Vlog: Ensuring Biometric Data Privacy and Compliance
Join Michael Cichon, CMO at 1Kosmos, and Mike Engle, CSO, as they explore the growing impact of biometric privacy regulations across the U.S. and beyond. Learn how 1Kosmos protects user data through privacy-by-design, decentralized architecture, and secure biometric hashing. Whether you’re a security leader or privacy-conscious consumer, this conversation breaks down what to watch out for when scanning your face or ID online—and how to stay in control.
Michael Cichon:
Well, hello, everybody. Welcome to the 1Kosmos Vlog. This is Michael Cichon. I’m the chief marketing officer at 1Kosmos. I’m here with Mike Engle, our chief strategy officer. Always good to have you, Mike. Let’s jump right in. I want to talk to you about privacy. 1Kosmos is an identity verification, passwordless authentication company. So obviously, we capture biometrics. We use biometrics of various sorts, fingerprint, face ID, live ID, even getting into some things like iris if the company has that set up.
So a lot of privacy regulations making the news lately. The list’s probably too long to mention here, but Illinois, Texas, New York, probably several others by now, are all passing privacy legislation. Consumers generally seem to be at least, if not concerned, aware that their biometrics are being captured, and they want some degree of control here. So before jumping into 1Kosmos and how we manage privacy, can you talk a little bit about the privacy movement that we’re seeing in the United States and probably, in all likelihood, international, as well?
Mike Engle:
Yeah. So when Google and Facebook did their thing, they monetized all of us. Right? Get Facebook for free. Get Google for free. Guess what? They’re going to sell your data. There’s been quite a backlash, not only from people who don’t want that to happen, but the states are starting to force data privacy. A big part of data privacy is the biometrics, and it’s one of the most important things. You can sell the fact that I live at 123 Main Street, my social security number, and that’s bad.
You can protect against that. Right? You can move. Your address, by itself, really not too scary, and typically, there’s other controls. But you can’t change your biometrics. Then, the other challenge is once your biometrics are in a system, you don’t know how they’re using them and how they might use them in the future. So these are some of the things that are top of mind for legislators and, really, everybody.
Michael Cichon:
Well, that is a concern, I mean, just a personal concern. I’ve been online. I’ve had to scan my driver’s license in a couple times, online prescriptions, even advertising, digital advertising now. When you go through the airport, if you want the fast path, you kind of have to scan your credentials. So should I, as a consumer, be concerned about scanning my driver’s license and my likeness into a website?
Mike Engle:
You should. Yeah. You should be careful where you do it. Trust the entity, and understand the privacy policies. Sometimes, you’re in a rush. You don’t check. Are they storing that driver’s license or your face in a place long term, or is it kind of transient, where they’re going to process it and throw it away, which is what they really should do unless there’s some reason, maybe legal. Right? Banking, they might have to keep it. So that privacy policy and how they’re going to use it in the moment and in the future is really important.
Michael Cichon:
So privacy policy, of course, is important, but we’ve had thousands and thousands of data breaches. So data’s captured and secured until it isn’t. Right? So what are the questions to ask when we start scanning our biometrics into any system?
Mike Engle:
Well, it’s, what are they using it for? Right? That’s the consent part. For example, let’s say you walk into a grocery store, and they have some new face authentication thing, which, it’s getting out there. Right? The Amazon Fresh has palm scanners. Panera Bread does, as well. Chase has this thing called PopID, which is a facial and other types of biometrics that they’re putting into retail. So what if that face could now be used to tell anytime you walk into the store? Would that bother you?
Michael Cichon:
It might.
Mike Engle:
Yeah. Right? So that’s the issue, is these entities must say, “We’re just going to use it to make your life easier at the register, and we’re going to take really good care of that face.” In fact, the way we do the technology, this is how 1Kosmos does it, is a way that we don’t even have to store your face in the system, but we can use you walking up to a camera over and over again. Right?
So we have, obviously, our fingerprint, 1Key device, and our face LiveID technology, which doesn’t actually store your face in a way that we can use it a second time without your consent. So that’s the big difference in the two. And so if I told you that, you’d probably have a little more comfort with the solution. Right?
Michael Cichon:
I might. I might. So let’s talk a little bit more about that. What are some of the, if you will, the design considerations or security countermeasures that 1Kosmos puts in place to protect and secure personally identifiable information?
Mike Engle:
Yeah. So there’s a couple. There’s the concept of biometric hashing. So imagine you walk up to a terminal, a kiosk, a website, your phone, and at the edge, that face can be turned into a mathematical formula, call it a thousand random numbers that look random and that cannot be reverse engineered into your face. That is where the determination is made as to whether it is you or somebody else. Hashing is a concept that’s been used since the password was almost invented, going way back. It’s really important when you apply it to biometrics.
Michael Cichon:
Okay. The 1Kosmos platform is privacy by design. What does that mean?
Mike Engle:
It means that the user is always in control of their PII. So if we work with you and verify your identity, or we need to authenticate you into your workstation or a website, we will never have access to your personal data, for example, your driver’s license information, your passport, that face biometric, your fingerprint biometric. We don’t have access to it.
So my head of engineering could not, with all his knowledge, reach into some type of database and get your stuff, period, full stop. That’s the way we’ve designed it. By design, it is private. Now, the only way to access it is if I give you my consent and, really, the private key, which enables that to be leveraged.
Michael Cichon:
Okay. So in a traditional system, somebody hacks the admin’s credentials. They have the same access the admin has. They can then see what’s in the central files and, I guess, encrypt them, view it.
Mike Engle:
That’s right.
Michael Cichon:
In our system, if, God forbid, you hacked a developer or a central admin, congratulations, but you’re not going to be able to get any personal data from anybody. Because that admin, that person, by definition, doesn’t have access to it. It’s the whole nature of a distributed ledger. All right. So let’s talk about the practical application of this, then. Now, you have chief information security officers trying to make decisions about passwordless authentication, whether or not to use biometrics. What are some of the considerations that these folks should have when they evaluate the approach they’re going to take to eliminating passwords or strengthening authentication?
Mike Engle:
Yeah. So there’s the design. Right? So we talked about privacy by design. If a face from the authenticating or verifying system ends up anywhere that it can be accessed, it’s a big red flag. There’s been many biometric breaches of recent years, and that, it just opens up a whole host of issues. Then, so let’s say you are, you mentioned a chief information security officer. If they want to allow their employees to log into a Windows workstation with just their face glancing at a camera, much like Windows Hello, but it would work anywhere, they have to make sure that not only the provider, 1Kosmos, doesn’t have access, but they don’t either. Right? That CISO does not want access to faces. They don’t want to be able to click on some button in a system and be able to see them. So the privacy by design is important.
Just as important is consent. So all that means is you have to ask the user for their permission to do the thing that you’re going to do, and that’s what the states have been enacting laws for very aggressively. The most famous state for this type of topic is Illinois with their biometric regulation that they call BIPA, B-I-P-A. They’ve had over 1,400 lawsuits since 2019 suing the biggest companies in the world and companies paying out millions of dollars, because they just didn’t disclose properly. They didn’t say, “Here’s how we’re going to do it. Do I have your permission?” And they used it for a purpose that wasn’t intended.
So it’s really, if you do those two things, make sure you don’t have access. Then, when you do get access, make sure you don’t use it for unintended or undisclosed reasons. You keep yourself out of trouble in general. So we put together some guidance on this. It’s kind of a state-by-state breakdown of how the laws are today, how they’re evolving, some details on the lawsuits that have happened, because by seeing what people have been sued for, it can help you keep out of trouble. Right? I think everybody has to become educated on the topic as they embrace the technology, but there’s a lot of help we can provide along the way.
Michael Cichon:
Okay. All right. So interesting. So to use biometrics in authentication, you can access the data, but you don’t need to control it. If you’re going to access the data, you want to make sure you get user consent, and then, at the end of the day, sounds like the user has ensured that user has sole control of their information. Sounds like a three-step process that maybe makes sense out of the approach to some of these security regulations.
Mike Engle:
Yeah. That’s right. That’s right, and some states are even saying written consent. So that one term, what does that mean, written? You got to go look at the devil in the details of what they mean and maybe what the lawsuits are claiming. Written consent could be as simple as I check, “Yes. It’s okay.” Other times, it may be written. So maybe you avoid biometrics in that one state, which, of course, you can do. You can solve for the 90% and handle the 10% with some edge case solutions, like maybe, then, use an alternate form of authentication. But that’s right. That’s the two ways to get yourself out of trouble.
Michael Cichon:
Awesome. All right. Mike, thank you very much for your time today. This is an evolving topic. We might have to come back and revisit it, but appreciate you spending a few minutes with me today.
Mike Engle:
My pleasure. Hope to see you soon.
