Just a few years back, scanning your fingerprint to unlock a safe seemed possible in spy movies only. Now, using your biological data instead of a password has become quite mundane. From your phone to border control, biometric authentication is gaining popularity. But does it protect you against authorities? And what are the implications of your biometric data being stolen?
Biometrics are any biological and physical measurements that allow identifying you — your fingerprints, face, iris, voice, or even your palm veins and heartbeat. The latest technology can use this data in airport security, financial transactions, and mobile devices.
Dozens of airports across the globe are implementing biometrics in their border security control. Delta, Norwegian, Lufthansa, and other airlines are launching biometric boarding options. Almost every new phone features face or fingerprint recognition tech. Apple's iCloud is rumored to get Face ID and Touch ID support with iOS 13.
In most cases, biometrics are safer than passwords. They’re way more challenging to crack than alphanumeric codes, especially if you're using generic ones. Besides, whenever you type a password in public, chances are someone will see it and use it for sinister purposes.
More of a threat than a safety measure?
However, while harder to crack, biometric authentication is not infallible. Face ID has been bypassed with a 3D printed mask. Back in 2014, a hacker recreated a fingerprint of the current European Commission president Ursula von der Leyen using pictures taken with a standard photo camera.
The implications of this are scary. Not only can hackers crack biometric passwords from photos using commercially available tech. If your password is compromised, you can simply change it. You can't change your inherent biological data.
In July, Oakland became the third US city to ban facial recognition, on the basis that it's inaccurate, unethical, and easy to abuse. According to the city's council, “the misidentification of individuals could lead to the misuse of force, false incarceration, and minority-based persecution.”
In the eyes of the law
There is also debate about what protections it provides against authorities. In the US, you have the right to refuse to give up your passcode to the police. It's based on the Fifth Amendment - your right to not incriminate yourself.
Even if the police have a warrant, they can’t compel you to reveal it. By telling your passcode, you'd be actively acting as a witness against yourself, which the Fifth Amendment prevents.
But things are different when it comes to biometric access. While passcodes are considered as a testimonial, biometrics exist objectively and are comparable to giving a DNA or blood sample. So if the police have a warrant, they can use your biological data to unlock your phone.
Outside the US, there is no international consensus on which security measure protects you from what. Canada and Norway have a similar stance to the US - you can be compelled to perform biometric authentication but can't be forced to tell your passcode.
In the UK and Australia, however, there's no difference whether you use biometric authentication or a passcode. Authorities can force you to do both, and failure to comply can lead to prison time. In 2018, a murder suspect was jailed for 14 months for not providing his Facebook password.
This is not to say that you should stop using biometric authentication altogether. Currently, there aren't that many instances where your biometrics can be misused. However, as it gains popularity, the ramifications of your biological data being stolen get scarier. For now, you're better off thinking about it as a tool of convenience rather than a security measure.