Last week I discussed the current state of privacy in the US and around the world. While it is somewhat in vogue for people to be concerned about government collection of our personal data – who we are, where we go, what we buy, who we meet, how we behave in real-time as we conduct our daily activities – the real concern is not government surveillance, but corporate surveillance (at least in the western world).
Big technology and product companies track far more about our hour-by-hour lives than the government, and keep that data for much longer periods of time and for much more nefarious reasons. I’d recommend you read that piece as a prelude to this one, if you haven’t already.
Tom Snyder: Everyday, everywhere your devices are recording data about you
This week, let’s take a more detailed look at why corporate surveillance is so dangerous. And more specifically, why we are in a more precarious situation now than just a few years ago. A lot of the concern has to do with our societal shift away from passwords and to biometric access controls.
The biometric shift is largely associated with smartphones. Most people are now using their fingerprint or face to unlock their smartphones. Fingerprint technology, first deployed at scale on laptops and later popularized with “Touch ID” on iPhones, is much simpler and more convenient than typing in a password or PIN each time you want to unlock your phone. [Fun fact – Authentec, the startup that originally developed fingerprint technology and that Apple eventually acquired, was founded by NC State grad and current Raleigh resident Scott Moody.] More recently, even the finger has become too much work, and people are adopting facial recognition, in which an instant-on camera checks whether we are the owner of a phone before unlocking it.
At first glance, it seems like using biometric technology, like facial recognition or a fingerprint scan, is far more “secure” than using a password. And to some extent, that is a true statement. Unless someone has your actual finger to put onto a scanner (a common heist movie workaround), how could anyone possibly defeat biometric technology?
Here’s the issue. History has shown that eventually, everything gets hacked. The simple truth is that your fingerprint (or face) is converted to a digital version. Think of that as a massive file of 0’s and 1’s that’s as unique as your unique body. The biometric reader must have access to your unique data file to compare to a reading of your physical body. So when someone hacks that reader, they could gain a copy of your digital signature.
Of course it’s not quite as simple as I describe. There is data encryption, cybersecurity layers and other cryptographic techniques. But the high level risk holds true – eventually everything gets hacked. Do you think the fingerprint file you created in 2016 can withstand hacker tools a decade later? Here’s the rub.
If your password is stolen and someone uses it to spoof (steal) your identity, it creates a massive headache. But the problem is recoverable. It is as simple as changing your password and re-establishing your accounts. If your accounts are tied to biometric data that gets hacked, then what are you to do? You can’t change your fingerprints. Plastic surgery to change your face is an extreme, unrealistic solution (that doesn’t prevent a future hack).
Countless times, we have read about hackers conducting massive password releases, both publicly and on the dark web. It is unrealistic to believe that similar biometric data releases will not soon follow. In fact, this has already happened several times.
● In May of this year more than 5 million high resolution headshots were leaked to the dark web, along with names, email and residential addresses, birthdates, phone numbers, and government identity numbers. This hack, in El Salvador, represents 80% of the entire population of the country.
● Back in 2018, there was a hack of the national biometric system used in India. More than 1 billion people’s biometric data was compromised.
● BioStar 2, a biometric security platform integrated into the devices that verify biometrics, was hacked in 2019. 27.8 million records were released, putting at risk the secure operations of more than 5,700 organizations that used BioStar technology across 83 different countries.
The reason the risk of biometric hacks is so significant today is that in the recent past, we had a fair amount of control over whether we chose to share our biometrics. Our DNA was ours unless we decided to engage a company like 23andMe. Nobody was stealing a spit sample to gain our DNA signature.
But the proliferation of smart cameras in the past few years is astounding. A range of experts and industry analysts estimate the compound annual growth rate of connected camera deployments at 12-20%. And all deployed systems are adopting AI. Numerous facial recognition algorithms have free, open source tools that make it easy to capture data. Suddenly, any time we walk past a camera, someone can capture our biometric signature.
No longer can anyone “opt out” of having their face captured. Even cheap cameras can capture you accurately enough to create a digital biometric file for your face. This is how China, for example, is building a massive database of every resident and everyone who visits the country. The next step is linking that digital file to other personally identifiable information like your home address, email or phone number. That’s nearly impossible to avoid.
As I described in an earlier article, there are clever ways to use our devices as “surrogates” for ourselves. This allows companies to make really accurate guesses about who we are, even if we don’t directly disclose that. The TL;DR of that article is that when smart devices are in proximity to each other, they handshake, leaving a digital footprint of where you have been.
Tom Snyder: Mobile devices deliver our data, our ‘proxy selves,’ whether we like it or not
So what happens when your face is scanned?
If you have your phone with you, or are in your car, or are wirelessly gaming on your Switch, or are wearing your smart watch or are in proximity to pretty much any other modern device that is owned by or associated with you – it will handshake with the camera that scanned you. After a few interactions, it is not hard for prediction algorithms to guess who you are.
Your face becomes associated with the devices that are regularly in proximity to you and, bingo! The device owner must be the person whose face was captured.
Last week and this week, I’ve painted a somewhat bleak picture.
● Corporations are doing everything they possibly can to capture and track our daily movement, decisions and behaviors. We are living in a corporate surveillance state.
● Biometric data will eventually get hacked, and we can’t reset our “body passwords” after a hack like we can a traditional password.
● Massive proliferation of low-cost but high-performance face recognition cameras and algorithms all but guarantees our biometric data will be captured and accurately associated with us, if it hasn’t been already.
So what are we to do? I don’t have all the answers, but I have a few ideas. I’ll share those next week.
The post Tom Snyder: With every swipe, we create the digital surveillance state first appeared on WRAL TechWire.


