Written by Cameron Camp, Security Researcher at ESET
You can reset your PIN after a data breach, you can reset your password after a data breach, you can reset your security questions after a data breach – but can you reset your face? Sure, there’s surgery, but clearly that’s asymmetry of the amount of effort you’ll need to expend in response to a vendor’s careless handling of biometric data. Subsequent resets could get even weirder. This elevates identify theft to a whole new level. I can’t imagine a phone call to your online accounts saying, “that’s not me!” The reply: “Is this your face?”. Hard to argue you didn’t make the fraudulent purchase.
Vendors in the biometric space know they’re protecting really sensitive information, so they’d be super-diligent not to let that happen, right? The US Department of Homeland Security recently had a brush with biometric data theft, and they’re supposed to be good at protecting data, maybe better than most of vendors in the space. They certainly have access to good resources. What about other vendors?
There’s a pseudo-marketing-driven narrative behind it all: Please give us your face so we can guarantee security. But after years of doing security, we’ve learned there’s no such thing as perfect security, only better or worse. And a security record that included your face would also include a host of other sensitive information. There’s no need to enrich the data to seem convincing. This is one reason medical records have been such a target for data theft: there’re closer and closer to being you, and very hard to fake.
Facial recognition is definitely on the upswing. China has been extensively experimenting with it, using machine learning to do the heavy “face-lifting”, and plenty of other countries have joined the fray. Singapore is implementing a national ID based on the citizen’s face. It’s impossible not to insert sentences here that include “Orwell”.
You could argue that your face could be captured by the growing swarm of public cameras, so what’s the big deal? But if a biometric profile of you, including your face, can be used to interact digitally with an increasingly growing swarm of businesses and organizations you touch, it can substantially ruin your real life.
I had a friend who worked in the government sector who was accidentally declared dead due to a computer glitch. It’s taken her over 20 years to fix that. She had to convince her service providers that she wasn’t dead. It wasn’t enough that she was on the phone talking to them. It was weird. She’s now mostly alive in their eyes, but it still reset her retirement, which is why she’s still working. Also, someone stole her Social Security Number while she was “dead”, then ran up bad debt.
It’s hard to prove you’re not dead. It’s also hard to prove that your profile including your face isn’t you.