The Difference Between Internal and External Biometrics(And Why It Matters for Privacy and Consent)
In the last several years, biometrics have developed a reputation for being “creepy,” with many privacy concerns and legal issues surrounding them.
The core problem here is consent. Facial recognition, for example, has received a lot of criticism from privacy advocates because it allows surveillance cameras to automatically identify you from a distance — without ever having asked your permission to do so.
This creepy and invasive technology is the reason for all the recent controversy regarding biometrics.
In Europe, biometrics are highly regulated. The GDPR has a strict set of rules that companies must adhere to, or they risk facing massive fines. The main rule here is that the user must give their explicit consent in order for their biometric data to be collected — making it illegal for facial recognition systems to automatically identify you without your permission.
But in the US, there is still no comprehensive federal privacy law regulating biometrics, and in most states, automatic face recognition is still legal.
As part of their “Privacy Project” campaign, the New York Times recently did an experiment where they created a fully-functional facial recognition system — 100% legally — for about $60. They were able to easily identify people using only photos of them found on the internet.
Pretty creepy, right?
And while facial recognition is the most extreme example, this is true for all external biometrics.
Fingerprint, for example, has one major flaw: you leave your fingerprints on everything you touch. Law enforcement has used this for decades to identify suspects at the scene of a crime, but your fingerprint can also be easily collected by criminals in order to forge your print and fool fingerprint scanners.
Iris scan has similar vulnerabilities. This biometric has already been deployed in various airports around the US, allowing travelers to avoid the long security lines by scanning their eyes. However, despite it being considered secure enough to be used for airport security, iris scan isn’t foolproof. Hackers have found ways to fool iris scanners just by using pictures found online.
This paints a bad picture of biometric technologies, but to be fair, they have many advantages as well. Biometrics essentially use your own body to create a code that is unique to you. This allows you to identify yourself quickly and easily without needing anything other than your own body.
The problem is that most biometrics are external to your body. This means that your biometric code is exposed for the entire world to see, making it possible for it to be captured and used without your consent.
At Keyo, we set out to solve this problem using a biometric that is actually inside your body: your hand’s palm vein pattern.
Like your fingerprints, your palm vein pattern is completely unique — even among identical twins — and it stays the same throughout life.
Unlike fingerprint, however, it is never exposed to the outside world.
Keyo’s terminal uses near-infrared light to read your palm’s unique vein pattern, identifying you in 0.2 seconds. This is the only way your palm vein pattern can be read, making it impossible for it to be captured without your direct interaction with the device.
This is the advantage palm-vein has over other biometrics. Your palm-vein pattern is concealed inside your hand, so unlike other biometrics, it can never be faked, spoofed, or duplicated.
As the world’s first privacy-by-design biometric, palm-vein has privacy and consent built into it. With Keyo, you are in complete control of your identity — and you hold it in the palm of your hand.