Home of internet privacy

Risk of biometric payments: You can’t reset your fingerprint

In several parts of the world, it’s possible to board planes, pay for your morning coffee, and log in to your financial accounts with a facial recognition scan or thumb imprint.

Both Apple Pay and Google Pay support biometric payments, and Amazon, the world’s largest offline retailer, is getting in on the act, too. In September, it unveiled Amazon One, its new biometric payments technology which enables customers to pay at stores by placing their palm over a scanning device. This technology will initially only be available at its Amazon Go stores, but there are plans to extend it to its subsidiary Whole Foods and eventually to other retail outlets.

[Interested in more privacy hot takes? Sign up for the ExpressVPN Blog Newsletter.]

The convenience of this technology is not in doubt. No more fumbling around for your wallet or trying to get rid of the loose change in your pockets. Moreover, the permanence and uniqueness of our fingerprints and retinas in theory make it difficult for fraudulent transactions to occur.

The biometrics technology market has plenty of takers. It’s expanding at a compound annual growth rate of nearly 20%, estimated to be worth 59.31 billion USD by 2025. But as algorithms collect more identifying information about us, the inevitable questions about the privacy tradeoff start to emerge.

What happens when our biometrics are compromised?

In the case of a standard cyberattack or large data breach, changing our password and other login details can help limit the exposure of confidential information. The thieves might have been able to access our accounts that one time, but future breaches can be stopped.

In the case of biometrics, however, it’s not as straightforward. Our thumbprints and faces are ours; we can’t easily swap them out for a new identity. As it stands right now, there are high risks associated with the theft or misuse of biometric information—it’s just a matter of time for crime to grow as biometrics increase in use.

But alarming examples in some parts of the world give us an insight into the risks. Aadhar, India’s central database that catalogs biometric identifiers such as fingerprints, was hit with a massive data breach in 2019. A similar attack targeted Nadra, Pakistan’s central database, which also has biometric markers on its citizens. However, databases such as Aadhar and Nadra don’t hold payments information tied specifically to biometric details—for now.

While data breaches of any kind can have devastating consequences for individuals, it’s far trickier when permanent identification markers get tied to payment details. When you’re scanning your palm over a biometric machine, the algorithms are essentially validating the unique identifiers and matching them to pre-populated payment data. And as these databases grow, they’ll start to attract the attention of hackers and other nefarious entities seeking to siphon millions.

Regulation could hold the key

In February 2020, the EU instituted widespread regulations around facial recognition and artificial intelligence, with the aim to create a single market for data across Europe. Coupled with the privacy regulations under the GDPR, it’s not inconceivable that Europe could require companies working on biometric payments to adhere to unified standards and processes. This isn’t great news for companies like Amazon or Facebook, who would invariably seek to protect their IP and try to thwart attempts to incorporate a standardized framework.

Given how highly sensitive biometric information is, and knowing large tech companies aren’t always great at protecting users’ privacy, can we really trust them with even more intimate details about ourselves? As it stands right now, no one outside these firms has a clear idea of the security and privacy protocols embedded into their database management. But if there was regulation that described how companies should approach biometric payment management in a clear and standardized way, it could go a long way toward guarding against misuse.

“Untraceable biometrics” may be another solution. These are secure technologies that enable the processing of biometric information without actually associating the data to a single identifiable individual. The technology works by converting biometric data submitted by a person to an unrelated data string or key, therefore helping the biometrics to be a decoder of the unique identity.

Such technologies exist in the wild, such as NEXUS, a biometric-based system that expedites border crossings between Canada and the United States. However, they are mostly prohibitively restrictive for businesses due to the complexity of the algorithms and hardware sophistication needed. If businesses can use a cheaper option, there’s nothing stopping them from doing so. Without federal legislation mandating their use, it stands to reason that no major corporation will be incentivized to go above and beyond to implement untraceable biometrics.

Regulators have to step up and do their part. Some scattered legislation exists, such as the Illinois Biometric Information Privacy Act and the California Consumer Privacy Act. But a federal, possibly global effort is needed to ensure the integrity of biometric payments.

As ordinary consumers we have to recognize that any new technology that offers convenience inevitably has a privacy tradeoff. Biometric payments are tempting but unless we have assurances over their integrity, it’s better to hold off using the technology for now. And if you want to boost your anonymity, remember that cash can’t be traced back to you at all.