E-Handbook: Designing secure, compliant identity access and management Article 3 of 4

Biometric data privacy, ethical questions complicate modern IAM

Use of biometrics in IAM systems may help secure company systems and data, but it also raises privacy issues. Here's how to keep both your security and ethical standards high.

Modern, upgraded identity and access management systems are transitioning away from simplistic username- and password-based authentication. The latest IAM systems now collect a much broader range of biometric characteristics, which can include fingerprints, irises, faces, palms, gaits, voices and even DNA.

While these types of biometrics allow for more precise authentication, advanced identity and access management (IAM) capabilities create serious ethical concerns over biometric data privacy.

The following tips help enterprises factor ethics into modern IAM systems so that privacy and data integrity are built into IT systems.

Data security. Accessing, using and storing data that includes individuals' identifying characteristics creates an unprecedented challenge from the security perspective. This information needs to be protected from external attackers. Preventing misuse by insiders, both benign and malicious, is essential too; good data hygiene practices are critical.

A company's customers usually assume that their data is confidential and uncompromised.

However, when companies don't own this data but merely use it for authentication, they need to have a right to audit the data periodically. Enterprises that use data stored in a government database (e.g., a national ID database) will likely not receive permission to audit the data. Instead, they should turn to a group like the Electronic Frontier Foundation or the International Association of Privacy Professionals, which have greater clout.

If the business owns the data, then continuous monitoring of who has access to the data, privilege revocations upon exit or job change, and continuous data classification are critical to biometric data privacy. Encryption lifecycle management of this data is another must-have.

Transparency. It is paramount to have easy-to-understand disclosures as to what sort of methods an enterprise is using to authenticate its employees, customers or partners. One prime example is boarding passes based on facial recognition. Delta was one of the first airlines to introduce facial recognition technology for distributing boarding passes in 2018, and they have done a remarkable job of making this process easy to understand.

Figure: Delta graphic showing how biometrics works in an airline terminal.

Optionality. When rolling out a new, intrusive technology like Delta's biometric identification processes, providing customers a choice to opt in or out creates a more ethical and friendly experience for the customer. When Delta first rolled this out, they specifically called it the "optional facial recognition technology from curb to gate." Customers could choose this or the traditional way to check in and pass through TSA. Once the technology becomes more accepted, biometrics like this could become the standard interface. But until then, choice is critical in maintaining a positive customer relationship.

Biometric data privacy. Frequently, this is grouped with security, but it is a unique attribute that needs to be understood independently. Historically, Security Assertion Markup Language (SAML) or OAuth has been used to send authorization messages between trusted partners. However, in the current data-brokering era, biometric data and predictions are even more valuable, and these "trusted" -- as well as untrusted -- partners could be vying for each other's customer assets. Remember Cambridge Analytica and Facebook? Being cognizant of what constitutes private data, having privacy dos and don'ts in place and sharing these with the customer is important.

Understanding customers' cultural norms is crucial when it comes to ethics in IAM as well. In Germany, specific GDPR-based citizens' rights to information are mandatory when a facial recognition system is deployed. In contrast, data collectors in China have far greater leeway to access and use a citizen's personal information.

The recommendations above will empower you to ethically embrace modern IAM systems that employ biometrics while also respecting biometric data privacy.
