A common myth about biometric technology is that it is an invasion of privacy, and it’s easy to see how this misunderstanding has come about.
Biometric authentication has seen rapid growth in the journey to going passwordless, particularly as the technology balances protection with a frictionless user experience. However, you often hear stories about how live facial recognition is being used, almost always without consent, to ‘monitor’ and ‘keep tabs’ on a population, leading to fears that ‘Big Brother is watching you’.
But there’s a fundamental difference between comparison and recognition; between the facial comparison technology you use to authenticate yourself (like when you open your phone or login to a website with biometrics) and the facial recognition technology used to figure out who someone is (like viewing CCTV footage of a crowd in the street approaching a football stadium). The difference is consent and whether consent is given by the individual to have their face checked.
With comparison, I willingly consent to have a picture of my face stored and then actively consent to present my real face to be compared to that picture in order to verify I am who I say I am – in much the same way I consent for a company to store my password and then later consent to enter my password to be compared to the stored one to verify me.
For recognition of individuals, there is no specific consent for the act of trying to identify who an individual is. There may be a CCTV sign on a lamppost saying facial recognition is being used, or the police might have specific powers to carry out surveillance in an area, but typically every individual is largely unaware and not actively consenting to have their picture taken and processed to see if they can be identified.
So, using biometrics to authenticate who you are by comparing your face to a picture requires your consent and should only happen when you actively and knowingly request it. The scope of the biometric check is limited solely to confirm that you are who you say you are, and in this way there is no invasion of your privacy, no Big Brother hiding in the shadows.
In a well-designed biometric authentication system, the user remains in absolute control and their biometric data is never actually shared with the sites, apps or businesses where the user logs in. Instead, the biometric data is stored just once in a service that can undertake a comparison on behalf of multiple organisations.
This is precisely how we have designed Nomidio, so the user remains in total control, with their consent required before their Nomidio biometric ID can be checked. In fact, we’ve gone a stage further using secure multi-party computing to prove beyond doubt that a person’s biometric data can never be accessed or queried without their explicit consent.