Welcome to the SecAware blog

I spy with my beady eye ...

20 May 2017

NBlog May 20 - more biometric woes

In the course of a routine eye checkup yesterday, the optician took and showed me high-definition digital images of both my retinas. Fascinating! 

This morning while in the dual-purpose creative thinking + showering cubicle, I idly wondered about the information risks. Could I trust the optician to have properly secured their systems and networks, and to have encrypted my retinal images to prevent unauthorized disclosure? If not, what impact might such disclosure cause, and what are the threats? 

I don't personally use retina-scanning biometric authentication, and I seriously doubt anyone would be desperate enough to steal and use my retinal images to clone my identity (given other much easier ways to commit identity fraud), so I'm not that fussed about it - it's a risk I'm willing to accept, not being entirely paranoid.

I'm curious about the risk on a wider level though: are opticians and other health professionals adequately securing their systems, networks, apps and data? Do they even appreciate the issue? It's far from a trivial consideration in practice.

The risks would be different for people such as, say, Mr Trump who might actually be using retina or iris images or other biometrics for critically important authentication purposes. I wonder whether the associated biometric data security and privacy controls are any better for such important people, in reality? Do the spooks make the effort to check? What stops someone taking high-res close-up photos of Donald's iris or finger or palmprints, or high quality audio recordings of his voice, or video recordings of his gait and handwriting or typing, or picking up one of his hairs for DNA analysis, perhaps in the guise of the press corps, a doting fan or a close confidante? Inadvertent disclosure is an issue with biometrics, along with the fact that they cannot be changed (short of surgery) ... so the security focus shifts to preventing or at least detecting possible biometric forgeries and replays, taking us right back to the issue of false negatives that I brought up a few short hours ago.

