The High Cost of Groceries – Paying with Iris Scans
Privacy Plus+
Privacy, Technology and Perspective
The High Cost of Groceries – Paying with Iris Scans. This week, we address biometric information, privacy issues in refugee camps, paying for groceries with iris scans, and a recent a recent Lookout report indicating that United Nations agencies and many other NGOs, including the UN World Food Programme (and presumably, those served by the Programme), have been victimized by a large, sophisticated, and mobile-aware phishing campaign. A link to the Lookout report follows:
We find the reported UN breach particularly unnerving because the phishing attack may have compromised the privacy of Syrian refugees who rely on World Food Programme’s use of biometric technology—and in particular, iris scans—in refugee camps. The use of EyePay® by the World Food Programme was recently highlighted in Al-Jazeera’s excellent interactive series, “All Hail the Algorithm”, available at the following link:
https://interactive.aljazeera.com/aje/2019/hail-algorithms/index.html
In the episode “‘Follow me—You can run, but you can’t hide”—presenter/producer Ali Rae documented how Syrian refugees “can shop for groceries with the blink of an eye.” A link to that episode follows:
https://youtu.be/rDnKl-VSalE (@2:39)
Particularly listen when the UN representative truthfully—but eerily—explains that for refugees going to the market, “with their own iris, it’s easier than going with a card or a PIN.” “Easier,” indeed, since in many countries around the world, accurate identification of people is a major problem. Cards or PINs may be easily lost, stolen, or counterfeited. Biometrics seem like an obvious solution since they are unique, aren’t easy to counterfeit, and go automatically, of course, wherever their individuals go. The equally obvious trouble is that if biometrics are ever hacked and stolen, they can’t be changed, and are compromised forever.
Imagine that you are a refugee. Now, you face a stark choice: You can say no (and can keep your biometric information to yourself, if you like), but in that event, you and your family will likely starve. Or, you can say yes (and give up your biometric data and agree to be identified by it), and then you and your family can enter into the refugee assistance program, and you can eat.
Under these coercive circumstances, we would all agree. And we would just have to trust that the United Nations would protect our biometric information from hackers, phishers, and other bad actors. But what happens if the UN fails to protect it, and those iris scans fall into the hands of thieves or rogue nations?
Has that happened? We don’t know, but we are troubled.
We have repeatedly cautioned that few laws cover biometrics and biometric identifying technologies, and more are needed. See, for example, this post from October 19th:
https://www.hoschmorris.com/privacy-plus-news/privacy-plus-freezing-facial-recognition-lets-revisit
Further, we worry that the risks associated with the rapid-adoption and use of biometric information—even for the best purposes and with the best of intentions—have not been well-considered.
After all, certain compromised information (e.g., passwords) can be changed. But compromised biometric data can’t be changed, and it will stay compromised forever. When people lose their identities and can’t get them back, we all have a big problem.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.