circumvented, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan. A second SEEK device contained fingerprints and iris scans of US service members.

According to the Bayerischer Rundfunk article, the Afghan military was supplied with 1,200 biometric devices by the US. Given that large number, it seems likely that at least some of them fell into the hands of the Taliban, who might therefore have access to biometric information about Afghan and US citizens.

Most of the latter are probably safe following the withdrawal of US forces. However, there may be security personnel still operating undercover in the Afghanistan; if their biometrics are on a device obtained by the Taliban, they could be at risk.

Moreover, as the PIA post last year noted, there is a special Taliban unit whose job is to exploit biometric and other data to seek out Afghans who helped the US and its allies. The Afghan nationals who worked for the US military or the previous government in the country, and whose biometrics were captured by some of these devices, are certainly at risk of punishment, and even execution.

Featured image created with Stable Diffusion.