Airport biometrics take-off raises risky challenges ahead

New technology makes bold promises, but poses significant security risks

British Airways biometric self-boarding gates

Dubai-based carrier Emirates Airline has announced that it is currently preparing to launch what it has dubbed the world’s first ‘biometric path’, offering travellers a seamless journey across its main hub in the United Arab Emirates.

Utilising the latest facial recognition and iris scanning technologies, passengers of the Gulf carrier can soon check-in for their flight, complete immigration procedures, and even access the premium Emirates Lounge hands-free, simply by walking through biometric checkpoints across the terminal.

Airports across the world are following suit. Clear, a New York-based technology firm contracted by the US government, announced last week that it is currently expanding its kiosk network to a total of 22 airports across the country. Instead of queuing for Transportation Security Administration officers to review travel documents and boarding passes, pre-approved Clear members will be able to verify their identities by undergoing a quick eye scan.

Biometrics risks

The use of biometric technology is gaining traction beyond the air travel industry. Following a string of high-profile data breaches impacting well-known companies in recent years, businesses are looking for better authentication systems while balancing end-user security and usability.

Widely used username-and-password models, along with two-factor authentication methods, will soon be phased out in favour of biometric technologies. Spiceworks, a professional network for the information technology industry, recently reported that nearly 90 per cent of businesses will deploy biometric authentication technologies by the year 2020, with 62 per cent already using some form of biometrics.

Yet many experts warn that the wide adoption of these methods is not without significant risks to users and could potentially create entirely new forms of identity theft and other cybercrimes.

David Emm, Kaspersky Lab’s Principal Security Researcher, recently commented on how serious a breach of this kind of data would be, and how it could cause even more damaging impacts for victims than current methods of identity theft.

In a public statement, Emm said: “The development of biometric technologies has given us the ability to use our bodies for authentication, which is increasingly stretching to travel hubs, such as airports. The major benefit, of course, is greater efficiency. However, the integration of biometric identifiers, such as fingerprint, iris and facial recognition, shouldn’t be introduced at the expense of security. Biometric data, stored by a single service provider or across an industry, is a valuable target for cybercriminals. And a breach that resulted in the exposure of such data would be serious – perhaps more so than the compromise of passwords. Any security breach resulting in leakage of biometric data is likely to have extremely serious consequences: we can change a compromised password, but not a compromised fingerprint or other biometric.”

“We can change a compromised password, but not a compromised fingerprint or other biometric.” 

David Emm, Kaspersky Security Researcher

Regulations playing catch-up

Despite the specific nature of this kind of information, there has until recently existed no legal framework for the protection of biometric data. Legislation instead has been awkwardly adapted from existing regulations concerning personal data protection and privacy.

In May 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) for European member states, which addresses biometric data and has been considered a significant milestone for data protection and privacy. However, the GDPR defines biometric data somewhat vaguely, thus allowing member states to pursue very different strategies for the protection of biometric data.

Specifically, the GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data.”

But by defining biometric data under such broad terms, the GDPR appears to recognize that biometric technology is relatively nascent and will continue to evolve. By using this definition, the GDPR seems to cover a wide range of types of biometric data that could become available with the adoption of burgeoning technologies. The regulation will just have to keep one step ahead.

In the United States, however, there is no unified federal law regulating the collection and use of biometric data. The states of Washington, Illinois and Texas each passed a biometric privacy law at the state level last year.

But with US President Donald Trump signing an executive order calling on officials at the Department of Homeland Security to speed up the deployment of the biometric system to airports, it is clear that federal regulators are also increasingly focusing on biometric data protection.

