Coldfinger not goldfinger, as smartphone biometrics not a panacea
Former GCHQ boss, Sir John Adye, has just given evidence about his concerns regarding the unsupervised use of biometrics on smartphones to an audience of British MPs in the Commons Science and Technology Committee.
Adoption of fingerprint technology has taken off most notably with smartphone giant Apple’s iPhone 6, and users can now make payments and access services using a fingerprint. However, as the former GCHQ security expert, who now runs his own biometrics company, commented: “I don’t know what happens to my personal data when I use it on a smartphone… there’s no physical supervision of the system (unlike an ATM which a bank oversees)”. “You need to design security methods… which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end… the bank or whoever it is, who is providing a service to them.” Apple says it uses the most technologically advanced fingerprint security and puts security and privacy at the core of the “Apple Pay” system. But Adye also wants more transparency in the way personal information is passed to third parties. He does not believe users fully read the notices presented in tick-box procedures, which breeds complacency while, in the background, the criminal community gets ever more clever about seeking ways in.
Another biometrics engineer presenting to the Committee, Ben Fairhead, advised that there were various anti-spoofing and other methods to work out whether the finger was real, but acknowledged that spurious results were thrown up if, for example, blood flow to the finger was low, which would cause the verification to be rejected. In a twist on the old tales of criminals smuggling a file into prison, we now have criminals adding iron filings to fake fingers to mimic the conductivity of human skin. From the Government’s point of view there will be increasing pressure to demonstrate that it has weighed the growing use of biometrics in border controls and public services against sufficient measures to safeguard against the risks and possible flaws.
Forget me not
With the ‘right to be forgotten’ now in situ, the European Commission has finally published guidelines telling search providers how to handle individuals’ take-down requests (first discussed in our blog of 16 May 2014).
Mostly the guidelines align with what Google has already been doing, and the balance is successfully struck between an individual’s wish for privacy and the public’s right to know. One area that has created consternation in the EU, though, is Google’s tendency to warn both users and site operators when it takes a listing down. According to the Commission this lacks a legal basis and could itself contravene data protection laws.
This was recently experienced by US singer Barbra Streisand, who sought to have some online information taken down, but the ensuing actions actually drew attention to the very issue she was trying to keep secret.
The Commission also wants a level playing field, so that removal applies across all web domains rather than only on country-specific ones (i.e. ‘.co.uk’ or ‘.fr’) while leaving uncensored results on a ‘.com’ page. This comes at a time when Microsoft’s ‘Forget.me’ has just started reviewing requests through its Bing search engine, using the EU advice as a template, but it remains to be seen whether the guidelines can please both sides AND the regulators.