How Biometric Data Collection Can Be Dangerous — Even When Built With Blockchain

Governments have been collecting our data biometric data for decades now, and although some people seem to be bothered by it, most acknowledge it’s a necessary evil — some countries won’t approve your entry without it. However, one thing is to provide our personal data when it’s mandatory; another is to — although willingly — provide it to a private entity in exchange for money. Let’s delve into the latest news on biometric data collection and the dangers behind it.

ID Data vs Biometric Data Collection

The European Commission defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data”. These include scanning and storing your irises and/or fingerprints, and photographing your face, among other physical features.

When we talk about ID and personal information, it’s more about date of birth, full name, and in some cases, numbers associated with an individual’s citizenship documents, like an ID card, a driver’s license, or a passport. Some websites require you to verify your identity by providing such information. 10 years ago, your email address or phone number would be enough to open an account on social media. Nowadays, the companies behind these platforms might ask you for more: maybe your address, or ID.

A privacy-centric approach
Companies like Consensys and KILT are currently developing data-collecting tools for KYC and compliance purposes — people are now able to verify their identity online, be it to validate crypto wallets, or to keep an ID in a verified mobile app. This is done with the users’ consent, and they should be aware of the potential risks. Still, the companies developing these verification and storage applications assure a high level of security when it comes to privacy and personal data. The information is usually only stored on the user’s device or account and never released to a public space or the company. This is a very different kind of data-collecting method: it’s supposed to be safe for both users and companies, operating solely as a tool to ease the verification process. To know more about how Web3 thinkers are paving the way towards a safer, more private KYC and compliance world, read our article.

It’s a given
Websites have also been collecting people’s IDs and other personal information — like shopping or eating habits, financial background, etc — for many years now. There’s usually a consent form where each person can choose what information allows to be collected. They use this data mainly to determine market trends, customer preferences, and so on. The real issue arises when the box people tick also includes sharing this data with other entities — it’s hard to know how and for what it will be used.

Governments also collect information, sometimes even more than just our ID. It’s very common to pass through a country’s immigration security and have your retina and face photographed, and fingerprints collected. No one really explains for how long these will be stored, or for what they will (or can) be used. Nowadays, it just comes naturally, usually “for the sake of security”.

The Worldcoin Case

A quick online search for “worldcoin foundation biometric data” unveils countless news about how the Worldcoin Foundation’s efforts to collect people’s data are hitting a wall from governments and official institutions a bit all over the world, from Portugal to Hong Kong. In March, the Portuguese National Data Protection Commission (CNPD) ordered Worldcoin to cease all biometric data collection operations in the country, arguing the need to “safeguard the fundamental right to the protection of personal data, in particular of minors. (…) the CNPD considered that the risk to citizens’ fundamental rights is high, justifying an urgent intervention to prevent serious or irreparable harm.” How did Worldcoin work? They’d set up stalls in major locations like shopping malls and urged people to register and provide their biometric data in exchange for crypto tokens. Until the ceasing of operations, 300,000 people, including minors and migrant workers, had already submitted their information through the Orb device. Most of them didn’t even know what they were signing for, just that they were receiving money.

In Hong Kong, the Office of the Privacy Commissioner for Personal Data (PCPD) also ceased Worldcoin’s operations for the same reasons: due to privacy and personal data concerns.

According to Worldcoin’s website, the company has already stored the identity of more than 6 million people, with the purpose of becoming “the world’s largest privacy-preserving human identity and financial network, giving ownership to everyone.” The idea is that every individual can have a globally-inclusive identity, thus becoming part of the world’s economic system. At the same time, they ensure the privacy of the users’ data. However, the whole system seems a bit ambiguous. Although they assure personal data is “encrypted in transit and at rest”, there are still concerns from governments about the destination of such information. The media mentioned cases where Worldcoin was retrieving data — via the Orb — from minors, and migrant workers, people whose incentive was the money they were getting from providing such important information. Would these individuals be as willing to give their biometric data if tokens weren’t involved?

The blockchain-based project is interesting and poses a great deal of potential, especially with the rapid evolution of AI and related technologies, but the question remains: where does one draw the line?

Virtually any company can be hacked, which means these details that they so vehemently say are safeguarded and protected, can be compromised — although the storage might be done on a decentralized system, the collecting itself usually occurs on a centralized one. Biometric data poses identity theft risks that can last an individual’s lifetime since your iris and fingerprints remain the same forever. A more hypothetical logic can even suggest a higher risk for surveillance and tracking, thus leading to discrimination and other issues.

Blockchain-Based Biometric Systems

When biometric data collecting started, there was no blockchain involved, which meant less security. Most biometric systems are now being built with this technology, which ensures a higher (and stronger) level of security. Worldcoin is being developed with blockchain. According to the company, people only need to sign in once: at the moment the Orb scans the iris. This information isn’t kept; what’s stored is the IrisHash, a set of generated numbers that are unique to each person. The IrisHash is then used to access a digital wallet to create their WorldID or passport.

Last May, the company announced a new multi-party security system to prevent cybersecurity issues: The data from one iris is “broken down” into different pieces that are then stored in different places, which means it’s distributed. To decrypt and read the iris information of one individual, one will have to grab the scattered pieces from all over.

Decentralized systems are, indeed, the safest ones — at least from a technological standpoint. Imagine the following scenario: there’s a hidden treasure inside a box that requires 4 keys. A centralized system would keep all the keys in the same place; they could be hard to find, but when someone did, they’d be able to discover the treasure. A decentralized storage system would have you hide each key in a different place, making it almost impossible to uncover the treasure.

Blockchain provides other advantages, including user control (blockchain can enable individuals to have greater control over their biometric data by allowing them to grant and revoke access permissions through smart contracts), anonymization, and pseudonymization (biometric data can be stored in an anonymized or pseudonymized form on the blockchain, reducing the risk of personal identification and enhancing privacy protection), auditability, and trustlessness. If needed, biometric data stored on blockchain can also be useful for easier and quicker cross-border data sharing.

The integration of blockchain with biometric data collection and storage offers numerous benefits, including enhanced security, privacy, and efficiency. However, it is essential to address the challenges and risks associated with this integration through robust technical, legal, and ethical frameworks. By doing so, organizations can leverage the full potential of blockchain technology to create secure and trustworthy biometric data systems.

• • •

About Integritee

Integritee is the most scalable, privacy-enabling network with a Parachain on Kusama and Polkadot. Our SDK solution combines the security and trust of Polkadot, the scalability of second-layer Sidechains, and the confidentiality of Trusted Execution Environments (TEE), special-purpose hardware based on Intel Software Guard Extensions (SGX) technology inside which computations run securely, confidentially, and verifiably.

Community & Social Media:
Join Integritee on Discord | Telegram | Twitter | Medium | Youtube | LinkedIn | Website

Products:
L2 Sidechains | Trusted Off-chain Workers | Teeracle | Attesteer | Securitee | Incognitee

Integritee Network:
Governance | Explorer | Mainnet | Github

TEER on Exchanges:
Kraken | Gate | Basilisk