With the rise of face and fingerprint recognition technology, just how safe is our biometric data?

Gabriela Kennedy and Karen Lee say while such technological advancements have made all kinds of daily transactions more convenient, we need to counter the threat of abuse

Reading Time:3 minutes

People use a biometric kiosk at the Otay Mesa port of entry in San Diego. Photo: AP

Published: 12:23pm, 18 Dec 2015Updated: 12:23pm, 18 Dec 2015

Face recognition technology to help “tag” friends in photographs, fingerprint recognition to unlock smartphones, and fingerprint door locks are just some of the ways in which biometric data has been used in recent years. In Asia, developments include palm vein authentication technology for payments and mobile terminals, or “biocarts” that take photos and fingerprints of passengers for immigration processing in Japan; fingerprint authentication for ATMs in Vietnam; and facial recognition technology for ATMs in China. Is this the end of long passwords and complex authentication systems?

Unlike passwords, which can be reset, biometric features cannot be replaced when stolen

Biometric technology can enhance a user’s experience by speeding up delivery and offering increased security. But is a fingerprint scan more secure than a password? Fingerprints can easily be “lifted” and used to fool sensors.

Biometric technology used to track employee attendance has also given rise to a host of data privacy concerns. Regardless of the benefits, the collection of biometric data makes the individual vulnerable to threats – misuse, theft, data leakage and an erosion of human dignity. Unlike passwords, which can be reset, biometric features cannot be replaced when stolen.

Biometric data can be used to identify the people from whom it was collected. The data can be stored on a person’s device, but is also recorded in a central database. Should such data be freely collected, and how can people be assured that it will not be misused?

It is no surprise that the collection and use of biometric data has led to heightened public and regulatory concern about the risk to privacy. Most countries, however, have no specific provisions in data privacy laws that solely address the collection and use of biometric data. In some jurisdictions, additional protections and restrictions regarding the collection and use of “sensitive data” exist.

In Hong Kong, where there is no separate definition of sensitive data, the biggest collector of biometric data is the government. Fingerprint data is stored on all Hong Kong identity cards. A new smart(er) biometric ID card is expected to be introduced in phases between 2018 and 2022.

READ MORE: New Hong Kong privacy chief vows to balance flow of information

CCTV cameras are common in public and private spaces in Hong Kong. Lately, the city has also seen the increased adoption of biometric technology by the private sector. Photo: David Wong

The city has witnessed the increased adoption and use of biometric technology by the private sector, and a few instances of misuse have led to investigations by the privacy watchdog. In May 2014, for example, it came to light that an investment company had required all female staff to provide blood samples for DNA testing in a misguided attempt to investigate toilet hygiene complaints. This July, a fashion trading company was reprimanded for the collection of employees’ fingerprint data. In both cases, the collection of data was found to have been excessive, as the sensitive nature of the data was disproportionate to the purpose of collection, and less intrusive measures for collection were available.