Have you heard of Aadhaar? No, nor me. The name comes from the Hindi for “foundation”, and it’s a cloud-based ID database that holds the details of (at last count) over a billion Indians. When you register with Aadhaar, you record your fingerprints, iris scan, name, date of birth, address and gender, and in exchange you are given a unique twelve-digit number which you quote to prove that you are you. Set up initially to enable the payment of welfare benefits to the correct people, Aadhaar is now used to check and verify identity in all sorts of environments – including, of course, the wider financial services sector. For the man who led its development, Nandan Nilekani, said from the outset that his invention would be open-access and free to use, for both government and industry. As a consequence, according to the Economist article that alerted me to the existence of Aadhaar, “fingerprint readers are a common sight in phone shops, insurance offices, banks and other sellers of regulated products”.
The arguments against a central ID database are many and varied, from concerns about civil liberties to fears of hacking and state corruption. One point that is never made, however, in favour of such systems is the international one. No-one – or at least vanishingly few people – objects to having to produce photo ID (usually a passport) to travel internationally. And to obtain such photo ID, you have to submit your details for verification to a database. Now, if you want to open a bank account or buy an insurance product or take out a mortgage or sell your home, you are launching a transaction into the international financial system. You may not be leaving the country, but your money certainly is, in some form or another. All finance is global now. And so is it really unreasonable to expect your money – through its association with you – to prove its identity before it sets off on its travels?
Dear Susan, for British people it might be acceptable, but for EU citizens it will be a violation of the new data protection regulation (directly applicable in the EU), which explicitly forbids using biometric data for identification for financial institutions…
Thank you for your comment, Gabor, and welcome to the blog. This is very helpful – and demonstrates just how difficult it is to “control” an international financial system across national boundaries. Many thanks for the clarification – it had not occurred to me.
Best wishes from Susan
Certainly Gábor has a very valid point, that such cross-border data sharing would be greatly complicated by differing standards for and attitudes towards data protection (the issues that exist between the EU and USA being a good example). Never mind the justifiable concerns about the potential abuses of such a database.
With regard to the EU General Data Protection Regulation, this will apply in the UK whilst it remains in the EU; the UK ICO is certainly committed to implementation. However, I’m curious as to the prohibition Gábor mentions, as I have no recollection of such a point from my reading of the Regulation. Has anyone else picked up on this?
Hello Peter, and welcome to the blog. I’m posting this in the hope that someone will enlighten us.
Best wishes from Susan
If hackers “steal” your biometric data though, you can’t just change your retina/fingerprint! In that way biometric data is less secure than a password: once it is compromised, it is compromised for good.
“Steal” it and do what with it, Robert? I may well be missing the point here, though!
If we, as fraudsters for example, went to a dark web marketplace and bought compromised identity details there, we would know we have a limited amount of time to use them before customers discovered the theft, changed passwords, moved accounts etc. Their name and date of birth might stay the same, but we need more than that for many of our devious deeds.
Now, in a world where biometric data is used for identity verification, then if they steal your fingerprints, retina scan et cetera from yourself or the database they are stored on, then the information could be used by fraudsters in the exact way they use stolen personal details now. The difference will be when the victim discovers this (“No I did not open a bank account in Ipswich, I was in London…”), they can’t change their biometric details (certainly not easily anyway). The compromise, in this instance, is persistent in a way that a password is not. Even if the victim closes down the relevant account, if they use a fingerprint to open a new one…
That is my concern with biometrics, unless it is a case of a full DNA scan or something sci-fi like that, where the client must be present, it is as prone to hacking as anything else and harder to re-secure once breached.
This is the bit I’m not getting, Robert – again, almost certainly my own lack of imagination! Wouldn’t you have to be present for a fingerprint or retina scan as well, not just for a full DNA scan?
Ah, hold on: are you saying that someone would hack into the database and store their own fingerprint scan against the victim’s name and other details, and then use their own fingerprint to do naughty stuff? You’re not talking about pasting fake finger-tips onto someone… or are you?
I am not sure I am doing a great job with this.
I did once witness a “white hat” hacker demonstrating a fake fingerprint on a biometric reader which he successfully fooled; it was very spy-tech! Not sure how good that technology is, given this demo was in lab conditions rather than the real world, though I think if it was worth developing, if sufficient institutions start to use fingerprints etc, then some enterprising criminal will develop the spoofing technology; it is too profitable not to.
I am also assuming that if biometric data is rolled out en masse it would be used for online or other transactions as well as in-person transactions (certainly this seems to be what banks looking at “voice print” tech seem to be talking about). As such I would foresee that any biometric data would have to be stored in some sort of electronic format so I could use my “electronic” fingerprint to authenticate transactions (the central database you mention) and to authenticate card-not-present transactions (given the bank has gone to the trouble of taking my biometric data they might as well use it, especially for the type of banking/transactions that is growing rather than old-fashioned “in-person banking”). Maybe we use scanners at home as a plug-in peripheral instead? Either way, at some point, unless they are being manually checked, the biometric data will be in an electronic/cyber/digital format.
Hypothetically, hack that database and you have an electronic copy of your or my fingerprint, a detail I can’t really change about myself once compromised. Now hypothetically banks might add some sort of “serial number” or URN to my biometric data (say the date it was taken) so if it is compromised I can just return to the bank and do a new biometric submission (with a new serial number). But even then the fundamental data remains the same, which is worrying.