Proper ID Verification Requires Ethical Technology

As biometrics technology becomes more widespread and sophisticated, there is growing concern about it crossing ethical lines through misuse or fraud. Companies wanting to use identity verification technologies or systems for good must ask themselves: 1) Am I using ethical technology? and 2) How do I procure ethical technology?

To answer these questions, we first need to look at how ID verification works.

Identity verification is the ability to determine that a person is who they say they are through the exchange of personally identifiable information (PII). It begins with an enrollment phase, which takes place in settings like the DMV and involves several steps and points of reference to establish the person’s digital footprint. Once the ID is established and verified, it can be linked to a biometric, which provides something physical, measurable, and ideally applicable for some time – though it will need refreshing every few years. Organizations responsible for PII verification must be accountable for this refresh, ensuring enrollment isn’t simply “one and done,” which can render the biometric ineffective after some time.

PII can be stolen or misused, especially in the digital age where everyone’s information is online. It’s important to ensure this data is properly managed and controlled. With biometrics, the good thing is that a jurisdiction can relate a biometric back to the system of records from which it was issued to confirm it hasn’t been modified. This can then be used to prove or disprove a person’s identity, and to track and unravel imposters in the system.

There are good real-life examples of how PII has been used in ID verification. Take the TSA, which has a strong ID verification process at airports for immediate facial matching and credit authentication, data that is deleted immediately after. It’s a great way to limit data use for verification without keeping it for other purposes.

Effective identity verification should be ethical, consensual, and inclusive. For that, we return to our initial questions.

Am I using ethical technology?

Every company using technology for identity verification – of their consumers, employees, partners, etc. – must ask themselves if their tech comes under the banner of “ethical.”

In this case, it’s helpful to look at existing data privacy and security laws. We need to have a strong federal redress procedure to allow for PII corrections, removal, and so forth. For example, the General Data Protection Regulation (GDPR) outlines the regulations for storing, collecting, and processing data to ascertain that enterprises are maintaining data privacy and security to an established standard. Legislation like the GDPR or the California Consumer Privacy Act (CCPA) can serve as a good baseline for how companies should use their technologies – and from here, these businesses can further develop internal policies that are customized to meet their objectives and align with their specific technologies.

Earlier this year, the U.S. Office of Management and Budget (OMB) released its 24-9 memo outlining how organizations must securely use and manage AI. Succinctly put, the memo requires that agencies establish strategies, hire AI officers, and conduct risk assessments to ensure they are using ethical AI technology.

While this memo is specific to AI, it’s also a great resource to apply to other enterprise tech and operating systems. Doing so means walking the talk, streamlining policies across organizational tech, and being transparent with customers to improve risk and reputation management.

How do I procure ethical technology?

There are many factors to consider in procurement: security and privacy concerns, accessibility issues, ethical regulations, and more. This inadvertently means the public and private sectors collide, as corporations developing and using technologies are answerable to the federal, state, and local bodies that define the regulations under which they must operate.

Globally recognized groups like the International Biometrics + Identity Association (IBIA) facilitate these relationships by providing companies with access to decision-makers, keeping them informed, and getting involved in education, advocacy, and policy, including government regulation and interference.

For businesses reliant on ID verification, ethics can be achieved and maintained with three steps: running risk assessment, maintaining transparency, and keeping accountability.

Running risk assessment

When it comes to identity security, security teams should regularly monitor, identify, analyze, and report risks in their environment. If exploited, these risks can be detrimental to an organization, its assets, and stakeholders. They can also undercut ethical standards of privacy and data protection.

Running risk assessments is especially important when there is a lack of visibility in company processes and security gaps. Organizations can systematically assess their security measures surrounding user identity data and ensure compliance with privacy policies and regulatory standards.

Maintaining transparency

Transparency is among the most vital aspects of ethical identity verification. It requires organizations to be upfront about how they practice data collection and management, and how the data is used. This has to be reflected in the company policies, culture, and of course, its technology, including data storage and access. Users, i.e., customers from whom data is collected, should be able to access the policy terms easily at any point. Not only does this give users more control over their data; it also makes it easier to help customers manage the risks involved with sharing their biometric information.

Keeping accountability

When companies are looking to procure ethical technology, it’s important to account for factors like privacy, accessibility, security, and regulations. The above factors look at the perspective of the company using the tech and how they should operate it. These factors also speak to the technology’s innate features and enable a company to determine if it is designed to optimize privacy and security, automatically update regulations, and flag suspicious activity. In this sense, it becomes “ethical by design.” Having technology that is ethical by design can streamline and simplify the process of achieving ethical ID verification for organizations.

The biometrics/identification industry has come far. Even so, we continue to be hung up on fear mongering and misinformation, as well as clashing opinions surrounding AI and data privacy. To truly enact change, public and private sectors must come together in unison to establish a standard code of ethics and responsible policies, and promulgate responsible use cases.

In addition to baseline legislation, if the technology industry can self-govern, it can put its collective foot forward on Capitol Hill or in state capitals. If it can self-regulate, then it stands a greater chance of fostering cooperation with governing bodies and building a way forward in an environment that allows ethical ID verification to flourish and to be used for good.