A digital security point of view for the digital business era

Embracing biometrics without compromising on privacy

23 Feb 2017

With biometrics now being used more widely, companies need to be sure the data they’re collecting is well protected.

With cameras and biometric sensors in smartphones and tablets, many more people are now in regular contact with biometric systems.

Apple led the way with Touch ID, which allowed their customers to use a scan of their fingerprint as a passcode. Samsung quickly followed suit, with their fingerprint sensor-enabled Galaxy S5.

Companies such as MasterCard have since started authenticating their online transactions using facial and fingerprint scans and several call centres are now using voice biometrics to verify identity and validate access to call centre services.

So where does all this leave us with regards to privacy and personal data? Biometrics clearly offer companies a more efficient way to identify people than simply asking them for an id and password. But how secure are the details they’re obtaining from customers when that data is being stored centrally, and could be at risk of loss or theft?

To counter these concerns, the ideal biometric system should have the right level of accuracy for the purpose, be easy to use, and provide a good level of privacy protection.

As it stands, the most widely used biometric systems are based on external bodily features that could potentially be captured without someone’s knowledge (fingerprints, face, iris, voice, and so on). If the biometric data is stored locally, such as on people’s smartphones, privacy isn’t such a big issue as each person remains in control of their own information. But once that data is stored centrally, concerns have to be raised about its safety, particularly if biometric databases start being created at a government level.

Vein ID provides a good compromise. The biometric data used for finger vein authentication is inside the body, so it can’t be captured without consent. The finger vein image is never stored anywhere and a template is created from the scanned image and encrypted before being sent for validation.

Vein ID means that the individual decides which applications their biometric data is used for and they remain in full control about how their data is used.

Contrast this with facial recognition where an individual’s data could be used by any video analytics application without their knowledge or consent, and you can see why Vein ID is now being taken up by companies looking for a fully privacy-compliant biometric system. Many clients are now using it for that reason to authenticate high value transactions and to manage access to critical infrastructure.

For more information about Vein ID or to discuss with Hitachi, please contact: