The Department of Homeland Security (DHS) is to propose a standard definition of biometrics for authorized collection, which would establish a defined regulatory purpose for biometrics and create clear rules for using the information collected.
A proposed expansion would modernize biometrics collection and authorize expanded use of biometrics beyond background checks to include identity verification, secure document production and records management.
The proposed rule would also improve the screening and vetting process and reduce DHS’ dependence on paper documents and biographic information to prove identity and familial relationships. DHS said the proposed rule would authorize biometrics collection for identity verification in addition to new techniques such as voice, DNA test results and iris and facial recognition technologies.
Ken Cuccinelli, senior official performing the duties of the deputy secretary for Homeland Security, said this proposed rule eliminates any ambiguity surrounding the Department’s use of biometrics, setting clear standards for how and why it collects and uses this information.
“Leveraging readily available technology to verify the identity of an individual we are screening is responsible governing,” he said. “The collection of biometric information also guards against identity theft and thwarts fraudsters who are not who they claim to be.”
Fausto Oliveira, principal security architect at Acceptto, said the use of biometrics, particularly facial recognition, has been publicized as a positive step forward, but the use of such biometric factors requires scrutiny and a legal framework. “Facial recognition is not by itself wrong, however it needs a comprehensive legal framework to protect individuals and an organization that supervises the application of this information, has a clear political mandate to supervise the agencies that deal with this type of information and the power to act to stop misuse of that information by federal entities,” he added.
“The collection of biometrics will not stop given the perceived value that it has for identification purposes. However, legislators need to intervene and create mechanisms that balance the need to know by justice departments against individual freedom, the right to be forgotten and the right to privacy.”
Joseph Carson, chief security scientist and advisory CISO at Thycotic, asked if the DHS will collect only a mathematical computation of biometrics, or if it will collect the actual raw data, as this really increases both security and privacy risks. “It should also be clear on what it can and cannot be used for since limitations in scope should always be clear. It is important to note that biometrics are not a replacement for passwords but are improved and secure replacements for usernames as they are typically used for identifiers and not actual secrets. It should also be made clear on how long the data will be kept and whom it will be shared with.”
Carson said that whilst biometrics improve identity proof and document verification and reduce password fatigue, they also introduce additional security risks that must be managed and secured using strong privileged access management. “It is important to protect the government, but at the same time, also protect the citizens,” he said. “When biometrics are abused, or stolen, it impacts the citizen for life and the company/government for a limited time.”