Earlier this year, the backlash against the IRS over the use of facial recognition technology to authenticate taxpayers signing up for online accounts caused the agency to abruptly change course. This situation is part of a familiar pattern, where privacy concerns regularly butt up against technology and innovation, which are accelerating faster than ever.
As companies and consumers increase their digital interactions, the ability to verify identities and confirm it’s a real person on the other end has become critical. With more transactions occurring in the digital realm, delivering a seamless and secure customer experience requires it. Growing cloud adoption, connected everything, and the expansion of the remote workforce are also shaping this reality. As recruiting and hiring processes have gone digital, organizations need to verify prospective employees are who they say they are. All of this brings us back to the controversy with the IRS.
Concerns over government agencies collecting biometric data or accessing such data collected by third parties often center on the fear that the data might be misused for surveillance or other purposes. Even as credential theft has made biometric authentication more enticing and relying solely on passwords a less attractive option, the public’s sensibilities can make the collection and storage of personal information problematic.
With a mishmash of state data breach and consumer privacy laws across the U.S. and no national data breach or privacy law in sight, it is largely up to organizations to strike the necessary balance between privacy and security. In the case of the IRS, the agency announced in February it would offer taxpayers the option to sign up for IRS online accounts without using any biometric data. Instead, taxpayers were permitted to prove their identity via a live, virtual interview with agents. They could still use the biometric verification offered by ID.me. However, for those that selected that option, new requirements were put in place to make sure the images supplied by taxpayers were deleted for the account being created. The agency also announced that biometric data collected from anyone who previously created an online account would be permanently deleted as well.
One of the common stumbling blocks in conversations about biometric data and privacy is the duration of time that the data will be retained. As the IRS’s revised approach shows, biometric data does not have to be stored forever to be an effective tool for identity verification. In fact, if the FIDO protocol is being used for authentication, the biometric information would never leave the consumer’s device. If the data is going to be shared, having the ability to delete it alleviates the fear that the data will be stored forever and potentially misused. If the information is stored, it can also be encrypted to render it useless to cybercriminals if they manage to steal it.
Perhaps a more significant issue than criminal hacking is the fear that companies will sell or provide users’ biometric information to others without their consent. In the EU, the General Data Protection Regulation (GDPR) forbids this. In the U.S., many state legislatures have either adopted or introduced consumer data privacy laws. But the laws and their protections are not uniform, which can add to the level of uncertainty among consumers. Ironically, these same lawmakers benefit from the online data collected by data aggregators and brokers to target voters during election season.
In some ways, the argument can be made that we have already given up privacy in the name of convenience. Anyone with a smartphone using an app that leverages their location, for example, has already sacrificed some of their anonymity. Safely using biometric data as a means of authentication and identity proofing facilitates digital transactions and can make the privacy and convenience trade-off more palatable. This runs the gamut from using a scan of your driver’s license information at the airport to biometric identity verification for mobile banking.
The sheer amount of passwords users have to remember has created a world where they no longer scale, and biometric technology represents a solution. From a security standpoint, biometrics offers an authentication factor that is not trivial to fake or brute force. While biometric detections are not flawless and have been known to experience errors, they are largely reliable. There are efforts underway to study equity during remote identity proofing to ensure standards are met across demographics. When used correctly, they protect against account compromise and malicious activity. The IRS’s decision to use biometrics is rooted in a desire to prevent tax fraud by giving taxpayers a way to verify their identity and prove they really exist, and that core need will not disappear. How many fraudulent transactions were prevented this tax year by biometric authentication?
In the final analysis, organizations in the private and public sectors will have to find the balance between security, privacy and convenience to create the best user experience possible and sell consumers on its safety. This type of effort will take collaboration between lawmakers, businesses, and advocacy groups to be effective. Expressing outrage must not be the only act that is bipartisan; cooperating to find workable solutions must be bipartisan as well.
About the Author: Aubrey Turner, Executive Advisor at Ping Identity, has extensive background successfully delivering strategic, enterprise cyber security solutions to Fortune 1000 companies that addresses business problems, strengthens organizations, reduces risk and delivers positive business outcomes. Aubrey has demonstrated rapport and consensus building with key stakeholders. Additionally, he has proven leadership, communication, management, collaboration and sales skills. Aubrey has 20 years of cyber security experience, including 12 years in identity access management, in customer facing strategic advisory consulting, implementation and solution sales roles, across financial services, healthcare, retail, software, telecom and other sectors. He serves on the Identity Defined Security Alliance Executive Advisory Board and holds CISSP, CIPP, CISA and CRIS certifications.